From 341de257835015161d91a826ef3a8107dfc398a3 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Oct 08 2019 08:37:26 +0000
Subject: Fix compat issue with preexec_fn in Python 3.8


Fixes: rhbz#1759290

---

diff --git a/0001-Don-t-install-a-preexec_fn-by-default.patch b/0001-Don-t-install-a-preexec_fn-by-default.patch
new file mode 100644
index 0000000..f42779d
--- /dev/null
+++ b/0001-Don-t-install-a-preexec_fn-by-default.patch
@@ -0,0 +1,50 @@
+From 7ee24413f0945b7d582a33795cdfc7c59471cb69 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Mon, 7 Oct 2019 21:58:00 +0200
+Subject: [PATCH] Don't install a preexec_fn by default
+
+ipautil.run() now only installs a preexec_fn when it is actually needed.
+This addresses a compatibility issue with mod_wsgi subinterpreters under
+Python 3.8.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1759290
+See: https://bugs.python.org/issue37951
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
+---
+ ipapython/ipautil.py | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
+index d87b9e3c1..e047324d3 100644
+--- a/ipapython/ipautil.py
++++ b/ipapython/ipautil.py
+@@ -515,14 +515,18 @@ def run(args, stdin=None, raiseonerr=True, nolog=(), env=None,
+             for group, gid in zip(suplementary_groups, suplementary_gids):
+                 logger.debug('suplementary_group=%s (GID %d)', group, gid)
+ 
+-    def preexec_fn():
+-        if runas is not None:
+-            os.setgroups(suplementary_gids)
+-            os.setregid(pent.pw_gid, pent.pw_gid)
+-            os.setreuid(pent.pw_uid, pent.pw_uid)
+-
+-        if umask:
+-            os.umask(umask)
++    if runas is not None or umask is not None:
++        # preexec function is not supported in WSGI environment
++        def preexec_fn():
++            if runas is not None:
++                os.setgroups(suplementary_gids)
++                os.setregid(pent.pw_gid, pent.pw_gid)
++                os.setreuid(pent.pw_uid, pent.pw_uid)
++
++            if umask is not None:
++                os.umask(umask)
++    else:
++        preexec_fn = None
+ 
+     try:
+         # pylint: disable=subprocess-popen-preexec-fn
+-- 
+2.20.1
+
diff --git a/freeipa.spec b/freeipa.spec
index 43956a5..59e6347 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -135,7 +135,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -143,6 +143,7 @@ URL:            http://www.freeipa.org/
 Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
 Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc
 Patch1:         freeipa-samba-4.11-unixid-fixes.patch
+Patch2:         0001-Don-t-install-a-preexec_fn-by-default.patch
 
 # For the timestamp trick in patch application
 BuildRequires:  diffstat
@@ -1334,6 +1335,10 @@ fi
 
 
 %changelog
+* Tue Oct 08 2019 Christian Heimes <cheimes@redhat.com> - 4.8.1-4
+- Fix compatibility issue with preexec_fn in Python 3.8
+- Fixes: rhbz#1759290
+
 * Tue Oct  1 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.1-3
 - Fix ipasam for compatibility with Samba 4.11
 - Fixes: rhbz#1757089