Add a new user to run the framework code

Add the apache user the ipawebui group. Make the ccaches directory owned by the ipawebui group and make mod_auth_gssapi write the ccache files as r/w by the apache user and the ipawebui group. Fix tmpfiles creation ownership and permissions to allow the user to access ccaches files. The webui framework now works as a separate user than apache, so the certs used to access the dogtag instance need to be usable by this new user as well. Both apache and the webui user are in the ipawebui group, so use that. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
author: Simo Sorce <simo@redhat.com> 2016-08-16 09:03:19 -0400
committer: Jan Cholasta <jcholast@redhat.com> 2017-02-15 07:13:37 +0100
commit: 4fd89833ee5421b05c10329d627d0e0fc8496046 (patch)
tree: f6b6eb3492859af483d3e9542253f0894ca11043 /install
parent: c2b1b2a36200b50babfda1eca37fb4b51fefa9c6 (diff)
download: freeipa-4fd89833ee5421b05c10329d627d0e0fc8496046.tar.gz
freeipa-4fd89833ee5421b05c10329d627d0e0fc8496046.tar.xz
freeipa-4fd89833ee5421b05c10329d627d0e0fc8496046.zip
7 files changed, 17 insertions, 8 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index c1b10d035..f0330c544 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 22 - DO NOT REMOVE THIS LINE
+# VERSION 23 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -42,7 +42,7 @@ WSGISocketPrefix /run/httpd/wsgi
 
 # Configure mod_wsgi handler for /ipa
 WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
- display-name=%{GROUP} socket-timeout=2147483647
+ user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647
 WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
 WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
 WSGIScriptReloading Off
@@ -70,6 +70,7 @@ WSGIScriptReloading Off
   GssapiSessionKey file:/etc/httpd/alias/ipasession.key
 
   GssapiDelegCcacheDir /var/run/ipa/ccaches
+  GssapiDelegCcachePerms mode:0660 gid:ipaapi
   GssapiUseS4U2Proxy on
   GssapiAllowedMech krb5
   Require valid-user
diff --git a/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf
index 2e4c1367b..a1955d6b7 100644
--- a/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf
+++ b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf
@@ -30,7 +30,7 @@
            send_member="Get"/>
   </policy>
 
-  <policy user="apache">
+  <policy user="ipaapi">
     <allow send_destination="com.redhat.idm.trust"
            send_path="/"
            send_interface="com.redhat.idm.trust"
diff --git a/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
index b2cbf746f..577611f01 100644
--- a/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
+++ b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
@@ -10,7 +10,7 @@
     <allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/>
   </policy>
 
-  <policy user="apache">
+  <policy user="ipaapi">
     <allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/>
   </policy>
 
diff --git a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
index 3f806966b..012e3cbe3 100644
--- a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
+++ b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
@@ -2,7 +2,7 @@
 <oddjobconfig>
   <service name="org.freeipa.server">
     <allow user="root"/>
-    <allow user="apache"/>
+    <allow user="ipaapi"/>
     <object name="/">
       <interface name="org.freeipa.server">
         <method name="conncheck">
diff --git a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
index bc2e8d191..630a4e6cd 100644
--- a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
+++ b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
@@ -2,7 +2,7 @@
 <oddjobconfig>
   <service name="com.redhat.idm.trust">
     <allow user="root"/>
-    <allow user="apache"/>
+    <allow user="ipaapi"/>
     <object name="/">
       <interface name="org.freedesktop.DBus.Introspectable">
         <allow min_uid="0" max_uid="0"/>
diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index cb5775de6..fbb158a68 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -6,3 +6,11 @@
   allow_protocol_transition = true
   cred_usage = both
   euid = $HTTPD_USER
+
+[service/ipa-api]
+  mechs = krb5
+  cred_store = keytab:$HTTP_KEYTAB
+  cred_store = client_keytab:$HTTP_KEYTAB
+  allow_constrained_delegation = true
+  cred_usage = initiate
+  euid = $IPAAPI_USER
diff --git a/install/share/ipa.conf.tmpfiles b/install/share/ipa.conf.tmpfiles
index 3037787da..573139bf2 100644
--- a/install/share/ipa.conf.tmpfiles
+++ b/install/share/ipa.conf.tmpfiles
@@ -1,2 +1,2 @@
-d /var/run/ipa 0700 root root
-d /var/run/ipa/ccaches 0700 apache apache
+d /var/run/ipa 0711 root root
+d /var/run/ipa/ccaches 0770 ipaapi ipaapi
author	Simo Sorce <simo@redhat.com>	2016-08-16 09:03:19 -0400
committer	Jan Cholasta <jcholast@redhat.com>	2017-02-15 07:13:37 +0100
commit	4fd89833ee5421b05c10329d627d0e0fc8496046 (patch)
tree	f6b6eb3492859af483d3e9542253f0894ca11043 /install
parent	c2b1b2a36200b50babfda1eca37fb4b51fefa9c6 (diff)
download	freeipa-4fd89833ee5421b05c10329d627d0e0fc8496046.tar.gz freeipa-4fd89833ee5421b05c10329d627d0e0fc8496046.tar.xz freeipa-4fd89833ee5421b05c10329d627d0e0fc8496046.zip