From b068d3336ad65748881d0dc74505f41dac9f0f13 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Nov 11 2016 11:13:56 +0000
Subject: Added file permissions option to IPAChangeConf.newConf()
Also added information about why os.chmod is called sometimes after newConf() calls.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Martin Basti
---
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 3334396..c246402 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -360,6 +360,7 @@ def configure_ipa_conf(
 target_fname = paths.IPA_DEFAULT_CONF
 fstore.backup_file(target_fname)
 ipaconf.newConf(target_fname, opts)
+ # umask applies when creating a new file but we want 0o644 here
 os.chmod(target_fname, 0o644)
@@ -746,6 +747,7 @@ def configure_krb5_conf(
 root_logger.debug("%s", krbconf.dump(opts))
 krbconf.newConf(filename, opts)
+ # umask applies when creating a new file but we want 0o644 here
 os.chmod(filename, 0o644)
diff --git a/ipaclient/ipachangeconf.py b/ipaclient/ipachangeconf.py
index 25473fb..610cd50 100644
--- a/ipaclient/ipachangeconf.py
+++ b/ipaclient/ipachangeconf.py
@@ -508,12 +508,13 @@ class IPAChangeConf(object):
 pass
 return True
- def newConf(self, file, options):
+ def newConf(self, file, options, file_perms=0o644):
 """"
 Write settings to a new file, backup the old
 :param file: path to the file
 :param options: a set of dictionaries in the form:
 {'name': 'foo', 'value': 'bar', 'action': 'set/comment'}
+ :param file_perms: number defining the new file's permissions
 """
 output = ""
 f = None
@@ -525,7 +526,7 @@ class IPAChangeConf(object):
 # The orign file did not exist
 pass
- f = openLocked(file, 0o644)
+ f = openLocked(file, file_perms)
 # Trunkate
 f.seek(0)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 20f26db..663fb83 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
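Review bot: The comment added before `os.chmod(target_fname, 0o644)` in configure_ipa_conf explains the umask but not the second reason the call is needed: a creation mode is ignored when the file already exists, so after this commit a reader may assume newConf()'s new `file_perms` default already guarantees 0o644. I would word it `# newConf() only requests 0o644 at creation (minus umask) and keeps an existing file's mode, so set it explicitly`; that openLocked behaves this way is inferred, since its body is not in the diff. The same comment is added in configure_krb5_conf and in create_ipa_conf (replicainstall.py) and would get the same wording. Both client.py functions start and end outside their hunks.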
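Review bot: `file_perms` is documented in newConf as "the new file's permissions", but the value only travels to `openLocked(file, file_perms)` in the following hunk, where it can at most act as a creation mode. If openLocked passes it to `os.open` (not visible here), a new file gets `file_perms & ~umask` and an existing file, which the `# Trunkate` path implies is reused, keeps whatever mode it had; a caller asking for `0o600` on a file holding credentials could therefore write into a world-readable file. Applying the mode to the open descriptor, `os.fchmod(f.fileno(), file_perms)` right after the openLocked call, would make the parameter authoritative and remove the need for the path-based chmod in the callers; this assumes `os` is imported in ipachangeconf.py. Failing that, the docstring line should read `:param file_perms: mode requested if the file is created (umask applies); an existing file keeps its mode`. newConf's body continues outside both hunks.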
@@ -264,7 +264,9 @@ def create_ipa_conf(fstore, config, ca_enabled):
 {'name': 'empty', 'type': 'empty'}
 ]
 ipaconf.newConf(target_fname, opts)
- os.chmod(target_fname, 0o644) # must be readable for httpd
+ # the new file must be readable for httpd
+ # Also, umask applies when creating a new file but we want 0o644 here
+ os.chmod(target_fname, 0o644)
 def check_dirsrv():