Re: [Freeipa-devel] [PATCH 0374-0375] Fix permissions on newly created directories

2015-12-14 Thread Tomas Babej


On 12/11/2015 07:19 PM, Martin Basti wrote:
> 
> 
> On 10.12.2015 15:18, Martin Basti wrote:
>> Hello,
>>
>> patch 0374 fixes the ticket, but I found more issues with directory
>> permissions, which I fixed in 0375
>>
>> https://fedorahosted.org/freeipa/ticket/5520
>>
>> Patches attached.
> 
> Patches attached.


ACK, works as expected.

Pushed to master: 4272ba40ea909b1f783a6fada5b1eebb6efbdf93



[Freeipa-devel] [PATCH 0374-0375] Fix permissions on newly created directories

2015-12-13 Thread Martin Basti

Hello,

patch 0374 fixes the ticket, but I found more issues with directory 
permissions, which I fixed in 0375


https://fedorahosted.org/freeipa/ticket/5520

Patches attached.
From ae0bcea3f6173bd6466d26a7d0cb2886029a10f6 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 9 Dec 2015 12:12:22 +0100
Subject: [PATCH] DNS: fix file permissions

With a non-default umask, named-pkcs11 cannot access the softhsm token storage

https://fedorahosted.org/freeipa/ticket/5520
---
 ipaserver/install/dnskeysyncinstance.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index b2ccc027469a352c815963abfd0c0a61dd37297f..f2a976eecd2c4f6de1e12c46969c6d5addd79e41 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -201,7 +201,8 @@ class DNSKeySyncInstance(service.Service):
 # create dnssec directory
 if not os.path.exists(paths.IPA_DNSSEC_DIR):
 self.logger.debug("Creating %s directory", paths.IPA_DNSSEC_DIR)
-os.mkdir(paths.IPA_DNSSEC_DIR, 0o770)
+os.mkdir(paths.IPA_DNSSEC_DIR)
+os.chmod(paths.IPA_DNSSEC_DIR, 0o770)
 # chown ods:named
 os.chown(paths.IPA_DNSSEC_DIR, self.ods_uid, self.named_gid)
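Review bot: Dropping the mode argument from `os.mkdir` leaves `paths.IPA_DNSSEC_DIR` with umask-derived permissions (0o777 masked by the umask) until the `os.chmod` on the next line runs, which is wider than 0o770 whenever the install umask is permissive; since the umask can only clear bits, keeping the mode on mkdir costs nothing while the chmod still repairs a restrictive umask, i.e. `os.mkdir(paths.IPA_DNSSEC_DIR, 0o770)` followed by `os.chmod(paths.IPA_DNSSEC_DIR, 0o770)`. The same mkdir-then-chmod pattern is used in the ipa_backup.py hunks of the second patch (`self.dir` and `backup_dir`) and in the cainstance.py hunk, and the whole patch set is quoted again later in the thread. The chmod and chown also run only when the directory did not already exist, so a directory left over from an earlier failed run with the wrong mode or owner is not corrected; either a comment such as `# an existing directory keeps its current mode and owner` or moving the two calls out of the `if` would make that explicit. The enclosing method starts and ends outside the hunk.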
 
@@ -218,6 +219,7 @@ class DNSKeySyncInstance(service.Service):
 named_fd.truncate(0)
 named_fd.write(softhsm_conf_txt)
 named_fd.close()
+os.chmod(paths.DNSSEC_SOFTHSM2_CONF, 0o644)
 
 # setting up named to use softhsm2
 if not self.fstore.has_file(paths.SYSCONFIG_NAMED):
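Review bot: `os.chmod(paths.DNSSEC_SOFTHSM2_CONF, 0o644)` makes the file world-readable with nothing in the code saying why; the commit message explains that named-pkcs11 must reach the token storage under a non-default umask, so a one-line comment such as `# named-pkcs11 must be able to read softhsm2.conf regardless of the install umask` keeps that intent next to the call. The write and close on the lines above are not inside a `with` block, so an exception in `write` presumably leaves the file with whatever mode it was created with and never reaches this chmod; that pre-dates the change but is worth noting. The enclosing method starts and ends outside the hunk.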
-- 
2.5.0

From 57f7841185e6e25d12ca83a537d2cb7184854a23 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 9 Dec 2015 13:40:04 +0100
Subject: [PATCH] Explicitly call chmod on newly created directories

Without calling os.chmod(), the umask is effective and may cause the
directory to be created with permissions that cause a failure.

This can be related to https://fedorahosted.org/freeipa/ticket/5520
---
 ipaplatform/base/services.py |  1 +
 ipaserver/install/cainstance.py  |  1 +
 ipaserver/install/ipa_backup.py  |  7 ---
 ipaserver/install/ipa_replica_prepare.py |  3 ++-
 ipaserver/install/ipa_restore.py | 10 ++
 5 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py
index da2f1011e34431664cd5c730668ae483b7bd0a1d..e6a0403b6edfb62a1d7f807fef93121718ba59f5 100644
--- a/ipaplatform/base/services.py
+++ b/ipaplatform/base/services.py
@@ -421,6 +421,7 @@ class SystemdService(PlatformService):
 try:
 if not ipautil.dir_exists(srv_tgt):
 os.mkdir(srv_tgt)
+os.mkdir(srv_tgt, 0o755)
 if os.path.exists(srv_lnk):
 # Remove old link
 os.unlink(srv_lnk)
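Review bot: The added line calls `os.mkdir(srv_tgt, 0o755)` on the directory that the previous line has just created, so on the create path it raises `OSError` (EEXIST) instead of adjusting the mode; the commit message and every other hunk of the patch show the intended call is `os.chmod(srv_tgt, 0o755)`. The call sits inside a `try:` whose `except` clause is outside the hunk, so depending on what that clause catches the error may be swallowed and the link handling below skipped silently, which is why this deserves a test run with a non-default umask. The same line appears again in the quoted copy of the patch later in the thread. The enclosing method starts and ends outside the hunk.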
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 2ca718a7b6799b7daf825918517a54852746a84f..56ec3fe74e8d4adfe17f46a62f705021f6a81f75 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -794,6 +794,7 @@ class CAInstance(DogtagInstance):
 
 if not ipautil.dir_exists(self.ra_agent_db):
 os.mkdir(self.ra_agent_db)
+os.chmod(self.ra_agent_db, 0o755)
 
 # Create the password file for this db
 hex_str = binascii.hexlify(os.urandom(10))
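Review bot: `os.chmod(self.ra_agent_db, 0o755)` makes the RA agent database directory world-readable and traversable, and the lines that follow create a password file inside it from `os.urandom`; whether that file and the NSS database files receive restrictive modes of their own is outside the hunk, so the protection of those secrets rests on the later code rather than on this chmod. A comment like `# directory is world-readable; the password file and NSS db files created below must carry their own restrictive modes` would record that dependency for the next reader. The enclosing method starts and ends outside the hunk.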
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 6d97ef13b383b9917fa70426a99463f8c14955e8..523cb9180f36a32f3d18547c9b5db86e913985d9 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -272,8 +272,8 @@ class Backup(admintool.AdminTool):
 os.chown(self.top_dir, pent.pw_uid, pent.pw_gid)
 os.chmod(self.top_dir, 0o750)
 self.dir = os.path.join(self.top_dir, "ipa")
-os.mkdir(self.dir, 0o750)
-
+os.mkdir(self.dir)
+os.chmod(self.dir, 0o750)
 os.chown(self.dir, pent.pw_uid, pent.pw_gid)
 
 self.header = os.path.join(self.top_dir, 'header')
@@ -585,7 +585,8 @@ class Backup(admintool.AdminTool):
 backup_dir = os.path.join(paths.IPA_BACKUP_DIR, time.strftime('ipa-full-%Y-%m-%d-%H-%M-%S'))
 filename = os.path.join(backup_dir, "ipa-full.tar")
 
-os.mkdir(backup_dir, 0o700)
+os.mkdir(backup_dir)
+os.chmod(backup_dir, 0o700)
 
 cwd = os.getcwd()
 os.chdir(self.dir)
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index c1bce693b37d26944339f0797b5c15b3da847215..cef0228ea87b8e0bc2c01cfe4b1589811c631c79 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -361,7 +361,8 @@ class ReplicaPrepare(admintool.AdminTool):
 
 self.top_dir = tempfile.mkdtemp("ipa")
 self.dir = os.path.j

Re: [Freeipa-devel] [PATCH 0374-0375] Fix permissions on newly created directories

2015-12-11 Thread Martin Basti



On 10.12.2015 15:18, Martin Basti wrote:

Hello,

patch 0374 fixes the ticket, but I found more issues with directory 
permissions, which I fixed in 0375


https://fedorahosted.org/freeipa/ticket/5520

Patches attached.


Patches attached.
From ae0bcea3f6173bd6466d26a7d0cb2886029a10f6 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 9 Dec 2015 12:12:22 +0100
Subject: [PATCH] DNS: fix file permissions

With a non-default umask, named-pkcs11 cannot access the softhsm token storage

https://fedorahosted.org/freeipa/ticket/5520
---
 ipaserver/install/dnskeysyncinstance.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index b2ccc027469a352c815963abfd0c0a61dd37297f..f2a976eecd2c4f6de1e12c46969c6d5addd79e41 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -201,7 +201,8 @@ class DNSKeySyncInstance(service.Service):
 # create dnssec directory
 if not os.path.exists(paths.IPA_DNSSEC_DIR):
 self.logger.debug("Creating %s directory", paths.IPA_DNSSEC_DIR)
-os.mkdir(paths.IPA_DNSSEC_DIR, 0o770)
+os.mkdir(paths.IPA_DNSSEC_DIR)
+os.chmod(paths.IPA_DNSSEC_DIR, 0o770)
 # chown ods:named
 os.chown(paths.IPA_DNSSEC_DIR, self.ods_uid, self.named_gid)
 
@@ -218,6 +219,7 @@ class DNSKeySyncInstance(service.Service):
 named_fd.truncate(0)
 named_fd.write(softhsm_conf_txt)
 named_fd.close()
+os.chmod(paths.DNSSEC_SOFTHSM2_CONF, 0o644)
 
 # setting up named to use softhsm2
 if not self.fstore.has_file(paths.SYSCONFIG_NAMED):
-- 
2.5.0

From 57f7841185e6e25d12ca83a537d2cb7184854a23 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 9 Dec 2015 13:40:04 +0100
Subject: [PATCH] Explicitly call chmod on newly created directories

Without calling os.chmod(), the umask is effective and may cause the
directory to be created with permissions that cause a failure.

This can be related to https://fedorahosted.org/freeipa/ticket/5520
---
 ipaplatform/base/services.py |  1 +
 ipaserver/install/cainstance.py  |  1 +
 ipaserver/install/ipa_backup.py  |  7 ---
 ipaserver/install/ipa_replica_prepare.py |  3 ++-
 ipaserver/install/ipa_restore.py | 10 ++
 5 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py
index da2f1011e34431664cd5c730668ae483b7bd0a1d..e6a0403b6edfb62a1d7f807fef93121718ba59f5 100644
--- a/ipaplatform/base/services.py
+++ b/ipaplatform/base/services.py
@@ -421,6 +421,7 @@ class SystemdService(PlatformService):
 try:
 if not ipautil.dir_exists(srv_tgt):
 os.mkdir(srv_tgt)
+os.mkdir(srv_tgt, 0o755)
 if os.path.exists(srv_lnk):
 # Remove old link
 os.unlink(srv_lnk)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 2ca718a7b6799b7daf825918517a54852746a84f..56ec3fe74e8d4adfe17f46a62f705021f6a81f75 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -794,6 +794,7 @@ class CAInstance(DogtagInstance):
 
 if not ipautil.dir_exists(self.ra_agent_db):
 os.mkdir(self.ra_agent_db)
+os.chmod(self.ra_agent_db, 0o755)
 
 # Create the password file for this db
 hex_str = binascii.hexlify(os.urandom(10))
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 6d97ef13b383b9917fa70426a99463f8c14955e8..523cb9180f36a32f3d18547c9b5db86e913985d9 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -272,8 +272,8 @@ class Backup(admintool.AdminTool):
 os.chown(self.top_dir, pent.pw_uid, pent.pw_gid)
 os.chmod(self.top_dir, 0o750)
 self.dir = os.path.join(self.top_dir, "ipa")
-os.mkdir(self.dir, 0o750)
-
+os.mkdir(self.dir)
+os.chmod(self.dir, 0o750)
 os.chown(self.dir, pent.pw_uid, pent.pw_gid)
 
 self.header = os.path.join(self.top_dir, 'header')
@@ -585,7 +585,8 @@ class Backup(admintool.AdminTool):
 backup_dir = os.path.join(paths.IPA_BACKUP_DIR, time.strftime('ipa-full-%Y-%m-%d-%H-%M-%S'))
 filename = os.path.join(backup_dir, "ipa-full.tar")
 
-os.mkdir(backup_dir, 0o700)
+os.mkdir(backup_dir)
+os.chmod(backup_dir, 0o700)
 
 cwd = os.getcwd()
 os.chdir(self.dir)
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index c1bce693b37d26944339f0797b5c15b3da847215..cef0228ea87b8e0bc2c01cfe4b1589811c631c79 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -361,7 +361,8 @@ class ReplicaPrepare(admintool.AdminTool):
 
 self