certdb: Move chdir into subprocess call

According to a comment, certutil may create files in the current working directory. Rather than changing the cwd of the current process, FreeIPA's certutil wrapper now changes cwd for the subprocess only. See: https://pagure.io/freeipa/issue/7416 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2018-04-05 13:00:53 +02:00 · 2018-04-05 13:00:53 +02:00 · 807a5cbe7c
commit 807a5cbe7c
parent 8246d0cd5a
2 changed files with 8 additions and 19 deletions
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@ -297,7 +297,9 @@ class NSSDatabase(object):
        ]
        new_args.extend(args)
        new_args.extend(['-f', self.pwd_file])
-        return ipautil.run(new_args, stdin, **kwargs)
+        # When certutil makes a request it creates a file in the cwd, make
+        # sure we are in a unique place when this happens.
+        return ipautil.run(new_args, stdin, cwd=self.secdir, **kwargs)

    def run_pk12util(self, args, stdin=None, **kwargs):
        self._check_db()
@ -306,7 +308,7 @@ class NSSDatabase(object):
            "-d", '{}:{}'.format(self.dbtype, self.secdir)
        ]
        new_args.extend(args)
-        return ipautil.run(new_args, stdin, **kwargs)
+        return ipautil.run(new_args, stdin, cwd=self.secdir, **kwargs)

    def exists(self):
        """Check DB exists (all files are present)
@ -360,14 +362,15 @@ class NSSDatabase(object):
            dbdir = self.secdir
        else:
            dbdir = '{}:{}'.format(self.dbtype, self.secdir)
-        ipautil.run([
+        args = [
            paths.CERTUTIL,
            '-d', dbdir,
            '-N',
            '-f', self.pwd_file,
            # -@ in case it's an old db and it must be migrated
            '-@', self.pwd_file,
-        ])
+        ]
+        ipautil.run(args, stdin=None, cwd=self.secdir)
        self._set_filenames(self._detect_dbtype())
        if self.filenames is None:
            # something went wrong...
@ -415,7 +418,7 @@ class NSSDatabase(object):
            '-d', 'sql:{}'.format(self.secdir), '-N',
            '-f', self.pwd_file, '-@', self.pwd_file
        ]
-        ipautil.run(args)
+        ipautil.run(args, stdin=None, cwd=self.secdir)

        # retain file ownership and permission, backup old files
        migration = (
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@ -168,12 +168,6 @@ class CertDB(object):
        self.ca_subject = ca_subject
        self.subject_base = subject_base

-        try:
-            self.cwd = os.path.abspath(os.getcwd())
-        except OSError as e:
-            raise RuntimeError(
-                "Unable to determine the current directory: %s" % str(e))
-
        self.cacert_name = get_ca_nickname(self.realm)

        self.user = user
@ -245,10 +239,6 @@ class CertDB(object):
            shutil.rmtree(self.reqdir, ignore_errors=True)
            self.reqdir = None
        self.nssdb.close()
-        try:
-            os.chdir(self.cwd)
-        except OSError:
-            pass

    def setup_cert_request(self):
        """
@ -265,10 +255,6 @@ class CertDB(object):
        self.certreq_fname = self.reqdir + "/tmpcertreq"
        self.certder_fname = self.reqdir + "/tmpcert.der"

-        # When certutil makes a request it creates a file in the cwd, make
-        # sure we are in a unique place when this happens
-        os.chdir(self.reqdir)
-
    def set_perms(self, fname, write=False):
        perms = stat.S_IRUSR
        if write: