Move Custodia secrets handler to scripts

Implement the import and export handlers for Custodia keys as external
scripts. It's a prerequisite to drop DAC override permission and proper
SELinux rules for ipa-custodia.

Except for DMLDAP, handlers no longer run as root but as handler
specific users with reduced privileges. The Dogtag-related handlers run
as pkiuser, which also helps with HSM support.

The export and import handlers are designed to be executed by sudo, too.
In the future, ipa-custodia could be executed as an unprivileged process
that runs the minimal helper scripts with higher privileges.

Fixes: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Christian Heimes
2019-01-30 14:08:38 +01:00
parent d2c5ce1a82
commit beffa7bcda
18 changed files with 641 additions and 184 deletions

@@ -39,6 +39,7 @@ if __name__ == '__main__':
'ipaserver.dnssec',
'ipaserver.plugins',
'ipaserver.secrets',
'ipaserver.secrets.handlers',
'ipaserver.install',
'ipaserver.install.plugins',
'ipaserver.install.server',
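
Review bot: the new 'ipaserver.secrets.handlers' entry in this package list only makes the handlers importable as Python modules, and nothing in this hunk covers how the executable entry points are installed. Since the commit message says the handlers run as external scripts under handler-specific users and may be invoked through sudo, please confirm elsewhere in the change that those scripts are installed root-owned and not writable by the users that execute them, and that the new directory ships an `__init__.py` so this entry resolves at build time.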