Issue #1282: Directory server does not check the file permissions during install - freeipa

freeipa

#1282 Directory server does not check the file permissions during install

Closed: Fixed None Opened 12 years ago by dpal.

The installer is a bit sloppy and makes some bad assumptions. The problem turns out to be that the directory server setup seems to be running as dirsrv, not root. Ipa-server-install (more specifically dsinstance.py) writes out the file /var/lib/dirsrv/boot.ldif. But it does so as root, using root’s umask. It doesn’t do a check to make sure dirsrv can read this file before spawning an external process to create the directory server. Part of security best practices recommended by the CIS group as well as others is to set root’s umask to 0077. With this setting in place, dirsrv is unable to read /var/lib/dirsrv/boot.ldif, which causes setup-ds.pl to fail when executed from ipa-server-install.

mkosek commented 12 years ago

How to test:

- login as root
- set root umask to `0077`
- install IPA server
- quick-check that you can kinit, control LDAP database etc.

rcritten commented 12 years ago

master: b227208

ipa-2-0: 9ce56a6

Metadata Update from @dpal:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.1 - 2011/06

7 years ago

Metadata

Assignee

mkosek

Tags

None

Blocking

None

Depending on

None

Priority

normal

Milestone

FreeIPA 2.1 - 2011/06

None

affects_doc

None

source

None

knownissue

None

type

defect

blockedby

None

test_case

None

component

IPA

blocking

None

on_review

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

tester

None

changelog

None

design

None

freeipa

Source Code

#1282 Directory server does not check the file permissions during install Closed: Fixed None Opened 12 years ago by dpal.

Metadata

#1282 Directory server does not check the file permissions during install

Closed: Fixed None Opened 12 years ago by dpal.