Fix permissions in installers

Fix permissions for (configuration) files produced by ipa-server-install or ipa-client-install. This patch is needed when root has a umask preventing files from being world readable. https://fedorahosted.org/freeipa/ticket/1644
2025-02-25 18:55:28 -06:00 · 2011-08-30 16:32:40 +02:00
parent 95beb84464
commit d0ce604b4d
5 changed files with 47 additions and 33 deletions
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -820,23 +820,23 @@ def main():
    logging.debug("will use dns_forwarders: %s\n" % str(dns_forwarders))

    # Create the management framework config file and finalize api
-    old_umask = os.umask(022)   # must be readable for httpd
-    try:
-        fd = open("/etc/ipa/default.conf", "w")
-        fd.write("[global]\n")
-        fd.write("host=" + host_name + "\n")
-        fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n")
-        fd.write("realm=" + realm_name + "\n")
-        fd.write("domain=" + domain_name + "\n")
-        fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % host_name)
-        fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name))
-        fd.write("enable_ra=True\n")
-        if not options.selfsign:
-            fd.write("ra_plugin=dogtag\n")
-        fd.write("mode=production\n")
-        fd.close()
-    finally:
-        os.umask(old_umask)
+    target_fname = '/etc/ipa/default.conf'
+    fd = open(target_fname, "w")
+    fd.write("[global]\n")
+    fd.write("host=" + host_name + "\n")
+    fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n")
+    fd.write("realm=" + realm_name + "\n")
+    fd.write("domain=" + domain_name + "\n")
+    fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % host_name)
+    fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name))
+    fd.write("enable_ra=True\n")
+    if not options.selfsign:
+        fd.write("ra_plugin=dogtag\n")
+    fd.write("mode=production\n")
+    fd.close()
+
+    # Must be readable for everyone
+    os.chmod(target_fname, 0644)

    api.bootstrap(**cfg)
    api.finalize()
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -345,8 +345,10 @@ def configure_ipa_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server):
    opts.append({'name':'global', 'type':'section', 'value':defopts})
    opts.append({'name':'empty', 'type':'empty'})

-    fstore.backup_file("/etc/ipa/default.conf")
-    ipaconf.newConf("/etc/ipa/default.conf", opts)
+    target_fname = '/etc/ipa/default.conf'
+    fstore.backup_file(target_fname)
+    ipaconf.newConf(target_fname, opts)
+    os.chmod(target_fname, 0644)

    return 0

@@ -519,7 +521,8 @@ def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, c
    logging.debug("Writing Kerberos configuration to %s:\n%s"
            % (filename, krbconf.dump(opts)))

-    krbconf.newConf(filename, opts);
+    krbconf.newConf(filename, opts)
+    os.chmod(filename, 0644)

    return 0

--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -356,13 +356,14 @@ class DsInstance(service.Service):
        self.sub_dict['BASEDC'] = self.realm_name.split('.')[0].lower()
        base_txt = ipautil.template_str(BASE_TEMPLATE, self.sub_dict)
        logging.debug(base_txt)
-        old_umask = os.umask(022)   # must be readable for dirsrv
-        try:
-            base_fd = open("/var/lib/dirsrv/boot.ldif", "w")
-            base_fd.write(base_txt)
-            base_fd.close()
-        finally:
-            os.umask(old_umask)
+
+        target_fname = '/var/lib/dirsrv/boot.ldif'
+        base_fd = open(target_fname, "w")
+        base_fd.write(base_txt)
+        base_fd.close()
+
+        # Must be readable for dirsrv
+        os.chmod(target_fname, 0440)

        inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict)
        logging.debug("writing inf template")
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -136,17 +136,21 @@ class HTTPInstance(service.Service):
        os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)

    def __configure_http(self):
+        target_fname = '/etc/httpd/conf.d/ipa.conf'
        http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
        self.fstore.backup_file("/etc/httpd/conf.d/ipa.conf")
-        http_fd = open("/etc/httpd/conf.d/ipa.conf", "w")
+        http_fd = open(target_fname, "w")
        http_fd.write(http_txt)
        http_fd.close()
+        os.chmod(target_fname, 0644)

+        target_fname = '/etc/httpd/conf.d/ipa-rewrite.conf'
        http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa-rewrite.conf", self.sub_dict)
        self.fstore.backup_file("/etc/httpd/conf.d/ipa-rewrite.conf")
-        http_fd = open("/etc/httpd/conf.d/ipa-rewrite.conf", "w")
+        http_fd = open(target_fname, "w")
        http_fd.write(http_txt)
        http_fd.close()
+        os.chmod(target_fname, 0644)

    def __disable_mod_ssl(self):
        if os.path.exists(SSL_CONF):
@@ -227,10 +231,12 @@ class HTTPInstance(service.Service):
            os.chmod(certs.CA_SERIALNO, 0664)

    def __setup_autoconfig(self):
+        target_fname = '/usr/share/ipa/html/preferences.html'
        prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "preferences.html.template", self.sub_dict)
-        prefs_fd = open("/usr/share/ipa/html/preferences.html", "w")
+        prefs_fd = open(target_fname, "w")
        prefs_fd.write(prefs_txt)
        prefs_fd.close()
+        os.chmod(target_fname, 0644)

        # The signing cert is generated in __setup_ssl
        db = certs.CertDB(self.realm, subject_base=self.subject_base)
@@ -240,12 +246,14 @@ class HTTPInstance(service.Service):
        pwdfile.close()

        tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+        target_fname = '/usr/share/ipa/html/configure.jar'
        shutil.copy("/usr/share/ipa/html/preferences.html", tmpdir)
        db.run_signtool(["-k", "Signing-Cert",
-                         "-Z", "/usr/share/ipa/html/configure.jar",
+                         "-Z", target_fname,
                         "-e", ".html", "-p", pwd,
                         tmpdir])
        shutil.rmtree(tmpdir)
+        os.chmod(target_fname, 0755)    # everyone can execute the jar

    def __publish_ca_cert(self):
        ca_db = certs.CertDB(self.realm)
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -282,13 +282,15 @@ class KrbInstance(service.Service):
    def __add_default_acis(self):
        self._ldap_mod("default-aci.ldif", self.sub_dict)

-    def __template_file(self, path):
+    def __template_file(self, path, chmod=0644):
        template = os.path.join(ipautil.SHARE_DIR, os.path.basename(path) + ".template")
        conf = ipautil.template_file(template, self.sub_dict)
        self.fstore.backup_file(path)
        fd = open(path, "w+")
        fd.write(conf)
        fd.close()
+        if chmod is not None:
+            os.chmod(path, chmod)

    def __init_ipa_kdb(self):
        #populate the directory with the realm structure
@@ -301,7 +303,7 @@ class KrbInstance(service.Service):
            print "Failed to initialize the realm container"

    def __configure_instance(self):
-        self.__template_file("/var/kerberos/krb5kdc/kdc.conf")
+        self.__template_file("/var/kerberos/krb5kdc/kdc.conf", chmod=None)
        self.__template_file("/etc/krb5.conf")
        self.__template_file("/usr/share/ipa/html/krb5.ini")
        self.__template_file("/usr/share/ipa/html/krb.con")