Change group ownership of CRL publish directory

Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no
longer owned by or created with package installation. The directory
is instead created/removed with the CA instance itself.

This ensures proper creation/removal, group ownership
and SELinux context.

https://fedorahosted.org/freeipa/ticket/3727
This commit is contained in:
Tomas Babej 2013-07-16 12:10:54 +02:00 committed by Martin Kosek
parent 0fa42af840
commit 7a105604e2
4 changed files with 22 additions and 7 deletions


@ -383,7 +383,6 @@ rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
mkdir -p %{buildroot}/%{_sysconfdir}/ipa/html mkdir -p %{buildroot}/%{_sysconfdir}/ipa/html
mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysrestore mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysrestore
mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade
mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/pki-ca/publish
mkdir %{buildroot}%{_usr}/share/ipa/html/ mkdir %{buildroot}%{_usr}/share/ipa/html/
ln -s ../../../..%{_sysconfdir}/ipa/html/ffconfig.js \ ln -s ../../../..%{_sysconfdir}/ipa/html/ffconfig.js \
%{buildroot}%{_usr}/share/ipa/html/ffconfig.js %{buildroot}%{_usr}/share/ipa/html/ffconfig.js
@ -712,7 +711,7 @@ fi
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca/publish %ghost %{_localstatedir}/lib/ipa/pki-ca/publish
%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so %attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
%{_mandir}/man1/ipa-replica-conncheck.1.gz %{_mandir}/man1/ipa-replica-conncheck.1.gz
%{_mandir}/man1/ipa-replica-install.1.gz %{_mandir}/man1/ipa-replica-install.1.gz
@ -821,6 +820,9 @@ fi
%endif # ! %{ONLY_CLIENT} %endif # ! %{ONLY_CLIENT}
%changelog %changelog
* Tue Jul 16 2013 Tomas Babej <tbabej@redhat.com> - 3.2.99-6
- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost
* Thu Jul 11 2013 Martin Kosek <mkosek@redhat.com> - 3.2.99-5 * Thu Jul 11 2013 Martin Kosek <mkosek@redhat.com> - 3.2.99-5
- Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency - Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency
issues when there are still old parts of software (like entitlements plugin) issues when there are still old parts of software (like entitlements plugin)
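Review bot: The `%ghost %{_localstatedir}/lib/ipa/pki-ca/publish` entry drops both `%dir` and the `%attr` the old line carried, and because the `mkdir -p` for the same path is removed from %install in this commit, the buildroot no longer tells rpm that the path is a directory; whether rpm records it as a directory and which default attributes it stores for the ghost is worth confirming, since those are what `rpm -V` and `rpm -e` will act on. The line also deserves a comment, because the spec no longer shows who creates the path: `# created at CA install time by CAInstance.prepare_crl_publish_dir (root, group of PKI_USER); ghosted only so rpm tracks the path`. Note that the code-side ownership is mode 0775 with the PKI user's group, which differs from the 755 root:root the old %attr declared, so anyone reading the spec alone would get the wrong picture.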


@ -24,9 +24,8 @@ install-exec-local:
chmod 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore chmod 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore
mkdir -p $(DESTDIR)$(localstatedir)/lib/ipa/sysupgrade mkdir -p $(DESTDIR)$(localstatedir)/lib/ipa/sysupgrade
chmod 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysupgrade chmod 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysupgrade
mkdir -p $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca/publish mkdir -p $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca
chmod 755 $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca chmod 755 $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca
chmod 755 $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca/publish
uninstall-local: uninstall-local:
-rmdir $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore -rmdir $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore


@ -690,15 +690,16 @@ def migrate_crl_publish_dir(ca):
caconfig.CS_CFG_PATH, e) caconfig.CS_CFG_PATH, e)
return False return False
# Prepare target publish dir (creation, permissions, SELinux context)
# Run this every update to ensure proper values
publishdir = ca.prepare_crl_publish_dir()
if old_publish_dir == caconfig.CRL_PUBLISH_PATH: if old_publish_dir == caconfig.CRL_PUBLISH_PATH:
# publish dir is already updated # publish dir is already updated
root_logger.info('Publish directory already set to new location') root_logger.info('Publish directory already set to new location')
sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True) sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True)
return False return False
# Prepare target publish dir (permissions, SELinux context)
publishdir = ca.prepare_crl_publish_dir()
# Copy all CRLs to new directory # Copy all CRLs to new directory
root_logger.info('Copy all CRLs to new publish directory') root_logger.info('Copy all CRLs to new publish directory')
try: try:
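Review bot: The unconditional `publishdir = ca.prepare_crl_publish_dir()` now placed before the early return has no error handling, whereas the preceding failure path visible at the top of the hunk logs and returns False. In this same commit prepare_crl_publish_dir gains an os.mkdir next to its os.chmod/os.chown, so an OSError from any of them would now abort the whole upgrade step instead of being reported like the other failures in migrate_crl_publish_dir; wrapping the call in the same pattern keeps the function's contract (whether False or a re-raise is the right outcome depends on the caller, which is outside this view). migrate_crl_publish_dir starts before the hunk.
```python
    # Prepare target publish dir (creation, permissions, SELinux context)
    # Run this every update to ensure proper values
    try:
        publishdir = ca.prepare_crl_publish_dir()
    except OSError as e:
        root_logger.error('Cannot prepare CRL publish directory: %s', e)
        return False
    # … unchanged: moved_crl_publish_dir state check and CRL copy …
```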


@ -1107,6 +1107,10 @@ class CAInstance(service.Service):
Returns a path to the CRL publishing directory Returns a path to the CRL publishing directory
""" """
publishdir = self.dogtag_constants.CRL_PUBLISH_PATH publishdir = self.dogtag_constants.CRL_PUBLISH_PATH
if not os.path.exists(publishdir):
os.mkdir(publishdir)
os.chmod(publishdir, 0775) os.chmod(publishdir, 0775)
pent = pwd.getpwnam(PKI_USER) pent = pwd.getpwnam(PKI_USER)
os.chown(publishdir, 0, pent.pw_gid) os.chown(publishdir, 0, pent.pw_gid)
@ -1334,6 +1338,15 @@ class CAInstance(service.Service):
root_logger.debug("Remove %s", f) root_logger.debug("Remove %s", f)
installutils.remove_file(f) installutils.remove_file(f)
# remove CRL directory
root_logger.info("Remove CRL directory")
if os.path.exists(self.dogtag_constants.CRL_PUBLISH_PATH):
try:
shutil.rmtree(self.dogtag_constants.CRL_PUBLISH_PATH)
except OSError, e:
root_logger.warning("Error while removing CRL publish "
"directory: %s" % e)
def publish_ca_cert(self, location): def publish_ca_cert(self, location):
args = ["-L", "-n", self.canickname, "-a"] args = ["-L", "-n", self.canickname, "-a"]
(cert, err, returncode) = self.__run_certutil(args) (cert, err, returncode) = self.__run_certutil(args)
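Review bot: In prepare_crl_publish_dir the two added lines do an exists-then-mkdir, which leaves a window in which the directory can appear between the check and the os.mkdir (an earlier install, a concurrent run), at which point os.mkdir raises OSError and the method fails; the EAFP form below creates the directory and tolerates only EEXIST, and needs `errno` in scope in this module. The os.chmod/os.chown that follow apply to whatever already sits at the path, so a pre-existing entry ends up with mode 0775 and the PKI user's group regardless of what it was; the commit message mentions SELinux context but nothing in the hunk sets it, presumably further down since the method continues outside the hunk. In the uninstall hunk, `root_logger.warning("Error while removing CRL publish directory: %s", e)` would match the lazy-argument logging style of the neighbouring `root_logger.debug("Remove %s", f)` instead of pre-formatting with `%`.
```python
        publishdir = self.dogtag_constants.CRL_PUBLISH_PATH
        try:
            os.mkdir(publishdir)
        except OSError as e:
            # directory left by an earlier install or created concurrently
            if e.errno != errno.EEXIST:
                raise
        os.chmod(publishdir, 0775)
        # … unchanged: chown to root:PKI_USER and the rest of the method …
```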