On Mon, 2011-09-05 at 16:24 +0200, Martin Kosek wrote:
> How to test:
> 1) on server:
> - check that files in /usr/share/ipa/html are world readable
> - check that IPA files in /etc/httpd/conf.d/ are world readable
> 
> 2) on client:
> - check that /etc/ipa/default.conf is world readable, i.e. non-root can
> kinit and run "ipa" commands
> 
> ---
> 
> Fix permissions for (configuration) files produced by
> ipa-server-install or ipa-client-install. This patch is needed
> when root has a umask preventing files from being world readable.
> 
> https://fedorahosted.org/freeipa/ticket/1644
> 

Attaching a patch for the ipa-2-1 branch too.

Martin
>From 03f390bb4140515dbf4fa155a081448d5e7b0b1f Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Tue, 6 Sep 2011 08:39:24 +0200
Subject: [PATCH] Fix permissions in installers

Fix permissions for (configuration) files produced by
ipa-server-install or ipa-client-install. This patch is needed
when root has a umask preventing files from being world readable.

https://fedorahosted.org/freeipa/ticket/1644
---
 install/tools/ipa-server-install          |   34 ++++++++++++++--------------
 ipa-client/ipa-install/ipa-client-install |    9 +++++--
 ipaserver/install/dsinstance.py           |   15 ++++++------
 ipaserver/install/httpinstance.py         |   16 ++++++++++---
 ipaserver/install/krbinstance.py          |    6 +++-
 5 files changed, 47 insertions(+), 33 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index e8a48fad22778c8a6b85904d14c1bf1003cfa8a0..750144d72fe4e25a46bdca9777f76d89de46f8a8 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -806,23 +806,23 @@ def main():
     logging.debug("will use dns_forwarders: %s\n" % str(dns_forwarders))
 
     # Create the management framework config file and finalize api
-    old_umask = os.umask(022)   # must be readable for httpd
-    try:
-        fd = open("/etc/ipa/default.conf", "w")
-        fd.write("[global]\n")
-        fd.write("host=" + host_name + "\n")
-        fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n")
-        fd.write("realm=" + realm_name + "\n")
-        fd.write("domain=" + domain_name + "\n")
-        fd.write("xmlrpc_uri=https://%s/ipa/xml\n"; % host_name)
-        fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name))
-        fd.write("enable_ra=True\n")
-        if not options.selfsign:
-            fd.write("ra_plugin=dogtag\n")
-        fd.write("mode=production\n")
-        fd.close()
-    finally:
-        os.umask(old_umask)
+    target_fname = '/etc/ipa/default.conf'
+    fd = open(target_fname, "w")
+    fd.write("[global]\n")
+    fd.write("host=" + host_name + "\n")
+    fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n")
+    fd.write("realm=" + realm_name + "\n")
+    fd.write("domain=" + domain_name + "\n")
+    fd.write("xmlrpc_uri=https://%s/ipa/xml\n"; % host_name)
+    fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name))
+    fd.write("enable_ra=True\n")
+    if not options.selfsign:
+        fd.write("ra_plugin=dogtag\n")
+    fd.write("mode=production\n")
+    fd.close()
+
+    # Must be readable for everyone
+    os.chmod(target_fname, 0644)
 
     api.bootstrap(**cfg)
     api.finalize()
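Review bot: The new code sets the mode with a separate os.chmod on the path only after all the writes and the close have succeeded, so if any fd.write raises, the handle is leaked and /etc/ipa/default.conf is left at whatever mode the umask produced, with no chmod ever run; the removed try/finally at least guaranteed the umask was restored, and nothing replaces that guarantee. With a permissive umask the file is also wider than 0644 between open() and the chmod. Applying the mode to the open descriptor right after `fd = open(target_fname, "w")`, i.e. `os.fchmod(fd.fileno(), 0644)`, and dropping the trailing os.chmod makes the final mode independent of whether the writes succeed; closing fd in a try/finally would additionally stop the leak. main() begins and ends outside the hunk.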
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index fe520be9e79b12b2222fce45c6f7b1716d67ff46..6846e23311b7e9379a33757bc1a2dc8f1d2013fe 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -330,8 +330,10 @@ def configure_ipa_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server):
     opts.append({'name':'global', 'type':'section', 'value':defopts})
     opts.append({'name':'empty', 'type':'empty'})
 
-    fstore.backup_file("/etc/ipa/default.conf")
-    ipaconf.newConf("/etc/ipa/default.conf", opts)
+    target_fname = '/etc/ipa/default.conf'
+    fstore.backup_file(target_fname)
+    ipaconf.newConf(target_fname, opts)
+    os.chmod(target_fname, 0644)
 
     return 0
 
@@ -504,7 +506,8 @@ def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, c
     logging.debug("Writing Kerberos configuration to %s:\n%s"
             % (filename, krbconf.dump(opts)))
 
-    krbconf.newConf(filename, opts);
+    krbconf.newConf(filename, opts)
+    os.chmod(filename, 0644)
 
     return 0
 
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 09ef8c52526dd001fe1639b011951f74064bfc82..8ccb22cf0121b0ee30f7e48d9e07805755c1b75a 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -356,13 +356,14 @@ class DsInstance(service.Service):
         self.sub_dict['BASEDC'] = self.realm_name.split('.')[0].lower()
         base_txt = ipautil.template_str(BASE_TEMPLATE, self.sub_dict)
         logging.debug(base_txt)
-        old_umask = os.umask(022)   # must be readable for dirsrv
-        try:
-            base_fd = open("/var/lib/dirsrv/boot.ldif", "w")
-            base_fd.write(base_txt)
-            base_fd.close()
-        finally:
-            os.umask(old_umask)
+
+        target_fname = '/var/lib/dirsrv/boot.ldif'
+        base_fd = open(target_fname, "w")
+        base_fd.write(base_txt)
+        base_fd.close()
+
+        # Must be readable for dirsrv
+        os.chmod(target_fname, 0440)
 
         inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict)
         logging.debug("writing inf template")
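Review bot: The comment above the new chmod says the file "Must be readable for dirsrv", but 0440 on a file created by root and never chown'd here grants read only to root and group root, so the dirsrv service user cannot read it; the umask 022 this hunk removes used to yield 0644. If the file is only consumed by setup-ds.pl running as root this is harmless, but then the comment is misleading; otherwise either keep `os.chmod(target_fname, 0644)` or chown the file to the dirsrv user before tightening to 0440. Either way the comment should state who actually reads boot.ldif, e.g. `# Read by setup-ds.pl as root; keep it out of reach of other users`, once that is confirmed. The enclosing method starts and ends outside the hunk.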
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 04d1ed402fa9dc96c743772bf40af05fcf55d008..775d5a7816f9a4ab22963d4a5ee15b33abbe1503 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -136,17 +136,21 @@ class HTTPInstance(service.Service):
         os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)
 
     def __configure_http(self):
+        target_fname = '/etc/httpd/conf.d/ipa.conf'
         http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
         self.fstore.backup_file("/etc/httpd/conf.d/ipa.conf")
-        http_fd = open("/etc/httpd/conf.d/ipa.conf", "w")
+        http_fd = open(target_fname, "w")
         http_fd.write(http_txt)
         http_fd.close()
+        os.chmod(target_fname, 0644)
 
+        target_fname = '/etc/httpd/conf.d/ipa-rewrite.conf'
         http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa-rewrite.conf", self.sub_dict)
         self.fstore.backup_file("/etc/httpd/conf.d/ipa-rewrite.conf")
-        http_fd = open("/etc/httpd/conf.d/ipa-rewrite.conf", "w")
+        http_fd = open(target_fname, "w")
         http_fd.write(http_txt)
         http_fd.close()
+        os.chmod(target_fname, 0644)
 
     def __disable_mod_ssl(self):
         if os.path.exists(SSL_CONF):
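Review bot: target_fname is introduced for the open() and chmod, but the backup_file() call on the line between them still repeats the path literal, so the two can silently diverge if one is edited later; make both hunks consistent with `self.fstore.backup_file(target_fname)` for ipa.conf and again for ipa-rewrite.conf. The same pattern appears in the __setup_autoconfig hunk below, where shutil.copy still names preferences.html by literal. The os.chmod also runs only if the write and close succeed; with a permissive umask the file sits wider than 0644 until then, and `os.fchmod(http_fd.fileno(), 0644)` right after the open would pin the mode before any content is written.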
@@ -227,10 +231,12 @@ class HTTPInstance(service.Service):
             os.chmod(certs.CA_SERIALNO, 0664)
 
     def __setup_autoconfig(self):
+        target_fname = '/usr/share/ipa/html/preferences.html'
         prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "preferences.html.template", self.sub_dict)
-        prefs_fd = open("/usr/share/ipa/html/preferences.html", "w")
+        prefs_fd = open(target_fname, "w")
         prefs_fd.write(prefs_txt)
         prefs_fd.close()
+        os.chmod(target_fname, 0644)
 
         # The signing cert is generated in __setup_ssl
         db = certs.CertDB(self.realm, subject_base=self.subject_base)
@@ -240,12 +246,14 @@ class HTTPInstance(service.Service):
         pwdfile.close()
 
         tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+        target_fname = '/usr/share/ipa/html/configure.jar'
         shutil.copy("/usr/share/ipa/html/preferences.html", tmpdir)
         db.run_signtool(["-k", "Signing-Cert",
-                         "-Z", "/usr/share/ipa/html/configure.jar",
+                         "-Z", target_fname,
                          "-e", ".html", "-p", pwd,
                          tmpdir])
         shutil.rmtree(tmpdir)
+        os.chmod(target_fname, 0755)    # everyone can execute the jar
 
     def __publish_ca_cert(self):
         ca_db = certs.CertDB(self.realm)
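Review bot: configure.jar is a static file served by httpd and downloaded by browsers, so the execute bit granted by `os.chmod(target_fname, 0755)` is not needed for "everyone can execute the jar" and is inconsistent with the 0644 applied to the sibling files under /usr/share/ipa/html in the preceding hunk; `os.chmod(target_fname, 0644)` with the comment changed to `# served by httpd; must be world readable` is the least-privilege choice. The chmod is also skipped if run_signtool raises, which is acceptable since the jar would then be missing anyway. __setup_autoconfig starts outside the hunk and the surrounding method body continues past it.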
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 5326e2f23f0c783c72397cc130603c49755373c7..47fd520d3c909cad6b88597aee52065636171f2b 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -316,16 +316,18 @@ class KrbInstance(service.Service):
     def __create_replica_instance(self):
         self.__create_instance(replica=True)
 
-    def __template_file(self, path):
+    def __template_file(self, path, chmod=0644):
         template = os.path.join(ipautil.SHARE_DIR, os.path.basename(path) + ".template")
         conf = ipautil.template_file(template, self.sub_dict)
         self.fstore.backup_file(path)
         fd = open(path, "w+")
         fd.write(conf)
         fd.close()
+        if chmod is not None:
+            os.chmod(path, chmod)
 
     def __create_instance(self, replica=False):
-        self.__template_file("/var/kerberos/krb5kdc/kdc.conf")
+        self.__template_file("/var/kerberos/krb5kdc/kdc.conf", chmod=None)
         self.__template_file("/etc/krb5.conf")
         self.__template_file("/usr/share/ipa/html/krb5.ini")
         self.__template_file("/usr/share/ipa/html/krb.con")
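Review bot: The `chmod=None` special case for kdc.conf is not explained anywhere in the hunk, and a reader cannot tell whether it is intentional hardening (the KDC reads kdc.conf as root, so it need not be world readable) or an oversight; a comment on that call such as `# kdc.conf is read only by the KDC (root); do not widen its mode` would make the intent explicit. Note that with chmod=None a freshly created kdc.conf keeps whatever mode the caller's umask produced, so the case the commit message describes (an unusual root umask) still applies to that one file in the other direction. A parameter named `chmod` also reads as the os.chmod call it controls; `mode=0644` would be clearer, and as with the other hunks, `os.fchmod(fd.fileno(), mode)` before fd.close() applies the mode before any content lands on disk. __create_instance continues outside the hunk.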
-- 
1.7.6
