author | Simo Sorce <simo@redhat.com> | 2016-08-16 09:03:19 -0400 |
committer | Jan Cholasta <jcholast@redhat.com> | 2017-02-15 07:13:37 +0100 |
commit | 4fd89833ee5421b05c10329d627d0e0fc8496046 (patch) | |
tree | f6b6eb3492859af483d3e9542253f0894ca11043 | |
parent | c2b1b2a36200b50babfda1eca37fb4b51fefa9c6 (diff) | |
Add a new user to run the framework code
Add the apache user to the ipawebui group.
Make the ccaches directory owned by the ipawebui group and make
mod_auth_gssapi write the ccache files as r/w by the apache user and
the ipawebui group.
Fix tmpfiles creation ownership and permissions to allow the user to
access ccaches files.
The webui framework now works as a separate user than apache, so the certs
used to access the dogtag instance need to be usable by this new user as well.
Both apache and the webui user are in the ipawebui group, so use that.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rw-r--r-- | install/conf/ipa.conf | 5 | ||||
-rw-r--r-- | install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf | 2 | ||||
-rw-r--r-- | install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf | 2 | ||||
-rw-r--r-- | install/oddjob/etc/oddjobd.conf.d/ipa-server.conf | 2 | ||||
-rw-r--r-- | install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf | 2 | ||||
-rw-r--r-- | install/share/gssproxy.conf.template | 8 | ||||
-rw-r--r-- | install/share/ipa.conf.tmpfiles | 4 | ||||
-rw-r--r-- | ipalib/constants.py | 4 | ||||
-rw-r--r-- | ipaplatform/base/paths.py | 1 | ||||
-rw-r--r-- | ipaplatform/base/tasks.py | 15 | ||||
-rw-r--r-- | ipaplatform/redhat/tasks.py | 16 | ||||
-rw-r--r-- | ipaserver/install/dogtaginstance.py | 5 | ||||
-rw-r--r-- | ipaserver/install/httpinstance.py | 6 | ||||
-rw-r--r-- | ipaserver/install/installutils.py | 13 | ||||
-rw-r--r-- | ipaserver/install/plugins/update_ra_cert_store.py | 6 | ||||
-rw-r--r-- | ipaserver/install/server/install.py | 3 | ||||
-rw-r--r-- | ipaserver/install/server/replicainstall.py | 4 | ||||
-rw-r--r-- | ipaserver/install/server/upgrade.py | 1 |
18 files changed, 73 insertions, 26 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index c1b10d035..f0330c544 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -1,5 +1,5 @@ # -# VERSION 22 - DO NOT REMOVE THIS LINE +# VERSION 23 - DO NOT REMOVE THIS LINE # # This file may be overwritten on upgrades. # @@ -42,7 +42,7 @@ WSGISocketPrefix /run/httpd/wsgi # Configure mod_wsgi handler for /ipa WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \ - display-name=%{GROUP} socket-timeout=2147483647 + user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647 WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py WSGIScriptReloading Off @@ -70,6 +70,7 @@ WSGIScriptReloading Off GssapiSessionKey file:/etc/httpd/alias/ipasession.key GssapiDelegCcacheDir /var/run/ipa/ccaches + GssapiDelegCcachePerms mode:0660 gid:ipaapi GssapiUseS4U2Proxy on GssapiAllowedMech krb5 Require valid-user diff --git a/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf index 2e4c1367b..a1955d6b7 100644 --- a/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf +++ b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf @@ -30,7 +30,7 @@ send_member="Get"/> </policy> - <policy user="apache"> + <policy user="ipaapi"> <allow send_destination="com.redhat.idm.trust" send_path="/" send_interface="com.redhat.idm.trust" diff --git a/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf index b2cbf746f..577611f01 100644 --- a/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf +++ b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf 
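Review bot: The `user=ipaapi group=ipaapi` on the WSGIDaemonProcess line and `gid:ipaapi` in the new GssapiDelegCcachePerms directive hard-code the account name that ipalib/constants.py defines as IPAAPI_USER/IPAAPI_GROUP, so the two can drift apart silently and the WSGI daemon would then run as a different user than the one owning /var/run/ipa/ccaches. Since ipa.conf is a static file rather than a template, a comment pinning the coupling would help, e.g. `# user/group must match IPAAPI_USER/IPAAPI_GROUP in ipalib/constants.py` above the WSGIDaemonProcess directive. The `mode:0660` on the delegated ccaches is what lets the ipaapi processes read them; stating that in the same comment keeps a later hardening pass from tightening it to 0600.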
@@ -10,7 +10,7 @@ <allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/> </policy> - <policy user="apache"> + <policy user="ipaapi"> <allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/> </policy> diff --git a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf index 3f806966b..012e3cbe3 100644 --- a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf +++ b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf @@ -2,7 +2,7 @@ <oddjobconfig> <service name="org.freeipa.server"> <allow user="root"/> - <allow user="apache"/> + <allow user="ipaapi"/> <object name="/"> <interface name="org.freeipa.server"> <method name="conncheck"> diff --git a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf index bc2e8d191..630a4e6cd 100644 --- a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf +++ b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf @@ -2,7 +2,7 @@ <oddjobconfig> <service name="com.redhat.idm.trust"> <allow user="root"/> - <allow user="apache"/> + <allow user="ipaapi"/> <object name="/"> <interface name="org.freedesktop.DBus.Introspectable"> <allow min_uid="0" max_uid="0"/> diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template index cb5775de6..fbb158a68 100644 --- a/install/share/gssproxy.conf.template +++ b/install/share/gssproxy.conf.template @@ -6,3 +6,11 @@ allow_protocol_transition = true cred_usage = both euid = $HTTPD_USER + +[service/ipa-api] + mechs = krb5 + cred_store = keytab:$HTTP_KEYTAB + cred_store = client_keytab:$HTTP_KEYTAB + allow_constrained_delegation = true + cred_usage = initiate + euid = $IPAAPI_USER diff --git a/install/share/ipa.conf.tmpfiles b/install/share/ipa.conf.tmpfiles index 3037787da..573139bf2 100644 --- a/install/share/ipa.conf.tmpfiles +++ b/install/share/ipa.conf.tmpfiles 
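Review bot: The new `[service/ipa-api]` section gives the `$IPAAPI_USER` euid an initiator credential backed by `$HTTP_KEYTAB` with constrained delegation enabled, but nothing in the template says why it is narrower than the httpd section above it (no `allow_protocol_transition`, `cred_usage = initiate` instead of `both`). A one-line comment above the section, e.g. `# ipa-api only initiates on behalf of already-authenticated users; protocol transition stays with httpd`, would keep a future edit from "harmonising" the two sections and widening what the framework user can do. This reading is inferred from the directives shown; please confirm it matches the intent.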
@@ -1,2 +1,2 @@ -d /var/run/ipa 0700 root root -d /var/run/ipa/ccaches 0700 apache apache +d /var/run/ipa 0711 root root +d /var/run/ipa/ccaches 0770 ipaapi ipaapi diff --git a/ipalib/constants.py b/ipalib/constants.py index c67340751..fa2062458 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -279,3 +279,7 @@ PATTERN_GROUPUSER_NAME = '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$' # Kerberos Anonymous principal name ANON_USER = 'WELLKNOWN/ANONYMOUS' + +# IPA API Framework user +IPAAPI_USER = 'ipaapi' +IPAAPI_GROUP = 'ipaapi' diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index b8cd5ca5e..8db9e61f5 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -203,6 +203,7 @@ class BasePathNamespace(object): DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11" GETSEBOOL = "/usr/sbin/getsebool" GROUPADD = "/usr/sbin/groupadd" + USERMOD = "/usr/sbin/usermod" HTTPD = "/usr/sbin/httpd" IPA_CLIENT_INSTALL = "/usr/sbin/ipa-client-install" IPA_DNS_INSTALL = "/usr/sbin/ipa-dns-install" diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index 49b87613f..5806e7504 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py @@ -181,7 +181,9 @@ class BaseTaskNamespace(object): raise NotImplementedError() - def create_system_user(self, name, group, homedir, shell, uid=None, gid=None, comment=None, create_homedir=False): + def create_system_user(self, name, group, homedir, shell, + uid=None, gid=None, comment=None, + create_homedir=False, groups=None): """Create a system user with a corresponding group""" try: grp.getgrnam(group) @@ -218,6 +220,8 @@ class BaseTaskNamespace(object): args += ['-m'] else: args += ['-M'] + if groups is not None: + args += ['-G', groups.join(',')] try: ipautil.run(args) log.debug('Done adding user') 
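Review bot: The new `groups=None` parameter on create_system_user is not described in the docstring, which still reads only "Create a system user with a corresponding group"; the RedHatTaskNamespace override in ipaplatform/redhat/tasks.py has the same gap. Suggest `"""Create a system user with a corresponding group; `groups` optionally lists supplementary groups to add the user to."""`, stating the expected type (list of names, judging by how the next hunk tries to join it). The body of create_system_user continues outside this hunk.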
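Review bot: `args += ['-G', groups.join(',')]` has the join inverted: a list has no `.join`, so `groups=['ipaapi']` raises AttributeError before useradd runs, and if a plain string were passed `'ipaapi'.join(',')` just returns `','`. It should be `args += ['-G', ','.join(groups)]`. No caller in this commit passes `groups`, so the bug is latent today, but it is a crash on first use. The try/except that follows closes the function outside the hunk.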
@@ -261,3 +265,12 @@ class BaseTaskNamespace(object): def is_fips_enabled(self): return False + + def add_user_to_group(self, user, group): + log.debug('Adding user %s to group %s', user, group) + args = [paths.USERMOD, '-a', '-G', group, user] + try: + ipautil.run(args) + log.debug('Done adding user to group') + except ipautil.CalledProcessError as e: + log.debug('Failed to add user to group: %s', e) diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py index c9b1c49aa..5bddd1469 100644 --- a/ipaplatform/redhat/tasks.py +++ b/ipaplatform/redhat/tasks.py @@ -51,6 +51,8 @@ from ipaplatform.paths import paths from ipaplatform.redhat.authconfig import RedHatAuthConfig from ipaplatform.base.tasks import BaseTaskNamespace +from ipalib.constants import IPAAPI_USER + _ffi = FFI() _ffi.cdef(""" int rpmvercmp (const char *a, const char *b); @@ -411,7 +413,9 @@ class RedHatTaskNamespace(BaseTaskNamespace): return True - def create_system_user(self, name, group, homedir, shell, uid=None, gid=None, comment=None, create_homedir=False): + def create_system_user(self, name, group, homedir, shell, + uid=None, gid=None, comment=None, + create_homedir=False, groups=None): """ Create a system user with a corresponding group @@ -431,8 +435,9 @@ class RedHatTaskNamespace(BaseTaskNamespace): if comment is None: comment = 'DS System User' - super(RedHatTaskNamespace, self).create_system_user(name, group, - homedir, shell, uid, gid, comment, create_homedir) + super(RedHatTaskNamespace, self).create_system_user( + name, group, homedir, shell, uid, gid, comment, create_homedir, + groups) def parse_ipa_version(self, version): """ @@ -467,7 +472,8 @@ class RedHatTaskNamespace(BaseTaskNamespace): dict( HTTP_KEYTAB=paths.HTTP_KEYTAB, HTTP_CCACHE=paths.HTTP_CCACHE, - HTTPD_USER=constants.HTTPD_USER + HTTPD_USER=constants.HTTPD_USER, + IPAAPI_USER=IPAAPI_USER, ) ) 
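Review bot: add_user_to_group logs a usermod failure only at debug level and returns normally, so if adding `apache` to `ipaapi` fails the install continues and the WSGI processes later cannot open the 0660 delegated ccaches, with nothing above debug in the log to explain why. Given that this group membership is what the rest of the commit relies on, either re-raise after logging (`raise`) or at least `log.error('Failed to add user %s to group %s: %s', user, group, e)`. The function also has no docstring; `"""Add user to the supplementary group via usermod -a -G."""` would do.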
@@ -520,7 +526,7 @@ class RedHatTaskNamespace(BaseTaskNamespace): def create_tmpfiles_dirs(self): parent = os.path.dirname(paths.IPA_CCACHES) - pent = pwd.getpwnam(constants.HTTPD_USER) + pent = pwd.getpwnam(IPAAPI_USER) self._create_tmpfiles_dir(parent, 0o711, 0, 0) self._create_tmpfiles_dir(paths.IPA_CCACHES, 0o770, pent.pw_uid, pent.pw_gid) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index 32772db21..968f4b292 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -31,6 +31,7 @@ import pki.system from ipalib import api, errors +from ipalib.constants import IPAAPI_USER from ipalib.install import certmonger from ipaplatform import services from ipaplatform.constants import constants @@ -44,8 +45,6 @@ from ipaserver.install import replication from ipaserver.install.installutils import stopped_service from ipapython.ipa_log_manager import log_mgr -HTTPD_USER = constants.HTTPD_USER - def get_security_domain(): """ @@ -87,7 +86,7 @@ def export_kra_agent_pem(): "--client-cert", filename] ipautil.run(args) - pent = pwd.getpwnam(HTTPD_USER) + pent = pwd.getpwnam(IPAAPI_USER) os.chown(filename, 0, pent.pw_gid) os.chmod(filename, 0o440) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index f08bb68d1..3ca2300b8 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -30,6 +30,7 @@ import locale import six +from ipalib.constants import IPAAPI_USER, IPAAPI_GROUP from ipalib.install import certmonger from ipaserver.install import service from ipaserver.install import certs 
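Review bot: `os.chown(filename, 0, pent.pw_gid)` in export_kra_agent_pem now takes the group from the ipaapi user's primary gid rather than from IPAAPI_GROUP, so the 0o440 file is readable by the intended group only as long as ipaapi's primary group is that group, which holds for accounts created by create_system_user but not for a pre-existing account with a different primary group. Looking it up explicitly, `gid = grp.getgrnam(IPAAPI_GROUP).gr_gid`, makes the intent stated in the commit message ("use that group") visible in the code. Whether grp is already imported in this module is not visible in the hunk.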
@@ -317,8 +318,7 @@ class HTTPInstance(service.Service): nssdb = certdb.NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR) nssdb.create_db(user="root", group=constants.HTTPD_GROUP, backup=True) nssdb = certdb.NSSDatabase(nssdir=paths.IPA_RADB_DIR) - nssdb.create_db(user=constants.HTTPD_USER, group=constants.HTTPD_GROUP, - mode=0o751, backup=True) + nssdb.create_db(user=IPAAPI_USER, group=IPAAPI_GROUP, backup=True) def request_anon_keytab(self): parent = os.path.dirname(paths.ANON_KEYTAB) @@ -326,7 +326,7 @@ class HTTPInstance(service.Service): os.makedirs(parent, 0o755) self.run_getkeytab(self.api.env.ldap_uri, paths.ANON_KEYTAB, ANON_USER) - pent = pwd.getpwnam(self.service_user) + pent = pwd.getpwnam(IPAAPI_USER) os.chmod(parent, 0o700) os.chown(parent, pent.pw_uid, pent.pw_gid) os.chown(paths.ANON_KEYTAB, pent.pw_uid, pent.pw_gid) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 9230e7005..ef6a399ad 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -44,6 +44,7 @@ import six from six.moves.configparser import SafeConfigParser, NoOptionError # pylint: enable=import-error +from ipalib.constants import IPAAPI_USER, IPAAPI_GROUP from ipalib.install import sysrestore from ipalib.install.kinit import kinit_password import ipaplatform @@ -55,6 +56,7 @@ from ipalib import api, errors, x509 from ipapython.dn import DN from ipaserver.install import certs, service, sysupgrade from ipaplatform import services +from ipaplatform.constants import constants from ipaplatform.paths import paths from ipaplatform.tasks import tasks 
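Review bot: The rewritten `nssdb.create_db(user=IPAAPI_USER, group=IPAAPI_GROUP, backup=True)` drops the explicit `mode=0o751`, so the RA cert store directory gets whatever default create_db applies, which is not visible here; the same change is made in ipaserver/install/plugins/update_ra_cert_store.py. If the default is the intended tighter mode now that only the ipaapi user needs this database, a comment such as `# default mode: only the ipaapi user needs this DB` would stop someone restoring 0o751; if it is not, the mode should be passed explicitly. The enclosing method starts outside the hunk.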
@@ -1513,3 +1515,14 @@ def default_subject_base(realm_name): def default_ca_subject_dn(subject_base): return DN(('CN', 'Certificate Authority'), subject_base) + + +def create_ipaapi_user(): + """Create IPA API user/group if it doesn't exist yet.""" + tasks.create_system_user( + name=IPAAPI_USER, + group=IPAAPI_GROUP, + homedir=paths.VAR_LIB, + shell=paths.NOLOGIN + ) + tasks.add_user_to_group(constants.HTTPD_USER, IPAAPI_GROUP) diff --git a/ipaserver/install/plugins/update_ra_cert_store.py b/ipaserver/install/plugins/update_ra_cert_store.py index 3d1ce9506..d7d28fd7d 100644 --- a/ipaserver/install/plugins/update_ra_cert_store.py +++ b/ipaserver/install/plugins/update_ra_cert_store.py @@ -7,8 +7,8 @@ import os from ipalib import Registry from ipalib import Updater +from ipalib.constants import IPAAPI_USER, IPAAPI_GROUP from ipalib.install import certmonger -from ipaplatform.constants import constants from ipaplatform.paths import paths from ipapython import certdb @@ -37,9 +37,7 @@ class update_ra_cert_store(Updater): return False, [] else: # Create the DB - newdb.create_db(user=constants.HTTPD_USER, - group=constants.HTTPD_GROUP, - mode=0o751, backup=True) + newdb.create_db(user=IPAAPI_USER, group=IPAAPI_GROUP, backup=True) # Import cert chain (ignore errors, as certs may already be imported) certlist = olddb.list_certs() diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 666e2a536..0b3ea4786 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -38,7 +38,7 @@ from ipaserver.install import ( from ipaserver.install.installutils import ( IPA_MODULES, BadHostError, get_fqdn, get_server_ip_address, is_ipa_configured, load_pkcs12, read_password, verify_fqdn, - update_hosts_file) + update_hosts_file, create_ipaapi_user) if six.PY3: unicode = str 
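Review bot: The docstring `"""Create IPA API user/group if it doesn't exist yet."""` covers only half of create_ipaapi_user; the second statement makes `constants.HTTPD_USER` a member of IPAAPI_GROUP, which is the part the ccache and RA DB permissions elsewhere in this commit depend on. Suggest `"""Create the IPA API user/group if missing and add the httpd user to that group."""`. The "if it doesn't exist yet" behaviour appears to be delegated to tasks.create_system_user rather than checked here, so the function is safe to call on every install and upgrade only as long as that stays true; a short comment noting the reliance would help.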
@@ -710,6 +710,7 @@ def install(installer): update_hosts_file(ip_addresses, host_name, fstore) # Make sure tmpfiles dir exist before installing components + create_ipaapi_user() tasks.create_tmpfiles_dirs() # create NSS Databases diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index f0b04523c..018cebcd9 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -40,7 +40,8 @@ from ipaserver.install import ( installutils, kra, krbinstance, ntpinstance, otpdinstance, custodiainstance, service) from ipaserver.install.installutils import ( - create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured) + create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured, + create_ipaapi_user) from ipaserver.install.replication import ( ReplicationManager, replica_conn_check) import SSSDConfig @@ -1305,6 +1306,7 @@ def install(installer): ccache = os.environ['KRB5CCNAME'] # Make sure tmpfiles dir exist before installing components + create_ipaapi_user() tasks.create_tmpfiles_dirs() if promote: diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index f116e856a..509f19647 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1807,6 +1807,7 @@ def upgrade_check(options): def upgrade(): # Do this early so that any code depending on these dirs will not fail + installutils.create_ipaapi_user() tasks.create_tmpfiles_dirs() tasks.configure_tmpfiles() |
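Review bot: In install(), `create_ipaapi_user()` is inserted between the comment `# Make sure tmpfiles dir exist before installing components` and the `tasks.create_tmpfiles_dirs()` call it describes, so the comment now reads as if it explained the user creation; the same placement appears in ipaserver/install/server/replicainstall.py and upgrade.py. Either move the call above the comment or give it its own line, e.g. `# The ccaches dir is owned by the ipaapi user, so that account must exist first`. The ordering itself is right: create_tmpfiles_dirs now calls pwd.getpwnam(IPAAPI_USER) and would fail if the user were created after it.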