authorJan Cholasta <jcholast@redhat.com>2017-02-16 10:57:14 +0100
committerJan Cholasta <jcholast@redhat.com>2017-02-20 13:00:50 +0000
commitb4fa354f500bcf3ac23ee3805f2c166c6a635b92 (patch)
treeafe46ffaeb2dbc1c4bd71cb57b4fbaf69e6f75fc
parent6c6c68df544ac1046741d91dfdc59ef8d96b863c (diff)
client install: create /etc/ipa/nssdb with correct mode
The NSS database directory is created with mode 640, which causes the IPA client to fail to connect to any IPA server, because it is unable to read trusted CA certificates from the NSS database. Create the directory with mode 644 to fix the issue. https://fedorahosted.org/freeipa/ticket/5959 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
-rw-r--r--ipaclient/install/client.py2
-rw-r--r--ipapython/certdb.py10
2 files changed, 9 insertions, 3 deletions
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index e43ec7bb6..f951770e5 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2284,7 +2284,7 @@ def install_check(options):
def create_ipa_nssdb():
db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
- db.create_db(backup=True)
+ db.create_db(mode=0o755, backup=True)
os.chmod(db.pwd_file, 0o600)
os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644)
os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644)
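Review bot: The hard-coded `mode=0o755` on the create_db line and the three os.chmod calls below it encode the same permission policy twice, and the commit message speaks of mode 644 while the code passes 0o755, so a reader cannot tell which value is authoritative. A one-line comment above the call would keep the intent in one place: `# dir and cert/key DBs must be world-readable so unprivileged clients can read the trusted CA certs; the password file is tightened to 0o600 below`. Note also that create_db derives the password-file mode as `mode & 0o660`, which for 0o755 is 0o640, so the file is group-readable between create_db returning and the os.chmod(db.pwd_file, 0o600) that follows; if that window matters, the stricter mode should be applied inside create_db rather than fixed up afterwards. create_ipa_nssdb may continue past the end of the hunk.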
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 73387cf58..b22c3c1ad 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -124,9 +124,11 @@ class NSSDatabase(object):
"""
dirmode = 0o750
filemode = 0o640
+ pwdfilemode = 0o640
if mode is not None:
dirmode = mode
filemode = mode & 0o666
+ pwdfilemode = mode & 0o660
uid = -1
gid = -1
@@ -147,7 +149,7 @@ class NSSDatabase(object):
# Create the password file for this db
with io.open(os.open(self.pwd_file,
os.O_CREAT | os.O_WRONLY,
- filemode), 'w', closefd=True) as f:
+ pwdfilemode), 'w', closefd=True) as f:
f.write(ipautil.ipa_generate_password())
f.flush()
@@ -162,7 +164,11 @@ class NSSDatabase(object):
if os.path.exists(path):
if uid != -1 or gid != -1:
os.chown(path, uid, gid)
- os.chmod(path, filemode)
+ if path == self.pwd_file:
+ new_mode = pwdfilemode
+ else:
+ new_mode = filemode
+ os.chmod(path, new_mode)
tasks.restore_context(path)
def list_certs(self):
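Review bot: The docstring that closes at the top of the first hunk does not describe how `mode` is now split into three permission sets, which a caller needs to know because `pwdfilemode = mode & 0o660` deliberately keeps group read on the password file (0o640 for the 0o755 that ipaclient passes) while only stripping the other-bits. I would extend the docstring with: `:param mode: mode of the database directory; regular DB files get ``mode & 0o666`` and the password file ``mode & 0o660``, so the password file is never world-readable but stays group-readable when the directory is.` In the third hunk, `path == self.pwd_file` is a plain string comparison; if the paths iterated by that loop (whose head is outside the hunk) are built differently from `self.pwd_file`, the password file would silently receive `filemode` instead, so comparing normalized paths or `os.path.basename` would be safer — hedged, since the loop source is not visible. create_db's body starts and ends outside these hunks.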