ipaserver/install/krainstance.py: chown after write
When fs.protected_regular=1, root cannot open temp files that are owned by other users read-write. So move os.chown after the write. Refactoring suggested by Christian Heimes. Fixes: https://pagure.io/freeipa/issue/7906 Signed-off-by: François Cami <fcami@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
parent
f2826da24b
commit
cf42dc1f29
@ -146,11 +146,6 @@ class KRAInstance(DogtagInstance):
parameters and passes it to the base class to call pkispawn
"""
# Create an empty and secured file
(cfg_fd, cfg_file) = tempfile.mkstemp()
os.close(cfg_fd)
pent = pwd.getpwnam(self.service_user)
os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
self.tmp_agent_db = tempfile.mkdtemp(
prefix="tmp-", dir=paths.VAR_LIB_IPA)
tmp_agent_pwd = ipautil.ipa_generate_password()
@ -208,9 +203,12 @@ class KRAInstance(DogtagInstance):
)
# Generate configuration file
pent = pwd.getpwnam(self.service_user)
config = self._create_spawn_config(cfg)
with open(cfg_file, "w") as f:
with tempfile.NamedTemporaryFile('w', delete=False) as f:
config.write(f)
os.fchown(f.fileno(), pent.pw_uid, pent.pw_gid)
cfg_file = f.name
nolog_list = [
self.dm_password, self.admin_password, pki_pin, tmp_agent_pwd
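Review bot: If `config.write(f)` or `os.fchown(...)` raises inside the new `with tempfile.NamedTemporaryFile('w', delete=False)` block, the file is left behind in the temp directory holding the spawn configuration — which, judging by the `nolog_list` right below, includes the DM and admin passwords and the PKI PIN — and nothing in this hunk removes it on that path. Binding `cfg_file = f.name` first and unlinking on failure closes that gap; the success-path removal of `cfg_file` presumably already exists further down in the method, which starts and ends outside both hunks, so I have not assumed its shape. The first hunk (the dropped `mkstemp`/`os.close`/`os.chown` at -146) only reflects the move the commit describes and needs nothing further.

```python
with tempfile.NamedTemporaryFile('w', delete=False) as f:
    cfg_file = f.name
    try:
        config.write(f)
        os.fchown(f.fileno(), pent.pw_uid, pent.pw_gid)
    except Exception:
        # don't leave a secret-bearing config behind on failure
        os.unlink(cfg_file)
        raise
# … unchanged: nolog_list …
```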