URL: https://github.com/freeipa/freeipa/pull/531
Author: HonzaCholasta
 Title: #531: httpinstance: don't load system trust module in /etc/httpd/alias
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/531/head:pr531
git checkout pr531
From 1ba0d5d73119ac45e9c4fe39440f61f448dbf3a3 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 1 Mar 2017 17:54:05 +0100
Subject: [PATCH] httpinstance: disable system trust module in /etc/httpd/alias

Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled. This is problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the
  system trust module is enabled in the database. This may cause IPA
  unrelated CAs to be trusted by httpd, or even IPA related CAs not to be
  trusted by httpd.

* On client install, the IPA trust configuration is copied to the system
  trust store for third parties. When this configuration is removed, it may
  cause loss of trust information in /etc/httpd/alias

* When a CA certificate provided by the user in CA-less install conflicts
  with a CA certificate in the system trust store, the latter may be used
  by httpd, leading to broken https

Disable the system trust module on install and upgrade to prevent the
system trust store to be used in /etc/httpd/alias and fix all of the above

 ipaplatform/base/paths.py           |  1 +
 ipaserver/install/httpinstance.py   | 12 ++++++++++++
 ipaserver/install/server/upgrade.py | 16 ++++++++++++++++
 3 files changed, 29 insertions(+)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index e4d4f2e..19a44fc 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -165,6 +165,7 @@ class BasePathNamespace(object):
     BIN_KVNO = "/usr/bin/kvno"
     LDAPMODIFY = "/usr/bin/ldapmodify"
     LDAPPASSWD = "/usr/bin/ldappasswd"
+    MODUTIL = "/usr/bin/modutil"
     NET = "/usr/bin/net"
     BIN_NISDOMAINNAME = "/usr/bin/nisdomainname"
     NSUPDATE = "/usr/bin/nsupdate"
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 0c2216e..91b039c 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -349,11 +349,23 @@ def create_password_conf(self):
         os.chown(pwd_conf, pent.pw_uid, pent.pw_gid)
         os.chmod(pwd_conf, 0o400)
+    def disable_system_trust(self):
+        try:
+            ipautil.run([paths.MODUTIL,
+                         '-dbdir', paths.HTTPD_ALIAS_DIR,
+                         '-disable', 'Root Certs',
+                         '-force'])
+        except ipautil.CalledProcessError:
+            return False
+        else:
+            return True
     def __setup_ssl(self):
         db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
                           subject_base=self.subject_base, user="root",
                           truncate=(not self.promote))
+        self.disable_system_trust()
         if self.pkcs12_info:
             if self.ca_is_configured:
                 trust_flags = 'CT,C,C'
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index d7271e5..bc79a9f 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1495,6 +1495,21 @@ def enable_anonymous_principal(krb):
+def disable_httpd_system_trust(http):
+    ca_certs = []
+    db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+    for nickname, trust_flags in db.list_certs():
+        if 'u' not in trust_flags:
+            cert = db.get_cert_from_db(nickname, pem=False)
+            if cert:
+                ca_certs.append((cert, nickname, trust_flags))
+    if http.disable_system_trust():
+        for cert, nickname, trust_flags in ca_certs:
+            db.add_cert(cert, nickname, trust_flags)
 def upgrade_configuration():
     Execute configuration upgrade of the IPA services
@@ -1630,6 +1645,7 @@ def upgrade_configuration():
+    disable_httpd_system_trust(http)
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to