From d82388bc6e211b7cb98d629c925e84f06cfb4e71 Mon Sep 17 00:00:00 2001
From: François Cami
Date: Mar 14 2019 13:59:02 +0000
Subject: ipa-{server,replica}-install: add too-restritive mask detection

If the mask used during the installation is "too restrictive", ie.0027, installing FreeIPA results in a broken server or replica. Check for too-restrictive mask at install time and error out.

Fixes: https://pagure.io/freeipa/issue/7193
Signed-off-by: François Cami
Reviewed-By: Florence Blanc-Renaud
Reviewed-By: Florence Blanc-Renaud
---
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index c006ebe..ca1f2c4 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -1387,3 +1387,14 @@ def default_subject_base(realm_name):
 def default_ca_subject_dn(subject_base):
 return DN(('CN', 'Certificate Authority'), subject_base)
+
+
+def validate_mask():
+ try:
+ mask = os.umask(0)
+ finally:
+ os.umask(mask)
+ mask_str = None
+ if mask & 0b111101101 > 0:
+ mask_str = "{:04o}".format(mask)
+ return mask_str
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index efccca7..d0bf17c 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -41,7 +41,7 @@ from ipaserver.install import (
 from ipaserver.install.installutils import (
 IPA_MODULES, BadHostError, get_fqdn, get_server_ip_address,
 is_ipa_configured, load_pkcs12, read_password, verify_fqdn,
- update_hosts_file)
+ update_hosts_file, validate_mask)
 if six.PY3:
 unicode = str
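Review bot: The `try`/`finally` around `os.umask(0)` in `validate_mask` protects nothing and makes a failure worse: `mask` is only bound if the `try` body succeeds, so if `os.umask(0)` did raise, the `finally` clause would raise `UnboundLocalError` in its place. Two plain statements, `mask = os.umask(0)` followed by `os.umask(mask)`, restore the mask just as reliably, and a comment should state that the umask is process-wide, so the window between the two calls briefly leaves file creation unmasked for any other thread in the installer (presumably there is none at this point, but it is worth saying). The magic number `0b111101101` is `0o755`; writing the test as `(mask & 0o755) > 0` with a comment such as `# a umask clearing any owner rwx or group/other r-x bit yields a broken server or replica` says what is being rejected, and the parentheses spare readers the C-precedence double-take even though Python evaluates `&` before `>`. The function also lacks a docstring; one line stating that it returns the current umask as a four-digit octal string when it clears any of those bits, else `None`, would do.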
@@ -315,6 +315,16 @@ def install_check(installer):
 tasks.check_selinux_status()
 check_ldap_conf()
+ mask_str = validate_mask()
+ if mask_str:
+ print("Unexpected system mask: %s, expected 0022" % mask_str)
+ if installer.interactive:
+ if not user_input("Do you want to continue anyway?", True):
+ raise ScriptError(
+ "Unexpected system mask: %s" % mask_str)
+ else:
+ raise ScriptError("Unexpected system mask: %s" % mask_str)
+
 if options.master_password:
 msg = ("WARNING:\noption '-P/--master-password' is deprecated. "
 "KDC master password of sufficient strength is autogenerated "
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index d3e28a1..02f522e 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -41,7 +41,7 @@ from ipaserver.install import (
 adtrust, bindinstance, ca, dns, dsinstance, httpinstance, installutils,
 kra, krbinstance, otpdinstance, custodiainstance, service)
 from ipaserver.install.installutils import (
- ReplicaConfig, load_pkcs12, is_ipa_configured)
+ ReplicaConfig, load_pkcs12, is_ipa_configured, validate_mask)
 from ipaserver.install.replication import (
 ReplicationManager, replica_conn_check)
 import SSSDConfig
@@ -570,6 +570,11 @@ def common_check(no_ntp):
 tasks.check_selinux_status()
 check_ldap_conf()
+ mask_str = validate_mask()
+ if mask_str:
+ raise ScriptError(
+ "Unexpected system mask: %s, expected 0022" % mask_str)
+
 if is_ipa_configured():
 raise ScriptError(
 "IPA server is already configured on this system.\n"
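Review bot: The interactive branch in `install_check` defaults the "continue anyway" prompt to yes, so an operator who simply presses Enter proceeds into an installation the commit message says will produce a broken server; if the second argument of `user_input` is the default answer, it should be `False`: `if not user_input("Do you want to continue anyway?", False):`. The replica path in `common_check` (the `@@ -570` hunk of replicainstall.py) offers no override at all, and the `ScriptError` texts differ (`expected 0022` appears in the replica error and in the server's `print`, but not in the server's `ScriptError`), so either both installers should share one behaviour or the deliberate difference should be stated in a comment next to the server's `if installer.interactive:`. The warning goes to stdout via `print` rather than to the install log, which makes the cause of a later broken server hard to reconstruct; logging it as well, if a module logger is in scope here, would be preferable. `install_check` begins and ends outside the hunk.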