Don't create log files from the helper scripts

Fixes rhbz#1754189
2019-10-20 13:18:47 +03:00 · 2019-10-20 13:18:47 +03:00 · 44e6cfb46a
commit 44e6cfb46a
parent 341de25783
2 changed files with 180 additions and 1 deletions
--- a/0002-dont-create-log-files-from-help-scripts.patch
+++ b/0002-dont-create-log-files-from-help-scripts.patch
@ -0,0 +1,174 @@
 From 90f72324549f2bceba3e051efb2a1b43c467ff8a Mon Sep 17 00:00:00 2001
 From: Christian Heimes <cheimes@redhat.com>
 Date: Mon, 23 Sep 2019 18:23:04 +0200
 Subject: [PATCH] Don't create log files from help scripts
 Helper scripts now use api.bootstrap(log=None) to avoid the creation of
 log files. Helper scripts are typically executed from daemons which
 perform their own logging. The helpers still log to stderr/stdout.
 This also gets rid of some SELinux AVCs when the script tries to write
 to /root/.ipa/.
 Fixes: https://pagure.io/freeipa/issue/8075
 Signed-off-by: Christian Heimes <cheimes@redhat.com>
 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 ---
 install/certmonger/dogtag-ipa-ca-renew-agent-submit.in | 4 +++-
 install/restart_scripts/renew_ca_cert.in               | 4 +++-
 install/restart_scripts/renew_ra_cert.in               | 4 +++-
 install/restart_scripts/restart_dirsrv.in              | 4 +++-
 install/restart_scripts/stop_pkicad.in                 | 4 +++-
 install/tools/ipa-custodia-check.in                    | 2 +-
 install/tools/ipa-httpd-kdcproxy.in                    | 6 ++++--
 install/tools/ipa-pki-wait-running.in                  | 2 +-
 ipaserver/secrets/handlers/dmldap.py                   | 6 +++---
 9 files changed, 24 insertions(+), 12 deletions(-)
 diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
 index a9f17db3a..10efb4cf3 100644
 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
 +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
@@ -477,7 +477,9 @@ def main():
     if operation not in ('SUBMIT', 'POLL'):
         return OPERATION_NOT_SUPPORTED_BY_HELPER
 -    api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)
 +    api.bootstrap(
 +        in_server=True, context='renew', confdir=paths.ETC_IPA, log=None
 +    )
     api.finalize()
     tmpdir = tempfile.mkdtemp(prefix="tmp-")
 diff --git a/install/restart_scripts/renew_ca_cert.in b/install/restart_scripts/renew_ca_cert.in
 index 6d1ae6253..b265e62d5 100644
 --- a/install/restart_scripts/renew_ca_cert.in
 +++ b/install/restart_scripts/renew_ca_cert.in
@@ -43,7 +43,9 @@ from ipapython.certdb import TrustFlags
 def _main():
     nickname = sys.argv[1]
 -    api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
 +    api.bootstrap(
 +        in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
 +    )
     api.finalize()
     dogtag_service = services.knownservices['pki_tomcatd']
 diff --git a/install/restart_scripts/renew_ra_cert.in b/install/restart_scripts/renew_ra_cert.in
 index 2a0416d21..02f2f5e23 100644
 --- a/install/restart_scripts/renew_ra_cert.in
 +++ b/install/restart_scripts/renew_ra_cert.in
@@ -34,7 +34,9 @@ from ipaplatform.paths import paths
 def _main():
 -    api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
 +    api.bootstrap(
 +        in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
 +    )
     api.finalize()
     tmpdir = tempfile.mkdtemp(prefix="tmp-")
 diff --git a/install/restart_scripts/restart_dirsrv.in b/install/restart_scripts/restart_dirsrv.in
 index 77c2409a3..56cfa104f 100644
 --- a/install/restart_scripts/restart_dirsrv.in
 +++ b/install/restart_scripts/restart_dirsrv.in
@@ -34,7 +34,9 @@ def _main():
     except IndexError:
         instance = ""
 -    api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
 +    api.bootstrap(
 +        in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
 +    )
     api.finalize()
     syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance)
 diff --git a/install/restart_scripts/stop_pkicad.in b/install/restart_scripts/stop_pkicad.in
 index a51c31226..c1b1a0aca 100644
