Added file permissions option to IPAChangeConf.newConf()

Also added information about why os.chmod is called sometimes after newConf() calls. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Martin Basti <mbasti@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-11-03 12:29:45 +01:00
parent 990e1acb1a
commit b068d3336a
3 changed files with 8 additions and 3 deletions
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -360,6 +360,7 @@ def configure_ipa_conf(
    target_fname = paths.IPA_DEFAULT_CONF
    fstore.backup_file(target_fname)
    ipaconf.newConf(target_fname, opts)
+    # umask applies when creating a new file but we want 0o644 here
    os.chmod(target_fname, 0o644)


@@ -746,6 +747,7 @@ def configure_krb5_conf(
    root_logger.debug("%s", krbconf.dump(opts))

    krbconf.newConf(filename, opts)
+    # umask applies when creating a new file but we want 0o644 here
    os.chmod(filename, 0o644)


--- a/ipaclient/ipachangeconf.py
+++ b/ipaclient/ipachangeconf.py
@@ -508,12 +508,13 @@ class IPAChangeConf(object):
                pass
        return True

-    def newConf(self, file, options):
+    def newConf(self, file, options, file_perms=0o644):
        """"
        Write settings to a new file, backup the old
        :param file: path to the file
        :param options: a set of dictionaries in the form:
             {'name': 'foo', 'value': 'bar', 'action': 'set/comment'}
+        :param file_perms: number defining the new file's permissions
        """
        output = ""
        f = None
@@ -525,7 +526,7 @@ class IPAChangeConf(object):
                    # The orign file did not exist
                    pass

-            f = openLocked(file, 0o644)
+            f = openLocked(file, file_perms)

            # Trunkate
            f.seek(0)
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -264,7 +264,9 @@ def create_ipa_conf(fstore, config, ca_enabled):
        {'name': 'empty', 'type': 'empty'}
    ]
    ipaconf.newConf(target_fname, opts)
-    os.chmod(target_fname, 0o644)   # must be readable for httpd
+    # the new file must be readable for httpd
+    # Also, umask applies when creating a new file but we want 0o644 here
+    os.chmod(target_fname, 0o644)


 def check_dirsrv():