author | Martin Kosek <mkosek@redhat.com> | 2011-06-17 14:19:45 +0200 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-06-21 23:45:00 -0400 |
commit | b227208d010bf88a11c46149ac5844c4a55ab9ad (patch) | |
tree | 5bbfe6b3f803995394de1b089c5d09bbf9bf2f8b /install/tools/ipa-replica-install | |
parent | ba42b700eb98978fa5403bf5e39f9c9e31338fb4 (diff) | |
Fix IPA install for secure umask
Make sure that IPA can be installed with root umask set to secure
value 077. ipa-server-install was failing in DS configuration phase
when dirsrv tried to read boot.ldif created during installation.
https://fedorahosted.org/freeipa/ticket/1282
Diffstat (limited to 'install/tools/ipa-replica-install')
-rwxr-xr-x | install/tools/ipa-replica-install | 28 |
1 files changed, 16 insertions, 12 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index c39d992de..16f849567 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -443,18 +443,22 @@ def main():
 # Create the management framework config file
 # Note: We must do this before bootstraping and finalizing ipalib.api
- fd = open("/etc/ipa/default.conf", "w")
- fd.write("[global]\n")
- fd.write("basedn=" + util.realm_to_suffix(config.realm_name) + "\n")
- fd.write("realm=" + config.realm_name + "\n")
- fd.write("domain=" + config.domain_name + "\n")
- fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % config.host_name)
- fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(config.realm_name))
- if ipautil.file_exists(config.dir + "/cacert.p12"):
- fd.write("enable_ra=True\n")
- fd.write("ra_plugin=dogtag\n")
- fd.write("mode=production\n")
- fd.close()
+ old_umask = os.umask(022) # must be readable for httpd
+ try:
+ fd = open("/etc/ipa/default.conf", "w")
+ fd.write("[global]\n")
+ fd.write("basedn=" + util.realm_to_suffix(config.realm_name) + "\n")
+ fd.write("realm=" + config.realm_name + "\n")
+ fd.write("domain=" + config.domain_name + "\n")
+ fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % config.host_name)
+ fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(config.realm_name))
+ if ipautil.file_exists(config.dir + "/cacert.p12"):
+ fd.write("enable_ra=True\n")
+ fd.write("ra_plugin=dogtag\n")
+ fd.write("mode=production\n")
+ fd.close()
+ finally:
+ os.umask(old_umask)
 api.bootstrap(in_server=True)
 api.finalize() |
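Review bot: Setting the umask to 022 before `open("/etc/ipa/default.conf", "w")` only decides the mode when the file is newly created; if the file already exists (for instance from an earlier, aborted install), opening with "w" truncates it and keeps whatever mode it had, so it can stay unreadable for httpd or keep looser permissions than intended. Setting the mode explicitly once the file is written, e.g. `os.chmod("/etc/ipa/default.conf", 0644)`, would make the result independent of both the caller's umask and any prior state. Separately, `fd.close()` sits in the `try` body rather than in `finally`, so a failed write restores the umask but leaves the descriptor open until the process exits. main() starts and continues outside this hunk, so whether the file is removed or checked earlier cannot be seen from here.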