URL: https://github.com/freeipa/freeipa/pull/471
Author: HonzaCholasta
Title: #471: Fix some privilege separation regressions
Action: opened

PR body:
"""
**client install: create /etc/ipa/nssdb with correct mode**

The NSS database directory is created with mode 640, which causes the IPA
client to fail to connect to any IPA server, because it is unable to read
trusted CA certificates from the NSS database.

Create the directory with mode 644 to fix the issue.

**server upgrade: fix upgrade in CA-less**

Use /etc/httpd/alias instead of /var/lib/ipa/radb in upload_cacrt, as
/var/lib/ipa/radb is not populated in CA-less.

Do not migrate ipaCert from /etc/httpd/alias to /var/lib/ipa/radb in
CA-less, as it might be an incorrect certificate from previous CA-ful
install, and is not necessary anyway.

**server upgrade: fix upgrade from pre-4.0**

update_ca_renewal_master uses ipaCert certmonger tracking information to
decide whether the local server is the CA renewal master or not. The
information is lost when migrating from /etc/httpd/alias to
/var/lib/ipa/radb in update_ra_cert_store.

Make sure update_ra_cert_store is executed after update_ca_renewal_master
so that correct information is used.

**server upgrade: always upgrade KRA agent PEM file**

Before the KRA agent PEM file is exported in server upgrade, the sysupgrade
state file is consulted. This causes the KRA agent PEM file not to be
exported to the new location if the upgrade was executed in the past.

Do not consult the sysupgrade state file to decide whether to upgrade the
KRA agent PEM file or not, the existence of the file is enough to make this
decision.

https://fedorahosted.org/freeipa/ticket/5959
https://fedorahosted.org/freeipa/ticket/6675
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/471/head:pr471
git checkout pr471
From cca67c28fbc17ae17e1b09fc2a9ff7a692000341 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 16 Feb 2017 10:57:14 +0100
Subject: [PATCH 1/4] client install: create /etc/ipa/nssdb with correct mode

The NSS database directory is created with mode 640, which causes the IPA
client to fail to connect to any IPA server, because it is unable to read
trusted CA certificates from the NSS database.

Create the directory with mode 644 to fix the issue.

https://fedorahosted.org/freeipa/ticket/5959
---
 ipaclient/install/client.py |  2 +-
 ipapython/certdb.py         | 10 ++++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 2b01b0d..396b43c 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2295,7 +2295,7 @@ def create_ipa_nssdb():
         f.write(ipautil.ipa_generate_password())
     os.chmod(pwdfile, 0o600)
 
-    db.create_db(pwdfile)
+    db.create_db(pwdfile, mode=0o755)
     os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644)
     os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644)
     os.chmod(os.path.join(db.secdir, 'secmod.db'), 0o644)
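Review bot: the explicit `os.chmod(pwdfile, 0o600)` two lines above this call is likely undone by it. If `pwdfile` is the database's own `self.pwd_file` (the path that the certdb.py hunk below special-cases in its chmod loop), then `create_db(pwdfile, mode=0o755)` re-chmods it to `mode & 0o660`, i.e. 0o640, and the NSS database password becomes group-readable. Either repeat the 0o600 chmod after `create_db` returns, or make the password-file mask in `create_db` clear the group bits. Two smaller points: the three `os.chmod(..., 0o644)` calls that follow are now redundant, since `mode & 0o666` already yields 0o644 for cert8.db, key3.db and secmod.db; and the commit message says "mode 644" for the directory while the code sets 0o755 (644 is the resulting file mode), so one of them should be corrected.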
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index a6bfcbc..c542cd9 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -126,9 +126,11 @@ def create_db(self, password_filename=None, user=None, group=None,
         """
         dirmode = 0o750
         filemode = 0o640
+        pwdfilemode = 0o640
         if mode is not None:
             dirmode = mode
             filemode = mode & 0o666
+            pwdfilemode = mode & 0o660
 
         uid = -1
         gid = -1
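Review bot: the mask `mode & 0o660` keeps the group read bit on the password file whenever the caller's `mode` has it, so any caller passing 0o755 or 0o750 ends up with a group-readable NSS password file even though the file holds the secret that unlocks key3.db. If group access is meant to be granted only through the explicit `group` parameter, `mode & 0o600` is the safer derivation. The docstring that closes just above this hunk should also spell out the three derived modes (directory gets `mode`, database files `mode & 0o666`, password file `mode & 0o660`), since callers now need to reason about all three.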
@@ -153,7 +155,7 @@ def create_db(self, password_filename=None, user=None, group=None,
             hex_str = binascii.hexlify(os.urandom(10))
             with io.open(os.open(password_filename,
                                  os.O_CREAT | os.O_WRONLY,
-                                 filemode), 'wb', closefd=True) as f:
+                                 pwdfilemode), 'wb', closefd=True) as f:
                 f.write(hex_str)
                 f.flush()
 
@@ -168,7 +170,11 @@ def create_db(self, password_filename=None, user=None, group=None,
             if os.path.exists(path):
                 if uid != -1 or gid != -1:
                     os.chown(path, uid, gid)
-                os.chmod(path, filemode)
+                if path == os.path.abspath(self.pwd_file):
+                    new_mode = pwdfilemode
+                else:
+                    new_mode = filemode
+                os.chmod(path, new_mode)
                 tasks.restore_context(path)
 
     def list_certs(self):
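Review bot: `os.path.abspath(self.pwd_file)` raises `TypeError` if `self.pwd_file` is `None`, and the equality test only works when `path` is itself absolute and normalised, which the loop header (not shown) does not guarantee. Normalise both sides, e.g. compare `os.path.abspath(path)` against `os.path.abspath(self.pwd_file)`, guard the branch with `self.pwd_file is not None`, and since the `os.path.exists(path)` check is already there, `os.path.samefile` would also be an option.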

From 0ed14b1e46dd08a5b66cfedcb41cd04af1055398 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 16 Feb 2017 11:09:04 +0100
Subject: [PATCH 2/4] server upgrade: fix upgrade in CA-less

Use /etc/httpd/alias instead of /var/lib/ipa/radb in upload_cacrt, as
/var/lib/ipa/radb is not populated in CA-less.

Do not migrate ipaCert from /etc/httpd/alias to /var/lib/ipa/radb in
CA-less, as it might be an incorrect certificate from previous CA-ful
install, and is not necessary anyway.

https://fedorahosted.org/freeipa/ticket/5959
---
 ipaserver/install/plugins/update_ra_cert_store.py | 4 ++++
 ipaserver/install/plugins/upload_cacrt.py         | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/plugins/update_ra_cert_store.py b/ipaserver/install/plugins/update_ra_cert_store.py
index d7d28fd..c3aef6f 100644
--- a/ipaserver/install/plugins/update_ra_cert_store.py
+++ b/ipaserver/install/plugins/update_ra_cert_store.py
@@ -22,6 +22,10 @@ class update_ra_cert_store(Updater):
     """
 
     def execute(self, **options):
+        ca_enabled = self.api.Command.ca_is_enabled()['result']
+        if not ca_enabled:
+            return False, []
+
         olddb = certdb.NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
         if not olddb.has_nickname('ipaCert'):
             # Nothign to do
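Review bot: the early return makes the skip invisible in the upgrade log; a short `root_logger.debug`/`info` line saying the RA cert store migration is skipped because the CA is not enabled would help anyone reading an upgrade log from a CA-less replica. While touching this function, the context line just below still reads "Nothign to do"; worth fixing the typo in the same commit.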
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
index 1a78108..425ea63 100644
--- a/ipaserver/install/plugins/upload_cacrt.py
+++ b/ipaserver/install/plugins/upload_cacrt.py
@@ -18,6 +18,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 from ipalib.install import certstore
+from ipaplatform.paths import paths
 from ipaserver.install import certs
 from ipalib import Registry, errors
 from ipalib import Updater
@@ -34,7 +35,7 @@ class update_upload_cacrt(Updater):
     """
 
     def execute(self, **options):
-        db = certs.CertDB(self.api.env.realm)
+        db = certs.CertDB(self.api.env.realm, paths.HTTPD_ALIAS_DIR)
         ca_cert = None
 
         ca_enabled = self.api.Command.ca_is_enabled()['result']
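Review bot: `paths.HTTPD_ALIAS_DIR` is passed positionally, so correctness depends on the second parameter of `certs.CertDB.__init__` being the NSS directory; passing it as a keyword (`nssdir=paths.HTTPD_ALIAS_DIR`) would make the intent explicit and survive a signature change. This also changes where CA-ful installs read the CA certificate from, not just CA-less ones, so please confirm the CA certificate is still present in /etc/httpd/alias after `update_ra_cert_store` has migrated ipaCert, given that with the reordering in patch 3 this plugin runs just before that migration.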

From 021ebdd68677bf646d8b652d4e5fd2a198f06812 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 16 Feb 2017 11:13:13 +0100
Subject: [PATCH 3/4] server upgrade: fix upgrade from pre-4.0

update_ca_renewal_master uses ipaCert certmonger tracking information to
decide whether the local server is the CA renewal master or not. The
information is lost when migrating from /etc/httpd/alias to
/var/lib/ipa/radb in update_ra_cert_store.

Make sure update_ra_cert_store is executed after update_ca_renewal_master
so that correct information is used.

https://fedorahosted.org/freeipa/ticket/5959
---
 install/updates/05-pre_upgrade_plugins.update  | 1 -
 install/updates/90-post_upgrade_plugins.update | 2 ++
 ipaserver/install/plugins/ca_renewal_master.py | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/install/updates/05-pre_upgrade_plugins.update b/install/updates/05-pre_upgrade_plugins.update
index 19918ef..d0e3eb7 100644
--- a/install/updates/05-pre_upgrade_plugins.update
+++ b/install/updates/05-pre_upgrade_plugins.update
@@ -8,4 +8,3 @@ plugin: update_referint
 plugin: update_uniqueness_plugins_to_new_syntax
 
 # last
-plugin: update_ra_cert_store
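Review bot: removing the last entry leaves a dangling `# last` comment at the end of 05-pre_upgrade_plugins.update with nothing after it, which reads as if an entry is missing. Drop the comment too, or move it above `update_uniqueness_plugins_to_new_syntax` if the marker is still wanted.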
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index 7c672e4..34069e7 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -15,6 +15,8 @@ plugin: update_idrange_type
 plugin: update_pacs
 plugin: update_service_principalalias
 plugin: update_upload_cacrt
+# update_ra_cert_store has to be executed after update_ca_renewal_master
+plugin: update_ra_cert_store
 
 # last
 # DNS version 1
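Review bot: the comment documents the ordering requirement but nothing enforces it, and `update_ca_renewal_master` does not appear in the context shown here; please confirm it is listed earlier in this file (or in a lower-numbered update file) so the pre-4.0 regression this patch fixes cannot return on the next reordering. Adding the ticket reference (5959) to the comment would give future editors the reason in one line.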
diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
index 4fa4edb..2447a34 100644
--- a/ipaserver/install/plugins/ca_renewal_master.py
+++ b/ipaserver/install/plugins/ca_renewal_master.py
@@ -74,7 +74,7 @@ def execute(self, **options):
                 return False, []
 
         criteria = {
-            'cert-database': paths.IPA_RADB_DIR,
+            'cert-database': paths.HTTPD_ALIAS_DIR,
             'cert-nickname': 'ipaCert',
         }
         request_id = certmonger.get_request_id(criteria)
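Review bot: once `update_ra_cert_store` has moved ipaCert tracking to /var/lib/ipa/radb, this lookup against `paths.HTTPD_ALIAS_DIR` will find nothing on any later upgrade run. That is only harmless if the `return False, []` guard visible above already covers every case where the renewal master has been recorded; if a server could reach this point with the migration done but the renewal master still unset, fall back to `paths.IPA_RADB_DIR` when `request_id` is None under HTTPD_ALIAS_DIR.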

From a72a5abfe5a21ca05757c9705bc2a21fc04a8ffe Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 16 Feb 2017 11:19:09 +0100
Subject: [PATCH 4/4] server upgrade: always upgrade KRA agent PEM file

Before the KRA agent PEM file is exported in server upgrade, the sysupgrade
state file is consulted. This causes the KRA agent PEM file not to be
exported to the new location if the upgrade was executed in the past.

Do not consult the sysupgrade state file to decide whether to upgrade the
KRA agent PEM file or not, the existence of the file is enough to make this
decision.

https://fedorahosted.org/freeipa/ticket/6675
---
 ipaserver/install/server/upgrade.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 41da723..779fd26 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1386,7 +1386,9 @@ def fix_trust_flags():
 def export_kra_agent_pem():
     root_logger.info('[Exporting KRA agent PEM file]')
 
-    if sysupgrade.get_upgrade_state('http', 'export_kra_agent_pem'):
+    sysupgrade.remove_upgrade_state('http', 'export_kra_agent_pem')
+
+    if os.path.exists(paths.KRA_AGENT_PEM):
         root_logger.info("KRA agent PEM file already exported")
         return
 
@@ -1396,8 +1398,6 @@ def export_kra_agent_pem():
 
     krainstance.export_kra_agent_pem()
 
-    sysupgrade.set_upgrade_state('http', 'export_kra_agent_pem', True)
-
 
 def update_mod_nss_protocol(http):
     root_logger.info('[Updating mod_nss protocol versions]')