Fix IPA install for secure umask

Make sure that IPA can be installed with root umask set to secure value 077. ipa-server-install was failing in DS configuration phase when dirsrv tried to read boot.ldif created during installation. https://fedorahosted.org/freeipa/ticket/1282
2025-02-25 18:55:28 -06:00 · 2011-06-17 14:19:45 +02:00
parent ba42b700eb
commit b227208d01
4 changed files with 60 additions and 41 deletions
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -443,18 +443,22 @@ def main():

    # Create the management framework config file
    # Note: We must do this before bootstraping and finalizing ipalib.api
-    fd = open("/etc/ipa/default.conf", "w")
-    fd.write("[global]\n")
-    fd.write("basedn=" + util.realm_to_suffix(config.realm_name) + "\n")
-    fd.write("realm=" + config.realm_name + "\n")
-    fd.write("domain=" + config.domain_name + "\n")
-    fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % config.host_name)
-    fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(config.realm_name))
-    if ipautil.file_exists(config.dir + "/cacert.p12"):
-        fd.write("enable_ra=True\n")
-        fd.write("ra_plugin=dogtag\n")
-    fd.write("mode=production\n")
-    fd.close()
+    old_umask = os.umask(022)   # must be readable for httpd
+    try:
+        fd = open("/etc/ipa/default.conf", "w")
+        fd.write("[global]\n")
+        fd.write("basedn=" + util.realm_to_suffix(config.realm_name) + "\n")
+        fd.write("realm=" + config.realm_name + "\n")
+        fd.write("domain=" + config.domain_name + "\n")
+        fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % config.host_name)
+        fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(config.realm_name))
+        if ipautil.file_exists(config.dir + "/cacert.p12"):
+            fd.write("enable_ra=True\n")
+            fd.write("ra_plugin=dogtag\n")
+        fd.write("mode=production\n")
+        fd.close()
+    finally:
+        os.umask(old_umask)

    api.bootstrap(in_server=True)
    api.finalize()
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -676,18 +676,22 @@ def main():
    logging.debug("will use dns_forwarders: %s\n" % str(dns_forwarders))

    # Create the management framework config file and finalize api
-    fd = open("/etc/ipa/default.conf", "w")
-    fd.write("[global]\n")
-    fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n")
-    fd.write("realm=" + realm_name + "\n")
-    fd.write("domain=" + domain_name + "\n")
-    fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % host_name)
-    fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name))
-    fd.write("enable_ra=True\n")
-    if not options.selfsign:
-        fd.write("ra_plugin=dogtag\n")
-    fd.write("mode=production\n")
-    fd.close()
+    old_umask = os.umask(022)   # must be readable for httpd
+    try:
+        fd = open("/etc/ipa/default.conf", "w")
+        fd.write("[global]\n")
+        fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n")
+        fd.write("realm=" + realm_name + "\n")
+        fd.write("domain=" + domain_name + "\n")
+        fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % host_name)
+        fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name))
+        fd.write("enable_ra=True\n")
+        if not options.selfsign:
+            fd.write("ra_plugin=dogtag\n")
+        fd.write("mode=production\n")
+        fd.close()
+    finally:
+        os.umask(old_umask)

    api.bootstrap(**cfg)
    api.finalize()
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -114,7 +114,11 @@ def check_certs():
    if not os.path.exists("/usr/share/ipa/html/ca.crt"):
        ca_file = "/etc/httpd/alias/cacert.asc"
        if os.path.exists(ca_file):
-            shutil.copyfile(ca_file, "/usr/share/ipa/html/ca.crt")
+            old_umask = os.umask(022)   # make sure its readable by httpd
+            try:
+                shutil.copyfile(ca_file, "/usr/share/ipa/html/ca.crt")
+            finally:
+                os.umask(old_umask)
        else:
            print "Missing Certification Authority file."
            print "You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt"
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -358,10 +358,13 @@ class DsInstance(service.Service):
        self.sub_dict['BASEDC'] = self.realm_name.split('.')[0].lower()
        base_txt = ipautil.template_str(BASE_TEMPLATE, self.sub_dict)
        logging.debug(base_txt)
-        base_fd = file("/var/lib/dirsrv/boot.ldif", "w")
-        base_fd.write(base_txt)
-        base_fd.flush()
-        base_fd.close()
+        old_umask = os.umask(022)   # must be readable for dirsrv
+        try:
+            base_fd = open("/var/lib/dirsrv/boot.ldif", "w")
+            base_fd.write(base_txt)
+            base_fd.close()
+        finally:
+            os.umask(old_umask)

        inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict)
        logging.debug("writing inf template")
@@ -394,21 +397,25 @@ class DsInstance(service.Service):
        os.remove("/var/lib/dirsrv/boot.ldif")

    def __add_default_schemas(self):
-        shutil.copyfile(ipautil.SHARE_DIR + "60kerberos.ldif",
-                        schema_dirname(self.serverid) + "60kerberos.ldif")
-        shutil.copyfile(ipautil.SHARE_DIR + "60samba.ldif",
-                        schema_dirname(self.serverid) + "60samba.ldif")
-        shutil.copyfile(ipautil.SHARE_DIR + "60ipaconfig.ldif",
-                        schema_dirname(self.serverid) + "60ipaconfig.ldif")
-        shutil.copyfile(ipautil.SHARE_DIR + "60basev2.ldif",
-                        schema_dirname(self.serverid) + "60basev2.ldif")
-        shutil.copyfile(ipautil.SHARE_DIR + "60ipasudo.ldif",
-                        schema_dirname(self.serverid) + "60ipasudo.ldif")
+        pent = pwd.getpwnam(DS_USER)
+        for schema_fname in ("60kerberos.ldif",
+                             "60samba.ldif",
+                             "60ipaconfig.ldif",
+                             "60basev2.ldif",
+                             "60ipasudo.ldif"):
+            target_fname = schema_dirname(self.serverid) + schema_fname
+            shutil.copyfile(ipautil.SHARE_DIR + schema_fname, target_fname)
+            os.chmod(target_fname, 0440)    # read access for dirsrv user/group
+            os.chown(target_fname, pent.pw_uid, pent.pw_gid)
+
        try:
            shutil.move(schema_dirname(self.serverid) + "05rfc2247.ldif",
                            schema_dirname(self.serverid) + "05rfc2247.ldif.old")
-            shutil.copyfile(ipautil.SHARE_DIR + "05rfc2247.ldif",
-                            schema_dirname(self.serverid) + "05rfc2247.ldif")
+
+            target_fname = schema_dirname(self.serverid) + "05rfc2247.ldif"
+            shutil.copyfile(ipautil.SHARE_DIR + "05rfc2247.ldif", target_fname)
+            os.chmod(target_fname, 0440)
+            os.chown(target_fname, pent.pw_uid, pent.pw_gid)
        except IOError:
            # Does not apply with newer DS releases
            pass