ipa/0001-Fix-named-working-directory-permissions.patch
Simo Sorce da888bc1a9 Patch blokers and feature freze exceptions
- Resolves: bz1165674
- Resolves: bz1165856 (CVE-2014-7850)
- Fixes DNS install issue that prevents the server from working
2014-11-21 13:18:37 +01:00


From ba124045b9f39f8264a974c977beba6f15b1b1fb Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Tue, 11 Nov 2014 13:00:18 +0100
Subject: [PATCH] Fix named working directory permissions
Just adding the dir to the specfile doesn't work, because there is no guarantee
that named is installed during RPM installation.
Ticket: https://fedorahosted.org/freeipa/ticket/4716
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
freeipa.spec.in | 3 +--
install/tools/ipa-upgradeconfig | 14 +++++++++++++
ipaplatform/base/paths.py | 1 +
ipaserver/install/dnskeysyncinstance.py | 36 +++++++++++++++++++++++++++------
4 files changed, 46 insertions(+), 8 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index b2ff97a11dcbb675940086ab9af9aea9bf7988be..af367037eee27d45f0c825ad4518f269b2798045 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -426,7 +426,6 @@ mkdir -p %{buildroot}%{_usr}/share/ipa/html/
/bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html
mkdir -p %{buildroot}%{_initrddir}
mkdir %{buildroot}%{_sysconfdir}/sysconfig/
-mkdir -p %{buildroot}%{_localstatedir}/named/dyndb-ldap/ipa/
install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached
install -m 644 init/ipa-dnskeysyncd.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-dnskeysyncd
install -m 644 init/ipa-ods-exporter.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-ods-exporter
@@ -666,7 +665,6 @@ fi
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
-%dir %attr(0770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa/
# NOTE: systemd specific section
%{_tmpfilesdir}/%{name}.conf
%attr(644,root,root) %{_unitdir}/ipa.service
@@ -780,6 +778,7 @@ fi
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
%ghost %{_localstatedir}/lib/ipa/pki-ca/publish
+%ghost %{_localstatedir}/named/dyndb-ldap/ipa
%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
%{_mandir}/man1/ipa-replica-conncheck.1.gz
%{_mandir}/man1/ipa-replica-install.1.gz
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 6556d8f313d3a9efeb32d4cba97cb82796459652..b0b574476ffc5ce6f075cf46177cc059483551ab 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -30,6 +30,7 @@ import shutil
import pwd
import fileinput
import ConfigParser
+import grp
from ipalib import api
import SSSDConfig
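Review bot: The new `import grp` does not appear to be used by anything this patch adds to ipa-upgradeconfig; the new fix_dyndb_ldap_workdir_permissions() in the next hunk delegates the uid/gid lookup to DNSKeySyncInstance, which does its own `grp.getgrnam`. Unless other code in this file (outside the hunks shown) needs it, the import should be dropped so the script does not carry an unused module.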
@@ -1161,6 +1162,18 @@ def mask_named_regular():
return False
+def fix_dyndb_ldap_workdir_permissions():
+ """Fix dyndb-ldap working dir permissions. DNSSEC daemons requires it"""
+ if sysupgrade.get_upgrade_state('dns', 'dyndb_ipa_workdir_perm'):
+ return
+
+ if bindinstance.named_conf_exists():
+ root_logger.info('[Fix bind-dyndb-ldap IPA working directory]')
+ dnskeysync = dnskeysyncinstance.DNSKeySyncInstance()
+ dnskeysync.set_dyndb_ldap_workdir_permissions()
+
+ sysupgrade.set_upgrade_state('dns', 'dyndb_ipa_workdir_perm', True)
+
def fix_schema_file_syntax():
"""Fix syntax errors in schema files
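Review bot: fix_dyndb_ldap_workdir_permissions() returns None on every path, yet main() puts its result into the `named_conf_changes` tuple next to helpers that return a bool (mask_named_regular() ends with `return False` just above it). Since a permission fix does not require a named restart, make that explicit instead of relying on None being falsy: end both the early-exit and the normal path with `return False` and add a comment such as `# permissions only; never requires a named restart`. The docstring should also read `"""Fix dyndb-ldap working dir permissions; the DNSSEC daemons require it."""`. Note that if set_dyndb_ldap_workdir_permissions() raises (it does so when the named account is missing) the upgrade state is not recorded, so the fix is retried on the next run, which looks intentional but is worth a one-line comment.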
@@ -1433,6 +1446,7 @@ def main():
named_managed_keys_dir_option(),
named_root_key_include(),
mask_named_regular(),
+ fix_dyndb_ldap_workdir_permissions(),
)
if any(named_conf_changes):
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index e28147ab4aa1faa3859c38665a83f57fb67e96b2..c4cdc58d61caca7a0d80546bdd69915ac47a23bd 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -189,6 +189,7 @@ class BasePathNamespace(object):
BIN_WGET = "/usr/bin/wget"
ZIP = "/usr/bin/zip"
BIND_LDAP_SO = "/usr/lib/bind/ldap.so"
+ BIND_LDAP_DNS_IPA_WORKDIR = "/var/named/dyndb-ldap/ipa/"
BIND_LDAP_DNS_ZONE_WORKDIR = "/var/named/dyndb-ldap/ipa/master/"
USR_LIB_DIRSRV = "/usr/lib/dirsrv"
USR_LIB_SLAPD_INSTANCE_TEMPLATE = "/usr/lib/dirsrv/slapd-%s"
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 1dd9a0983fb689f14656431496dfd4b2bb2e30a9..5da65d87b1471710b762f90b9a33c453c7d809b7 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -60,7 +60,6 @@ def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
return ret
-
class DNSKeySyncInstance(service.Service):
def __init__(self, fstore=None, dm_password=None, logger=root_logger,
ldapi=False):
@@ -84,6 +83,23 @@ class DNSKeySyncInstance(service.Service):
suffix = ipautil.dn_attribute_property('_suffix')
+ def set_dyndb_ldap_workdir_permissions(self):
+ """
+ Setting up correct permissions to allow write/read access for daemons
+ """
+ if self.named_uid is None:
+ self.named_uid = self.__get_named_uid()
+
+ if self.named_gid is None:
+ self.named_gid = self.__get_named_gid()
+
+ if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR):
+ os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
+ # dnssec daemons require to have access into the directory
+ os.chmod(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
+ os.chown(paths.BIND_LDAP_DNS_IPA_WORKDIR, self.named_uid,
+ self.named_gid)
+
def remove_replica_public_keys(self, replica_fqdn):
ldap = api.Backend.ldap2
dn_base = DN(('cn', 'keys'), ('cn', 'sec'), ('cn', 'dns'), api.env.basedn)
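Review bot: set_dyndb_ldap_workdir_permissions() chmods and chowns paths.BIND_LDAP_DNS_IPA_WORKDIR as root after only an `os.path.exists` check, and both calls follow symlinks; if the path already exists as a symlink or a regular file (ownership of the parent directory is not visible here), root would change the mode and owner of whatever it points to, and `exists` on a regular file also skips the mkdir so the later chmod/chown applies to that file. Check that the path is a real directory and refuse a symlink before changing it; because the new constant ends in a trailing slash, strip it first, otherwise lstat-based checks resolve the link and report no symlink. The mkdir mode is subject to umask, which is why the explicit chmod is needed; a comment saying so would help the next reader. The enclosing class continues outside this hunk, and whether `self.named_uid`/`self.named_gid` are initialised to None in `__init__` cannot be confirmed from the patch.
```python
    def set_dyndb_ldap_workdir_permissions(self):
        """
        Set up the bind-dyndb-ldap IPA working directory with mode 0770,
        owned by the named user and group, so the DNSSEC daemons can
        read and write it. Raises RuntimeError if the path is a symlink.
        """
        # … unchanged: lazy lookup of self.named_uid / self.named_gid …
        # strip the trailing slash so lstat() inspects the entry itself
        workdir = paths.BIND_LDAP_DNS_IPA_WORKDIR.rstrip('/')
        if os.path.islink(workdir):
            raise RuntimeError(
                "%s is a symlink, refusing to change its permissions" % workdir)
        if not os.path.isdir(workdir):
            os.mkdir(workdir, 0770)
        # mkdir's mode is masked by umask; set the exact mode explicitly
        os.chmod(workdir, 0770)
        os.chown(workdir, self.named_uid, self.named_gid)
```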
@@ -119,6 +135,8 @@ class DNSKeySyncInstance(service.Service):
self.ldap_connect()
# checking status step must be first
self.step("checking status", self.__check_dnssec_status)
+ self.step("setting up bind-dyndb-ldap working directory",
+ self.set_dyndb_ldap_workdir_permissions)
self.step("setting up kerberos principal", self.__setup_principal)
self.step("setting up SoftHSM", self.__setup_softhsm)
self.step("adding DNSSEC containers", self.__setup_dnssec_containers)
@@ -127,20 +145,26 @@ class DNSKeySyncInstance(service.Service):
# we need restart named after setting up this service
self.start_creation()
- def __check_dnssec_status(self):
+ def __get_named_uid(self):
named = services.knownservices.named
- ods_enforcerd = services.knownservices.ods_enforcerd
-
try:
- self.named_uid = pwd.getpwnam(named.get_user_name()).pw_uid
+ return pwd.getpwnam(named.get_user_name()).pw_uid
except KeyError:
raise RuntimeError("Named UID not found")
+ def __get_named_gid(self):
+ named = services.knownservices.named
try:
- self.named_gid = grp.getgrnam(named.get_group_name()).gr_gid
+ return grp.getgrnam(named.get_group_name()).gr_gid
except KeyError:
raise RuntimeError("Named GID not found")
+ def __check_dnssec_status(self):
+ ods_enforcerd = services.knownservices.ods_enforcerd
+
+ self.named_uid = self.__get_named_uid()
+ self.named_gid = self.__get_named_gid()
+
try:
self.ods_uid = pwd.getpwnam(ods_enforcerd.get_user_name()).pw_uid
except KeyError:
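Review bot: The two new helpers __get_named_uid() and __get_named_gid() have no docstrings, and the `raise RuntimeError(...)` in each discards the original KeyError, so the failing account name is lost from the traceback. Add `"""Return the UID of the named service user; raise RuntimeError if the account does not exist."""` (and the GID counterpart), and consider including the looked-up name in the message, e.g. `raise RuntimeError("Named UID not found for user %s" % named.get_user_name())`. __check_dnssec_status() continues past the end of this hunk.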
--
2.1.0