IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
a2a006c74667155e5e4c4a1bb0bd9c12da9b4aed
freeipa/install/custodia/ipa-custodia-ra-agent.in

9 lines
187 B
Plaintext
Raw Normal View History

Move Custodia secrets handler to scripts Implement the import and export handlers for Custodia keys as external scripts. It's a prerequisite to drop DAC override permission and proper SELinux rules for ipa-custodia. Except for DMLDAP, handlers no longer run as root but as handler specific users with reduced privileges. The Dogtag-related handlers run as pkiuser, which also help with HSM support. The export and import handles are designed to be executed by sudo, too. In the future, ipa-custodia could be executed as an unprivileged process that runs the minimal helper scripts with higher privileges. Fixes: https://pagure.io/freeipa/issue/6888 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-30 14:08:38 +01:00
@PYTHONSHEBANG@
#
# Copyright (C) 2019 IPA Project Contributors, see COPYING for license
#
from ipaserver.secrets.handlers.pemfile import main, ra_agent_parser
main(ra_agent_parser())
Reference in New Issue Copy Permalink