client install: create /etc/ipa/nssdb with correct mode

The NSS database directory is created with mode 640, which causes the IPA
client to fail to connect to any IPA server, because it is unable to read
trusted CA certificates from the NSS database.

Create the directory with mode 644 to fix the issue.

https://fedorahosted.org/freeipa/ticket/5959

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>

ipaclient/install/client.py

@@ -2284,7 +2284,7 @@ def install_check(options):
 
 def create_ipa_nssdb():
     db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
-    db.create_db(backup=True)
+    db.create_db(mode=0o755, backup=True)
     os.chmod(db.pwd_file, 0o600)
     os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644)
     os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644)

ipapython/certdb.py

@@ -124,9 +124,11 @@ class NSSDatabase(object):
         """
         dirmode = 0o750
         filemode = 0o640
+        pwdfilemode = 0o640
         if mode is not None:
             dirmode = mode
             filemode = mode & 0o666
+            pwdfilemode = mode & 0o660
 
         uid = -1
         gid = -1
@@ -147,7 +149,7 @@ class NSSDatabase(object):
             # Create the password file for this db
             with io.open(os.open(self.pwd_file,
                                  os.O_CREAT | os.O_WRONLY,
-                                 filemode), 'w', closefd=True) as f:
+                                 pwdfilemode), 'w', closefd=True) as f:
                 f.write(ipautil.ipa_generate_password())
                 f.flush()
 
@@ -162,7 +164,11 @@ class NSSDatabase(object):
             if os.path.exists(path):
                 if uid != -1 or gid != -1:
                     os.chown(path, uid, gid)
-                os.chmod(path, filemode)
+                if path == self.pwd_file:
+                    new_mode = pwdfilemode
+                else:
+                    new_mode = filemode
+                os.chmod(path, new_mode)
                 tasks.restore_context(path)
 
     def list_certs(self):