diff options
author | Simo Sorce <simo@redhat.com> | 2016-08-16 09:03:19 -0400 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2017-02-15 07:13:37 +0100 |
commit | 4fd89833ee5421b05c10329d627d0e0fc8496046 (patch) | |
tree | f6b6eb3492859af483d3e9542253f0894ca11043 /install/oddjob | |
parent | c2b1b2a36200b50babfda1eca37fb4b51fefa9c6 (diff) | |
download | freeipa-4fd89833ee5421b05c10329d627d0e0fc8496046.tar.gz freeipa-4fd89833ee5421b05c10329d627d0e0fc8496046.tar.xz freeipa-4fd89833ee5421b05c10329d627d0e0fc8496046.zip |
Add a new user to run the framework code
Add the apache user the ipawebui group.
Make the ccaches directory owned by the ipawebui group and make
mod_auth_gssapi write the ccache files as r/w by the apache user and
the ipawebui group.
Fix tmpfiles creation ownership and permissions to allow the user to
access ccaches files.
The webui framework now works as a separate user than apache, so the certs
used to access the dogtag instance need to be usable by this new user as well.
Both apache and the webui user are in the ipawebui group, so use that.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'install/oddjob')
4 files changed, 4 insertions, 4 deletions
diff --git a/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf index 2e4c1367b..a1955d6b7 100644 --- a/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf +++ b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf @@ -30,7 +30,7 @@ send_member="Get"/> </policy> - <policy user="apache"> + <policy user="ipaapi"> <allow send_destination="com.redhat.idm.trust" send_path="/" send_interface="com.redhat.idm.trust" diff --git a/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf index b2cbf746f..577611f01 100644 --- a/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf +++ b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf @@ -10,7 +10,7 @@ <allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/> </policy> - <policy user="apache"> + <policy user="ipaapi"> <allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/> </policy> diff --git a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf index 3f806966b..012e3cbe3 100644 --- a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf +++ b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf @@ -2,7 +2,7 @@ <oddjobconfig> <service name="org.freeipa.server"> <allow user="root"/> - <allow user="apache"/> + <allow user="ipaapi"/> <object name="/"> <interface name="org.freeipa.server"> <method name="conncheck"> diff --git a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf index bc2e8d191..630a4e6cd 100644 --- a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf +++ b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf @@ -2,7 +2,7 @@ <oddjobconfig> <service name="com.redhat.idm.trust"> <allow user="root"/> - <allow user="apache"/> + <allow user="ipaapi"/> <object name="/"> <interface name="org.freedesktop.DBus.Introspectable"> <allow min_uid="0" max_uid="0"/> |