URL: https://github.com/freeipa/freeipa/pull/450
Author: stlaz
 Title: #450: Add FIPS-token password of HTTPD NSS database
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/450/head:pr450
git checkout pr450
From 618747ed33263f1a45be0855e63e0de80e55ce8a Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Mon, 9 Jan 2017 08:45:33 +0100
Subject: [PATCH] Add FIPS-token password of HTTPD NSS database

This change is required for httpd to function properly in FIPS

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/httpinstance.py | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 7317fba..6383e27 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -329,14 +329,19 @@ def create_password_conf(self):
         This is the format of mod_nss pin files.
         """
         pwd_conf = paths.HTTPD_PASSWORD_CONF
-
         ipautil.backup_file(pwd_conf)
-        f = open(pwd_conf, "w")
-        f.write("internal:")
-        pwdfile = open(os.path.join(paths.HTTPD_ALIAS_DIR, 'pwdfile.txt'))
-        f.write(pwdfile.read())
-        f.close()
-        pwdfile.close()
+
+        passwd_fname = os.path.join(paths.HTTPD_ALIAS_DIR, 'pwdfile.txt')
+        with open(passwd_fname, 'r') as pwdfile:
+            password = pwdfile.read()
+
+        with open(pwd_conf, "w") as f:
+            f.write("internal:")
+            f.write(password)
+            f.write("\nNSS FIPS 140-2 Certificate DB:")
+            f.write(password)
+            # make sure other processes can access the file contents ASAP
+            f.flush()
         pent = pwd.getpwnam(constants.HTTPD_USER)
         os.chown(pwd_conf, pent.pw_uid, pent.pw_gid)
         os.chmod(pwd_conf, 0o400)
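Review bot: The pin file is created by `open(pwd_conf, "w")` with whatever mode the process umask yields, and both token passwords are written and flushed before the `os.chmod(pwd_conf, 0o400)` on the last line runs, so for that interval the NSS database password may be readable by any local user; this was already true of the old code, but the rewrite is the place to close it. Creating the file with its final mode removes the window: `fd = os.open(pwd_conf, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o400)` followed by `with os.fdopen(fd, "w") as f:`, keeping the chown/chmod lines as they are. The `f.flush()` and its comment are redundant, since leaving the `with` block on the next line closes the file and flushes it anyway. Whether pwdfile.txt ends with a newline is not visible in the hunk; if it does, the `"\nNSS FIPS 140-2 Certificate DB:"` entry is preceded by an empty line, which is worth confirming against what mod_nss accepts in a pin file. create_password_conf's signature lies outside the hunk.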
-- 