URL: https://github.com/freeipa/freeipa/pull/468 Author: simo5 Title: #468: Remove non-sensical kdestroy on https stop Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/468/head:pr468 git checkout pr468
From 7a8212217891ad2f9453b82d136cf30ad0b0dd74 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Wed, 15 Feb 2017 04:44:59 -0500
Subject: [PATCH] Remove non-sensical kdestroy on https stop

This kdestroy runs as root and wipes root's own ccachs ... this is totally inappropriate. Use a file ccache that ends up in the private tmp, so that if the service is restarted the file is automatically removed.
https://fedorahosted.org/freeipa/ticket/6673
Signed-off-by: Simo Sorce <s...@redhat.com>
---
 install/share/ipa-httpd.conf.template | 2 +-
 ipaplatform/base/paths.py | 1 +
 ipaplatform/debian/paths.py | 1 -
 ipaplatform/redhat/tasks.py | 2 +-
 4 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/install/share/ipa-httpd.conf.template b/install/share/ipa-httpd.conf.template
index 8822066..39bcfcc 100644
--- a/install/share/ipa-httpd.conf.template
+++ b/install/share/ipa-httpd.conf.template
@@ -1,7 +1,7 @@
 # Do not edit. Created by IPA installer.
 [Service]
+Environment=KRB5CCNAME=$KRB5CC_HTTPD
 Environment=GSS_USE_PROXY=yes
 Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG
 ExecStartPre=$IPA_HTTPD_KDCPROXY
-ExecStopPost=$POST
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 8db9e61..9993c38 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -351,5 +351,6 @@ class BasePathNamespace(object):
 IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
 EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d'
 GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'
+ KRB5CC_HTTPD = '/tmp/krb5cc-httpd'
 path_namespace = BasePathNamespace
diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
index 5cbe9b8..ad0e13c 100644
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
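Review bot: The new `Environment=KRB5CCNAME=$KRB5CC_HTTPD` line, together with `KRB5CC_HTTPD = '/tmp/krb5cc-httpd'` in the ipaplatform/base/paths.py hunk, puts the httpd credential cache at a fixed, guessable name under /tmp, and the only thing keeping it out of the shared /tmp is the private tmp mentioned in the commit message, which this drop-in never sets itself. Because the ipaplatform/debian/paths.py hunk drops its override, Debian inherits the same path, and whether its apache2 unit runs with a private /tmp is not visible here. I would make the assumption enforceable by adding `PrivateTmp=yes` under `[Service]` in the template, and record it beside the constant with `# httpd ccache; only safe because the unit runs with a private /tmp (PrivateTmp)`. With `ExecStopPost` gone, removal of the cache on stop also rests entirely on that private directory being torn down.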
@@ -89,7 +89,6 @@ class DebianPathNamespace(BasePathNamespace):
 VAR_OPENDNSSEC_DIR = "/var/lib/opendnssec"
 OPENDNSSEC_KASP_DB = "/var/lib/opendnssec/db/kasp.db"
 IPA_ODS_EXPORTER_CCACHE = "/var/lib/opendnssec/tmp/ipa-ods-exporter.ccache"
- KRB5CC_HTTPD = "/var/run/apache2/ipa/krbcache/krb5ccache"
 IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock"
 IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 5bddd14..123595e 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -458,7 +458,7 @@ def configure_httpd_service_ipa_conf(self):
 dict(
 KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
 IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY,
- POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY)
+ KRB5CC_HTTPD=paths.KRB5CC_HTTPD,
 )
 )
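Review bot: Hosts installed before this change keep the old drop-in with the `ExecStopPost` kdestroy line until configure_httpd_service_ipa_conf rewrites it, and nothing in this hunk shows that happening on upgrade. If the function is not already called from the upgrade path, root's credential caches would still be wiped on every httpd stop on those hosts, so that is worth confirming before merge. A comment above the `dict(` call could record it, e.g. `# must be re-rendered on upgrade so older drop-ins lose the ExecStopPost kdestroy`. The function body starts before and ends after this hunk.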