ipa-{server,replica}-install: add too-restritive mask detection
If the mask used during the installation is "too restrictive", i.e. 0027, installing FreeIPA results in a broken server or replica. Check for too-restrictive mask at install time and error out. Fixes: https://pagure.io/freeipa/issue/7193 Signed-off-by: François Cami <fcami@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
parent
f2e7c3f68b
commit
f90a4b9554
@ -1389,3 +1389,14 @@ def default_subject_base(realm_name):
|
||||
|
||||
def default_ca_subject_dn(subject_base):
|
||||
return DN(('CN', 'Certificate Authority'), subject_base)
|
||||
|
||||
|
||||
def validate_mask():
|
||||
try:
|
||||
mask = os.umask(0)
|
||||
finally:
|
||||
os.umask(mask)
|
||||
mask_str = None
|
||||
if mask & 0b111101101 > 0:
|
||||
mask_str = "{:04o}".format(mask)
|
||||
return mask_str
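Review bot: `validate_mask()` rejects only masks that clear owner rwx or group/other r-x bits (`mask & 0b111101101`), so a more permissive umask such as 0002 or 0000 returns None and the install proceeds, even though the callers in the `install_check` and `common_check` hunks report "expected 0022". If files the installer creates rely on the umask for their mode (not visible here), they would end up group- or world-writable; either reject those masks as well or reword the message to say which bits must be clear. The probe also sets the process umask to 0 between the two `os.umask` calls, which is only safe while nothing else in the process creates files at that moment. A short docstring stating that and the return contract (None when acceptable, otherwise the mask as a four-digit octal string) would help, and `0o755` reads more clearly than the binary literal.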
|
||||
|
@ -42,7 +42,7 @@ from ipaserver.install import (
|
||||
from ipaserver.install.installutils import (
|
||||
IPA_MODULES, BadHostError, get_fqdn, get_server_ip_address,
|
||||
is_ipa_configured, load_pkcs12, read_password, verify_fqdn,
|
||||
update_hosts_file)
|
||||
update_hosts_file, validate_mask)
|
||||
|
||||
if six.PY3:
|
||||
unicode = str
|
||||
@ -316,6 +316,16 @@ def install_check(installer):
|
||||
tasks.check_selinux_status()
|
||||
check_ldap_conf()
|
||||
|
||||
mask_str = validate_mask()
|
||||
if mask_str:
|
||||
print("Unexpected system mask: %s, expected 0022" % mask_str)
|
||||
if installer.interactive:
|
||||
if not user_input("Do you want to continue anyway?", True):
|
||||
raise ScriptError(
|
||||
"Unexpected system mask: %s" % mask_str)
|
||||
else:
|
||||
raise ScriptError("Unexpected system mask: %s" % mask_str)
|
||||
|
||||
if options.master_password:
|
||||
msg = ("WARNING:\noption '-P/--master-password' is deprecated. "
|
||||
"KDC master password of sufficient strength is autogenerated "
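Review bot: In `install_check`, the prompt `user_input("Do you want to continue anyway?", True)` appears to default to yes, so pressing Enter carries on with a umask that the commit message says produces a broken server. Defaulting to no is the safer choice: `if not user_input("Do you want to continue anyway?", False):`. The message is also formatted three times in this block; building it once into a local would keep the printed text and the `ScriptError` text from drifting apart. `install_check` begins and ends outside the hunk.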
|
||||
|
@ -41,7 +41,7 @@ from ipaserver.install import (
|
||||
adtrust, bindinstance, ca, dns, dsinstance, httpinstance,
|
||||
installutils, kra, krbinstance, otpdinstance, custodiainstance, service)
|
||||
from ipaserver.install.installutils import (
|
||||
ReplicaConfig, load_pkcs12, is_ipa_configured)
|
||||
ReplicaConfig, load_pkcs12, is_ipa_configured, validate_mask)
|
||||
from ipaserver.install.replication import (
|
||||
ReplicationManager, replica_conn_check)
|
||||
from ipaserver.masters import find_providing_servers, find_providing_server
|
||||
@ -570,6 +570,11 @@ def common_check(no_ntp):
|
||||
tasks.check_selinux_status()
|
||||
check_ldap_conf()
|
||||
|
||||
mask_str = validate_mask()
|
||||
if mask_str:
|
||||
raise ScriptError(
|
||||
"Unexpected system mask: %s, expected 0022" % mask_str)
|
||||
|
||||
if is_ipa_configured():
|
||||
raise ScriptError(
|
||||
"IPA server is already configured on this system.\n"
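Review bot: `common_check` aborts unconditionally on a restrictive umask, while `install_check` in the server installer offers an interactive override, and nothing in the new lines says whether that difference is intended. A one-line comment above the check stating the reason (for example `# no override on replicas: a restrictive umask yields a broken install`, if that is the intent) would record it. The error could also name the remedy, e.g. `"Unexpected system mask: %s, expected 0022; set umask 0022 and re-run" % mask_str`. `common_check` continues outside the hunk.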
|
||||
|