authorMartin Kosek <mkosek@redhat.com>2011-09-06 08:39:24 +0200
committerMartin Kosek <mkosek@redhat.com>2011-09-07 13:03:09 +0200
commitf2fd7588e4efea1ad41a60930ca969802fb9ca42 (patch)
tree16047693187e42124e527eab5aa026f6c28fc92a /ipaserver
parent6f95ff8a4b87dbc1d5d49c5c7b8c8825ddf284f4 (diff)
Fix permissions in installers
Fix permissions for (configuration) files produced by ipa-server-install or ipa-client-install. This patch is needed when root has a umask preventing files from being world readable. https://fedorahosted.org/freeipa/ticket/1644
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/dsinstance.py15
-rw-r--r--ipaserver/install/httpinstance.py16
-rw-r--r--ipaserver/install/krbinstance.py6
3 files changed, 24 insertions, 13 deletions
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 09ef8c5..8ccb22c 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -356,13 +356,14 @@ class DsInstance(service.Service):
self.sub_dict['BASEDC'] = self.realm_name.split('.')[0].lower()
base_txt = ipautil.template_str(BASE_TEMPLATE, self.sub_dict)
logging.debug(base_txt)
- old_umask = os.umask(022) # must be readable for dirsrv
- try:
- base_fd = open("/var/lib/dirsrv/boot.ldif", "w")
- base_fd.write(base_txt)
- base_fd.close()
- finally:
- os.umask(old_umask)
+
+ target_fname = '/var/lib/dirsrv/boot.ldif'
+ base_fd = open(target_fname, "w")
+ base_fd.write(base_txt)
+ base_fd.close()
+
+ # Must be readable for dirsrv
+ os.chmod(target_fname, 0440)
inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict)
logging.debug("writing inf template")
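Review bot: The new mode `0440` on `/var/lib/dirsrv/boot.ldif` drops the world-read bit that the old `umask(022)` path granted, but no `os.chown` is visible in this hunk, so the "Must be readable for dirsrv" comment only holds if the file is owned or group-owned by the directory server account. If ownership is not set elsewhere in the method, which continues outside the hunk, add a chown to the dirsrv user next to the chmod, or say in the comment which owner/group makes `0440` sufficient. Separately, the file keeps its umask-derived (or pre-existing) permissions until the path-based chmod runs; calling `os.fchmod(base_fd.fileno(), 0440)` right after `open()` and before the write would close that window and apply the mode to the handle that was actually written.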
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 04d1ed4..775d5a7 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -136,17 +136,21 @@ class HTTPInstance(service.Service):
os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)
def __configure_http(self):
+ target_fname = '/etc/httpd/conf.d/ipa.conf'
http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
self.fstore.backup_file("/etc/httpd/conf.d/ipa.conf")
- http_fd = open("/etc/httpd/conf.d/ipa.conf", "w")
+ http_fd = open(target_fname, "w")
http_fd.write(http_txt)
http_fd.close()
+ os.chmod(target_fname, 0644)
+ target_fname = '/etc/httpd/conf.d/ipa-rewrite.conf'
http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa-rewrite.conf", self.sub_dict)
self.fstore.backup_file("/etc/httpd/conf.d/ipa-rewrite.conf")
- http_fd = open("/etc/httpd/conf.d/ipa-rewrite.conf", "w")
+ http_fd = open(target_fname, "w")
http_fd.write(http_txt)
http_fd.close()
+ os.chmod(target_fname, 0644)
def __disable_mod_ssl(self):
if os.path.exists(SSL_CONF):
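Review bot: In `__configure_http` both `self.fstore.backup_file(...)` calls still pass the literal path even though `target_fname` is assigned just above them, so the backed-up file and the written and chmod-ed file can drift apart if one string is edited later; use `self.fstore.backup_file(target_fname)` in both places. The open/write/close/chmod sequence is also repeated here, in `__setup_autoconfig` and in dsinstance.py. A small helper that writes the text and applies the mode, with `try`/`finally` around the close, would keep the intended mode next to each path and avoid a leaked handle if `write()` raises. The body of `__disable_mod_ssl` at the end of the hunk continues outside it.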
@@ -227,10 +231,12 @@ class HTTPInstance(service.Service):
os.chmod(certs.CA_SERIALNO, 0664)
def __setup_autoconfig(self):
+ target_fname = '/usr/share/ipa/html/preferences.html'
prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "preferences.html.template", self.sub_dict)
- prefs_fd = open("/usr/share/ipa/html/preferences.html", "w")
+ prefs_fd = open(target_fname, "w")
prefs_fd.write(prefs_txt)
prefs_fd.close()
+ os.chmod(target_fname, 0644)
# The signing cert is generated in __setup_ssl
db = certs.CertDB(self.realm, subject_base=self.subject_base)
@@ -240,12 +246,14 @@ class HTTPInstance(service.Service):
pwdfile.close()
tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+ target_fname = '/usr/share/ipa/html/configure.jar'
shutil.copy("/usr/share/ipa/html/preferences.html", tmpdir)
db.run_signtool(["-k", "Signing-Cert",
- "-Z", "/usr/share/ipa/html/configure.jar",
+ "-Z", target_fname,
"-e", ".html", "-p", pwd,
tmpdir])
shutil.rmtree(tmpdir)
+ os.chmod(target_fname, 0755) # everyone can execute the jar
def __publish_ca_cert(self):
ca_db = certs.CertDB(self.realm)
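Review bot: `os.chmod(target_fname, 0755)` sets execute bits on `configure.jar`, which as far as this hunk shows is a signed archive published under `/usr/share/ipa/html/` and fetched by clients rather than run on the server. Read access is all that needs, so `os.chmod(target_fname, 0644)` would match the other published files and keep to least privilege. If something on the server really does execute the jar, the comment should name it, because "everyone can execute the jar" does not explain why the bit is required. The chmod also runs unconditionally after `run_signtool`; whether a failed signing run raises is not visible here, so confirm the chmod cannot be reached with the jar missing. The enclosing method starts outside this hunk.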
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 5326e2f..47fd520 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -316,16 +316,18 @@ class KrbInstance(service.Service):
def __create_replica_instance(self):
self.__create_instance(replica=True)
- def __template_file(self, path):
+ def __template_file(self, path, chmod=0644):
template = os.path.join(ipautil.SHARE_DIR, os.path.basename(path) + ".template")
conf = ipautil.template_file(template, self.sub_dict)
self.fstore.backup_file(path)
fd = open(path, "w+")
fd.write(conf)
fd.close()
+ if chmod is not None:
+ os.chmod(path, chmod)
def __create_instance(self, replica=False):
- self.__template_file("/var/kerberos/krb5kdc/kdc.conf")
+ self.__template_file("/var/kerberos/krb5kdc/kdc.conf", chmod=None)
self.__template_file("/etc/krb5.conf")
self.__template_file("/usr/share/ipa/html/krb5.ini")
self.__template_file("/usr/share/ipa/html/krb.con")
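Review bot: Passing `chmod=None` for `/var/kerberos/krb5kdc/kdc.conf` leaves that file with whatever mode the caller's umask or a pre-existing file provides, unlike every other file this commit touches, so under a permissive umask the KDC configuration can end up more open than intended. Prefer an explicit restrictive mode at the call site, for example `self.__template_file("/var/kerberos/krb5kdc/kdc.conf", chmod=0600)` if the KDC reads it as root (to be confirmed), and reserve `None` for cases with a documented reason. `__template_file` would also benefit from a docstring stating that `chmod` is the mode applied after writing, that `None` skips the call, and that the default `0644` makes the file world-readable. `__create_instance` continues outside the hunk.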