authorSimo Sorce <simo@redhat.com>2016-08-16 09:03:19 -0400
committerJan Cholasta <jcholast@redhat.com>2017-02-15 07:13:37 +0100
commit4fd89833ee5421b05c10329d627d0e0fc8496046 (patch)
treef6b6eb3492859af483d3e9542253f0894ca11043 /ipaserver
parentc2b1b2a36200b50babfda1eca37fb4b51fefa9c6 (diff)
Add a new user to run the framework code
Add the apache user to the ipawebui group. Make the ccaches directory owned by the ipawebui group and make mod_auth_gssapi write the ccache files as r/w by the apache user and the ipawebui group. Fix tmpfiles creation ownership and permissions to allow the user to access ccaches files. The webui framework now works as a separate user from apache, so the certs used to access the dogtag instance need to be usable by this new user as well. Both apache and the webui user are in the ipawebui group, so use that. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/dogtaginstance.py5
-rw-r--r--ipaserver/install/httpinstance.py6
-rw-r--r--ipaserver/install/installutils.py13
-rw-r--r--ipaserver/install/plugins/update_ra_cert_store.py6
-rw-r--r--ipaserver/install/server/install.py3
-rw-r--r--ipaserver/install/server/replicainstall.py4
-rw-r--r--ipaserver/install/server/upgrade.py1
7 files changed, 26 insertions, 12 deletions
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 32772db21..968f4b292 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -31,6 +31,7 @@ import pki.system
from ipalib import api, errors
+from ipalib.constants import IPAAPI_USER
from ipalib.install import certmonger
from ipaplatform import services
from ipaplatform.constants import constants
@@ -44,8 +45,6 @@ from ipaserver.install import replication
from ipaserver.install.installutils import stopped_service
from ipapython.ipa_log_manager import log_mgr
-HTTPD_USER = constants.HTTPD_USER
-
def get_security_domain():
"""
@@ -87,7 +86,7 @@ def export_kra_agent_pem():
"--client-cert", filename]
ipautil.run(args)
- pent = pwd.getpwnam(HTTPD_USER)
+ pent = pwd.getpwnam(IPAAPI_USER)
os.chown(filename, 0, pent.pw_gid)
os.chmod(filename, 0o440)
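Review bot: The group given to the exported PEM on the chown line is the primary gid of IPAAPI_USER rather than IPAAPI_GROUP itself, so the apache user's access depends on that primary group being the ipawebui group the description relies on. Resolving the group explicitly, `gid = grp.getgrnam(IPAAPI_GROUP).gr_gid` followed by `os.chown(filename, 0, gid)`, states the intent and keeps working if the user's primary group is ever changed; that needs `grp` and `IPAAPI_GROUP` available in this module, which the hunk does not show. With mode 0o440 the file stays readable only by root and that group, which is the right scope for the KRA agent credential. The body of export_kra_agent_pem starts before the hunk and may continue after it.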
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index f08bb68d1..3ca2300b8 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -30,6 +30,7 @@ import locale
import six
+from ipalib.constants import IPAAPI_USER, IPAAPI_GROUP
from ipalib.install import certmonger
from ipaserver.install import service
from ipaserver.install import certs
@@ -317,8 +318,7 @@ class HTTPInstance(service.Service):
nssdb = certdb.NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
nssdb.create_db(user="root", group=constants.HTTPD_GROUP, backup=True)
nssdb = certdb.NSSDatabase(nssdir=paths.IPA_RADB_DIR)
- nssdb.create_db(user=constants.HTTPD_USER, group=constants.HTTPD_GROUP,
- mode=0o751, backup=True)
+ nssdb.create_db(user=IPAAPI_USER, group=IPAAPI_GROUP, backup=True)
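Review bot: The replacement create_db call on the last changed line drops the explicit `mode=0o751`, so the permissions of paths.IPA_RADB_DIR now come from create_db's default, which is not visible here. The description has the apache user reaching these certs through the ipawebui group, so the directory needs at least group read and execute; if the default is tighter than that, keep an explicit mode argument (0o750 would suffice now that access goes through the group rather than world-execute). The same change appears in update_ra_cert_store.py at the `newdb.create_db(...)` line. The enclosing method starts outside the hunk.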
def request_anon_keytab(self):
parent = os.path.dirname(paths.ANON_KEYTAB)
@@ -326,7 +326,7 @@ class HTTPInstance(service.Service):
os.makedirs(parent, 0o755)
self.run_getkeytab(self.api.env.ldap_uri, paths.ANON_KEYTAB, ANON_USER)
- pent = pwd.getpwnam(self.service_user)
+ pent = pwd.getpwnam(IPAAPI_USER)
os.chmod(parent, 0o700)
os.chown(parent, pent.pw_uid, pent.pw_gid)
os.chown(paths.ANON_KEYTAB, pent.pw_uid, pent.pw_gid)
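Review bot: The keytab directory is now owned by IPAAPI_USER and, on the chmod line that follows, set to 0o700, which locks the service user (presumably httpd) out of paths.ANON_KEYTAB; that looks intended now that the framework runs as a separate user, but nothing in the method says so. A one-line comment above the getpwnam call would save the next reader a check: `# owned by the framework user (IPAAPI_USER), not by the httpd service user -- confirm httpd no longer needs the anon keytab`. The body of request_anon_keytab starts before the hunk.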
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 9230e7005..ef6a399ad 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -44,6 +44,7 @@ import six
from six.moves.configparser import SafeConfigParser, NoOptionError
# pylint: enable=import-error
+from ipalib.constants import IPAAPI_USER, IPAAPI_GROUP
from ipalib.install import sysrestore
from ipalib.install.kinit import kinit_password
import ipaplatform
@@ -55,6 +56,7 @@ from ipalib import api, errors, x509
from ipapython.dn import DN
from ipaserver.install import certs, service, sysupgrade
from ipaplatform import services
+from ipaplatform.constants import constants
from ipaplatform.paths import paths
from ipaplatform.tasks import tasks
@@ -1513,3 +1515,14 @@ def default_subject_base(realm_name):
def default_ca_subject_dn(subject_base):
return DN(('CN', 'Certificate Authority'), subject_base)
+
+
+def create_ipaapi_user():
+ """Create IPA API user/group if it doesn't exist yet."""
+ tasks.create_system_user(
+ name=IPAAPI_USER,
+ group=IPAAPI_GROUP,
+ homedir=paths.VAR_LIB,
+ shell=paths.NOLOGIN
+ )
+ tasks.add_user_to_group(constants.HTTPD_USER, IPAAPI_GROUP)
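Review bot: The docstring on create_ipaapi_user mentions only creating the user/group, while the last line also adds constants.HTTPD_USER to IPAAPI_GROUP, which is the side effect the rest of the commit (shared ccaches, RA cert DB) depends on. Suggest `"""Create the IPA API user/group if missing and add HTTPD_USER to the group."""`. Whether the call is safe to repeat rests on tasks.create_system_user and tasks.add_user_to_group tolerating existing entries, which the hunk does not show; the function is called unconditionally from install, replicainstall and upgrade.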
diff --git a/ipaserver/install/plugins/update_ra_cert_store.py b/ipaserver/install/plugins/update_ra_cert_store.py
index 3d1ce9506..d7d28fd7d 100644
--- a/ipaserver/install/plugins/update_ra_cert_store.py
+++ b/ipaserver/install/plugins/update_ra_cert_store.py
@@ -7,8 +7,8 @@ import os
from ipalib import Registry
from ipalib import Updater
+from ipalib.constants import IPAAPI_USER, IPAAPI_GROUP
from ipalib.install import certmonger
-from ipaplatform.constants import constants
from ipaplatform.paths import paths
from ipapython import certdb
@@ -37,9 +37,7 @@ class update_ra_cert_store(Updater):
return False, []
else:
# Create the DB
- newdb.create_db(user=constants.HTTPD_USER,
- group=constants.HTTPD_GROUP,
- mode=0o751, backup=True)
+ newdb.create_db(user=IPAAPI_USER, group=IPAAPI_GROUP, backup=True)
# Import cert chain (ignore errors, as certs may already be imported)
certlist = olddb.list_certs()
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 666e2a536..0b3ea4786 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -38,7 +38,7 @@ from ipaserver.install import (
from ipaserver.install.installutils import (
IPA_MODULES, BadHostError, get_fqdn, get_server_ip_address,
is_ipa_configured, load_pkcs12, read_password, verify_fqdn,
- update_hosts_file)
+ update_hosts_file, create_ipaapi_user)
if six.PY3:
unicode = str
@@ -710,6 +710,7 @@ def install(installer):
update_hosts_file(ip_addresses, host_name, fstore)
# Make sure tmpfiles dir exist before installing components
+ create_ipaapi_user()
tasks.create_tmpfiles_dirs()
# create NSS Databases
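Review bot: The new create_ipaapi_user() call is inserted directly under the comment `# Make sure tmpfiles dir exist before installing components`, so that comment now reads as describing the user creation rather than tasks.create_tmpfiles_dirs(). Either place the call above the comment or give it its own, e.g. `# Create the ipaapi user/group first: the tmpfiles dirs are created with its ownership`. The same placement appears in replicainstall.py's install() hunk and in upgrade.py's upgrade() hunk under `# Do this early ...`. The ordering itself is right, since the description has tmpfiles ownership fixed for this user; install() continues outside the hunk.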
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index f0b04523c..018cebcd9 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -40,7 +40,8 @@ from ipaserver.install import (
installutils, kra, krbinstance,
ntpinstance, otpdinstance, custodiainstance, service)
from ipaserver.install.installutils import (
- create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured)
+ create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured,
+ create_ipaapi_user)
from ipaserver.install.replication import (
ReplicationManager, replica_conn_check)
import SSSDConfig
@@ -1305,6 +1306,7 @@ def install(installer):
ccache = os.environ['KRB5CCNAME']
# Make sure tmpfiles dir exist before installing components
+ create_ipaapi_user()
tasks.create_tmpfiles_dirs()
if promote:
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index f116e856a..509f19647 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1807,6 +1807,7 @@ def upgrade_check(options):
def upgrade():
# Do this early so that any code depending on these dirs will not fail
+ installutils.create_ipaapi_user()
tasks.create_tmpfiles_dirs()
tasks.configure_tmpfiles()