author | Martin Basti <mbasti@redhat.com> | 2014-11-11 13:00:18 +0100 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2014-11-18 18:49:42 +0000 |
commit | 7c176b708eb855ea8774ad36ba72fd31952a8895 (patch) | |
tree | f3dcea465d1cb229720e0a0275c8938545833d98 /ipaserver | |
parent | 4c670919a5b15b70ff6efb50e9bb60eb45cecdba (diff) | |
Fix named working directory permissions
Just adding the directory to the specfile doesn't work, because there is no
guarantee that named is installed during RPM installation.
Ticket: https://fedorahosted.org/freeipa/ticket/4716
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/dnskeysyncinstance.py | 36 |
1 files changed, 30 insertions, 6 deletions
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 1dd9a0983..5da65d87b 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -60,7 +60,6 @@ def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
     return ret
 
 
-
 class DNSKeySyncInstance(service.Service):
     def __init__(self, fstore=None, dm_password=None, logger=root_logger,
                  ldapi=False):
@@ -84,6 +83,23 @@ class DNSKeySyncInstance(service.Service):
 
     suffix = ipautil.dn_attribute_property('_suffix')
 
+    def set_dyndb_ldap_workdir_permissions(self):
+        """
+        Setting up correct permissions to allow write/read access for daemons
+        """
+        if self.named_uid is None:
+            self.named_uid = self.__get_named_uid()
+
+        if self.named_gid is None:
+            self.named_gid = self.__get_named_gid()
+
+        if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR):
+            os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
+        # dnssec daemons require to have access into the directory
+        os.chmod(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
+        os.chown(paths.BIND_LDAP_DNS_IPA_WORKDIR, self.named_uid,
+                 self.named_gid)
+
     def remove_replica_public_keys(self, replica_fqdn):
         ldap = api.Backend.ldap2
         dn_base = DN(('cn', 'keys'), ('cn', 'sec'), ('cn', 'dns'), api.env.basedn)
@@ -119,6 +135,8 @@ class DNSKeySyncInstance(service.Service):
         self.ldap_connect()
         # checking status step must be first
         self.step("checking status", self.__check_dnssec_status)
+        self.step("setting up bind-dyndb-ldap working directory",
+                  self.set_dyndb_ldap_workdir_permissions)
         self.step("setting up kerberos principal", self.__setup_principal)
         self.step("setting up SoftHSM", self.__setup_softhsm)
         self.step("adding DNSSEC containers", self.__setup_dnssec_containers)
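Review bot: In set_dyndb_ldap_workdir_permissions the `os.path.exists` test followed by `os.mkdir` is a non-atomic check-then-act, and the `os.chmod`/`os.chown` that follow dereference symlinks, so if something other than a real directory already sits at paths.BIND_LDAP_DNS_IPA_WORKDIR (a stale file, or a symlink planted by a local user should the parent not be root-owned) the code silently hands the mode and ownership of whatever it points at to named. I would create the directory with a single mkdir that tolerates EEXIST and refuse to proceed unless the path is a plain, non-symlink directory before touching its mode and owner; that needs `import errno` at the top of the file, which is outside the hunk. The 0770 passed to mkdir is also masked by the umask, which the explicit chmod already compensates for, so the comment should say so: `# mkdir mode is masked by umask; chmod sets the final mode`. The `is None` checks on self.named_uid/self.named_gid presumably rely on __init__ initialising both to None, which is not visible here.
```python
        try:
            os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
        except OSError as e:
            if e.errno != errno.EEXIST:
                raise
        if (os.path.islink(paths.BIND_LDAP_DNS_IPA_WORKDIR) or
                not os.path.isdir(paths.BIND_LDAP_DNS_IPA_WORKDIR)):
            raise RuntimeError("%s exists and is not a directory" %
                               paths.BIND_LDAP_DNS_IPA_WORKDIR)
        # mkdir mode is masked by umask; chmod sets the final mode
        os.chmod(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
        # … unchanged: os.chown call …
```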
@@ -127,20 +145,26 @@ class DNSKeySyncInstance(service.Service):
         # we need restart named after setting up this service
         self.start_creation()
 
-    def __check_dnssec_status(self):
+    def __get_named_uid(self):
         named = services.knownservices.named
-        ods_enforcerd = services.knownservices.ods_enforcerd
-
         try:
-            self.named_uid = pwd.getpwnam(named.get_user_name()).pw_uid
+            return pwd.getpwnam(named.get_user_name()).pw_uid
         except KeyError:
             raise RuntimeError("Named UID not found")
 
+    def __get_named_gid(self):
+        named = services.knownservices.named
         try:
-            self.named_gid = grp.getgrnam(named.get_group_name()).gr_gid
+            return grp.getgrnam(named.get_group_name()).gr_gid
         except KeyError:
             raise RuntimeError("Named GID not found")
 
+    def __check_dnssec_status(self):
+        ods_enforcerd = services.knownservices.ods_enforcerd
+
+        self.named_uid = self.__get_named_uid()
+        self.named_gid = self.__get_named_gid()
+
         try:
             self.ods_uid = pwd.getpwnam(ods_enforcerd.get_user_name()).pw_uid
         except KeyError:
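Review bot: The RuntimeError raised in __get_named_uid and __get_named_gid swallows the KeyError and drops the account name that was looked up, so a failed install only reports "Named UID not found" without telling the admin which user or group the platform definition expected. Put the name into the message, e.g. `raise RuntimeError("Named UID not found: %s" % named.get_user_name())` and correspondingly `raise RuntimeError("Named GID not found: %s" % named.get_group_name())`. __check_dnssec_status continues past the end of the hunk.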