certdb: Move chdir into subprocess call

According to a comment, certutil may create files in the current working
directory. Rather than changing the cwd of the current process,
FreeIPA's certutil wrapper now changes cwd for the subprocess only.

See: https://pagure.io/freeipa/issue/7416
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Christian Heimes
2018-04-05 13:00:53 +02:00
parent 8246d0cd5a
commit 807a5cbe7c
2 changed files with 8 additions and 19 deletions


@@ -297,7 +297,9 @@ class NSSDatabase(object):
]
new_args.extend(args)
new_args.extend(['-f', self.pwd_file])
return ipautil.run(new_args, stdin, **kwargs)
# When certutil makes a request it creates a file in the cwd, make
# sure we are in a unique place when this happens.
return ipautil.run(new_args, stdin, cwd=self.secdir, **kwargs)
def run_pk12util(self, args, stdin=None, **kwargs):
self._check_db()
@@ -306,7 +308,7 @@ class NSSDatabase(object):
"-d", '{}:{}'.format(self.dbtype, self.secdir)
]
new_args.extend(args)
return ipautil.run(new_args, stdin, **kwargs)
return ipautil.run(new_args, stdin, cwd=self.secdir, **kwargs)
def exists(self):
"""Check DB exists (all files are present)
@@ -360,14 +362,15 @@ class NSSDatabase(object):
dbdir = self.secdir
else:
dbdir = '{}:{}'.format(self.dbtype, self.secdir)
ipautil.run([
args = [
paths.CERTUTIL,
'-d', dbdir,
'-N',
'-f', self.pwd_file,
# -@ in case it's an old db and it must be migrated
'-@', self.pwd_file,
])
]
ipautil.run(args, stdin=None, cwd=self.secdir)
self._set_filenames(self._detect_dbtype())
if self.filenames is None:
# something went wrong...
@@ -415,7 +418,7 @@ class NSSDatabase(object):
'-d', 'sql:{}'.format(self.secdir), '-N',
'-f', self.pwd_file, '-@', self.pwd_file
]
ipautil.run(args)
ipautil.run(args, stdin=None, cwd=self.secdir)
# retain file ownership and permission, backup old files
migration = (
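Review bot: In the first two hunks `cwd=self.secdir` is passed alongside `**kwargs`, so any caller that already supplies `cwd` will now fail with a TypeError for a duplicate keyword argument; the callers are not visible here, so this needs a check across the tree. If overriding should stay possible, `kwargs.setdefault('cwd', self.secdir)` before `return ipautil.run(new_args, stdin, **kwargs)` avoids the clash; if it should not, the docstring should say that `cwd` is reserved by the wrapper. The added comment's "unique place" is also misleading, because `self.secdir` is the database directory shared by every call on that database; something like `# certutil may create files in its cwd; keep them in the NSS database directory` states what the code actually guarantees. That comment is missing on the `run_pk12util` call and on the two `-N` calls in the third and fourth hunks, and all four enclosing functions start outside their hunks.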