Fix named working directory permissions

Just adding the directory to the spec file does not work, because there is no
guarantee that named is installed at RPM installation time.

Ticket: https://fedorahosted.org/freeipa/ticket/4716
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Martin Basti 2014-11-11 13:00:18 +01:00 committed by Jan Cholasta
parent 4c670919a5
commit 7c176b708e
4 changed files with 46 additions and 8 deletions


@ -428,7 +428,6 @@ mkdir -p %{buildroot}%{_usr}/share/ipa/html/
/bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html
mkdir -p %{buildroot}%{_initrddir}
mkdir %{buildroot}%{_sysconfdir}/sysconfig/
mkdir -p %{buildroot}%{_localstatedir}/named/dyndb-ldap/ipa/
install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached
install -m 644 init/ipa-dnskeysyncd.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-dnskeysyncd
install -m 644 init/ipa-ods-exporter.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-ods-exporter
@ -669,7 +668,6 @@ fi
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
%dir %attr(0770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa/
# NOTE: systemd specific section
%{_tmpfilesdir}/%{name}.conf
%attr(644,root,root) %{_unitdir}/ipa.service
@ -783,6 +781,7 @@ fi
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
%ghost %{_localstatedir}/lib/ipa/pki-ca/publish
%ghost %{_localstatedir}/named/dyndb-ldap/ipa
%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
%{_mandir}/man1/ipa-replica-conncheck.1.gz
%{_mandir}/man1/ipa-replica-install.1.gz
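Review bot: The new `%ghost %{_localstatedir}/named/dyndb-ldap/ipa` entry carries neither `%dir` nor `%attr`, and since the `mkdir -p` of that path is removed from %install, rpm has nothing in the buildroot to stat; how the path is recorded (file vs. directory, owner and mode) then depends on rpm's ghost defaults rather than on the spec. Writing it as `%ghost %dir %attr(0770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa` states the intended directory and its named:named 0770 ownership in the package metadata, so `rpm -V` and package erase see what the upgrade code actually creates. For a ghost this is metadata only and the payload still does not create the directory, so it should not reintroduce the install-time ordering problem the commit message describes — worth confirming against the rpm version in use. The %files section continues outside the hunk.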


@ -30,6 +30,7 @@ import shutil
import pwd
import fileinput
import ConfigParser
import grp
from ipalib import api
import SSSDConfig
@ -1101,6 +1102,18 @@ def mask_named_regular():
return False
def fix_dyndb_ldap_workdir_permissions():
"""Fix dyndb-ldap working dir permissions. DNSSEC daemons requires it"""
if sysupgrade.get_upgrade_state('dns', 'dyndb_ipa_workdir_perm'):
return
if bindinstance.named_conf_exists():
root_logger.info('[Fix bind-dyndb-ldap IPA working directory]')
dnskeysync = dnskeysyncinstance.DNSKeySyncInstance()
dnskeysync.set_dyndb_ldap_workdir_permissions()
sysupgrade.set_upgrade_state('dns', 'dyndb_ipa_workdir_perm', True)
def fix_schema_file_syntax():
"""Fix syntax errors in schema files
@ -1373,6 +1386,7 @@ def main():
named_managed_keys_dir_option(),
named_root_key_include(),
mask_named_regular(),
fix_dyndb_ldap_workdir_permissions(),
)
if any(named_conf_changes):
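Review bot: `fix_dyndb_ldap_workdir_permissions` always returns None (the early `return` and the fall-through both yield None), yet it is placed in the `named_conf_changes` tuple whose members, such as `mask_named_regular` ending in `return False`, return booleans for `any(named_conf_changes)`; its entry therefore never affects that decision. If a restart is wanted after the fix, end the function with `return True` after `sysupgrade.set_upgrade_state(...)` and `return False` on the other paths; otherwise call it outside the tuple so the intent is explicit. Separately, the method it delegates to, `set_dyndb_ldap_workdir_permissions` in dnskeysyncinstance.py in this same commit, runs `os.chmod`/`os.chown` as root on a path under /var/named without checking `os.path.islink`; both calls follow symlinks, so if the parent directory is writable by an unprivileged user (not visible here) a planted symlink would redirect the chown. A `stat.S_ISDIR(os.lstat(path).st_mode)` check before the chmod/chown, raising otherwise, would close that. `main` continues outside the hunk.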


@ -190,6 +190,7 @@ class BasePathNamespace(object):
BIN_WGET = "/usr/bin/wget"
ZIP = "/usr/bin/zip"
BIND_LDAP_SO = "/usr/lib/bind/ldap.so"
BIND_LDAP_DNS_IPA_WORKDIR = "/var/named/dyndb-ldap/ipa/"
BIND_LDAP_DNS_ZONE_WORKDIR = "/var/named/dyndb-ldap/ipa/master/"
USR_LIB_DIRSRV = "/usr/lib/dirsrv"
USR_LIB_SLAPD_INSTANCE_TEMPLATE = "/usr/lib/dirsrv/slapd-%s"


@ -60,7 +60,6 @@ def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
return ret
class DNSKeySyncInstance(service.Service):
def __init__(self, fstore=None, dm_password=None, logger=root_logger,
ldapi=False):
@ -84,6 +83,23 @@ class DNSKeySyncInstance(service.Service):
suffix = ipautil.dn_attribute_property('_suffix')
def set_dyndb_ldap_workdir_permissions(self):
"""
Setting up correct permissions to allow write/read access for daemons
"""
if self.named_uid is None:
self.named_uid = self.__get_named_uid()
if self.named_gid is None:
self.named_gid = self.__get_named_gid()
if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR):
os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
# dnssec daemons require to have access into the directory
os.chmod(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
os.chown(paths.BIND_LDAP_DNS_IPA_WORKDIR, self.named_uid,
self.named_gid)
def remove_replica_public_keys(self, replica_fqdn):
ldap = api.Backend.ldap2
dn_base = DN(('cn', 'keys'), ('cn', 'sec'), ('cn', 'dns'), api.env.basedn)
@ -119,6 +135,8 @@ class DNSKeySyncInstance(service.Service):
self.ldap_connect()
# checking status step must be first
self.step("checking status", self.__check_dnssec_status)
self.step("setting up bind-dyndb-ldap working directory",
self.set_dyndb_ldap_workdir_permissions)
self.step("setting up kerberos principal", self.__setup_principal)
self.step("setting up SoftHSM", self.__setup_softhsm)
self.step("adding DNSSEC containers", self.__setup_dnssec_containers)
@ -127,20 +145,26 @@ class DNSKeySyncInstance(service.Service):
# we need restart named after setting up this service
self.start_creation()
def __check_dnssec_status(self):
def __get_named_uid(self):
named = services.knownservices.named
ods_enforcerd = services.knownservices.ods_enforcerd
try:
self.named_uid = pwd.getpwnam(named.get_user_name()).pw_uid
return pwd.getpwnam(named.get_user_name()).pw_uid
except KeyError:
raise RuntimeError("Named UID not found")
def __get_named_gid(self):
named = services.knownservices.named
try:
self.named_gid = grp.getgrnam(named.get_group_name()).gr_gid
return grp.getgrnam(named.get_group_name()).gr_gid
except KeyError:
raise RuntimeError("Named GID not found")
def __check_dnssec_status(self):
ods_enforcerd = services.knownservices.ods_enforcerd
self.named_uid = self.__get_named_uid()
self.named_gid = self.__get_named_gid()
try:
self.ods_uid = pwd.getpwnam(ods_enforcerd.get_user_name()).pw_uid
except KeyError: