author | Martin Basti <mbasti@redhat.com> | 2017-01-31 20:27:11 +0100 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2017-02-10 14:03:04 +0100 |
commit | 69072cb80f8c4b7f6eff0c7cdfe6545fe59ea7b5 (patch) | |
tree | 01fa8695700478f5f98e3d73e6e1c8c082f6e200 /ipaserver/install | |
parent | 488d01ced715929d47f6766a63b7d6c597125562 (diff) | |
py3: change_admin_password: use textual mode
Convert function to NamedTemporaryFile with textual mode, because
passwords are text. Using `with` and NamedTemporaryFile gives more
security against leaking passwords from tempfiles.
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/dsinstance.py | 24 |
1 files changed, 8 insertions, 16 deletions
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index ceb7bf3fe..8e979a7aa 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -951,21 +951,19 @@ class DsInstance(service.Service): def change_admin_password(self, password): root_logger.debug("Changing admin password") - dmpwdfile = "" - admpwdfile = "" - try: - (dmpwdfd, dmpwdfile) = tempfile.mkstemp(dir=paths.VAR_LIB_IPA) - os.write(dmpwdfd, self.dm_password) - os.close(dmpwdfd) + dir_ipa = paths.VAR_LIB_IPA + with tempfile.NamedTemporaryFile("w", dir=dir_ipa) as dmpwdfile, \ + tempfile.NamedTemporaryFile("w", dir=dir_ipa) as admpwdfile: + dmpwdfile.write(self.dm_password) + dmpwdfile.flush() - (admpwdfd, admpwdfile) = tempfile.mkstemp(dir=paths.VAR_LIB_IPA) - os.write(admpwdfd, password) - os.close(admpwdfd) + admpwdfile.write(password) + admpwdfile.flush() args = [paths.LDAPPASSWD, "-h", self.fqdn, "-ZZ", "-x", "-D", str(DN(('cn', 'Directory Manager'))), - "-y", dmpwdfile, "-T", admpwdfile, + "-y", dmpwdfile.name, "-T", admpwdfile.name, str(DN(('uid', 'admin'), ('cn', 'users'), ('cn', 'accounts'), self.suffix))] try: env = {'LDAPTLS_CACERTDIR': os.path.dirname(paths.IPA_CA_CRT), @@ -976,12 +974,6 @@ class DsInstance(service.Service): print("Unable to set admin password", e) root_logger.debug("Unable to set admin password %s" % e) - finally: - if os.path.isfile(dmpwdfile): - os.remove(dmpwdfile) - if os.path.isfile(admpwdfile): - os.remove(admpwdfile) - def uninstall(self): if self.is_configured(): self.print_msg("Unconfiguring directory server") |
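Review bot: Both `tempfile.NamedTemporaryFile("w", dir=dir_ipa)` calls open the password files in text mode without naming an encoding, so the bytes that ldappasswd reads through `-y` and `-T` depend on the locale the installer runs under. A password containing non-ASCII characters could then raise UnicodeEncodeError under a C/POSIX locale, and that happens outside the `try` that only catches `ipautil.CalledProcessError`. It could also be written in an encoding other than the UTF-8 that LDAP clients normally send at bind time, leaving the admin account with a password that later binds do not match. Where only Python 3 has to be supported, `tempfile.NamedTemporaryFile("w", dir=dir_ipa, encoding="utf-8")` pins the encoding; while Python 2 is still supported, a comment such as `# text mode: password is written in the locale's preferred encoding` would at least record the assumption. The `try` block that runs ldappasswd continues past the end of this hunk.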