ipaserver/install/krainstance.py: chown after write

When fs.protected_regular=1 root cannot open temp files that
are owned by other users read-write.
So move os.chown after write.

Refactoring suggested by Christian Heimes.

Fixes: https://pagure.io/freeipa/issue/7906
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
François Cami 2019-04-10 10:12:07 +02:00
parent f2826da24b
commit cf42dc1f29

View File

@ -146,11 +146,6 @@ class KRAInstance(DogtagInstance):
parameters and passes it to the base class to call pkispawn
"""
# Create an empty and secured file
(cfg_fd, cfg_file) = tempfile.mkstemp()
os.close(cfg_fd)
pent = pwd.getpwnam(self.service_user)
os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
self.tmp_agent_db = tempfile.mkdtemp(
prefix="tmp-", dir=paths.VAR_LIB_IPA)
tmp_agent_pwd = ipautil.ipa_generate_password()
@ -208,9 +203,12 @@ class KRAInstance(DogtagInstance):
)
# Generate configuration file
pent = pwd.getpwnam(self.service_user)
config = self._create_spawn_config(cfg)
with open(cfg_file, "w") as f:
with tempfile.NamedTemporaryFile('w', delete=False) as f:
config.write(f)
os.fchown(f.fileno(), pent.pw_uid, pent.pw_gid)
cfg_file = f.name
nolog_list = [
self.dm_password, self.admin_password, pki_pin, tmp_agent_pwd