-rw-r--r-- | install/conf/ipa.conf | 5 | ||||
-rw-r--r-- | install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf | 2 | ||||
-rw-r--r-- | install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf | 2 | ||||
-rw-r--r-- | install/oddjob/etc/oddjobd.conf.d/ipa-server.conf | 2 | ||||
-rw-r--r-- | install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf | 2 | ||||
-rw-r--r-- | install/share/gssproxy.conf.template | 8 | ||||
-rw-r--r-- | install/share/ipa.conf.tmpfiles | 4 | ||||
-rw-r--r-- | ipalib/constants.py | 4 | ||||
-rw-r--r-- | ipaplatform/base/paths.py | 1 | ||||
-rw-r--r-- | ipaplatform/base/tasks.py | 15 | ||||
-rw-r--r-- | ipaplatform/redhat/tasks.py | 16 | ||||
-rw-r--r-- | ipaserver/install/dogtaginstance.py | 5 | ||||
-rw-r--r-- | ipaserver/install/httpinstance.py | 6 | ||||
-rw-r--r-- | ipaserver/install/installutils.py | 13 | ||||
-rw-r--r-- | ipaserver/install/plugins/update_ra_cert_store.py | 6 | ||||
-rw-r--r-- | ipaserver/install/server/install.py | 3 | ||||
-rw-r--r-- | ipaserver/install/server/replicainstall.py | 4 | ||||
-rw-r--r-- | ipaserver/install/server/upgrade.py | 1 |
18 files changed, 73 insertions, 26 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index c1b10d035..f0330c544 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -1,5 +1,5 @@ # -# VERSION 22 - DO NOT REMOVE THIS LINE +# VERSION 23 - DO NOT REMOVE THIS LINE # # This file may be overwritten on upgrades. # @@ -42,7 +42,7 @@ WSGISocketPrefix /run/httpd/wsgi # Configure mod_wsgi handler for /ipa WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \ - display-name=%{GROUP} socket-timeout=2147483647 + user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647 WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py WSGIScriptReloading Off @@ -70,6 +70,7 @@ WSGIScriptReloading Off GssapiSessionKey file:/etc/httpd/alias/ipasession.key GssapiDelegCcacheDir /var/run/ipa/ccaches + GssapiDelegCcachePerms mode:0660 gid:ipaapi GssapiUseS4U2Proxy on GssapiAllowedMech krb5 Require valid-user diff --git a/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf index 2e4c1367b..a1955d6b7 100644 --- a/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf +++ b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf @@ -30,7 +30,7 @@ send_member="Get"/> </policy> - <policy user="apache"> + <policy user="ipaapi"> <allow send_destination="com.redhat.idm.trust" send_path="/" send_interface="com.redhat.idm.trust" diff --git a/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf index b2cbf746f..577611f01 100644 --- a/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf +++ b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf 
@@ -10,7 +10,7 @@ <allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/> </policy> - <policy user="apache"> + <policy user="ipaapi"> <allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/> </policy> diff --git a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf index 3f806966b..012e3cbe3 100644 --- a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf +++ b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf @@ -2,7 +2,7 @@ <oddjobconfig> <service name="org.freeipa.server"> <allow user="root"/> - <allow user="apache"/> + <allow user="ipaapi"/> <object name="/"> <interface name="org.freeipa.server"> <method name="conncheck"> diff --git a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf index bc2e8d191..630a4e6cd 100644 --- a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf +++ b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf @@ -2,7 +2,7 @@ <oddjobconfig> <service name="com.redhat.idm.trust"> <allow user="root"/> - <allow user="apache"/> + <allow user="ipaapi"/> <object name="/"> <interface name="org.freedesktop.DBus.Introspectable"> <allow min_uid="0" max_uid="0"/> diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template index cb5775de6..fbb158a68 100644 --- a/install/share/gssproxy.conf.template +++ b/install/share/gssproxy.conf.template @@ -6,3 +6,11 @@ allow_protocol_transition = true cred_usage = both euid = $HTTPD_USER + +[service/ipa-api] + mechs = krb5 + cred_store = keytab:$HTTP_KEYTAB + cred_store = client_keytab:$HTTP_KEYTAB + allow_constrained_delegation = true + cred_usage = initiate + euid = $IPAAPI_USER diff --git a/install/share/ipa.conf.tmpfiles b/install/share/ipa.conf.tmpfiles index 3037787da..573139bf2 100644 --- a/install/share/ipa.conf.tmpfiles +++ b/install/share/ipa.conf.tmpfiles 
@@ -1,2 +1,2 @@ -d /var/run/ipa 0700 root root -d /var/run/ipa/ccaches 0700 apache apache +d /var/run/ipa 0711 root root +d /var/run/ipa/ccaches 0770 ipaapi ipaapi diff --git a/ipalib/constants.py b/ipalib/constants.py index c67340751..fa2062458 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -279,3 +279,7 @@ PATTERN_GROUPUSER_NAME = '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$' # Kerberos Anonymous principal name ANON_USER = 'WELLKNOWN/ANONYMOUS' + +# IPA API Framework user +IPAAPI_USER = 'ipaapi' +IPAAPI_GROUP = 'ipaapi' diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index b8cd5ca5e..8db9e61f5 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -203,6 +203,7 @@ class BasePathNamespace(object): DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11" GETSEBOOL = "/usr/sbin/getsebool" GROUPADD = "/usr/sbin/groupadd" + USERMOD = "/usr/sbin/usermod" HTTPD = "/usr/sbin/httpd" IPA_CLIENT_INSTALL = "/usr/sbin/ipa-client-install" IPA_DNS_INSTALL = "/usr/sbin/ipa-dns-install" diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index 49b87613f..5806e7504 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py @@ -181,7 +181,9 @@ class BaseTaskNamespace(object): raise NotImplementedError() - def create_system_user(self, name, group, homedir, shell, uid=None, gid=None, comment=None, create_homedir=False): + def create_system_user(self, name, group, homedir, shell, + uid=None, gid=None, comment=None, + create_homedir=False, groups=None): """Create a system user with a corresponding group""" try: grp.getgrnam(group) @@ -218,6 +220,8 @@ class BaseTaskNamespace(object): args += ['-m'] else: args += ['-M'] + if groups is not None: + args += ['-G', groups.join(',')] try: ipautil.run(args) log.debug('Done adding user') 
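Review bot: `groups.join(',')` in the `@@ -218,6 +220,8 @@` hunk of ipaplatform/base/tasks.py is inverted: a list has no `join`, so the first caller that passes `groups` will get an AttributeError before `useradd` is ever run. It should read `args += ['-G', ','.join(groups)]`. The defect is latent today because create_ipaapi_user() in installutils does not pass `groups`, but the RedHat override now forwards the argument positionally, so it will surface as soon as the parameter is used. create_system_user's body starts outside the hunk.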
@@ -261,3 +265,12 @@ class BaseTaskNamespace(object): def is_fips_enabled(self): return False + + def add_user_to_group(self, user, group): + log.debug('Adding user %s to group %s', user, group) + args = [paths.USERMOD, '-a', '-G', group, user] + try: + ipautil.run(args) + log.debug('Done adding user to group') + except ipautil.CalledProcessError as e: + log.debug('Failed to add user to group: %s', e) diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py index c9b1c49aa..5bddd1469 100644 --- a/ipaplatform/redhat/tasks.py +++ b/ipaplatform/redhat/tasks.py @@ -51,6 +51,8 @@ from ipaplatform.paths import paths from ipaplatform.redhat.authconfig import RedHatAuthConfig from ipaplatform.base.tasks import BaseTaskNamespace +from ipalib.constants import IPAAPI_USER + _ffi = FFI() _ffi.cdef(""" int rpmvercmp (const char *a, const char *b); @@ -411,7 +413,9 @@ class RedHatTaskNamespace(BaseTaskNamespace): return True - def create_system_user(self, name, group, homedir, shell, uid=None, gid=None, comment=None, create_homedir=False): + def create_system_user(self, name, group, homedir, shell, + uid=None, gid=None, comment=None, + create_homedir=False, groups=None): """ Create a system user with a corresponding group @@ -431,8 +435,9 @@ class RedHatTaskNamespace(BaseTaskNamespace): if comment is None: comment = 'DS System User' - super(RedHatTaskNamespace, self).create_system_user(name, group, - homedir, shell, uid, gid, comment, create_homedir) + super(RedHatTaskNamespace, self).create_system_user( + name, group, homedir, shell, uid, gid, comment, create_homedir, + groups) def parse_ipa_version(self, version): """ @@ -467,7 +472,8 @@ class RedHatTaskNamespace(BaseTaskNamespace): dict( HTTP_KEYTAB=paths.HTTP_KEYTAB, HTTP_CCACHE=paths.HTTP_CCACHE, - HTTPD_USER=constants.HTTPD_USER + HTTPD_USER=constants.HTTPD_USER, + IPAAPI_USER=IPAAPI_USER, ) ) 
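Review bot: add_user_to_group() swallows a failed `usermod` and reports it only at debug level, yet the same change makes /var/run/ipa/ccaches `0770 ipaapi ipaapi`, so if adding the httpd user to the ipaapi group fails the installer continues and httpd will later be unable to write delegated ccaches with no visible cause. Either let the CalledProcessError propagate to the installer or downgrade it no further than `log.error('Failed to add user %s to group %s: %s', user, group, e)` so the condition is discoverable in the install log. The method also lacks a docstring; `"""Add *user* to the supplementary group *group* (usermod -a -G)."""` would match the sibling create_system_user.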
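Review bot: `from ipalib.constants import IPAAPI_USER` in the `@@ -51,6 +51,8 @@` hunk of ipaplatform/redhat/tasks.py makes the platform layer depend on ipalib, while the same file already takes `HTTPD_USER` from `ipaplatform.constants` (see `HTTPD_USER=constants.HTTPD_USER` a few lines below). Defining IPAAPI_USER/IPAAPI_GROUP next to HTTPD_USER in the platform constants and referencing `constants.IPAAPI_USER` here would keep the existing layering and avoid a possible import cycle, since ipalib appears to import ipaplatform elsewhere in this series. The same inversion is repeated in the dogtaginstance.py, httpinstance.py, installutils.py and update_ra_cert_store.py hunks.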
@@ -520,7 +526,7 @@ class RedHatTaskNamespace(BaseTaskNamespace): def create_tmpfiles_dirs(self): parent = os.path.dirname(paths.IPA_CCACHES) - pent = pwd.getpwnam(constants.HTTPD_USER) + pent = pwd.getpwnam(IPAAPI_USER) self._create_tmpfiles_dir(parent, 0o711, 0, 0) self._create_tmpfiles_dir(paths.IPA_CCACHES, 0o770, pent.pw_uid, pent.pw_gid) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index 32772db21..968f4b292 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -31,6 +31,7 @@ import pki.system from ipalib import api, errors +from ipalib.constants import IPAAPI_USER from ipalib.install import certmonger from ipaplatform import services from ipaplatform.constants import constants @@ -44,8 +45,6 @@ from ipaserver.install import replication from ipaserver.install.installutils import stopped_service from ipapython.ipa_log_manager import log_mgr -HTTPD_USER = constants.HTTPD_USER - def get_security_domain(): """ @@ -87,7 +86,7 @@ def export_kra_agent_pem(): "--client-cert", filename] ipautil.run(args) - pent = pwd.getpwnam(HTTPD_USER) + pent = pwd.getpwnam(IPAAPI_USER) os.chown(filename, 0, pent.pw_gid) os.chmod(filename, 0o440) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index f08bb68d1..3ca2300b8 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -30,6 +30,7 @@ import locale import six +from ipalib.constants import IPAAPI_USER, IPAAPI_GROUP from ipalib.install import certmonger from ipaserver.install import service from ipaserver.install import certs 
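Review bot: `pwd.getpwnam(IPAAPI_USER)` in create_tmpfiles_dirs() raises KeyError when the ipaapi account does not exist, whereas the previous lookup of the httpd user was satisfied by the httpd package itself. The server and replica installers and upgrade() now call create_ipaapi_user() first, but any other entry point that reaches create_tmpfiles_dirs() (service start paths are not visible here) would now fail with an unexplained KeyError. Consider catching KeyError and re-raising with a message that names the missing account, e.g. `raise RuntimeError("user %s does not exist, run ipa-server-upgrade" % IPAAPI_USER)`, or documenting the ordering requirement in the method's docstring.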
@@ -317,8 +318,7 @@ class HTTPInstance(service.Service): nssdb = certdb.NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR) nssdb.create_db(user="root", group=constants.HTTPD_GROUP, backup=True) nssdb = certdb.NSSDatabase(nssdir=paths.IPA_RADB_DIR) - nssdb.create_db(user=constants.HTTPD_USER, group=constants.HTTPD_GROUP, - mode=0o751, backup=True) + nssdb.create_db(user=IPAAPI_USER, group=IPAAPI_GROUP, backup=True) def request_anon_keytab(self): parent = os.path.dirname(paths.ANON_KEYTAB) @@ -326,7 +326,7 @@ class HTTPInstance(service.Service): os.makedirs(parent, 0o755) self.run_getkeytab(self.api.env.ldap_uri, paths.ANON_KEYTAB, ANON_USER) - pent = pwd.getpwnam(self.service_user) + pent = pwd.getpwnam(IPAAPI_USER) os.chmod(parent, 0o700) os.chown(parent, pent.pw_uid, pent.pw_gid) os.chown(paths.ANON_KEYTAB, pent.pw_uid, pent.pw_gid) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 9230e7005..ef6a399ad 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -44,6 +44,7 @@ import six from six.moves.configparser import SafeConfigParser, NoOptionError # pylint: enable=import-error +from ipalib.constants import IPAAPI_USER, IPAAPI_GROUP from ipalib.install import sysrestore from ipalib.install.kinit import kinit_password import ipaplatform @@ -55,6 +56,7 @@ from ipalib import api, errors, x509 from ipapython.dn import DN from ipaserver.install import certs, service, sysupgrade from ipaplatform import services +from ipaplatform.constants import constants from ipaplatform.paths import paths from ipaplatform.tasks import tasks 
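Review bot: The RA database is now created without the explicit `mode=0o751`, so its permissions silently fall back to whatever create_db() defaults to, which is not visible in this diff; a one-line comment such as `# default mode suffices: the DB is read only by the ipaapi daemon process` would record the intent, since the old mode existed to let the httpd worker traverse it. In request_anon_keytab() the keytab directory is made `0o700` and owned by ipaapi, which withdraws access from the httpd user; if anything still running as HTTPD_USER reads ANON_KEYTAB that will break, so it is worth confirming against the consumers of that path. The same `mode=0o751` removal appears in the update_ra_cert_store.py hunk.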
@@ -1513,3 +1515,14 @@ def default_subject_base(realm_name): def default_ca_subject_dn(subject_base): return DN(('CN', 'Certificate Authority'), subject_base) + + +def create_ipaapi_user(): + """Create IPA API user/group if it doesn't exist yet.""" + tasks.create_system_user( + name=IPAAPI_USER, + group=IPAAPI_GROUP, + homedir=paths.VAR_LIB, + shell=paths.NOLOGIN + ) + tasks.add_user_to_group(constants.HTTPD_USER, IPAAPI_GROUP) diff --git a/ipaserver/install/plugins/update_ra_cert_store.py b/ipaserver/install/plugins/update_ra_cert_store.py index 3d1ce9506..d7d28fd7d 100644 --- a/ipaserver/install/plugins/update_ra_cert_store.py +++ b/ipaserver/install/plugins/update_ra_cert_store.py @@ -7,8 +7,8 @@ import os from ipalib import Registry from ipalib import Updater +from ipalib.constants import IPAAPI_USER, IPAAPI_GROUP from ipalib.install import certmonger -from ipaplatform.constants import constants from ipaplatform.paths import paths from ipapython import certdb @@ -37,9 +37,7 @@ class update_ra_cert_store(Updater): return False, [] else: # Create the DB - newdb.create_db(user=constants.HTTPD_USER, - group=constants.HTTPD_GROUP, - mode=0o751, backup=True) + newdb.create_db(user=IPAAPI_USER, group=IPAAPI_GROUP, backup=True) # Import cert chain (ignore errors, as certs may already be imported) certlist = olddb.list_certs() diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 666e2a536..0b3ea4786 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -38,7 +38,7 @@ from ipaserver.install import ( from ipaserver.install.installutils import ( IPA_MODULES, BadHostError, get_fqdn, get_server_ip_address, is_ipa_configured, load_pkcs12, read_password, verify_fqdn, - update_hosts_file) + update_hosts_file, create_ipaapi_user) if six.PY3: unicode = str 
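Review bot: The docstring of create_ipaapi_user() says "if it doesn't exist yet", but the function itself performs no existence check; idempotence rests entirely on create_system_user() and usermod, and the add_user_to_group() call cannot report failure because that helper logs and swallows CalledProcessError. Since httpd's membership in the ipaapi group is what lets it write into the 0770 ccaches directory, the function should verify the outcome, e.g. `if IPAAPI_GROUP not in [g.gr_name for g in grp.getgrall() if constants.HTTPD_USER in g.gr_mem]: raise RuntimeError(...)` (grp is presumably already imported in installutils; confirm). It is also worth a sentence in the docstring that a running httpd only picks up the new supplementary group after restart, which the installers and upgrade() appear to do later.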
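Review bot: update_ra_cert_store returns early (`return False, []`) when the RA database already exists, so on an upgraded server the existing DB keeps its old `HTTPD_USER:HTTPD_GROUP` ownership and 0o751 mode while the mod_wsgi process now runs as ipaapi, which is not shown here to be a member of the httpd group. Unless another upgrade step re-owns the directory and its files, the API process may be left with traverse-only access to its own RA credentials after upgrade. An explicit chown of IPA_RADB_DIR and its contents to IPAAPI_USER:IPAAPI_GROUP in the existing-DB branch, or a dedicated upgrade step, would close that gap; the new-DB branch is already correct.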
@@ -710,6 +710,7 @@ def install(installer): update_hosts_file(ip_addresses, host_name, fstore) # Make sure tmpfiles dir exist before installing components + create_ipaapi_user() tasks.create_tmpfiles_dirs() # create NSS Databases diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index f0b04523c..018cebcd9 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -40,7 +40,8 @@ from ipaserver.install import ( installutils, kra, krbinstance, ntpinstance, otpdinstance, custodiainstance, service) from ipaserver.install.installutils import ( - create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured) + create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured, + create_ipaapi_user) from ipaserver.install.replication import ( ReplicationManager, replica_conn_check) import SSSDConfig @@ -1305,6 +1306,7 @@ def install(installer): ccache = os.environ['KRB5CCNAME'] # Make sure tmpfiles dir exist before installing components + create_ipaapi_user() tasks.create_tmpfiles_dirs() if promote: diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index f116e856a..509f19647 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1807,6 +1807,7 @@ def upgrade_check(options): def upgrade(): # Do this early so that any code depending on these dirs will not fail + installutils.create_ipaapi_user() tasks.create_tmpfiles_dirs() tasks.configure_tmpfiles() |