[Freeipa-devel] [PATCH] 0010 fix /etc/sysconfig/network permissions in ipa-client-install
Ensure network configuration file has proper permissions As network configuration file is created as temporary file, it has stricter permissions than we need for the target system configuration file. Ensure permissions are properly reset before installing file. If permissions are not reset, system may have no networking enabled after reboot. -- / Alexander Bokovoy From 2df08449eec5c64f64b20232842f6432b8b64f8f Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Wed, 10 Aug 2011 14:54:32 +0300 Subject: [PATCH] Ensure network configuration file has proper permissions As network configuration file is created as temporary file, it has stricter permissions than we need for the target system configuration file. Ensure permissions are properly reset before installing file. If permissions are not reseted, system may have no networking enabled after reboot. --- ipa-client/ipa-install/ipa-client-install |4 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index e3b9dfbab5975aade08ee36e98fc9a048df76784..5f94b1f94f0574c366dcd1073eda7b19f7d89402 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -23,6 +23,7 @@ try: import sys import os +import stat import time import socket import logging 
@@ -564,6 +565,9 @@ $)''', re.VERBOSE) statestore.backup_state('network', 'hostname', value) new_config.write(new_line) new_config.flush() +# Make sure the resulting file is readable by others before installing it +os.fchmod(new_config.fileno(), stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH) +os.fchown(new_config.fileno(), 0, 0) # At this point new_config is closed but not removed due to 'delete=False' above # Now, install the temporary file as configuration and ensure old version is available as .orig -- 1.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
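Review bot: In the second hunk, the mode and owner are hard-coded (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH and os.fchown(..., 0, 0)) rather than taken from the file being replaced, so any non-default mode or ownership already set on the existing network configuration file is silently overwritten. Consider copying st_mode, st_uid and st_gid from an os.stat() of the existing file when it is present and falling back to these constants otherwise. No error handling for the two calls is visible in the hunk, so an OSError from os.fchown when the installer is not running as root would surface here; a short comment stating that this path always runs as root would document why that is acceptable.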
Re: [Freeipa-devel] [PATCH] 0010 fix /etc/sysconfig/network permissions in ipa-client-install
On 10.08.2011 14:57, Alexander Bokovoy wrote:
> Ensure network configuration file has proper permissions
>
> As network configuration file is created as temporary file, it has stricter permissions than we need for the target system configuration file. Ensure permissions are properly reset before installing file. If permissions are not reset, system may have no networking enabled after reboot.

Forgot to add: this is a brown bag bug worth including in the 2.1 release. At least, it affected a fresh server install for me using the ipa-devel repo.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0010 fix /etc/sysconfig/network permissions in ipa-client-install
On 10.08.2011 14:57, Alexander Bokovoy wrote: Ensure network configuration file has proper permissions As network configuration file is created as temporary file, it has stricter permissions than we need for the target system configuration file. Ensure permissions are properly reset before installing file. If permissions are not reset, system may have no networking enabled after reboot. One more fix: relabel SELinux label after copying file. -- / Alexander Bokovoy From 3cdc4a2eaa6691be4660cb1239ca271cd620ecf5 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Wed, 10 Aug 2011 15:15:01 +0300 Subject: [PATCH] Ensure network configuration file has proper permissions As network configuration file is created as temporary file, it has stricter permissions than we need for the target system configuration file. Ensure permissions are properly reset before installing file. If permissions are not re-set, system may have no networking enabled after reboot. --- ipa-client/ipa-install/ipa-client-install | 10 ++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index e3b9dfbab5975aade08ee36e98fc9a048df76784..1caf9c1ee4d0c30d1267f5bc028291a56f02e7c8 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -23,6 +23,7 @@ try: import sys import os +import stat import time import socket import logging @@ -564,6 +565,9 @@ $)''', re.VERBOSE) statestore.backup_state('network', 'hostname', value) new_config.write(new_line) new_config.flush() +# Make sure the resulting file is readable by others before installing it +os.fchmod(new_config.fileno(), stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH) +os.fchown(new_config.fileno(), 0, 0) # At this point new_config is closed but not removed due to 'delete=False' above # Now, install the temporary file as configuration and ensure old version is available as .orig 
@@ -574,6 +578,12 @@ $)''', re.VERBOSE) except CalledProcessError, e: print sys.stderr, Failed to set this machine hostname to %s (%s). % (hostname, str(e)) +# For SE Linux environments it is important to reset SE labels to the expected ones +try: +ipautil.run(['/sbin/restorecon', network_filename]) +except CalledProcessError, e: +print sys.stderr, Failed to set permissions for %s (%s). % (network_filename, str(e)) + def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options): sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.new_config() -- 1.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
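Review bot: In the restorecon hunk, the failure message reads "Failed to set permissions for %s", but the guarded call relabels the SELinux context of network_filename rather than changing permissions; wording it as a failure to restore the SELinux context would make the output match the operation and keep it distinct from the fchmod/fchown step added earlier in the patch. The path /sbin/restorecon is hard-coded and only CalledProcessError is caught, so it is worth confirming what ipautil.run raises when that binary is absent on a system without the SELinux tools, and either checking for the file first or handling that case so the installer does not stop at this point.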
Re: [Freeipa-devel] [PATCH] 0010 fix /etc/sysconfig/network permissions in ipa-client-install
On Wed, 2011-08-10 at 15:16 +0300, Alexander Bokovoy wrote:
> On 10.08.2011 14:57, Alexander Bokovoy wrote:
> > Ensure network configuration file has proper permissions
> >
> > As network configuration file is created as temporary file, it has stricter permissions than we need for the target system configuration file. Ensure permissions are properly reset before installing file. If permissions are not reset, system may have no networking enabled after reboot.
>
> One more fix: relabel SELinux label after copying file.

ACK. This one is important so pushed to master. I just added a link to the bug comment before pushing.

Martin