Fix expected file permissions for ghost files
File permissions from the rpm freeipa-server-common and freeipa-client-common do not match the runtime permissions. This results in mode failures on rpm -Va. Fix the expected file permissions on rpm spec file for /var/lib/ipa/pki-ca/publish /var/named/dyndb-ldap/ipa /etc/ipa/pwdfile.txt /etc/pki/ca-trust/source/ipa.p11-kit (new format SQLite) /etc/ipa/nssdb/cert9.db /etc/ipa/nssdb/key4.db /etc/ipa/pkcs11.txt (old format DBM) /etc/ipa/cert8.db /etc/ipa/key3.db /etc/ipa/secmod.db The commit also fixes the file permissions for /etc/httpd/conf.d/ipa-pki-proxy.conf (644) during server installation, and the group ownership. Fixes: https://pagure.io/freeipa/issue/7934 Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
parent
2d22fdafaa
commit
a425448914
@ -1129,15 +1129,15 @@ fi
|
||||
%dir %{_sysconfdir}/ipa/html
|
||||
%config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html
|
||||
%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
|
||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
|
||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
|
||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
|
||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
|
||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
|
||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
|
||||
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
|
||||
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
|
||||
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
|
||||
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
|
||||
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
|
||||
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
|
||||
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
|
||||
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
|
||||
%ghost %attr(0644,root,root) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
|
||||
%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb.con
|
||||
%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb5.ini
|
||||
%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krbrealm.con
|
||||
%dir %{_usr}/share/ipa/updates/
|
||||
%{_usr}/share/ipa/updates/*
|
||||
%dir %{_localstatedir}/lib/ipa
|
||||
@ -1149,8 +1149,8 @@ fi
|
||||
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/certs
|
||||
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/private
|
||||
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/passwds
|
||||
%ghost %{_localstatedir}/lib/ipa/pki-ca/publish
|
||||
%ghost %{_localstatedir}/named/dyndb-ldap/ipa
|
||||
%ghost %attr(775,root,pkiuser) %{_localstatedir}/lib/ipa/pki-ca/publish
|
||||
%ghost %attr(770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa
|
||||
%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
|
||||
%dir %{_usr}/share/ipa/schema.d
|
||||
%attr(0644,root,root) %{_usr}/share/ipa/schema.d/README
|
||||
@ -1239,19 +1239,19 @@ fi
|
||||
%doc README.md Contributors.txt
|
||||
%license COPYING
|
||||
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/
|
||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
|
||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
|
||||
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/default.conf
|
||||
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
|
||||
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb
|
||||
# old dbm format
|
||||
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
|
||||
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
|
||||
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
|
||||
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
|
||||
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
|
||||
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
|
||||
# new sql format
|
||||
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db
|
||||
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db
|
||||
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pkcs11.txt
|
||||
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
|
||||
%ghost %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
|
||||
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db
|
||||
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db
|
||||
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pkcs11.txt
|
||||
%ghost %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
|
||||
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
|
||||
%dir %{_localstatedir}/lib/ipa-client
|
||||
%dir %{_localstatedir}/lib/ipa-client/pki
|
||||
%dir %{_localstatedir}/lib/ipa-client/sysrestore
|
||||
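Review bot: The `%ghost` entries for `key3.db` and `key4.db` under `%{_sysconfdir}/ipa/nssdb` carry `%attr(644,root,root)` on what appears to be the new side, so `rpm -Va` will treat world-readable NSS key databases as the expected state, with `pwdfile.txt` at 600 the only restricted file in that directory. If that is the intended runtime layout, as the commit description implies, a spec comment above the two groups would stop a later reader from tightening or loosening it by accident, for example `# key DBs are world-readable by design; pwdfile.txt (0600) is the only restricted file here`. The same applies to `%attr(775,root,pkiuser)` on `pki-ca/publish`, which records a group-writable directory without saying which service needs the write access. The modes in this section also mix three- and four-digit forms (`644`, `0644`, `775`, `0700`); using one form throughout would make the list easier to audit.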
|
@ -278,6 +278,7 @@ class DogtagInstance(service.Service):
|
||||
template = ipautil.template_file(template_filename, sub_dict)
|
||||
with open(paths.HTTPD_IPA_PKI_PROXY_CONF, "w") as fd:
|
||||
fd.write(template)
|
||||
os.fchmod(fd.fileno(), 0o644)
|
||||
|
||||
def configure_certmonger_renewal(self):
|
||||
"""
|
||||
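Review bot: The added `os.fchmod(fd.fileno(), 0o644)` sets only the mode, while the spec entry for `ipa-pki-proxy.conf` also fixes owner and group. `open(..., "w")` keeps the owner and group of a file that already exists, so a file left over from an earlier install with different ownership would presumably still fail `rpm -Va`; an `os.fchown(fd.fileno(), 0, 0)` next to the `fchmod` would close that gap if it is not handled elsewhere. The line also deserves a comment tying it to the package metadata, such as `# keep in sync with the %ghost %attr(0644,...) entry in the rpm spec; do not rely on the installer's umask`. The enclosing method starts outside the hunk, so any ownership handling earlier in it is not visible here.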
|