From 874b6d9f28f29368ab5e4e4924136718fde9e2a8 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen
Date: Nov 04 2015 12:12:12 +0000
Subject: ipaplatform: Add HTTPD_USER to constants, and use it.
https://fedorahosted.org/freeipa/ticket/5343
Reviewed-By: Tomas Babej
---
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index cef829e..3f78822 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -8,4 +8,5 @@ This base platform module exports platform dependant constants.
 class BaseConstantsNamespace(object):
+ HTTPD_USER = "apache"
 IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index f9315f4..23fdf30 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -48,6 +48,7 @@ from ipalib import pkcs10, x509
 from ipalib import errors
 from ipaplatform import services
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipaplatform.tasks import tasks
@@ -1140,7 +1141,7 @@ class CAInstance(DogtagInstance):
 os.chmod(self.ra_agent_db + "/key3.db", 0o640)
 os.chmod(self.ra_agent_db + "/secmod.db", 0o640)
- pent = pwd.getpwnam("apache")
+ pent = pwd.getpwnam(constants.HTTPD_USER)
 os.chown(self.ra_agent_db + "/cert8.db", 0, pent.pw_gid )
 os.chown(self.ra_agent_db + "/key3.db", 0, pent.pw_gid )
 os.chown(self.ra_agent_db + "/secmod.db", 0, pent.pw_gid )
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 4f240da..658e8ec 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -43,6 +43,7 @@ from ipalib import pkcs10, x509, api
 from ipalib.errors import CertificateOperationError
 from ipalib.text import _
 from ipaplatform import services
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 # Apache needs access to this database so we need to create it
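Review bot: `HTTPD_USER` in `BaseConstantsNamespace` (ipaplatform/base/constants.py) is added without a comment, yet the other files in this patch use it to decide which account's group is given access to the NSS key databases and which account owns the IPA keytab. A comment above the constant, such as `# Account httpd runs as; its uid/gid is granted access to the NSS databases and the IPA keytab`, would tell anyone changing the value what it controls. Whether any platform namespace overrides the base value is not visible in this patch.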
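Review bot: In ipaserver/install/cainstance.py (hunk at 1140) the lookup `pwd.getpwnam(constants.HTTPD_USER)` is unguarded, and now that the account name comes from a platform constant a missing account raises a bare `KeyError` after the `os.chmod` calls have already run. Catching it and raising an error that names the account, for example `except KeyError: raise RuntimeError("HTTPD user %s not found" % constants.HTTPD_USER)`, would make a wrong platform value obvious instead of leaving a half-applied permission change behind a traceback. The same lookup appears in httpinstance.py (hunks at 190 and 328) and ipa_server_certinstall.py (hunk at 151). The enclosing method starts and ends outside the hunk.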
@@ -519,8 +520,7 @@ class CertDB(object):
 f.write(pwdfile.read())
 f.close()
 pwdfile.close()
- # TODO: replace explicit uid by a platform-specific one
- self.set_perms(self.pwd_conf, uid="apache")
+ self.set_perms(self.pwd_conf, uid=constants.HTTPD_USER)
 def find_root_cert(self, nickname):
 """
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 0d1074d..34fa64d 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -41,6 +41,7 @@ import ipapython.errors
 from ipaserver.install import sysupgrade
 from ipalib import api
 from ipalib import errors
+from ipaplatform.constants import constants
 from ipaplatform.tasks import tasks
 from ipaplatform.paths import paths
 from ipaplatform import services
@@ -52,7 +53,7 @@ SELINUX_BOOLEAN_SETTINGS = dict(
 )
 KDCPROXY_USER = 'kdcproxy'
-
+HTTPD_USER = constants.HTTPD_USER
 def httpd_443_configured():
 """
@@ -190,14 +191,14 @@ class HTTPInstance(service.Service):
 installutils.create_keytab(paths.IPA_KEYTAB, self.principal)
 self.move_service(self.principal)
- pent = pwd.getpwnam("apache")
+ pent = pwd.getpwnam(HTTPD_USER)
 os.chown(paths.IPA_KEYTAB, pent.pw_uid, pent.pw_gid)
 def remove_httpd_ccache(self):
 # Clean up existing ccache
 # Make sure that empty env is passed to avoid passing KRB5CCNAME from
 # current env
- ipautil.run(['kdestroy', '-A'], runas='apache', raiseonerr=False, env={})
+ ipautil.run(['kdestroy', '-A'], runas=HTTPD_USER, raiseonerr=False, env={})
 def __configure_http(self):
 target_fname = paths.HTTPD_IPA_CONF
@@ -328,7 +329,7 @@ class HTTPInstance(service.Service):
 os.chmod(certs.NSS_DIR + "/secmod.db", 0o660)
 os.chmod(certs.NSS_DIR + "/pwdfile.txt", 0o660)
- pent = pwd.getpwnam("apache")
+ pent = pwd.getpwnam(HTTPD_USER)
 os.chown(certs.NSS_DIR + "/cert8.db", 0, pent.pw_gid )
 os.chown(certs.NSS_DIR + "/key3.db", 0, pent.pw_gid )
 os.chown(certs.NSS_DIR + "/secmod.db", 0, pent.pw_gid )
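Review bot: In ipaserver/install/certs.py (hunk at 519) `self.set_perms(self.pwd_conf, uid=constants.HTTPD_USER)` runs only after the password has been written and the file closed. If the file is created with default permissions (the `open` call is outside the hunk, so this is an assumption to confirm), its contents are readable under whatever the umask allows until `set_perms` runs. Creating the file with a restrictive mode before writing, or applying the permissions before `f.write(pwdfile.read())`, would close that window. The method body begins outside the hunk.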
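Review bot: The module-level alias `HTTPD_USER = constants.HTTPD_USER` in ipaserver/install/httpinstance.py (hunk at 52) is inconsistent with cainstance.py, certs.py and ipa_server_certinstall.py, which reference `constants.HTTPD_USER` directly. Using one spelling everywhere makes every use of the service account easy to find when auditing file ownership. If the alias stays, it appears to replace one of the two blank lines before `def httpd_443_configured():`, so a blank line should be added back after it.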
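Review bot: `remove_httpd_ccache` in ipaserver/install/httpinstance.py (hunk at 190) still invokes `'kdestroy'` by bare name while running as the httpd account, whereas the uninstall code in the hunk at 497 uses `paths.KDESTROY`. A command executed on behalf of a service account is better pinned to the platform path constant than resolved through a search path, and the line is being touched anyway: `ipautil.run([paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={})`. The existing comment about passing an empty env to avoid inheriting KRB5CCNAME still applies unchanged.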
@@ -497,7 +498,7 @@ class HTTPInstance(service.Service):
 pass
 # Remove the ccache file for the HTTPD service
- ipautil.run([paths.KDESTROY, '-c', paths.KRB5CC_HTTPD], runas='apache',
+ ipautil.run([paths.KDESTROY, '-c', paths.KRB5CC_HTTPD], runas=HTTPD_USER,
 raiseonerr=False)
 # Remove the configuration files we create
diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
index e90b2ab..ac0b027 100644
--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -24,6 +24,7 @@ import os.path
 import pwd
 import optparse
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipapython import admintool
 from ipapython.dn import DN
@@ -151,7 +152,7 @@ class ServerCertInstall(admintool.AdminTool):
 os.chmod(os.path.join(dirname, 'key3.db'), 0o640)
 os.chmod(os.path.join(dirname, 'secmod.db'), 0o640)
- pent = pwd.getpwnam("apache")
+ pent = pwd.getpwnam(constants.HTTPD_USER)
 os.chown(os.path.join(dirname, 'cert8.db'), 0, pent.pw_gid)
 os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid)
 os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid)