mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
ipaserver/install/cainstance.py: unlink before creating new file in /tmp
When fs.protected_regular=1 root cannot open temp files that are owned by other users read-write. So unlink temporary file before shutil.copy to it. Fixes: https://pagure.io/freeipa/issue/7907 Signed-off-by: François Cami fcami@redhat.com Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
parent
536e7da6d2
commit
d68fe6b981
@ -69,6 +69,7 @@ from ipaserver.install import sysupgrade
|
||||
from ipaserver.install.dogtaginstance import DogtagInstance
|
||||
from ipaserver.plugins import ldap2
|
||||
from ipaserver.masters import ENABLED_SERVICE
|
||||
from ipaserver.install.installutils import remove_file
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
@ -514,6 +515,11 @@ class CAInstance(DogtagInstance):
|
||||
)
|
||||
|
||||
cafile = self.pkcs12_info[0]
|
||||
|
||||
# if paths.TMP_CA_P12 exists and is not owned by root,
|
||||
# shutil.copy will fail if when fs.protected_regular=1
|
||||
# so remove the file first
|
||||
remove_file(paths.TMP_CA_P12)
|
||||
shutil.copy(cafile, paths.TMP_CA_P12)
|
||||
pent = pwd.getpwnam(self.service_user)
|
||||
os.chown(paths.TMP_CA_P12, pent.pw_uid, pent.pw_gid)
|
||||
|
Loading…
Reference in New Issue
Block a user