ipa-{server,replica}-install: add too-restritive mask detection

If the mask used during the installation is "too restrictive", i.e. 0027,
installing FreeIPA results in a broken server or replica.
Check for too-restrictive mask at install time and error out.

Fixes: https://pagure.io/freeipa/issue/7193
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
François Cami 2019-03-12 22:30:39 +01:00
parent f2e7c3f68b
commit f90a4b9554
3 changed files with 28 additions and 2 deletions


@ -1389,3 +1389,14 @@ def default_subject_base(realm_name):
def default_ca_subject_dn(subject_base):
return DN(('CN', 'Certificate Authority'), subject_base)
def validate_mask():
try:
mask = os.umask(0)
finally:
os.umask(mask)
mask_str = None
if mask & 0b111101101 > 0:
mask_str = "{:04o}".format(mask)
return mask_str
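Review bot: The constant `0b111101101` in validate_mask() is 0o755 in binary, so the check flags any umask bit outside 0022 but accepts looser values such as 0002 or 0000, even though the callers report "expected 0022". I would write it as `if mask & 0o755:` and add a docstring saying that the function returns the umask as a four-digit octal string when it is more restrictive than 0022 and None otherwise. `os.umask(0)` also leaves the whole process with a zero umask until the second call restores it, which deserves a comment such as `# umask can only be read by setting it; restore immediately`. The try/finally gives no protection here, since `mask` is unbound if the first call raises.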


@ -42,7 +42,7 @@ from ipaserver.install import (
from ipaserver.install.installutils import (
IPA_MODULES, BadHostError, get_fqdn, get_server_ip_address,
is_ipa_configured, load_pkcs12, read_password, verify_fqdn,
update_hosts_file)
update_hosts_file, validate_mask)
if six.PY3:
unicode = str
@ -316,6 +316,16 @@ def install_check(installer):
tasks.check_selinux_status()
check_ldap_conf()
mask_str = validate_mask()
if mask_str:
print("Unexpected system mask: %s, expected 0022" % mask_str)
if installer.interactive:
if not user_input("Do you want to continue anyway?", True):
raise ScriptError(
"Unexpected system mask: %s" % mask_str)
else:
raise ScriptError("Unexpected system mask: %s" % mask_str)
if options.master_password:
msg = ("WARNING:\noption '-P/--master-password' is deprecated. "
"KDC master password of sufficient strength is autogenerated "
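Review bot: The interactive branch in install_check() calls `user_input("Do you want to continue anyway?", True)`, and if the second argument is the default answer, as it appears to be, pressing Enter continues an installation that the commit message describes as ending in a broken server. The safer default is to abort: `if not user_input("Do you want to continue anyway?", False):`. Both ScriptError messages here also omit the "expected 0022" hint that the print carries, which matters wherever only the exception text is logged; building the message once and reusing it would keep them in step. install_check starts and ends outside this hunk.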


@ -41,7 +41,7 @@ from ipaserver.install import (
adtrust, bindinstance, ca, dns, dsinstance, httpinstance,
installutils, kra, krbinstance, otpdinstance, custodiainstance, service)
from ipaserver.install.installutils import (
ReplicaConfig, load_pkcs12, is_ipa_configured)
ReplicaConfig, load_pkcs12, is_ipa_configured, validate_mask)
from ipaserver.install.replication import (
ReplicationManager, replica_conn_check)
from ipaserver.masters import find_providing_servers, find_providing_server
@ -570,6 +570,11 @@ def common_check(no_ntp):
tasks.check_selinux_status()
check_ldap_conf()
mask_str = validate_mask()
if mask_str:
raise ScriptError(
"Unexpected system mask: %s, expected 0022" % mask_str)
if is_ipa_configured():
raise ScriptError(
"IPA server is already configured on this system.\n"
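Review bot: common_check() aborts on a flagged umask with no interactive override, whereas the server's install_check() in the same commit lets an interactive user continue, and neither the commit message nor a comment explains the difference. If the hard failure is intended for replicas, a short comment above the check would record that, for example `# replicas never proceed with a restrictive umask: the result is a broken install`. common_check's body continues outside this hunk.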