URL: https://github.com/freeipa/freeipa/pull/471
Author: HonzaCholasta
 Title: #471: Fix some privilege separation regressions
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/471/head:pr471
git checkout pr471
From 997191f2ea9f8b6066012b98283204e7a5c56c7e Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 16 Feb 2017 10:57:14 +0100
Subject: [PATCH 1/5] client install: create /etc/ipa/nssdb with correct mode

The NSS database directory is created with mode 640, which causes the IPA
client to fail to connect to any IPA server, because it is unable to read
trusted CA certificates from the NSS database.

Create the directory with mode 644 to fix the issue.

https://fedorahosted.org/freeipa/ticket/5959
---
 ipaclient/install/client.py |  2 +-
 ipapython/certdb.py         | 10 ++++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index e43ec7b..f951770 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2284,7 +2284,7 @@ def install_check(options):
 
 def create_ipa_nssdb():
     db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
-    db.create_db(backup=True)
+    db.create_db(mode=0o755, backup=True)
     os.chmod(db.pwd_file, 0o600)
     os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644)
     os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644)
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 73387cf..b22c3c1 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -124,9 +124,11 @@ def create_db(self, user=None, group=None, mode=None, backup=False):
         """
         dirmode = 0o750
         filemode = 0o640
+        pwdfilemode = 0o640
         if mode is not None:
             dirmode = mode
             filemode = mode & 0o666
+            pwdfilemode = mode & 0o660
 
         uid = -1
         gid = -1
@@ -147,7 +149,7 @@ def create_db(self, user=None, group=None, mode=None, backup=False):
             # Create the password file for this db
             with io.open(os.open(self.pwd_file,
                                  os.O_CREAT | os.O_WRONLY,
-                                 filemode), 'w', closefd=True) as f:
+                                 pwdfilemode), 'w', closefd=True) as f:
                 f.write(ipautil.ipa_generate_password())
                 f.flush()
 
@@ -162,7 +164,11 @@ def create_db(self, user=None, group=None, mode=None, backup=False):
             if os.path.exists(path):
                 if uid != -1 or gid != -1:
                     os.chown(path, uid, gid)
-                os.chmod(path, filemode)
+                if path == self.pwd_file:
+                    new_mode = pwdfilemode
+                else:
+                    new_mode = filemode
+                os.chmod(path, new_mode)
                 tasks.restore_context(path)
 
     def list_certs(self):

From 67d63be7fca7938bf60f1c199b0e570e2e111af3 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 16 Feb 2017 11:09:04 +0100
Subject: [PATCH 2/5] server upgrade: fix upgrade in CA-less

Use /etc/httpd/alias instead of /var/lib/ipa/radb in upload_cacrt, as
/var/lib/ipa/radb is not populated in CA-less.

Do not migrate ipaCert from /etc/httpd/alias to /var/lib/ipa/radb in
CA-less, as it might be an incorrect certificate from previous CA-ful
install, and is not necessary anyway.

https://fedorahosted.org/freeipa/ticket/5959
---
 ipaserver/install/plugins/update_ra_cert_store.py | 4 ++++
 ipaserver/install/plugins/upload_cacrt.py         | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/plugins/update_ra_cert_store.py b/ipaserver/install/plugins/update_ra_cert_store.py
index d7d28fd..c3aef6f 100644
--- a/ipaserver/install/plugins/update_ra_cert_store.py
+++ b/ipaserver/install/plugins/update_ra_cert_store.py
@@ -22,6 +22,10 @@ class update_ra_cert_store(Updater):
     """
 
     def execute(self, **options):
+        ca_enabled = self.api.Command.ca_is_enabled()['result']
+        if not ca_enabled:
+            return False, []
+
         olddb = certdb.NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
         if not olddb.has_nickname('ipaCert'):
             # Nothign to do
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
index 1a78108..425ea63 100644
--- a/ipaserver/install/plugins/upload_cacrt.py
+++ b/ipaserver/install/plugins/upload_cacrt.py
@@ -18,6 +18,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 from ipalib.install import certstore
+from ipaplatform.paths import paths
 from ipaserver.install import certs
 from ipalib import Registry, errors
 from ipalib import Updater
@@ -34,7 +35,7 @@ class update_upload_cacrt(Updater):
     """
 
     def execute(self, **options):
-        db = certs.CertDB(self.api.env.realm)
+        db = certs.CertDB(self.api.env.realm, paths.HTTPD_ALIAS_DIR)
         ca_cert = None
 
         ca_enabled = self.api.Command.ca_is_enabled()['result']

From 4de588f7202aa838cc53eaf35f4b6377625424fd Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 16 Feb 2017 11:13:13 +0100
Subject: [PATCH 3/5] server upgrade: fix upgrade from pre-4.0

update_ca_renewal_master uses ipaCert certmonger tracking information to
decide whether the local server is the CA renewal master or not. The
information is lost when migrating from /etc/httpd/alias to
/var/lib/ipa/radb in update_ra_cert_store.