 --- a/install/restart_scripts/stop_pkicad.in
 +++ b/install/restart_scripts/stop_pkicad.in
@@ -28,7 +28,9 @@ from ipaserver.install import certs
 def main():
 -    api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
 +    api.bootstrap(
 +        in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
 +    )
     api.finalize()
     dogtag_service = services.knownservices['pki_tomcatd']
 diff --git a/install/tools/ipa-custodia-check.in b/install/tools/ipa-custodia-check.in
 index b496ef387..7fdfbff52 100644
 --- a/install/tools/ipa-custodia-check.in
 +++ b/install/tools/ipa-custodia-check.in
@@ -102,7 +102,7 @@ class IPACustodiaTester:
         self.args = args
         if not api.isdone('bootstrap'):
             # bootstrap to initialize api.env
 -            api.bootstrap()
 +            api.bootstrap(log=None)
             self.debug("IPA API bootstrapped")
         self.realm = api.env.realm
         self.host = api.env.host
 diff --git a/install/tools/ipa-httpd-kdcproxy.in b/install/tools/ipa-httpd-kdcproxy.in
 index 49c473e2e..5988421d3 100644
 --- a/install/tools/ipa-httpd-kdcproxy.in
 +++ b/install/tools/ipa-httpd-kdcproxy.in
@@ -186,8 +186,10 @@ class KDCProxyConfig:
 def main(debug=DEBUG, time_limit=TIME_LIMIT):
     # initialize API without file logging
     if not api.isdone('bootstrap'):
 -        api.bootstrap(context='server', confdir=paths.ETC_IPA,
 -                      log=None, debug=debug)
 +        api.bootstrap(
 +            context='server', confdir=paths.ETC_IPA, log=None,
 +            debug=debug
 +        )
         standard_logging_setup(verbose=True, debug=debug)
     try:
 diff --git a/install/tools/ipa-pki-wait-running.in b/install/tools/ipa-pki-wait-running.in
 index 7fab309f0..69f5ec296 100644
 --- a/install/tools/ipa-pki-wait-running.in
 +++ b/install/tools/ipa-pki-wait-running.in
@@ -88,7 +88,7 @@ def main():
         sys.exit(EXIT_SUCCESS)
     # bootstrap ipalib.api to parse config file
 -    api.bootstrap(confdir=paths.ETC_IPA)
 +    api.bootstrap(confdir=paths.ETC_IPA, log=None)
     timeout = api.env.startup_timeout
     conn = get_conn(api.env.host, subsystem=SUBSYSTEM)
 diff --git a/ipaserver/secrets/handlers/dmldap.py b/ipaserver/secrets/handlers/dmldap.py
 index 876440f16..c45348cfe 100644
 --- a/ipaserver/secrets/handlers/dmldap.py
 +++ b/ipaserver/secrets/handlers/dmldap.py
@@ -8,9 +8,9 @@ import os
 from ipalib import api
 from ipalib import errors
 +from ipaplatform.paths import paths
 from ipapython.dn import DN
 -from ipapython.ipaldap import LDAPClient
 -from ipaserver.install.installutils import realm_to_ldapi_uri
 +from ipapython.ipaldap import LDAPClient, realm_to_ldapi_uri
 from . import common
 CN_CONFIG = DN(('cn', 'config'))
@@ -46,7 +46,7 @@ def main():
     # create LDAP connection using LDAPI and EXTERNAL bind as root
     if not api.isdone('bootstrap'):
 -        api.bootstrap()
 +        api.bootstrap(confdir=paths.ETC_IPA, log=None)
     realm = api.env.realm
     ldap_uri = realm_to_ldapi_uri(realm)
     conn = LDAPClient(ldap_uri=ldap_uri, no_schema=True)
 -- 
 2.21.0
--- a/freeipa.spec
+++ b/freeipa.spec
@ -135,7 +135,7 @@
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        The Identity, Policy and Audit system
 License:        GPLv3+
@ -144,6 +144,7 @@ Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
 Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc
 Patch1:         freeipa-samba-4.11-unixid-fixes.patch
 Patch2:         0001-Don-t-install-a-preexec_fn-by-default.patch
 Patch3:         0002-dont-create-log-files-from-help-scripts.patch
 # For the timestamp trick in patch application
 BuildRequires:  diffstat
@ -1335,6 +1336,10 @@ fi
 %changelog
 * Sun Oct 20 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.1-5
 - Don't create log files from helper scripts
 - Fixes: rhbz#1754189
 * Tue Oct 08 2019 Christian Heimes <cheimes@redhat.com> - 4.8.1-4
 - Fix compatibility issue with preexec_fn in Python 3.8
 - Fixes: rhbz#1759290