From b227208d010bf88a11c46149ac5844c4a55ab9ad Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Fri, 17 Jun 2011 14:19:45 +0200
Subject: Fix IPA install for secure umask
Make sure that IPA can be installed with root umask set to secure value 077. ipa-server-install was failing in DS configuration phase when dirsrv tried to read boot.ldif created during installation.
https://fedorahosted.org/freeipa/ticket/1282
---
 install/tools/ipa-server-install | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)
(limited to 'install/tools/ipa-server-install')
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 7c81dbec6..019dfb1aa 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -676,18 +676,22 @@ def main():
 logging.debug("will use dns_forwarders: %s\n" % str(dns_forwarders))
 # Create the management framework config file and finalize api
- fd = open("/etc/ipa/default.conf", "w")
- fd.write("[global]\n")
- fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n")
- fd.write("realm=" + realm_name + "\n")
- fd.write("domain=" + domain_name + "\n")
- fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % host_name)
- fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name))
- fd.write("enable_ra=True\n")
- if not options.selfsign:
- fd.write("ra_plugin=dogtag\n")
- fd.write("mode=production\n")
- fd.close()
+ old_umask = os.umask(022) # must be readable for httpd
+ try:
+ fd = open("/etc/ipa/default.conf", "w")
+ fd.write("[global]\n")
+ fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n")
+ fd.write("realm=" + realm_name + "\n")
+ fd.write("domain=" + domain_name + "\n")
+ fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % host_name)
+ fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name))
+ fd.write("enable_ra=True\n")
+ if not options.selfsign:
+ fd.write("ra_plugin=dogtag\n")
+ fd.write("mode=production\n")
+ fd.close()
+ finally:
+ os.umask(old_umask)
 api.bootstrap(**cfg)
 api.finalize()
-- cgit
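Review bot: The `os.umask(022)` wrapper only decides the mode when `open("/etc/ipa/default.conf", "w")` creates the file; if the file already exists (for instance left at 0600 by an earlier run under umask 077), truncating it keeps the old mode and httpd still cannot read it. Setting the mode explicitly makes the result independent of both the umask and any pre-existing file, e.g. `os.fchmod(fd.fileno(), 0644)` directly after the `open()` call. Separately, `fd.close()` sits inside the `try` body, so a failing `fd.write()` leaves the descriptor open; an inner `try`/`finally` (or `with open(...) as fd:`) around the writes would close it on every path. `main()` starts and ends outside this hunk, so whether an earlier step already removes a stale file is not visible here.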