From 1753780b47c6935816d5419dafcea667fb01fed4 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 21 Aug 2020 10:15:53 -0400
Subject: [PATCH] Fix permissions when installing clone

When pkispawn runs, it executes as root. However, rarely is PKI
installed as root. The resulting permissions on ca.crt are 600,
preventing later pki-server migrate command from running, as it
runs as pkiuser, who doesn't have access to ca.crt. Fix the
permissions when we initially create ca.crt to be owned by pkiuser.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
 .../deployment/scriptlets/security_databases.py       | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 613ffdc17..80a5856e9 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -198,10 +198,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             # Export CA certificate to PEM file; same command as in
             # PKIServer.setup_cert_authentication().
             # openssl pkcs12 -in <p12_file_path> -out /tmp/auth.pem -nodes -nokeys
+            pki_ca_crt_path = os.path.join(pki_server_database_path, 'ca.crt')
             cmd_export_ca = [
                 'openssl', 'pkcs12',
                 '-in', pki_clone_pkcs12_path,
-                '-out', os.path.join(pki_server_database_path, 'ca.crt'),
+                '-out', pki_ca_crt_path,
                 '-nodes',
                 '-nokeys',
                 '-passin', 'pass:' + pki_clone_pkcs12_password
@@ -210,6 +211,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                                              stderr=subprocess.STDOUT).decode('utf-8')
             logger.debug('Result of CA certificate export: %s', res_ca)
 
+            # At this point, we're running as root. However, the subsystem
+            # will eventually start up as non-root and will attempt to do a
+            # migration. If we don't fix the permissions now, migration will
+            # fail and subsystem won't start up.
+            pki.util.chmod(pki_ca_crt_path, 0o644)
+            pki.util.chown(pki_ca_crt_path, deployer.mdict['pki_uid'],
+                           deployer.mdict['pki_gid'])
+
         ca_cert_path = deployer.mdict.get('pki_cert_chain_path')
         if ca_cert_path and os.path.exists(ca_cert_path):
             destination = os.path.join(instance.nssdb_dir, "ca.crt")
-- 
2.26.2