Make sure update_ra_cert_store is executed after update_ca_renewal_master
so that correct information is used.

https://fedorahosted.org/freeipa/ticket/5959
---
 install/updates/05-pre_upgrade_plugins.update  | 1 -
 install/updates/90-post_upgrade_plugins.update | 2 ++
 ipaserver/install/plugins/ca_renewal_master.py | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/install/updates/05-pre_upgrade_plugins.update b/install/updates/05-pre_upgrade_plugins.update
index 19918ef..d0e3eb7 100644
--- a/install/updates/05-pre_upgrade_plugins.update
+++ b/install/updates/05-pre_upgrade_plugins.update
@@ -8,4 +8,3 @@ plugin: update_referint
 plugin: update_uniqueness_plugins_to_new_syntax
 
 # last
-plugin: update_ra_cert_store
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index 7c672e4..34069e7 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -15,6 +15,8 @@ plugin: update_idrange_type
 plugin: update_pacs
 plugin: update_service_principalalias
 plugin: update_upload_cacrt
+# update_ra_cert_store has to be executed after update_ca_renewal_master
+plugin: update_ra_cert_store
 
 # last
 # DNS version 1
diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
index 4fa4edb..2447a34 100644
--- a/ipaserver/install/plugins/ca_renewal_master.py
+++ b/ipaserver/install/plugins/ca_renewal_master.py
@@ -74,7 +74,7 @@ def execute(self, **options):
                 return False, []
 
         criteria = {
-            'cert-database': paths.IPA_RADB_DIR,
+            'cert-database': paths.HTTPD_ALIAS_DIR,
             'cert-nickname': 'ipaCert',
         }
         request_id = certmonger.get_request_id(criteria)

From 73d171a2df9cd5e93878898737ac9b2bbff373b9 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 16 Feb 2017 11:19:09 +0100
Subject: [PATCH 4/5] server upgrade: always upgrade KRA agent PEM file

Before the KRA agent PEM file is exported in server upgrade, the sysupgrade
state file is consulted. This causes the KRA agent PEM file not to be
exported to the new location if the upgrade was executed in the past.

Do not consult the sysupgrade state file to decide whether to upgrade the
KRA agent PEM file or not, the existence of the file is enough to make this
decision.

https://fedorahosted.org/freeipa/ticket/6675
---
 ipaplatform/base/paths.py           | 1 +
 ipaserver/install/server/upgrade.py | 7 ++++---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 8db9e61..5d5fb99 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -39,6 +39,7 @@ class BasePathNamespace(object):
     HOSTS = "/etc/hosts"
     ETC_HTTPD_DIR = "/etc/httpd"
     HTTPD_ALIAS_DIR = "/etc/httpd/alias"
+    OLD_KRA_AGENT_PEM = "/etc/httpd/alias/kra-agent.pem"
     IPA_RADB_DIR = "/var/lib/ipa/radb"
     HTTPD_CONF_D_DIR = "/etc/httpd/conf.d/"
     HTTPD_IPA_KDCPROXY_CONF = "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf"
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index e65592c..1acad55 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1386,7 +1386,9 @@ def fix_trust_flags():
 def export_kra_agent_pem():
     root_logger.info('[Exporting KRA agent PEM file]')
 
-    if sysupgrade.get_upgrade_state('http', 'export_kra_agent_pem'):
+    sysupgrade.remove_upgrade_state('http', 'export_kra_agent_pem')
+
+    if os.path.exists(paths.KRA_AGENT_PEM):
         root_logger.info("KRA agent PEM file already exported")
         return
 
@@ -1395,8 +1397,7 @@ def export_kra_agent_pem():
         return
 
     krainstance.export_kra_agent_pem()
-
-    sysupgrade.set_upgrade_state('http', 'export_kra_agent_pem', True)
+    installutils.remove_file(paths.OLD_KRA_AGENT_PEM)
 
 
 def update_mod_nss_protocol(http):

From bfe1d3160fcb68d1410a1f4cde89aac903f44fd5 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 20 Feb 2017 08:24:47 +0100
Subject: [PATCH 5/5] server upgrade: uninstall ipa_memcached properly

Make sure ipa_memcached is not running and no stale state is left in the
sysupgrade state file on server upgrade.

https://fedorahosted.org/freeipa/ticket/5959
---
 ipaserver/install/server/upgrade.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 1acad55..26f6b8f 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -79,14 +79,12 @@ def uninstall_ipa_memcached():
     We can't use the full service uninstaller because that will attempt
     to stop and disable the service which by now doesn't exist. We just
     want to clean up sysrestore.state to remove all references to
-    ipa_kpasswd.
+    ipa_memcached.
     """
     ipa_memcached = service.SimpleServiceInstance('ipa_memcached')
 
-    enabled = not ipa_memcached.restore_state("enabled")
+    ipa_memcached.uninstall()
 
-    if enabled is not None and not enabled:
-        ipa_memcached.remove()
 
 def backup_file(filename, ext):
     """Make a backup of filename using ext as the extension. Do not overwrite
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to