On 05/15/2013 11:40 AM, Ana Krivokapic wrote:
Hello,

See the commit message for details.

https://fedorahosted.org/freeipa/ticket/3594



_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

+    def regenerate_ca_file(self, ca_file):
+        dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp()
+        keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp()
+
+        os.write(dm_pwd_fd, self.dirman_password)
+        os.close(dm_pwd_fd)
+
+        keydb_pwd = ''
+        with open('/etc/pki/pki-tomcat/password.conf') as f:
+            for line in f.readlines():
+                key, value = line.strip().split('=')
+                if key == 'internal':
+                    keydb_pwd = value
+                    break
+
+        os.write(keydb_pwd_fd, keydb_pwd)
+        os.close(keydb_pwd_fd)
+
+        ipautil.run([
+            '/usr/bin/PKCS12Export',
+            '-d', '/etc/pki/pki-tomcat/alias/',
+            '-p', keydb_pwd_fname,
+            '-w', dm_pwd_fname,
+            '-o', ca_file
+        ])
+

If the PKCS12Export call fails (returns non-zero code), we raise exception here, and the temporary files are never removed.

+        os.remove(dm_pwd_fname)
+        os.remove(keydb_pwd_fname)

This might not be a big issue since mkstemp() call creates temporary file readable and writable only be given user ID, however, we should not leave files with passwords in plaintext on the disk if it is not necessary.

This can be easily prevented by wrapping the call up with try-chatch-finally block, or using raiseonerr=False options of run method.

Tomas
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to