From 3098b67cec262f38f945156f302e1cb98ab1199f Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Mon, 23 Sep 2019 18:23:04 +0200
Subject: [PATCH] Don't create log files from help scripts

Helper scripts now use api.bootstrap(log=None) to avoid the creation of log files. Helper scripts are typically executed from daemons which perform their own logging. The helpers still log to stderr/stdout. This also gets rid of some SELinux AVCs when the script tries to write to /root/.ipa/.

Fixes: https://pagure.io/freeipa/issue/8075
Signed-off-by: Christian Heimes
Reviewed-By: Alexander Bokovoy
Reviewed-By: Rob Crittenden
---
 install/certmonger/dogtag-ipa-ca-renew-agent-submit.in | 4 +++-
 install/restart_scripts/renew_ca_cert.in | 4 +++-
 install/restart_scripts/renew_ra_cert.in | 4 +++-
 install/restart_scripts/restart_dirsrv.in | 4 +++-
 install/restart_scripts/stop_pkicad.in | 4 +++-
 install/tools/ipa-custodia-check.in | 2 +-
 install/tools/ipa-httpd-kdcproxy.in | 6 ++++--
 install/tools/ipa-pki-wait-running.in | 2 +-
 ipaserver/secrets/handlers/dmldap.py | 6 +++---
 9 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
index a9f17db3a..10efb4cf3 100644
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
@@ -477,7 +477,9 @@ def main():
 if operation not in ('SUBMIT', 'POLL'):
 return OPERATION_NOT_SUPPORTED_BY_HELPER
- api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)
+ api.bootstrap(
+ in_server=True, context='renew', confdir=paths.ETC_IPA, log=None
+ )
 api.finalize()
 tmpdir = tempfile.mkdtemp(prefix="tmp-")
diff --git a/install/restart_scripts/renew_ca_cert.in b/install/restart_scripts/renew_ca_cert.in
index 6d1ae6253..b265e62d5 100644
--- a/install/restart_scripts/renew_ca_cert.in
+++ b/install/restart_scripts/renew_ca_cert.in
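Review bot: The new `log=None` on the `api.bootstrap(...)` call in `main()` carries no comment, so the reason this helper must not open a log file (it is launched by certmonger as root, and the attempt to write under /root/.ipa/ is what produced the SELinux AVCs the commit message cites) lives only in git history. A one-line comment above the call would stop the next reader from "restoring" file logging: `# no log file: the calling daemon owns logging, and writing to /root/.ipa/ trips SELinux (issue 8075)`. The same gap is in renew_ca_cert.in, renew_ra_cert.in, restart_dirsrv.in, stop_pkicad.in, ipa-custodia-check.in and ipa-pki-wait-running.in; ipa-httpd-kdcproxy.in already carries such a comment. `main()` continues past the hunk.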
@@ -43,7 +43,9 @@ from ipapython.certdb import TrustFlags
 def _main():
 nickname = sys.argv[1]
- api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+ api.bootstrap(
+ in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
+ )
 api.finalize()
 dogtag_service = services.knownservices['pki_tomcatd']
diff --git a/install/restart_scripts/renew_ra_cert.in b/install/restart_scripts/renew_ra_cert.in
index 2a0416d21..02f2f5e23 100644
--- a/install/restart_scripts/renew_ra_cert.in
+++ b/install/restart_scripts/renew_ra_cert.in
@@ -34,7 +34,9 @@ from ipaplatform.paths import paths
 def _main():
- api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+ api.bootstrap(
+ in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
+ )
 api.finalize()
 tmpdir = tempfile.mkdtemp(prefix="tmp-")
diff --git a/install/restart_scripts/restart_dirsrv.in b/install/restart_scripts/restart_dirsrv.in
index 77c2409a3..56cfa104f 100644
--- a/install/restart_scripts/restart_dirsrv.in
+++ b/install/restart_scripts/restart_dirsrv.in
@@ -34,7 +34,9 @@ def _main():
 except IndexError:
 instance = ""
- api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+ api.bootstrap(
+ in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
+ )
 api.finalize()
 syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance)
diff --git a/install/restart_scripts/stop_pkicad.in b/install/restart_scripts/stop_pkicad.in
index a51c31226..c1b1a0aca 100644
--- a/install/restart_scripts/stop_pkicad.in
+++ b/install/restart_scripts/stop_pkicad.in
@@ -28,7 +28,9 @@ from ipaserver.install import certs
 def main():
- api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+ api.bootstrap(
+ in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
+ )
 api.finalize()
 dogtag_service = services.knownservices['pki_tomcatd']
diff --git a/install/tools/ipa-custodia-check.in b/install/tools/ipa-custodia-check.in
index b496ef387..7fdfbff52 100644
--- a/install/tools/ipa-custodia-check.in
+++ b/install/tools/ipa-custodia-check.in
@@ -102,7 +102,7 @@ class IPACustodiaTester:
 self.args = args
 if not api.isdone('bootstrap'):
 # bootstrap to initialize api.env
- api.bootstrap()
+ api.bootstrap(log=None)
 self.debug("IPA API bootstrapped")
 self.realm = api.env.realm
 self.host = api.env.host
diff --git a/install/tools/ipa-httpd-kdcproxy.in b/install/tools/ipa-httpd-kdcproxy.in
index 49c473e2e..5988421d3 100644
--- a/install/tools/ipa-httpd-kdcproxy.in
+++ b/install/tools/ipa-httpd-kdcproxy.in
@@ -186,8 +186,10 @@ class KDCProxyConfig:
 def main(debug=DEBUG, time_limit=TIME_LIMIT):
 # initialize API without file logging
 if not api.isdone('bootstrap'):
- api.bootstrap(context='server', confdir=paths.ETC_IPA,
- log=None, debug=debug)
+ api.bootstrap(
+ context='server', confdir=paths.ETC_IPA, log=None,
+ debug=debug
+ )
 standard_logging_setup(verbose=True, debug=debug)
 try:
diff --git a/install/tools/ipa-pki-wait-running.in b/install/tools/ipa-pki-wait-running.in
index 7fab309f0..69f5ec296 100644
--- a/install/tools/ipa-pki-wait-running.in
+++ b/install/tools/ipa-pki-wait-running.in
@@ -88,7 +88,7 @@ def main():
 sys.exit(EXIT_SUCCESS)
 # bootstrap ipalib.api to parse config file
- api.bootstrap(confdir=paths.ETC_IPA)
+ api.bootstrap(confdir=paths.ETC_IPA, log=None)
 timeout = api.env.startup_timeout
 conn = get_conn(api.env.host, subsystem=SUBSYSTEM)
diff --git a/ipaserver/secrets/handlers/dmldap.py b/ipaserver/secrets/handlers/dmldap.py
index 876440f16..c45348cfe 100644
--- a/ipaserver/secrets/handlers/dmldap.py
+++ b/ipaserver/secrets/handlers/dmldap.py
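Review bot: `api.bootstrap(log=None)` in `IPACustodiaTester` is the only bootstrap call in this series that does not pass `confdir=paths.ETC_IPA`; every other helper here, and the dmldap.py change in the same commit, pins the server config directory explicitly. If `ipaplatform.paths` is importable in this script, `api.bootstrap(confdir=paths.ETC_IPA, log=None)` would make the config lookup consistent instead of relying on the library's default resolution; if leaving the default is deliberate, a short comment saying so next to `# bootstrap to initialize api.env` would settle the question. The enclosing method starts before the hunk and continues after it.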
@@ -8,9 +8,9 @@ import os
 from ipalib import api
 from ipalib import errors
+from ipaplatform.paths import paths
 from ipapython.dn import DN
-from ipapython.ipaldap import LDAPClient
-from ipaserver.install.installutils import realm_to_ldapi_uri
+from ipapython.ipaldap import LDAPClient, realm_to_ldapi_uri
 from . import common
 CN_CONFIG = DN(('cn', 'config'))
@@ -46,7 +46,7 @@ def main():
 # create LDAP connection using LDAPI and EXTERNAL bind as root
 if not api.isdone('bootstrap'):
- api.bootstrap()
+ api.bootstrap(confdir=paths.ETC_IPA, log=None)
 realm = api.env.realm
 ldap_uri = realm_to_ldapi_uri(realm)
 conn = LDAPClient(ldap_uri=ldap_uri, no_schema=True)
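Review bot: The import hunk moves `realm_to_ldapi_uri` from `ipaserver.install.installutils` to `ipapython.ipaldap`, which neither the subject nor the description mentions. If the intent is to keep this secrets handler from importing server-install code, a sentence in the message would record that; if `installutils` merely re-exports the `ipaldap` function, the move is harmless but still worth stating so a reader does not suspect a behavioural change. Nothing else in the hunk changes behaviour.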
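Review bot: `api.bootstrap(confdir=paths.ETC_IPA, log=None)` changes two things where the subject names one: besides suppressing the log file it now pins the config directory to `paths.ETC_IPA`, whereas the old `api.bootstrap()` relied on the default resolution. That is the right choice for a server-side handler, but it deserves a word next to the existing comment, e.g. `# server config only, no log file: handler runs under custodia as root and must not write to /root/.ipa/`. `main()` in dmldap.py continues outside the hunk.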