summaryrefslogtreecommitdiffstats
path: root/ipaserver
diff options
context:
space:
mode:
authorMartin Kosek <mkosek@redhat.com>2011-08-30 16:32:40 +0200
committerMartin Kosek <mkosek@redhat.com>2011-09-07 13:02:43 +0200
commitd0ce604b4d69d7f6fa5e0bb81647f839abd6291d (patch)
treee26f64ecdf6335410fe588eb8601a522943aeed8 /ipaserver
parent95beb84464b59813c050aa87fb39aea5a0bf6c39 (diff)
downloadfreeipa-d0ce604b4d69d7f6fa5e0bb81647f839abd6291d.tar.gz
freeipa-d0ce604b4d69d7f6fa5e0bb81647f839abd6291d.tar.xz
freeipa-d0ce604b4d69d7f6fa5e0bb81647f839abd6291d.zip
Fix permissions in installers
Fix permissions for (configuration) files produced by ipa-server-install or ipa-client-install. This patch is needed when root has a umask preventing files from being world readable. https://fedorahosted.org/freeipa/ticket/1644
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/dsinstance.py15
-rw-r--r--ipaserver/install/httpinstance.py16
-rw-r--r--ipaserver/install/krbinstance.py6
3 files changed, 24 insertions, 13 deletions
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index fdbddb0ee..2b996b5c8 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -356,13 +356,14 @@ class DsInstance(service.Service):
self.sub_dict['BASEDC'] = self.realm_name.split('.')[0].lower()
base_txt = ipautil.template_str(BASE_TEMPLATE, self.sub_dict)
logging.debug(base_txt)
- old_umask = os.umask(022) # must be readable for dirsrv
- try:
- base_fd = open("/var/lib/dirsrv/boot.ldif", "w")
- base_fd.write(base_txt)
- base_fd.close()
- finally:
- os.umask(old_umask)
+
+ target_fname = '/var/lib/dirsrv/boot.ldif'
+ base_fd = open(target_fname, "w")
+ base_fd.write(base_txt)
+ base_fd.close()
+
+ # Must be readable for dirsrv
+ os.chmod(target_fname, 0440)
inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict)
logging.debug("writing inf template")
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 04d1ed402..775d5a781 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -136,17 +136,21 @@ class HTTPInstance(service.Service):
os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)
def __configure_http(self):
+ target_fname = '/etc/httpd/conf.d/ipa.conf'
http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
self.fstore.backup_file("/etc/httpd/conf.d/ipa.conf")
- http_fd = open("/etc/httpd/conf.d/ipa.conf", "w")
+ http_fd = open(target_fname, "w")
http_fd.write(http_txt)
http_fd.close()
+ os.chmod(target_fname, 0644)
+ target_fname = '/etc/httpd/conf.d/ipa-rewrite.conf'
http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa-rewrite.conf", self.sub_dict)
self.fstore.backup_file("/etc/httpd/conf.d/ipa-rewrite.conf")
- http_fd = open("/etc/httpd/conf.d/ipa-rewrite.conf", "w")
+ http_fd = open(target_fname, "w")
http_fd.write(http_txt)
http_fd.close()
+ os.chmod(target_fname, 0644)
def __disable_mod_ssl(self):
if os.path.exists(SSL_CONF):
@@ -227,10 +231,12 @@ class HTTPInstance(service.Service):
os.chmod(certs.CA_SERIALNO, 0664)
def __setup_autoconfig(self):
+ target_fname = '/usr/share/ipa/html/preferences.html'
prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "preferences.html.template", self.sub_dict)
- prefs_fd = open("/usr/share/ipa/html/preferences.html", "w")
+ prefs_fd = open(target_fname, "w")
prefs_fd.write(prefs_txt)
prefs_fd.close()
+ os.chmod(target_fname, 0644)
# The signing cert is generated in __setup_ssl
db = certs.CertDB(self.realm, subject_base=self.subject_base)
@@ -240,12 +246,14 @@ class HTTPInstance(service.Service):
pwdfile.close()
tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+ target_fname = '/usr/share/ipa/html/configure.jar'
shutil.copy("/usr/share/ipa/html/preferences.html", tmpdir)
db.run_signtool(["-k", "Signing-Cert",
- "-Z", "/usr/share/ipa/html/configure.jar",
+ "-Z", target_fname,
"-e", ".html", "-p", pwd,
tmpdir])
shutil.rmtree(tmpdir)
+ os.chmod(target_fname, 0755) # everyone can execute the jar
def __publish_ca_cert(self):
ca_db = certs.CertDB(self.realm)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 8f2cf2c05..dcf10a7cd 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -282,13 +282,15 @@ class KrbInstance(service.Service):
def __add_default_acis(self):
self._ldap_mod("default-aci.ldif", self.sub_dict)
- def __template_file(self, path):
+ def __template_file(self, path, chmod=0644):
template = os.path.join(ipautil.SHARE_DIR, os.path.basename(path) + ".template")
conf = ipautil.template_file(template, self.sub_dict)
self.fstore.backup_file(path)
fd = open(path, "w+")
fd.write(conf)
fd.close()
+ if chmod is not None:
+ os.chmod(path, chmod)
def __init_ipa_kdb(self):
#populate the directory with the realm structure
@@ -301,7 +303,7 @@ class KrbInstance(service.Service):
print "Failed to initialize the realm container"
def __configure_instance(self):
- self.__template_file("/var/kerberos/krb5kdc/kdc.conf")
+ self.__template_file("/var/kerberos/krb5kdc/kdc.conf", chmod=None)
self.__template_file("/etc/krb5.conf")
self.__template_file("/usr/share/ipa/html/krb5.ini")
self.__template_file("/usr/share/ipa/html/krb.con")