mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 15:40:01 -06:00
Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations
It was previously being set to 0444, which triggered a warning in freeipa-healthcheck. Even root needs the DAC_OVERRIDE capability to write to a 0o444 file, and that capability may not be available in some environments. https://pagure.io/freeipa/issue/8441 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
parent
07341990d9
commit
ec367aa479
@ -322,7 +322,7 @@ class CertDB:
|
||||
ipautil.backup_file(cacert_fname)
|
||||
root_nicknames = self.find_root_cert(nickname)[:-1]
|
||||
with open(cacert_fname, "w") as f:
|
||||
os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
|
||||
os.fchmod(f.fileno(), 0o644)
|
||||
for root in root_nicknames:
|
||||
result = self.run_certutil(["-L", "-n", root, "-a"],
|
||||
capture_output=True)
|
||||
|
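Review bot: The literal `0o644` on the new `os.fchmod` line has no comment, so the reason for the mode lives only in the commit message: freeipa-healthcheck expects it, and root without DAC_OVERRIDE cannot rewrite a 0444 file. I would add a comment above the call, for example `# 0644: world-readable CA bundle, owner-writable so root can rewrite it without DAC_OVERRIDE`. That keeps a later hardening pass from tightening this trust-anchor file back to read-only. Setting the mode through the open descriptor straight after `open()` is the right shape, because it applies to the file that was just opened, not to whatever the path names later. The `with` block runs past the end of the hunk, so the rest of the write path is not visible here.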
@ -904,9 +904,8 @@ def install(installer):
|
||||
|
||||
ca.install_step_0(False, None, options, custodia=custodia)
|
||||
else:
|
||||
# Put the CA cert where other instances expect it
|
||||
x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
|
||||
os.chmod(paths.IPA_CA_CRT, 0o444)
|
||||
# /etc/ipa/ca.crt is created as a side-effect of
|
||||
# dsinstance::enable_ssl() via export_ca_cert()
|
||||
|
||||
if not options.no_pkinit:
|
||||
x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM)
|
||||
|
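Review bot: With the explicit write removed, the CA-less branch depends on `paths.IPA_CA_CRT` having been created earlier by `dsinstance` `enable_ssl()` through `export_ca_cert()`, and nothing visible in this hunk checks that the file exists. If that export is later reordered or made conditional, the install would continue without the CA certificate that other components expect. A cheap guard next to the new comment would make the dependency explicit: `if not os.path.isfile(paths.IPA_CA_CRT): raise RuntimeError("%s was not exported" % paths.IPA_CA_CRT)`. The file's content now also comes from the exported root chain instead of `http_ca_cert`. If those two can differ in a CA-less setup, the comment should say which one is authoritative. Indentation is lost on this page and `install()` extends beyond the hunk, so a check further down may already cover this.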