[Freeipa-devel] [PATCH] 0010 fix /etc/sysconfig/network permissions in ipa-client-install

2011-08-10 Thread Alexander Bokovoy
Ensure network configuration file has proper permissions

As network configuration file is created as temporary file, it has
stricter permissions than we need for the target system configuration
file. Ensure permissions are properly reset before installing file.

If permissions are not reset, system may have no networking enabled
after reboot.
-- 
/ Alexander Bokovoy
From 2df08449eec5c64f64b20232842f6432b8b64f8f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Wed, 10 Aug 2011 14:54:32 +0300
Subject: [PATCH] Ensure network configuration file has proper permissions

As network configuration file is created as temporary file, it has stricter permissions than
we need for the target system configuration file. Ensure permissions are properly reset before
installing file.

If permissions are not reset, system may have no networking enabled after reboot.
---
 ipa-client/ipa-install/ipa-client-install |4 
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install 
b/ipa-client/ipa-install/ipa-client-install
index 
e3b9dfbab5975aade08ee36e98fc9a048df76784..5f94b1f94f0574c366dcd1073eda7b19f7d89402
 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -23,6 +23,7 @@ try:
 import sys
 
 import os
+import stat
 import time
 import socket
 import logging
@@ -564,6 +565,9 @@ $)''', re.VERBOSE)
 statestore.backup_state('network', 'hostname', 
value)
 new_config.write(new_line)
 new_config.flush()
+# Make sure the resulting file is readable by others before installing 
it
+os.fchmod(new_config.fileno(), stat.S_IRUSR | stat.S_IWUSR | 
stat.S_IRGRP | stat.S_IROTH)
+os.fchown(new_config.fileno(), 0, 0)
 
 # At this point new_config is closed but not removed due to 'delete=False' 
above
 # Now, install the temporary file as configuration and ensure old version 
is available as .orig
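Review bot: the mode and owner in the added os.fchmod/os.fchown calls are hard-coded (0644 via the S_I* flags, uid 0, gid 0) rather than taken from the file being replaced. If the existing configuration file carries a different mode or group, this silently changes it; consider reading os.stat() on the existing file and applying its st_mode, st_uid and st_gid, falling back to these constants only when no file exists yet. The added comment says "readable by others", which matches the S_IROTH bit, so the constants are at least consistent with the stated intent.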
-- 
1.7.6

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
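
The failure mode described in this message, as an added example (not code from the patch or the FreeIPA tree): Python's tempfile module creates files with mode 0600, so a configuration file installed from one keeps that mode unless it is reset while the descriptor is still open. `install_config`, `demo` and the scratch file are hypothetical names, and the code is Python 3, whereas the patch targets Python 2.

```python
import os
import shutil
import stat
import tempfile

CONFIG_MODE = stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH  # 0644


def install_config(target, new_text, mode=CONFIG_MODE):
    """Replace `target` with `new_text`, keeping the old version as target + '.orig'.

    Returns (mode the temp file was created with, mode of the installed file).
    """
    directory = os.path.dirname(os.path.abspath(target))
    # Same directory as the target, so the final rename stays on one filesystem.
    tmp = tempfile.NamedTemporaryFile("w", dir=directory, delete=False)
    try:
        with tmp:
            tmp.write(new_text)
            tmp.flush()
            created_mode = stat.S_IMODE(os.fstat(tmp.fileno()).st_mode)
            # Widen the mode while the descriptor is still open, before the
            # file becomes visible under its final name.
            os.fchmod(tmp.fileno(), mode)
            if os.geteuid() == 0:  # only root can hand the file to root:root
                os.fchown(tmp.fileno(), 0, 0)
            os.fsync(tmp.fileno())
        if os.path.exists(target):
            shutil.copy2(target, target + ".orig")
        os.replace(tmp.name, target)  # atomic swap on POSIX
    except BaseException:
        if os.path.exists(tmp.name):
            os.unlink(tmp.name)
        raise
    return created_mode, stat.S_IMODE(os.stat(target).st_mode)


def demo():
    # Constructed sample content in a scratch directory, not a real system file.
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "network")
        with open(target, "w") as f:
            f.write("NETWORKING=yes\nHOSTNAME=old.example.test\n")
        os.chmod(target, 0o644)
        modes = install_config(target, "NETWORKING=yes\nHOSTNAME=client.example.test\n")
        with open(target) as f:
            return modes, f.read(), os.path.exists(target + ".orig")
```

On an SELinux host the installed file would still need its label restored, which is what the follow-up patch in this thread adds with restorecon.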

Re: [Freeipa-devel] [PATCH] 0010 fix /etc/sysconfig/network permissions in ipa-client-install

2011-08-10 Thread Alexander Bokovoy
On 10.08.2011 14:57, Alexander Bokovoy wrote:
> Ensure network configuration file has proper permissions
>
> As network configuration file is created as temporary file, it has
> stricter permissions than we need for the target system configuration
> file. Ensure permissions are properly reset before installing file.
>
> If permissions are not reset, system may have no networking enabled
> after reboot.

Forgot to add: this is a brown-bag bug worth including in the 2.1 release.
At least, it affected a fresh server install for me using the ipa-devel repo.

-- 
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 0010 fix /etc/sysconfig/network permissions in ipa-client-install

2011-08-10 Thread Alexander Bokovoy
On 10.08.2011 14:57, Alexander Bokovoy wrote:
> Ensure network configuration file has proper permissions
>
> As network configuration file is created as temporary file, it has
> stricter permissions than we need for the target system configuration
> file. Ensure permissions are properly reset before installing file.
>
> If permissions are not reset, system may have no networking enabled
> after reboot.
One more fix: relabel SELinux label after copying file.
-- 
/ Alexander Bokovoy
From 3cdc4a2eaa6691be4660cb1239ca271cd620ecf5 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Wed, 10 Aug 2011 15:15:01 +0300
Subject: [PATCH] Ensure network configuration file has proper permissions

As network configuration file is created as temporary file, it has stricter permissions than
we need for the target system configuration file. Ensure permissions are properly reset before
installing file.

If permissions are not re-set, system may have no networking enabled after reboot.
---
 ipa-client/ipa-install/ipa-client-install |   10 ++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install 
b/ipa-client/ipa-install/ipa-client-install
index 
e3b9dfbab5975aade08ee36e98fc9a048df76784..1caf9c1ee4d0c30d1267f5bc028291a56f02e7c8
 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -23,6 +23,7 @@ try:
 import sys
 
 import os
+import stat
 import time
 import socket
 import logging
@@ -564,6 +565,9 @@ $)''', re.VERBOSE)
 statestore.backup_state('network', 'hostname', 
value)
 new_config.write(new_line)
 new_config.flush()
+# Make sure the resulting file is readable by others before installing 
it
+os.fchmod(new_config.fileno(), stat.S_IRUSR | stat.S_IWUSR | 
stat.S_IRGRP | stat.S_IROTH)
+os.fchown(new_config.fileno(), 0, 0)
 
 # At this point new_config is closed but not removed due to 'delete=False' 
above
 # Now, install the temporary file as configuration and ensure old version 
is available as .orig
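Review bot: both added calls go through new_config.fileno(), yet the context comment directly below them says new_config is already closed at that point, so the change only works if these lines sit inside the block where the file is still open; fileno() on a closed file raises ValueError. Neither call has error handling either, unlike the restorecon call added further down in this patch, so an OSError from os.fchown would abort the installer at this step; a try/except that reports the failure in the same style would keep the behaviour consistent.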
@@ -574,6 +578,12 @@ $)''', re.VERBOSE)
 except CalledProcessError, e:
 print sys.stderr, Failed to set this machine hostname to %s (%s). 
% (hostname, str(e))
 
+# For SE Linux environments it is important to reset SE labels to the 
expected ones
+try:
+ipautil.run(['/sbin/restorecon', network_filename])
+except CalledProcessError, e:
+print sys.stderr, Failed to set permissions for %s (%s). % 
(network_filename, str(e))
+
 def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
 sssdconfig = SSSDConfig.SSSDConfig()
 sssdconfig.new_config()
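Review bot: the message in the added except branch reads "Failed to set permissions for %s", but the command that failed is /sbin/restorecon, which restores the SELinux label and does not touch file permissions; reword it along the lines of "Failed to restore SELinux context for %s" so the output points at the right problem. The path /sbin/restorecon is also hard-coded and only CalledProcessError is caught, so it is worth confirming how ipautil.run behaves on a host where that binary is absent.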
-- 
1.7.6


Re: [Freeipa-devel] [PATCH] 0010 fix /etc/sysconfig/network permissions in ipa-client-install

2011-08-10 Thread Martin Kosek
On Wed, 2011-08-10 at 15:16 +0300, Alexander Bokovoy wrote:
> On 10.08.2011 14:57, Alexander Bokovoy wrote:
> > Ensure network configuration file has proper permissions
> >
> > As network configuration file is created as temporary file, it has
> > stricter permissions than we need for the target system configuration
> > file. Ensure permissions are properly reset before installing file.
> >
> > If permissions are not reset, system may have no networking enabled
> > after reboot.
> One more fix: relabel SELinux label after copying file.

ACK. This one is important so pushed to master. I just added a link to
the bug comment before pushing.

Martin
