authorSimo Sorce <simo@redhat.com>2016-08-16 09:03:19 -0400
committerSimo Sorce <simo@redhat.com>2017-02-14 17:37:37 -0500
commit968c07d8a4a6265cf44210a3285eadd216c8e5fb (patch)
tree652d89ff2174ca7095e28dbf0fbb260847a48b27 /ipaserver/install/plugins
parentd031ba5c1ca00fab95c5bbd363b0f66550770445 (diff)
Add a new user to run the framework code
Add the apache user to the ipawebui group. Make the ccaches directory owned by the ipawebui group and make mod_auth_gssapi write the ccache files as readable and writable by the apache user and the ipawebui group. Fix tmpfiles creation ownership and permissions to allow the user to access the ccache files. The webui framework now runs as a separate user from apache, so the certs used to access the dogtag instance need to be usable by this new user as well. Both apache and the webui user are in the ipawebui group, so use that group. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'ipaserver/install/plugins')
-rw-r--r--ipaserver/install/plugins/update_ra_cert_store.py6
1 files changed, 2 insertions, 4 deletions
diff --git a/ipaserver/install/plugins/update_ra_cert_store.py b/ipaserver/install/plugins/update_ra_cert_store.py
index 3d1ce9506..d7d28fd7d 100644
--- a/ipaserver/install/plugins/update_ra_cert_store.py
+++ b/ipaserver/install/plugins/update_ra_cert_store.py
@@ -7,8 +7,8 @@ import os
from ipalib import Registry
from ipalib import Updater
+from ipalib.constants import IPAAPI_USER, IPAAPI_GROUP
from ipalib.install import certmonger
-from ipaplatform.constants import constants
from ipaplatform.paths import paths
from ipapython import certdb
@@ -37,9 +37,7 @@ class update_ra_cert_store(Updater):
return False, []
else:
# Create the DB
- newdb.create_db(user=constants.HTTPD_USER,
- group=constants.HTTPD_GROUP,
- mode=0o751, backup=True)
+ newdb.create_db(user=IPAAPI_USER, group=IPAAPI_GROUP, backup=True)
# Import cert chain (ignore errors, as certs may already be imported)
certlist = olddb.list_certs()
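Review bot: The new `newdb.create_db(user=IPAAPI_USER, group=IPAAPI_GROUP, backup=True)` call drops the explicit `mode`, so the permissions on the RA certificate database now depend on `create_db`'s default, which is not visible in this hunk. Since this store holds the credentials used to reach the dogtag instance and is meant to be shared only through the group, the intended permissions should be readable at the call site. Either pass the mode explicitly or add a comment such as `# mode: create_db default; DB must be accessible to IPAAPI_USER and IPAAPI_GROUP only, no access for others`. The `return False, []` branch above suggests that a database created by an earlier run is left as is, so it is worth confirming that its ownership is moved from the httpd user and group elsewhere in the upgrade. The enclosing method starts and ends outside the hunk.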