From 807a5cbe7cc52690336c5095ec6aeeb0a4e8483c Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 5 Apr 2018 13:00:53 +0200 Subject: [PATCH] certdb: Move chdir into subprocess call According to a comment, certutil may create files in the current working directory. Rather than changing the cwd of the current process, FreeIPA's certutil wrapper now changes cwd for the subprocess only. See: https://pagure.io/freeipa/issue/7416 Signed-off-by: Christian Heimes Reviewed-By: Rob Crittenden --- ipapython/certdb.py | 13 ++++++++----- ipaserver/install/certs.py | 14 -------------- 2 files changed, 8 insertions(+), 19 deletions(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index ffd4a6616..360482eac 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -297,7 +297,9 @@ class NSSDatabase(object): ] new_args.extend(args) new_args.extend(['-f', self.pwd_file]) - return ipautil.run(new_args, stdin, **kwargs) + # When certutil makes a request it creates a file in the cwd, make + # sure we are in a unique place when this happens. + return ipautil.run(new_args, stdin, cwd=self.secdir, **kwargs) def run_pk12util(self, args, stdin=None, **kwargs): self._check_db() @@ -306,7 +308,7 @@ class NSSDatabase(object): "-d", '{}:{}'.format(self.dbtype, self.secdir) ] new_args.extend(args) - return ipautil.run(new_args, stdin, **kwargs) + return ipautil.run(new_args, stdin, cwd=self.secdir, **kwargs) def exists(self): """Check DB exists (all files are present) @@ -360,14 +362,15 @@ class NSSDatabase(object): dbdir = self.secdir else: dbdir = '{}:{}'.format(self.dbtype, self.secdir) - ipautil.run([ + args = [ paths.CERTUTIL, '-d', dbdir, '-N', '-f', self.pwd_file, # -@ in case it's an old db and it must be migrated '-@', self.pwd_file, - ]) + ] + ipautil.run(args, stdin=None, cwd=self.secdir) self._set_filenames(self._detect_dbtype()) if self.filenames is None: # something went wrong... @@ -415,7 +418,7 @@ class NSSDatabase(object): '-d', 'sql:{}'.format(self.secdir), '-N', '-f', self.pwd_file, '-@', self.pwd_file ] - ipautil.run(args) + ipautil.run(args, stdin=None, cwd=self.secdir) # retain file ownership and permission, backup old files migration = ( diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index e2b3c4fc7..448ca8cc0 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -168,12 +168,6 @@ class CertDB(object): self.ca_subject = ca_subject self.subject_base = subject_base - try: - self.cwd = os.path.abspath(os.getcwd()) - except OSError as e: - raise RuntimeError( - "Unable to determine the current directory: %s" % str(e)) - self.cacert_name = get_ca_nickname(self.realm) self.user = user @@ -245,10 +239,6 @@ class CertDB(object): shutil.rmtree(self.reqdir, ignore_errors=True) self.reqdir = None self.nssdb.close() - try: - os.chdir(self.cwd) - except OSError: - pass def setup_cert_request(self): """ @@ -265,10 +255,6 @@ class CertDB(object): self.certreq_fname = self.reqdir + "/tmpcertreq" self.certder_fname = self.reqdir + "/tmpcert.der" - # When certutil makes a request it creates a file in the cwd, make - # sure we are in a unique place when this happens - os.chdir(self.reqdir) - def set_perms(self, fname, write=False): perms = stat.S_IRUSR if write: