author | Simo Sorce <simo@redhat.com> | 2016-08-16 09:03:19 -0400 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2017-02-15 07:13:37 +0100 |
commit | 4fd89833ee5421b05c10329d627d0e0fc8496046 (patch) | |
tree | f6b6eb3492859af483d3e9542253f0894ca11043 /install | |
parent | c2b1b2a36200b50babfda1eca37fb4b51fefa9c6 (diff) | |
download | freeipa-4fd89833ee5421b05c10329d627d0e0fc8496046.tar.gz freeipa-4fd89833ee5421b05c10329d627d0e0fc8496046.tar.xz freeipa-4fd89833ee5421b05c10329d627d0e0fc8496046.zip |
Add a new user to run the framework code
Add the apache user to the ipawebui group.
Make the ccaches directory owned by the ipawebui group and make
mod_auth_gssapi write the ccache files as r/w by the apache user and
the ipawebui group.
Fix tmpfiles creation ownership and permissions to allow the user to
access ccaches files.
The webui framework now works as a separate user than apache, so the certs
used to access the dogtag instance need to be usable by this new user as well.
Both apache and the webui user are in the ipawebui group, so use that.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'install')
-rw-r--r-- | install/conf/ipa.conf | 5 | ||||
-rw-r--r-- | install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf | 2 | ||||
-rw-r--r-- | install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf | 2 | ||||
-rw-r--r-- | install/oddjob/etc/oddjobd.conf.d/ipa-server.conf | 2 | ||||
-rw-r--r-- | install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf | 2 | ||||
-rw-r--r-- | install/share/gssproxy.conf.template | 8 | ||||
-rw-r--r-- | install/share/ipa.conf.tmpfiles | 4 |
7 files changed, 17 insertions, 8 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index c1b10d035..f0330c544 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 22 - DO NOT REMOVE THIS LINE
+# VERSION 23 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -42,7 +42,7 @@ WSGISocketPrefix /run/httpd/wsgi
 # Configure mod_wsgi handler for /ipa
 WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
- display-name=%{GROUP} socket-timeout=2147483647
+ user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647
 WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
 WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
 WSGIScriptReloading Off
@@ -70,6 +70,7 @@ WSGIScriptReloading Off
 GssapiSessionKey file:/etc/httpd/alias/ipasession.key
 GssapiDelegCcacheDir /var/run/ipa/ccaches
+ GssapiDelegCcachePerms mode:0660 gid:ipaapi
 GssapiUseS4U2Proxy on
 GssapiAllowedMech krb5
 Require valid-user
diff --git a/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf
index 2e4c1367b..a1955d6b7 100644
--- a/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf
+++ b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf
@@ -30,7 +30,7 @@
 send_member="Get"/>
 </policy>
- <policy user="apache">
+ <policy user="ipaapi">
 <allow send_destination="com.redhat.idm.trust"
 send_path="/"
 send_interface="com.redhat.idm.trust"
diff --git a/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
index b2cbf746f..577611f01 100644
--- a/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
+++ b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
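Review bot: `GssapiDelegCcachePerms mode:0660 gid:ipaapi` in the third hunk only works if the httpd process that mod_auth_gssapi runs in is itself a member of the ipaapi group — a process cannot chgrp a file it creates to a group it does not belong to — and nothing in this diff records that precondition; the commit message talks about an `ipawebui` group while every file here uses `ipaapi`, so the message and the configuration should be reconciled. The same dependency applies to the `0770 ipaapi ipaapi` entry for /var/run/ipa/ccaches in install/share/ipa.conf.tmpfiles. Suggest a comment above the new directive: `# ccache files are created by httpd but consumed by the ipaapi WSGI daemon configured above; httpd must be a member of the ipaapi group` (the membership is presumably added by the installer outside install/, which this diffstat does not cover). The `<Location>` block holding these directives starts and ends outside the hunk.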
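Review bot: The `<policy user="ipaapi">` hunk replaces the apache entry instead of adding alongside it, so httpd itself loses access to com.redhat.idm.trust; the same swap is made in org.freeipa.server.conf, oddjobd.conf.d/ipa-server.conf and oddjobd.conf.d/oddjobd-ipa-trust.conf in the following hunks. That is the intended least-privilege outcome, but none of the four files says why the user changed, and a future reader may be tempted to add apache back; suggest a comment such as `<!-- the IPA WSGI framework runs as ipaapi (install/conf/ipa.conf); httpd itself needs no access -->`. These policies are matched by user name, so the ipaapi account has to exist before dbus-daemon and oddjobd reload their configuration — presumably the installer orders this, but it is not visible here. The enclosing `<busconfig>` element starts and ends outside the hunk.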
@@ -10,7 +10,7 @@
 <allow send_destination="org.freeipa.server"
 send_interface="org.freeipa.server"/>
 </policy>
- <policy user="apache">
+ <policy user="ipaapi">
 <allow send_destination="org.freeipa.server"
 send_interface="org.freeipa.server"/>
 </policy>
diff --git a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
index 3f806966b..012e3cbe3 100644
--- a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
+++ b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
@@ -2,7 +2,7 @@
 <oddjobconfig>
 <service name="org.freeipa.server">
 <allow user="root"/>
- <allow user="apache"/>
+ <allow user="ipaapi"/>
 <object name="/">
 <interface name="org.freeipa.server">
 <method name="conncheck">
diff --git a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
index bc2e8d191..630a4e6cd 100644
--- a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
+++ b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
@@ -2,7 +2,7 @@
 <oddjobconfig>
 <service name="com.redhat.idm.trust">
 <allow user="root"/>
- <allow user="apache"/>
+ <allow user="ipaapi"/>
 <object name="/">
 <interface name="org.freedesktop.DBus.Introspectable">
 <allow min_uid="0" max_uid="0"/>
diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index cb5775de6..fbb158a68 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -6,3 +6,11 @@
 allow_protocol_transition = true
 cred_usage = both
 euid = $HTTPD_USER
+
+[service/ipa-api]
+ mechs = krb5
+ cred_store = keytab:$HTTP_KEYTAB
+ cred_store = client_keytab:$HTTP_KEYTAB
+ allow_constrained_delegation = true
+ cred_usage = initiate
+ euid = $IPAAPI_USER
diff --git a/install/share/ipa.conf.tmpfiles b/install/share/ipa.conf.tmpfiles
index 3037787da..573139bf2 100644
--- a/install/share/ipa.conf.tmpfiles
+++ b/install/share/ipa.conf.tmpfiles
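Review bot: The new `[service/ipa-api]` section in the gssproxy.conf.template hunk hands the ipaapi process the HTTP keytab with `allow_constrained_delegation = true` but, unlike the HTTPD section directly above it, sets `cred_usage = initiate` and omits `allow_protocol_transition`; that asymmetry is the security-relevant part of the change and is not explained anywhere in the template. Suggest a comment at the top of the section, e.g. `# the framework only initiates (S4U2Proxy) using delegations httpd already established; S4U2Self stays with the HTTPD service`, hedged as my reading of the intent. `$IPAAPI_USER` is also a new template variable that the substitution code outside install/ must now supply, otherwise the `euid` line is rendered literally and gssproxy would presumably reject the section — worth listing next to `$HTTPD_USER` in whatever documents the template's variables. The HTTPD section this hunk appends to starts outside the hunk.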
@@ -1,2 +1,2 @@
-d /var/run/ipa 0700 root root
-d /var/run/ipa/ccaches 0700 apache apache
+d /var/run/ipa 0711 root root
+d /var/run/ipa/ccaches 0770 ipaapi ipaapi
|
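Review bot: `d /var/run/ipa 0711 root root` opens search permission on the parent directory to every local user, not just ipaapi, so the protection of anything else placed under /var/run/ipa now rests entirely on that entry's own mode rather than on the parent; that is acceptable for ccaches (0770) but should be recorded so later additions to this file are created with an explicit restrictive mode. Suggest a leading comment: `# /var/run/ipa is world-searchable only so ipaapi can reach ccaches; every entry below must carry its own restrictive mode`. The 0700 to 0711 relaxation is otherwise the minimum needed for a non-root owner of the subdirectory to traverse into it.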