Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations

It was previously being set to 0444 which triggered a warning
in freeipa-healthcheck.

Even root needs the DAC_OVERRIDE capability to write to a 0o444 file,
and that capability may not be available in some environments.

https://pagure.io/freeipa/issue/8441

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Rob Crittenden 2020-08-04 15:09:56 -04:00 committed by Florence Blanc-Renaud
parent 07341990d9
commit ec367aa479
2 changed files with 3 additions and 4 deletions


@ -322,7 +322,7 @@ class CertDB:
ipautil.backup_file(cacert_fname)
root_nicknames = self.find_root_cert(nickname)[:-1]
with open(cacert_fname, "w") as f:
os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
os.fchmod(f.fileno(), 0o644)
for root in root_nicknames:
result = self.run_certutil(["-L", "-n", root, "-a"],
capture_output=True)
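Review bot: The new `os.fchmod(f.fileno(), 0o644)` only runs once `open(cacert_fname, "w")` has already succeeded, so a file left at 0444 by an earlier install is still opened for truncation under the old mode; in the environments the commit message describes (no DAC_OVERRIDE) that `open` is where the failure would surface, and the fchmod would never be reached. If upgrading such installs is in scope, relax the existing file before opening it, e.g. `if os.path.exists(cacert_fname): os.chmod(cacert_fname, 0o644)` ahead of the `with`, or cover it in an upgrade step. A one-line comment would also save the next reader a trip to the issue tracker, e.g. `# 0644 rather than 0444: a read-only file needs DAC_OVERRIDE to rewrite, even as root (#8441)`. The enclosing CertDB method starts before the hunk and continues after it, so the surrounding error handling, if any, is not visible here.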


@ -904,9 +904,8 @@ def install(installer):
ca.install_step_0(False, None, options, custodia=custodia)
else:
# Put the CA cert where other instances expect it
x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
os.chmod(paths.IPA_CA_CRT, 0o444)
# /etc/ipa/ca.crt is created as a side-effect of
# dsinstance::enable_ssl() via export_ca_cert()
if not options.no_pkinit:
x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM)
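Review bot: With `os.chmod(paths.IPA_CA_CRT, 0o444)` removed, the final mode of `paths.IPA_CA_CRT` in this branch depends on whatever `x509.write_certificate` produces (its default is not visible here) or, per the adjacent comment, on what `export_ca_cert()` sets when `dsinstance::enable_ssl()` rewrites the file; whichever write lands last decides, and clients must be able to read this file. It would be worth pinning that dependency in the comment rather than leaving it implied, e.g. `# /etc/ipa/ca.crt is (re)created by dsinstance::enable_ssl() via export_ca_cert(), which sets its final mode; no chmod here`, once it is confirmed that enable_ssl() runs after this point in install(). If the ordering is not guaranteed, an explicit `os.chmod(paths.IPA_CA_CRT, 0o644)` after the write here, matching the CertDB change in the other file, would be the safer choice. install()'s body continues outside the hunk.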