authorSimo Sorce <simo@redhat.com>2016-08-16 09:03:19 -0400
committerJan Cholasta <jcholast@redhat.com>2017-02-15 07:13:37 +0100
commit4fd89833ee5421b05c10329d627d0e0fc8496046 (patch)
treef6b6eb3492859af483d3e9542253f0894ca11043 /ipaplatform
parentc2b1b2a36200b50babfda1eca37fb4b51fefa9c6 (diff)
Add a new user to run the framework code
Add the apache user to the ipawebui group. Make the ccaches directory owned by the ipawebui group and make mod_auth_gssapi write the ccache files as r/w by the apache user and the ipawebui group. Fix tmpfiles creation ownership and permissions to allow the user to access ccaches files. The webui framework now works as a separate user from apache, so the certs used to access the dogtag instance need to be usable by this new user as well. Both apache and the webui user are in the ipawebui group, so use that. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaplatform')
-rw-r--r--ipaplatform/base/paths.py1
-rw-r--r--ipaplatform/base/tasks.py15
-rw-r--r--ipaplatform/redhat/tasks.py16
3 files changed, 26 insertions, 6 deletions
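--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -203,6 +203,7 @@ class BasePathNamespace(object):
 DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
 GETSEBOOL = "/usr/sbin/getsebool"
 GROUPADD = "/usr/sbin/groupadd"
+ USERMOD = "/usr/sbin/usermod"
 HTTPD = "/usr/sbin/httpd"
 IPA_CLIENT_INSTALL = "/usr/sbin/ipa-client-install"
 IPA_DNS_INSTALL = "/usr/sbin/ipa-dns-install"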
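--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -181,7 +181,9 @@ class BaseTaskNamespace(object):
 raise NotImplementedError()
- def create_system_user(self, name, group, homedir, shell, uid=None, gid=None, comment=None, create_homedir=False):
+ def create_system_user(self, name, group, homedir, shell,
+ uid=None, gid=None, comment=None,
+ create_homedir=False, groups=None):
 """Create a system user with a corresponding group"""
 try:
 grp.getgrnam(group)
@@ -218,6 +220,8 @@ class BaseTaskNamespace(object):
 args += ['-m']
 else:
 args += ['-M']
+ if groups is not None:
+ args += ['-G', groups.join(',')]
 try:
 ipautil.run(args)
 log.debug('Done adding user')
@@ -261,3 +265,12 @@ class BaseTaskNamespace(object):
 def is_fips_enabled(self):
 return False
+
+ def add_user_to_group(self, user, group):
+ log.debug('Adding user %s to group %s', user, group)
+ args = [paths.USERMOD, '-a', '-G', group, user]
+ try:
+ ipautil.run(args)
+ log.debug('Done adding user to group')
+ except ipautil.CalledProcessError as e:
+ log.debug('Failed to add user to group: %s', e)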
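Review bot: `groups.join(',')` in the second hunk of create_system_user is inverted: if `groups` is a list it raises AttributeError, and if it is a string `'x'.join(',')` simply yields `','`, so useradd never receives the intended supplementary groups; it should read `args += ['-G', ','.join(groups)]`. Since `-G` takes a comma-separated list, a list or tuple of group names is presumably the intended type of the new `groups=None` parameter, which the docstring should state, e.g. `:param groups: optional list of supplementary group names, passed to useradd -G`. In add_user_to_group a failed usermod is logged only at debug level and then swallowed; the commit description relies on apache being in the ipawebui group to reach the 0o770 ccache directory, so a silent failure here leaves the webui without access and deserves at least `log.error(...)`, if not a re-raise, so the installer surfaces it. The body of create_system_user continues outside the hunks shown.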
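--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -51,6 +51,8 @@ from ipaplatform.paths import paths
 from ipaplatform.redhat.authconfig import RedHatAuthConfig
 from ipaplatform.base.tasks import BaseTaskNamespace
+from ipalib.constants import IPAAPI_USER
+
 _ffi = FFI()
 _ffi.cdef("""
 int rpmvercmp (const char *a, const char *b);
@@ -411,7 +413,9 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 return True
- def create_system_user(self, name, group, homedir, shell, uid=None, gid=None, comment=None, create_homedir=False):
+ def create_system_user(self, name, group, homedir, shell,
+ uid=None, gid=None, comment=None,
+ create_homedir=False, groups=None):
 """
 Create a system user with a corresponding group
@@ -431,8 +435,9 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 if comment is None:
 comment = 'DS System User'
- super(RedHatTaskNamespace, self).create_system_user(name, group,
- homedir, shell, uid, gid, comment, create_homedir)
+ super(RedHatTaskNamespace, self).create_system_user(
+ name, group, homedir, shell, uid, gid, comment, create_homedir,
+ groups)
 def parse_ipa_version(self, version):
 """
@@ -467,7 +472,8 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 dict(
 HTTP_KEYTAB=paths.HTTP_KEYTAB,
 HTTP_CCACHE=paths.HTTP_CCACHE,
- HTTPD_USER=constants.HTTPD_USER
+ HTTPD_USER=constants.HTTPD_USER,
+ IPAAPI_USER=IPAAPI_USER,
 )
 )
@@ -520,7 +526,7 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 def create_tmpfiles_dirs(self):
 parent = os.path.dirname(paths.IPA_CCACHES)
- pent = pwd.getpwnam(constants.HTTPD_USER)
+ pent = pwd.getpwnam(IPAAPI_USER)
 self._create_tmpfiles_dir(parent, 0o711, 0, 0)
 self._create_tmpfiles_dir(paths.IPA_CCACHES, 0o770,
 pent.pw_uid, pent.pw_gid)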
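Review bot: create_tmpfiles_dirs in the last hunk creates the 0o770 ccache directory owned by `pent.pw_gid`, the primary group of IPAAPI_USER, while the commit description says the directory must be owned by the ipawebui group so that apache can reach it; that only holds if IPAAPI_USER's primary group is that shared group, which nothing in this file establishes, so either document the assumption, e.g. `# ccaches is 0o770: apache reaches it only through IPAAPI_USER's primary group, which must be the shared webui group`, or resolve the group explicitly by name with `grp.getgrnam`. `pwd.getpwnam(IPAAPI_USER)` raises KeyError when the user has not been created yet, as it did with HTTPD_USER before, so the ordering dependency on create_system_user is worth a note as well. As a point of style, the template dict in the fourth hunk mixes `constants.HTTPD_USER` with a bare `IPAAPI_USER` imported directly from ipalib.constants; if the same value is reachable through the module's existing `constants` namespace, using that would keep the two entries uniform.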