certdb: Move chdir into subprocess call

According to a comment, certutil may create files in the current working
directory. Rather than changing the cwd of the current process,
FreeIPA's certutil wrapper now changes cwd for the subprocess only.

See: https://pagure.io/freeipa/issue/7416
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

ipapython/certdb.py

@@ -297,7 +297,9 @@ class NSSDatabase(object):
         ]
         new_args.extend(args)
         new_args.extend(['-f', self.pwd_file])
-        return ipautil.run(new_args, stdin, **kwargs)
+        # When certutil makes a request it creates a file in the cwd, make
+        # sure we are in a unique place when this happens.
+        return ipautil.run(new_args, stdin, cwd=self.secdir, **kwargs)
 
     def run_pk12util(self, args, stdin=None, **kwargs):
         self._check_db()
@@ -306,7 +308,7 @@ class NSSDatabase(object):
             "-d", '{}:{}'.format(self.dbtype, self.secdir)
         ]
         new_args.extend(args)
-        return ipautil.run(new_args, stdin, **kwargs)
+        return ipautil.run(new_args, stdin, cwd=self.secdir, **kwargs)
 
     def exists(self):
         """Check DB exists (all files are present)
@@ -360,14 +362,15 @@ class NSSDatabase(object):
             dbdir = self.secdir
         else:
             dbdir = '{}:{}'.format(self.dbtype, self.secdir)
-        ipautil.run([
+        args = [
             paths.CERTUTIL,
             '-d', dbdir,
             '-N',
             '-f', self.pwd_file,
             # -@ in case it's an old db and it must be migrated
             '-@', self.pwd_file,
-        ])
+        ]
+        ipautil.run(args, stdin=None, cwd=self.secdir)
         self._set_filenames(self._detect_dbtype())
         if self.filenames is None:
             # something went wrong...
@@ -415,7 +418,7 @@ class NSSDatabase(object):
             '-d', 'sql:{}'.format(self.secdir), '-N',
             '-f', self.pwd_file, '-@', self.pwd_file
         ]
-        ipautil.run(args)
+        ipautil.run(args, stdin=None, cwd=self.secdir)
 
         # retain file ownership and permission, backup old files
         migration = (

ipaserver/install/certs.py

@@ -168,12 +168,6 @@ class CertDB(object):
         self.ca_subject = ca_subject
         self.subject_base = subject_base
 
-        try:
-            self.cwd = os.path.abspath(os.getcwd())
-        except OSError as e:
-            raise RuntimeError(
-                "Unable to determine the current directory: %s" % str(e))
-
         self.cacert_name = get_ca_nickname(self.realm)
 
         self.user = user
@@ -245,10 +239,6 @@ class CertDB(object):
             shutil.rmtree(self.reqdir, ignore_errors=True)
             self.reqdir = None
         self.nssdb.close()
-        try:
-            os.chdir(self.cwd)
-        except OSError:
-            pass
 
     def setup_cert_request(self):
         """
@@ -265,10 +255,6 @@ class CertDB(object):
         self.certreq_fname = self.reqdir + "/tmpcertreq"
         self.certder_fname = self.reqdir + "/tmpcert.der"
 
-        # When certutil makes a request it creates a file in the cwd, make
-        # sure we are in a unique place when this happens
-        os.chdir(self.reqdir)
-
     def set_perms(self, fname, write=False):
         perms = stat.S_IRUSR
         if write: