From 1753780b47c6935816d5419dafcea667fb01fed4 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 21 Aug 2020 10:15:53 -0400
Subject: [PATCH] Fix permissions when installing clone
When pkispawn runs, it executes as root. However, rarely is PKI
installed as root. The resulting permissions on ca.crt are 600,
preventing the later pki-server migrate command from running, as it
runs as pkiuser, who doesn't have access to ca.crt. Fix the
permissions when we initially create ca.crt so that it is owned by pkiuser.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
.../deployment/scriptlets/security_databases.py | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 613ffdc17..80a5856e9 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -198,10 +198,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# Export CA certificate to PEM file; same command as in
# PKIServer.setup_cert_authentication().
# openssl pkcs12 -in <p12_file_path> -out /tmp/auth.pem -nodes -nokeys
+ pki_ca_crt_path = os.path.join(pki_server_database_path, 'ca.crt')
cmd_export_ca = [
'openssl', 'pkcs12',
'-in', pki_clone_pkcs12_path,
- '-out', os.path.join(pki_server_database_path, 'ca.crt'),
+ '-out', pki_ca_crt_path,
'-nodes',
'-nokeys',
'-passin', 'pass:' + pki_clone_pkcs12_password
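Review bot: The `'-passin', 'pass:' + pki_clone_pkcs12_password` argument, which this change leaves untouched, puts the PKCS #12 password on the openssl command line, where other local users can read it from the process list while the export runs. openssl accepts other pass phrase sources, so the password could be passed through the environment instead, for example `'-passin', 'env:PKI_CLONE_P12_PASSWORD'` (a variable name made up here), set only in the `env=` of the subprocess call. The argument list and the enclosing method continue outside the hunk, so the call site itself is not visible here.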
@@ -210,6 +211,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
stderr=subprocess.STDOUT).decode('utf-8')
logger.debug('Result of CA certificate export: %s', res_ca)
+ # At this point, we're running as root. However, the subsystem
+ # will eventually start up as non-root and will attempt to do a
+ # migration. If we don't fix the permissions now, migration will
+ # fail and subsystem won't start up.
+ pki.util.chmod(pki_ca_crt_path, 0o644)
+ pki.util.chown(pki_ca_crt_path, deployer.mdict['pki_uid'],
+ deployer.mdict['pki_gid'])
+
ca_cert_path = deployer.mdict.get('pki_cert_chain_path')
if ca_cert_path and os.path.exists(ca_cert_path):
destination = os.path.join(instance.nssdb_dir, "ca.crt")
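Review bot: The added `pki.util.chmod(pki_ca_crt_path, 0o644)` and `pki.util.chown(...)` calls act on the file by path while running as root, after openssl has already created it. If the database directory is writable by the pki user (not visible in this hunk), the path could be replaced by a symlink between the export and these calls, and root would then change the mode and owner of a different file. Consider opening the file with `os.O_NOFOLLOW` and applying `os.fchmod(fd, 0o644)` and `os.fchown(fd, uid, gid)` to the descriptor, or confirm that the `pki.util` helpers refuse symlinks. The comment could also say why 0o644 is acceptable, e.g. `# ca.crt holds certificates only (-nokeys), so world-readable is fine`. The enclosing method starts and ends outside the hunk.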
--
2.26.2