authorMartin Basti <mbasti@redhat.com>2014-11-11 13:00:18 +0100
committerJan Cholasta <jcholast@redhat.com>2014-11-18 18:49:42 +0000
commitba124045b9f39f8264a974c977beba6f15b1b1fb (patch)
treef475a9164861b1a6d0076abf2e1704cde68c2ae4
parent8a3389d30c8f47d58e889a9772d68f5e70a4cd71 (diff)
Fix named working directory permissions
Just adding the directory to the spec file does not work, because there is no guarantee that named is installed during the RPM installation. Ticket: https://fedorahosted.org/freeipa/ticket/4716 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rw-r--r--freeipa.spec.in3
-rw-r--r--install/tools/ipa-upgradeconfig14
-rw-r--r--ipaplatform/base/paths.py1
-rw-r--r--ipaserver/install/dnskeysyncinstance.py36
4 files changed, 46 insertions, 8 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index b2ff97a11..af367037e 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -426,7 +426,6 @@ mkdir -p %{buildroot}%{_usr}/share/ipa/html/
/bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html
mkdir -p %{buildroot}%{_initrddir}
mkdir %{buildroot}%{_sysconfdir}/sysconfig/
-mkdir -p %{buildroot}%{_localstatedir}/named/dyndb-ldap/ipa/
install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached
install -m 644 init/ipa-dnskeysyncd.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-dnskeysyncd
install -m 644 init/ipa-ods-exporter.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-ods-exporter
@@ -666,7 +665,6 @@ fi
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
-%dir %attr(0770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa/
# NOTE: systemd specific section
%{_tmpfilesdir}/%{name}.conf
%attr(644,root,root) %{_unitdir}/ipa.service
@@ -780,6 +778,7 @@ fi
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
%ghost %{_localstatedir}/lib/ipa/pki-ca/publish
+%ghost %{_localstatedir}/named/dyndb-ldap/ipa
%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
%{_mandir}/man1/ipa-replica-conncheck.1.gz
%{_mandir}/man1/ipa-replica-install.1.gz
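Review bot: The new `%ghost %{_localstatedir}/named/dyndb-ldap/ipa` entry carries neither `%dir` nor `%attr`, unlike the `%dir %attr(0770,named,named)` line this commit removes from the earlier hunk; since the `mkdir -p` in `%install` is also removed, the path no longer exists in the buildroot and rpm will most likely record the ghost as a regular file with default attributes rather than as a directory. That can produce misleading `rpm -V` output and a failed removal on erase when the on-disk entry is a directory. Marking it `%ghost %dir %{_localstatedir}/named/dyndb-ldap/ipa` keeps the package metadata consistent with what set_dyndb_ldap_workdir_permissions creates at runtime; whether an `%attr(0770,named,named)` is safe here depends on the named account existing at install time, which the commit message says cannot be assumed, so leaving the mode to runtime as done is defensible and worth a one-line `# created and chowned at runtime, see DNSKeySyncInstance` comment.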
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 6556d8f31..b0b574476 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -30,6 +30,7 @@ import shutil
import pwd
import fileinput
import ConfigParser
+import grp
from ipalib import api
import SSSDConfig
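Review bot: `import grp` is added here but none of the visible hunks in ipa-upgradeconfig use it; the group lookup this commit introduces lives in DNSKeySyncInstance.__get_named_gid in dnskeysyncinstance.py, and fix_dyndb_ldap_workdir_permissions only delegates to that class. Unless a part of this file outside the hunks depends on it, the import should be dropped so the module's dependency list stays accurate.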
@@ -1161,6 +1162,18 @@ def mask_named_regular():
return False
+def fix_dyndb_ldap_workdir_permissions():
+ """Fix dyndb-ldap working dir permissions. DNSSEC daemons requires it"""
+ if sysupgrade.get_upgrade_state('dns', 'dyndb_ipa_workdir_perm'):
+ return
+
+ if bindinstance.named_conf_exists():
+ root_logger.info('[Fix bind-dyndb-ldap IPA working directory]')
+ dnskeysync = dnskeysyncinstance.DNSKeySyncInstance()
+ dnskeysync.set_dyndb_ldap_workdir_permissions()
+
+ sysupgrade.set_upgrade_state('dns', 'dyndb_ipa_workdir_perm', True)
+
def fix_schema_file_syntax():
"""Fix syntax errors in schema files
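Review bot: fix_dyndb_ldap_workdir_permissions returns None on every path, yet main() places it in the `named_conf_changes` tuple next to helpers such as mask_named_regular (whose `return False` is the first context line of this hunk) whose bool results drive `if any(named_conf_changes)`; an explicit `return False` on both the early-exit and the normal path would make the contract match its siblings and make it obvious that this step never triggers a named restart. The docstring also has a grammar slip and should read `"""Fix dyndb-ldap working dir permissions. DNSSEC daemons require it."""`. The upgrade-state flag is set even when named_conf_exists() is False, which looks intentional because a later DNS install runs the same step through DNSKeySyncInstance.create_instance, but a short comment saying so would spare the next reader the trace.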
@@ -1433,6 +1446,7 @@ def main():
named_managed_keys_dir_option(),
named_root_key_include(),
mask_named_regular(),
+ fix_dyndb_ldap_workdir_permissions(),
)
if any(named_conf_changes):
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index e28147ab4..c4cdc58d6 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -189,6 +189,7 @@ class BasePathNamespace(object):
BIN_WGET = "/usr/bin/wget"
ZIP = "/usr/bin/zip"
BIND_LDAP_SO = "/usr/lib/bind/ldap.so"
+ BIND_LDAP_DNS_IPA_WORKDIR = "/var/named/dyndb-ldap/ipa/"
BIND_LDAP_DNS_ZONE_WORKDIR = "/var/named/dyndb-ldap/ipa/master/"
USR_LIB_DIRSRV = "/usr/lib/dirsrv"
USR_LIB_SLAPD_INSTANCE_TEMPLATE = "/usr/lib/dirsrv/slapd-%s"
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 1dd9a0983..5da65d87b 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -60,7 +60,6 @@ def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
return ret
-
class DNSKeySyncInstance(service.Service):
def __init__(self, fstore=None, dm_password=None, logger=root_logger,
ldapi=False):
@@ -84,6 +83,23 @@ class DNSKeySyncInstance(service.Service):
suffix = ipautil.dn_attribute_property('_suffix')
+ def set_dyndb_ldap_workdir_permissions(self):
+ """
+ Setting up correct permissions to allow write/read access for daemons
+ """
+ if self.named_uid is None:
+ self.named_uid = self.__get_named_uid()
+
+ if self.named_gid is None:
+ self.named_gid = self.__get_named_gid()
+
+ if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR):
+ os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
+ # dnssec daemons require to have access into the directory
+ os.chmod(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
+ os.chown(paths.BIND_LDAP_DNS_IPA_WORKDIR, self.named_uid,
+ self.named_gid)
+
def remove_replica_public_keys(self, replica_fqdn):
ldap = api.Backend.ldap2
dn_base = DN(('cn', 'keys'), ('cn', 'sec'), ('cn', 'dns'), api.env.basedn)
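Review bot: os.chmod and os.chown follow symlinks, so if a pre-existing entry at paths.BIND_LDAP_DNS_IPA_WORKDIR is a symlink or a non-directory, the 0770 mode and named:named ownership are applied to whatever it points at, as root; the `os.path.exists` guard before `os.mkdir` does not distinguish a real directory from such an entry, and the exists/mkdir pair is a check-then-act race as well. Applying the mode and ownership through a descriptor opened with `os.O_DIRECTORY | os.O_NOFOLLOW` rejects anything that is not a genuine directory and removes the window between the check and the change. The rewrite below keeps the method's interface and the uid/gid lookups unchanged; `os.fchmod`/`os.fchown` and those open flags are available on the Linux targets this code runs on.
```python
    def set_dyndb_ldap_workdir_permissions(self):
        # … unchanged: docstring and named_uid / named_gid lookups …
        workdir = paths.BIND_LDAP_DNS_IPA_WORKDIR
        if not os.path.exists(workdir):
            os.mkdir(workdir, 0770)
        # dnssec daemons require to have access into the directory.
        # Operate on a descriptor so a symlink or non-directory at this
        # path is rejected instead of having its target re-owned as root.
        fd = os.open(workdir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
        try:
            os.fchmod(fd, 0770)
            os.fchown(fd, self.named_uid, self.named_gid)
        finally:
            os.close(fd)
```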
@@ -119,6 +135,8 @@ class DNSKeySyncInstance(service.Service):
self.ldap_connect()
# checking status step must be first
self.step("checking status", self.__check_dnssec_status)
+ self.step("setting up bind-dyndb-ldap working directory",
+ self.set_dyndb_ldap_workdir_permissions)
self.step("setting up kerberos principal", self.__setup_principal)
self.step("setting up SoftHSM", self.__setup_softhsm)
self.step("adding DNSSEC containers", self.__setup_dnssec_containers)
@@ -127,20 +145,26 @@ class DNSKeySyncInstance(service.Service):
# we need restart named after setting up this service
self.start_creation()
- def __check_dnssec_status(self):
+ def __get_named_uid(self):
named = services.knownservices.named
- ods_enforcerd = services.knownservices.ods_enforcerd
-
try:
- self.named_uid = pwd.getpwnam(named.get_user_name()).pw_uid
+ return pwd.getpwnam(named.get_user_name()).pw_uid
except KeyError:
raise RuntimeError("Named UID not found")
+ def __get_named_gid(self):
+ named = services.knownservices.named
try:
- self.named_gid = grp.getgrnam(named.get_group_name()).gr_gid
+ return grp.getgrnam(named.get_group_name()).gr_gid
except KeyError:
raise RuntimeError("Named GID not found")
+ def __check_dnssec_status(self):
+ ods_enforcerd = services.knownservices.ods_enforcerd
+
+ self.named_uid = self.__get_named_uid()
+ self.named_gid = self.__get_named_gid()
+
try:
self.ods_uid = pwd.getpwnam(ods_enforcerd.get_user_name()).pw_uid
except KeyError:
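Review bot: The extracted helpers __get_named_uid and __get_named_gid have no docstrings, although they are now called from two places (here and from set_dyndb_ldap_workdir_permissions) and have a non-obvious failure mode of converting KeyError into RuntimeError; a one-line docstring on each, e.g. `"""Return the UID of the named service user; raise RuntimeError if the account is missing."""` and the matching `"""Return the GID of the named service group; raise RuntimeError if the group is missing."""`, would document that contract where callers will look for it. __check_dnssec_status continues past the end of this hunk, so its remaining ods lookups were not reviewed here.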