From b227208d010bf88a11c46149ac5844c4a55ab9ad Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Fri, 17 Jun 2011 14:19:45 +0200
Subject: Fix IPA install for secure umask
Make sure that IPA can be installed with root umask set to secure value 077. ipa-server-install was failing in DS configuration phase when dirsrv tried to read boot.ldif created during installation. https://fedorahosted.org/freeipa/ticket/1282
---
install/tools/ipa-replica-install | 28 ++++++++++++++++------------
install/tools/ipa-server-install | 28 ++++++++++++++++------------
install/tools/ipa-upgradeconfig | 6 +++++-
ipaserver/install/dsinstance.py | 39 +++++++++++++++++++++++----------------
4 files changed, 60 insertions(+), 41 deletions(-)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index c39d992de..16f849567 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -443,18 +443,22 @@ def main():
 # Create the management framework config file
 # Note: We must do this before bootstraping and finalizing ipalib.api
- fd = open("/etc/ipa/default.conf", "w")
- fd.write("[global]\n")
- fd.write("basedn=" + util.realm_to_suffix(config.realm_name) + "\n")
- fd.write("realm=" + config.realm_name + "\n")
- fd.write("domain=" + config.domain_name + "\n")
- fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % config.host_name)
- fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(config.realm_name))
- if ipautil.file_exists(config.dir + "/cacert.p12"):
- fd.write("enable_ra=True\n")
- fd.write("ra_plugin=dogtag\n")
- fd.write("mode=production\n")
- fd.close()
+ old_umask = os.umask(022) # must be readable for httpd
+ try:
+ fd = open("/etc/ipa/default.conf", "w")
+ fd.write("[global]\n")
+ fd.write("basedn=" + util.realm_to_suffix(config.realm_name) + "\n")
+ fd.write("realm=" + config.realm_name + "\n")
+ fd.write("domain=" + config.domain_name + "\n")
+ fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % config.host_name)
+ fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(config.realm_name))
+ if ipautil.file_exists(config.dir + "/cacert.p12"):
+ fd.write("enable_ra=True\n")
+ fd.write("ra_plugin=dogtag\n")
+ fd.write("mode=production\n")
+ fd.close()
+ finally:
+ os.umask(old_umask)
 api.bootstrap(in_server=True)
 api.finalize()
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 7c81dbec6..019dfb1aa 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
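Review bot: The umask only governs the mode of a file that `open(..., "w")` has to create, so if `/etc/ipa/default.conf` already exists with a restrictive mode (for example left behind by an earlier run aborted under umask 077) it is truncated and rewritten but keeps that mode, and httpd still cannot read it. Setting the mode explicitly after the write, `os.chmod("/etc/ipa/default.conf", 0644)` right after `fd.close()`, makes the result independent of both the umask and any pre-existing file; the same applies to the identical block in the ipa-server-install hunk. `fd.close()` is inside the `try` rather than the `finally`, so an exception from one of the writes leaves the descriptor open until garbage collection; not a correctness problem here, but worth knowing. The values written (basedn, realm, domain, the two URIs and the RA settings) carry no secrets, so a world-readable 0644 is the right target mode. `main()` starts and ends outside the hunk.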
@@ -676,18 +676,22 @@ def main():
 logging.debug("will use dns_forwarders: %s\n" % str(dns_forwarders))
 # Create the management framework config file and finalize api
- fd = open("/etc/ipa/default.conf", "w")
- fd.write("[global]\n")
- fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n")
- fd.write("realm=" + realm_name + "\n")
- fd.write("domain=" + domain_name + "\n")
- fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % host_name)
- fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name))
- fd.write("enable_ra=True\n")
- if not options.selfsign:
- fd.write("ra_plugin=dogtag\n")
- fd.write("mode=production\n")
- fd.close()
+ old_umask = os.umask(022) # must be readable for httpd
+ try:
+ fd = open("/etc/ipa/default.conf", "w")
+ fd.write("[global]\n")
+ fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n")
+ fd.write("realm=" + realm_name + "\n")
+ fd.write("domain=" + domain_name + "\n")
+ fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % host_name)
+ fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name))
+ fd.write("enable_ra=True\n")
+ if not options.selfsign:
+ fd.write("ra_plugin=dogtag\n")
+ fd.write("mode=production\n")
+ fd.close()
+ finally:
+ os.umask(old_umask)
 api.bootstrap(**cfg)
 api.finalize()
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 0c8d7fcd8..4ac309288 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -114,7 +114,11 @@ def check_certs():
 if not os.path.exists("/usr/share/ipa/html/ca.crt"):
 ca_file = "/etc/httpd/alias/cacert.asc"
 if os.path.exists(ca_file):
- shutil.copyfile(ca_file, "/usr/share/ipa/html/ca.crt")
+ old_umask = os.umask(022) # make sure its readable by httpd
+ try:
+ shutil.copyfile(ca_file, "/usr/share/ipa/html/ca.crt")
+ finally:
+ os.umask(old_umask)
 else:
 print "Missing Certification Authority file."
 print "You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt"
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 574a5afd8..9033b7bfd 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -358,10 +358,13 @@ class DsInstance(service.Service):
 self.sub_dict['BASEDC'] = self.realm_name.split('.')[0].lower()
 base_txt = ipautil.template_str(BASE_TEMPLATE, self.sub_dict)
 logging.debug(base_txt)
- base_fd = file("/var/lib/dirsrv/boot.ldif", "w")
- base_fd.write(base_txt)
- base_fd.flush()
- base_fd.close()
+ old_umask = os.umask(022) # must be readable for dirsrv
+ try:
+ base_fd = open("/var/lib/dirsrv/boot.ldif", "w")
+ base_fd.write(base_txt)
+ base_fd.close()
+ finally:
+ os.umask(old_umask)
 inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict)
 logging.debug("writing inf template")
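Review bot: The comment on the new umask line has a typo and should read `# make sure it's readable by httpd`. Because the copy is guarded by the `os.path.exists` check on the target, the umask really does decide the new file's mode here, but `os.umask` is process-wide state that has to be restored in a `finally`; an explicit `os.chmod("/usr/share/ipa/html/ca.crt", 0644)` after `shutil.copyfile` pins the mode without that dance and also covers a target that already exists. The rest of `check_certs()` may continue beyond the hunk.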
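Review bot: boot.ldif is made world-readable (0644 under umask 022), whereas the schema files installed later in this same file by `__add_default_schemas` are chowned to `DS_USER` and set to `0440`; giving boot.ldif the same treatment, `os.chown` to the DS user and `os.chmod(..., 0440)` after `base_fd.close()`, would let dirsrv read it without depending on the umask or on world-read access, and would also fix a leftover boot.ldif whose existing mode `open(..., "w")` does not change. Whether the dirsrv setup step that consumes boot.ldif already runs as `DS_USER` at this point cannot be confirmed from the hunk, so that should be checked before tightening the mode. Dropping `base_fd.flush()` is harmless since `close()` flushes. The enclosing method's header and end are outside the hunk.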
@@ -394,21 +397,25 @@ class DsInstance(service.Service):
 os.remove("/var/lib/dirsrv/boot.ldif")
 def __add_default_schemas(self):
- shutil.copyfile(ipautil.SHARE_DIR + "60kerberos.ldif",
- schema_dirname(self.serverid) + "60kerberos.ldif")
- shutil.copyfile(ipautil.SHARE_DIR + "60samba.ldif",
- schema_dirname(self.serverid) + "60samba.ldif")
- shutil.copyfile(ipautil.SHARE_DIR + "60ipaconfig.ldif",
- schema_dirname(self.serverid) + "60ipaconfig.ldif")
- shutil.copyfile(ipautil.SHARE_DIR + "60basev2.ldif",
- schema_dirname(self.serverid) + "60basev2.ldif")
- shutil.copyfile(ipautil.SHARE_DIR + "60ipasudo.ldif",
- schema_dirname(self.serverid) + "60ipasudo.ldif")
+ pent = pwd.getpwnam(DS_USER)
+ for schema_fname in ("60kerberos.ldif",
+ "60samba.ldif",
+ "60ipaconfig.ldif",
+ "60basev2.ldif",
+ "60ipasudo.ldif"):
+ target_fname = schema_dirname(self.serverid) + schema_fname
+ shutil.copyfile(ipautil.SHARE_DIR + schema_fname, target_fname)
+ os.chmod(target_fname, 0440) # read access for dirsrv user/group
+ os.chown(target_fname, pent.pw_uid, pent.pw_gid)
+
 try:
 shutil.move(schema_dirname(self.serverid) + "05rfc2247.ldif",
 schema_dirname(self.serverid) + "05rfc2247.ldif.old")
- shutil.copyfile(ipautil.SHARE_DIR + "05rfc2247.ldif",
- schema_dirname(self.serverid) + "05rfc2247.ldif")
+
+ target_fname = schema_dirname(self.serverid) + "05rfc2247.ldif"
+ shutil.copyfile(ipautil.SHARE_DIR + "05rfc2247.ldif", target_fname)
+ os.chmod(target_fname, 0440)
+ os.chown(target_fname, pent.pw_uid, pent.pw_gid)
 except IOError:
 # Does not apply with newer DS releases
 pass
-- cgit
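Review bot: `schema_dirname(self.serverid)` is recomputed on every loop iteration and three more times in the `try` block, and the copy/chmod/chown triple is spelled out twice, the second time for 05rfc2247.ldif without the `# read access for dirsrv user/group` comment; hoisting the directory into a local and moving the triple into a small nested helper keeps both paths identical and documented once. Note that the new `os.chmod`/`os.chown` calls sit inside the `try`, and in this Python 2 code base (octal `0440`, `print` statements elsewhere in the patch) they raise `OSError`, which the existing `except IOError` does not catch, so only a missing source or destination file is still silently ignored; that looks intended, but a one-line comment saying so would help the next reader. `__add_default_schemas` starts inside the hunk and its last visible line is the `pass`.
```python
    def __add_default_schemas(self):
        pent = pwd.getpwnam(DS_USER)
        schema_dir = schema_dirname(self.serverid)

        def install_schema(schema_fname):
            # Copy from SHARE_DIR, then restrict to the dirsrv user/group
            # (0440) regardless of the installer's umask.
            target_fname = schema_dir + schema_fname
            shutil.copyfile(ipautil.SHARE_DIR + schema_fname, target_fname)
            os.chmod(target_fname, 0440)
            os.chown(target_fname, pent.pw_uid, pent.pw_gid)

        for schema_fname in ("60kerberos.ldif",
                             "60samba.ldif",
                             "60ipaconfig.ldif",
                             "60basev2.ldif",
                             "60ipasudo.ldif"):
            install_schema(schema_fname)

        try:
            shutil.move(schema_dir + "05rfc2247.ldif",
                        schema_dir + "05rfc2247.ldif.old")
            install_schema("05rfc2247.ldif")
        except IOError:
            # Does not apply with newer DS releases; only a missing file is
            # ignored here, chmod/chown failures (OSError) still propagate.
            pass
```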