author | Martin Kosek <mkosek@redhat.com> | 2011-08-30 16:32:40 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2011-09-07 13:02:43 +0200 |
commit | d0ce604b4d69d7f6fa5e0bb81647f839abd6291d (patch) | |
tree | e26f64ecdf6335410fe588eb8601a522943aeed8 /ipaserver | |
parent | 95beb84464b59813c050aa87fb39aea5a0bf6c39 (diff) | |
Fix permissions in installers
Fix permissions for (configuration) files produced by
ipa-server-install or ipa-client-install. This patch is needed
when root has a umask preventing files from being world readable.
https://fedorahosted.org/freeipa/ticket/1644
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/dsinstance.py | 15 | ||||
-rw-r--r-- | ipaserver/install/httpinstance.py | 16 | ||||
-rw-r--r-- | ipaserver/install/krbinstance.py | 6 |
3 files changed, 24 insertions, 13 deletions
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index fdbddb0ee..2b996b5c8 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -356,13 +356,14 @@ class DsInstance(service.Service):
 self.sub_dict['BASEDC'] = self.realm_name.split('.')[0].lower()
 base_txt = ipautil.template_str(BASE_TEMPLATE, self.sub_dict)
 logging.debug(base_txt)
- old_umask = os.umask(022) # must be readable for dirsrv
- try:
- base_fd = open("/var/lib/dirsrv/boot.ldif", "w")
- base_fd.write(base_txt)
- base_fd.close()
- finally:
- os.umask(old_umask)
+
+ target_fname = '/var/lib/dirsrv/boot.ldif'
+ base_fd = open(target_fname, "w")
+ base_fd.write(base_txt)
+ base_fd.close()
+
+ # Must be readable for dirsrv
+ os.chmod(target_fname, 0440)
 inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict)
 logging.debug("writing inf template")
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 04d1ed402..775d5a781 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -136,17 +136,21 @@ class HTTPInstance(service.Service):
 os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)
 def __configure_http(self):
+ target_fname = '/etc/httpd/conf.d/ipa.conf'
 http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
 self.fstore.backup_file("/etc/httpd/conf.d/ipa.conf")
- http_fd = open("/etc/httpd/conf.d/ipa.conf", "w")
+ http_fd = open(target_fname, "w")
 http_fd.write(http_txt)
 http_fd.close()
+ os.chmod(target_fname, 0644)
+ target_fname = '/etc/httpd/conf.d/ipa-rewrite.conf'
 http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa-rewrite.conf", self.sub_dict)
 self.fstore.backup_file("/etc/httpd/conf.d/ipa-rewrite.conf")
- http_fd = open("/etc/httpd/conf.d/ipa-rewrite.conf", "w")
+ http_fd = open(target_fname, "w")
 http_fd.write(http_txt)
 http_fd.close()
+ os.chmod(target_fname, 0644)
 def __disable_mod_ssl(self):
 if os.path.exists(SSL_CONF):
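Review bot: In the dsinstance.py hunk, `os.chmod(target_fname, 0440)` grants read access only to the owner and group, and a file created by an installer running as root will normally be owned by root, so the comment "Must be readable for dirsrv" holds only if ownership is changed somewhere outside this hunk. The removed code produced a world-readable file through `os.umask(022)`, so this is a behaviour change as well as a tightening; if no chown follows, one to the directory server account belongs next to the chmod. The mode is also applied only after the content is written, so the file briefly carries whatever root's umask gives it; calling `os.fchmod(base_fd.fileno(), 0440)` right after `open()` closes that window. The enclosing method starts and ends outside the hunk.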
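Review bot: In `__configure_http` (httpinstance.py) the new `target_fname` is used for `open()` and `os.chmod()`, but `self.fstore.backup_file("/etc/httpd/conf.d/ipa.conf")` and its ipa-rewrite.conf counterpart still repeat the literal path, so the backed-up file and the written file can drift apart if one of them is edited; pass the variable instead, `self.fstore.backup_file(target_fname)`. The open/write/close/chmod sequence now appears twice here and again in `__setup_autoconfig` (the next hunk), and in none of the copies is the handle closed or the mode fixed if `write()` raises. A small private helper that writes inside `with open(...)` and then applies the mode would cover all three places.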
@@ -227,10 +231,12 @@ class HTTPInstance(service.Service):
 os.chmod(certs.CA_SERIALNO, 0664)
 def __setup_autoconfig(self):
+ target_fname = '/usr/share/ipa/html/preferences.html'
 prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "preferences.html.template", self.sub_dict)
- prefs_fd = open("/usr/share/ipa/html/preferences.html", "w")
+ prefs_fd = open(target_fname, "w")
 prefs_fd.write(prefs_txt)
 prefs_fd.close()
+ os.chmod(target_fname, 0644)
 # The signing cert is generated in __setup_ssl
 db = certs.CertDB(self.realm, subject_base=self.subject_base)
@@ -240,12 +246,14 @@ class HTTPInstance(service.Service):
 pwdfile.close()
 tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+ target_fname = '/usr/share/ipa/html/configure.jar'
 shutil.copy("/usr/share/ipa/html/preferences.html", tmpdir)
 db.run_signtool(["-k", "Signing-Cert",
- "-Z", "/usr/share/ipa/html/configure.jar",
+ "-Z", target_fname,
 "-e", ".html", "-p", pwd, tmpdir])
 shutil.rmtree(tmpdir)
+ os.chmod(target_fname, 0755) # everyone can execute the jar
 def __publish_ca_cert(self):
 ca_db = certs.CertDB(self.realm)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 8f2cf2c05..dcf10a7cd 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -282,13 +282,15 @@ class KrbInstance(service.Service):
 def __add_default_acis(self):
 self._ldap_mod("default-aci.ldif", self.sub_dict)
- def __template_file(self, path):
+ def __template_file(self, path, chmod=0644):
 template = os.path.join(ipautil.SHARE_DIR, os.path.basename(path) + ".template")
 conf = ipautil.template_file(template, self.sub_dict)
 self.fstore.backup_file(path)
 fd = open(path, "w+")
 fd.write(conf)
 fd.close()
+ if chmod is not None:
+ os.chmod(path, chmod)
 def __init_ipa_kdb(self):
 #populate the directory with the realm structure
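Review bot: In the second `__setup_autoconfig` hunk, `os.chmod(target_fname, 0755)` sets the execute bits on configure.jar, yet nothing visible here runs the file directly; it is written under /usr/share/ipa/html next to preferences.html, which gets 0644. If the jar is only read by the web server and downloaded by clients, read permission is enough and `os.chmod(target_fname, 0644)` would match the other files, so the wider mode is worth confirming before it is kept. `target_fname` is also reassigned to the jar path while `shutil.copy("/usr/share/ipa/html/preferences.html", tmpdir)` still spells out the first path; two separately named variables would read more clearly. The method begins in the previous hunk, outside this one.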
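Review bot: `__template_file` in krbinstance.py gains a `chmod` parameter with no documentation of what `None` means. A short docstring would settle it, for example `"""Render the template for path, back up the old file, write the result and set its mode to chmod; chmod=None leaves the mode untouched."""`. The parameter name also repeats the function called one line below (`os.chmod(path, chmod)`); `mode` is the more conventional name, though renaming it means updating the keyword at the call in `__configure_instance`.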
@@ -301,7 +303,7 @@ class KrbInstance(service.Service):
 print "Failed to initialize the realm container"
 def __configure_instance(self):
- self.__template_file("/var/kerberos/krb5kdc/kdc.conf")
+ self.__template_file("/var/kerberos/krb5kdc/kdc.conf", chmod=None)
 self.__template_file("/etc/krb5.conf")
 self.__template_file("/usr/share/ipa/html/krb5.ini")
 self.__template_file("/usr/share/ipa/html/krb.con") |
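Review bot: In `__configure_instance`, passing `chmod=None` for /var/kerberos/krb5kdc/kdc.conf leaves its mode to whatever the existing file already had or, if the file is newly created, to root's umask, which is the same umask dependence this commit removes for the other files. If the intent is to keep kdc.conf from becoming world-readable, stating the mode explicitly is more predictable, e.g. `self.__template_file("/var/kerberos/krb5kdc/kdc.conf", chmod=0600)`; the mode the KDC actually expects is not visible here, so the value needs confirming. At minimum a comment on the call should say why this one file is exempt from the 0644 default. The method may continue past the end of the hunk.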