From a5a55ceff3822ede55ad817ede0da5712fb75651 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 28 Feb 2012 23:05:06 -0500 Subject: Don't delete system users that are added during installation. We don't want to run the risk of adding a user, uninstalling it, the system adding a new user (for another package install for example) and then re-installing IPA. This wreaks havoc with file and directory ownership. https://fedorahosted.org/freeipa/ticket/2423 --- install/tools/ipa-server-install | 13 ------------- ipaserver/install/cainstance.py | 24 ++++++------------------ ipaserver/install/dsinstance.py | 15 +++------------ 3 files changed, 9 insertions(+), 43 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 47f999b4..c379dd77 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -475,16 +475,6 @@ def uninstall(): sstore._load() group_exists = sstore.restore_state("install", "group_exists") - if group_exists == False: - try: - grp.getgrnam(dsinstance.DS_GROUP) - try: - ipautil.run(["/usr/sbin/groupdel", dsinstance.DS_GROUP]) - except ipautil.CalledProcessError, e: - root_logger.critical("failed to delete group %s" % e) - rv = 1 - except KeyError: - root_logger.info("Group %s already removed", dsinstance.DS_GROUP) ipaservices.knownservices.ipa.disable() @@ -855,16 +845,13 @@ def main(): try: grp.getgrnam(dsinstance.DS_GROUP) root_logger.debug("ds group %s exists" % dsinstance.DS_GROUP) - group_exists = True except KeyError: - group_exists = False args = ["/usr/sbin/groupadd", "-r", dsinstance.DS_GROUP] try: ipautil.run(args) root_logger.debug("done adding DS group") except ipautil.CalledProcessError, e: root_logger.critical("failed to add DS group: %s" % e) - sstore.backup_state("install", "group_exists", group_exists) # Configure ntpd if options.conf_ntp: diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index d2c8d057..345a8c2d 100644 
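Review bot: The line `group_exists = sstore.restore_state("install", "group_exists")` kept at the top of the `uninstall()` hunk now assigns a value that nothing reads, because the `groupdel` branch below it is removed and the `main()` hunk no longer writes that key. If `restore_state` is a pure read, delete the line; if it also removes the key from the state store (I cannot confirm that from here), keep a bare `sstore.restore_state("install", "group_exists")` with a comment such as `# consume the legacy "group_exists" key written by older installs; the group is deliberately no longer removed`. The body of `uninstall()` continues outside this hunk.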
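Review bot: In the `main()` hunk a failing `groupadd -r` for `dsinstance.DS_GROUP` is still only reported with `root_logger.critical("failed to add DS group: %s" % e)` and execution falls through to the ntp configuration, although the `useradd -g DS_GROUP` in `dsinstance.py` later in this patch depends on that group existing. The commit does not change that handling, but now that the group is meant to be a permanent system group it is worth turning this into a hard failure, using whichever abort path `main()` uses for other fatal setup errors rather than continuing. The rest of `main()` lies outside this hunk, so I cannot see what that path is.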
--- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -274,12 +274,10 @@ class CADSInstance(service.Service): GROUP=dsinstance.DS_GROUP) def __create_ds_user(self): - user_exists = True try: pwd.getpwnam(PKI_DS_USER) root_logger.debug("ds user %s exists" % PKI_DS_USER) except KeyError: - user_exists = False root_logger.debug("adding ds user %s" % PKI_DS_USER) args = ["/usr/sbin/useradd", "-g", dsinstance.DS_GROUP, "-c", "PKI DS System User", @@ -292,8 +290,6 @@ class CADSInstance(service.Service): except ipautil.CalledProcessError, e: root_logger.critical("failed to add user %s" % e) - self.backup_state("user_exists", user_exists) - def __create_instance(self): self.backup_state("running", dsinstance.is_ds_running()) self.backup_state("serverid", self.serverid) @@ -406,11 +402,9 @@ class CADSInstance(service.Service): user_exists = self.restore_state("user_exists") - if user_exists == False: - try: - ipautil.run(["/usr/sbin/userdel", PKI_DS_USER]) - except ipautil.CalledProcessError, e: - root_logger.critical("failed to delete user %s" % e) + # At one time we removed this user on uninstall. That can potentially + # orphan files, or worse, if another useradd runs in the intermim, + # cause files to have a new owner. class CAInstance(service.Service): """ @@ -566,12 +560,10 @@ class CAInstance(service.Service): # so actual enablement is delayed. def __create_ca_user(self): - user_exists = True try: pwd.getpwnam(PKI_USER) root_logger.debug("ca user %s exists" % PKI_USER) except KeyError: - user_exists = False root_logger.debug("adding ca user %s" % PKI_USER) args = ["/usr/sbin/useradd", "-c", "CA System User", "-d", "/var/lib", @@ -583,8 +575,6 @@ class CAInstance(service.Service): except ipautil.CalledProcessError, e: root_logger.critical("failed to add user %s" % e) - self.backup_state("user_exists", user_exists) - def __configure_instance(self): preop_pin = get_preop_pin(self.server_root, PKI_INSTANCE_NAME) 
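Review bot: In the `CADSInstance` uninstall hunk the local `user_exists = self.restore_state("user_exists")` survives, but after this change its value is never read, so the new comment is attached to dead code. Either delete the assignment, or, if `restore_state` is what clears the stale `user_exists` key from the state store (not verifiable from this hunk), keep a bare `self.restore_state("user_exists")` and say so in the comment. The comment also misspells `interim` as `intermim`, and I would state the actual risk rather than "worse", e.g. `# Leave the user in place: deleting it frees its UID, and a later useradd could hand an unrelated account ownership of files this UID still owns.` The enclosing method starts before this hunk.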
@@ -1064,12 +1054,10 @@ class CAInstance(service.Service): except ipautil.CalledProcessError, e: root_logger.critical("failed to uninstall CA instance %s" % e) + # At one time we removed this user on uninstall. That can potentially + # orphan files, or worse, if another useradd runs in the intermim, + # cause files to have a new owner. user_exists = self.restore_state("user_exists") - if user_exists == False: - try: - ipautil.run(["/usr/sbin/userdel", PKI_USER]) - except ipautil.CalledProcessError, e: - root_logger.critical("failed to delete user %s" % e) def publish_ca_cert(self, location): args = ["-L", "-n", self.canickname, "-a"] diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index c66f2a7f..5b5b24ca 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -288,12 +288,10 @@ class DsInstance(service.Service): ) def __create_ds_user(self): - user_exists = True try: pwd.getpwnam(DS_USER) root_logger.debug("ds user %s exists" % DS_USER) except KeyError: - user_exists = False root_logger.debug("adding ds user %s" % DS_USER) args = ["/usr/sbin/useradd", "-g", DS_GROUP, "-c", "DS System User", @@ -306,8 +304,6 @@ class DsInstance(service.Service): except ipautil.CalledProcessError, e: root_logger.critical("failed to add user %s" % e) - self.backup_state("user_exists", user_exists) - def __create_instance(self): self.backup_state("running", is_ds_running()) self.backup_state("serverid", self.serverid) 
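Review bot: In the `CAInstance.uninstall` hunk the new comment is placed before `user_exists = self.restore_state("user_exists")`, whereas the equivalent hunk in `CADSInstance` puts it after the same line; pick one placement so the two uninstall paths read the same. Since the assignment is unread in both, the clearer form is to drop the variable and leave at most the bare `self.restore_state("user_exists")` call, with the comment explaining that the call only consumes the key left by older installs (if that is what `restore_state` does; I cannot confirm it here). The `intermim` typo should become `interim`.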
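Review bot: With this patch the DS user created in `DsInstance.__create_ds_user` becomes a permanent account, so it matters that `useradd` allocates it a system UID; the visible arguments are `"-g", DS_GROUP, "-c", "DS System User"` and the rest of the list is outside this hunk, so I cannot see whether `-r` is passed. The group is created with `groupadd -r` in `ipa-server-install`, and the user should match: without `-r` the account gets a UID from the regular login range and `useradd` may create a home directory, which is exactly the ownership confusion the commit is trying to avoid. If `-r` is already among the elided arguments, a comment such as `# system account (-r): UID must be stable across uninstall/reinstall` on the `args` list would make the intent explicit.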
@@ -624,16 +620,11 @@ class DsInstance(service.Service): dsdb.untrack_server_cert("Server-Cert") erase_ds_instance_data(serverid) + # At one time we removed this user on uninstall. That can potentially + # orphan files, or worse, if another useradd runs in the intermim, + # cause files to have a new owner. user_exists = self.restore_state("user_exists") - if user_exists == False: - pent = pwd.getpwnam(DS_USER) - installutils.remove_file("/var/tmp/ldap_%d" % pent.pw_uid) - try: - ipautil.run(["/usr/sbin/userdel", DS_USER]) - except ipautil.CalledProcessError, e: - root_logger.critical("failed to delete user %s" % e) - # Make sure some upgrade-related state is removed. This could cause # re-installation problems. self.restore_state('nsslapd-port') -- cgit
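Review bot: The removed block in `DsInstance.uninstall` did two things, and this hunk drops both: besides the `userdel` it also deleted `/var/tmp/ldap_<uid>` via `installutils.remove_file("/var/tmp/ldap_%d" % pent.pw_uid)`, so that per-UID scratch file now survives an uninstall. The commit message only argues for keeping the user, so if the file cleanup is still wanted for a clean reinstall (I cannot tell from here whether stale content in it matters) it should be restored outside the deleted conditional, guarding the `pwd.getpwnam` lookup with `KeyError` since the old code would have raised if the user was missing. The `user_exists` assignment just below the comment is now unread as well, and `intermim` should be `interim`. The method continues past the end of this hunk.
```python
        # The DS user is intentionally left in place (see commit message);
        # only its per-UID scratch file is cleaned up, when the user exists.
        try:
            pent = pwd.getpwnam(DS_USER)
        except KeyError:
            root_logger.debug("ds user %s does not exist, nothing to clean up" % DS_USER)
        else:
            installutils.remove_file("/var/tmp/ldap_%d" % pent.pw_uid)
        # … unchanged: removal of upgrade-related state (nsslapd-port, …) …
```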