#6844 ipa-restore fails when umask is set to 0027
Closed: fixed 6 years ago Opened 7 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1434924

Description of problem:

Some organizations are setting the umask to 0027 due to security baselines
according to regulations or company internal rules


Version-Release number of selected component (if applicable):
4.4


How reproducible:
Always


Steps to Reproduce:
1. ipa-backup --online --data
2. ipa-restore --online --data /back/up/dir
3. IPA server crippled

Actual results:
/var/lib/dirsrv/slapd-EXAMPLE-COM/ldif/EXAMPLE-COM-ipaca.ldif
/var/lib/dirsrv/slapd-EXAMPLE-COM/ldif/EXAMPLE-COM-userRoot.ldif

and probably others do not provide access rights for the dirsrv user, in this
case 0600


Expected results:
ipa-restore should manually set 0644 for those files to avoid the directory
server not starting anymore


Additional info:

Mitigation:

Set the umask to 0022 (at least temporarily)
systemctl start dirsrv@EXAMPLE-COM (if not running anymore)
re-run ipa-restore --online --data /back/up/dir

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1434924

7 years ago

Metadata Update from @pvoborni:
- Issue tagged with: bug

7 years ago

Metadata Update from @slaykovsky:
- Issue assigned to slaykovsky

6 years ago

Metadata Update from @slaykovsky:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1262

6 years ago

master:

  • 28f7eda ipa-restore: Set umask to 0022 while restoring

Metadata Update from @tkrizek:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.6.2 (was: FreeIPA 4.7)
- Issue status updated to: Open (was: Closed)

6 years ago

ipa-4-6:

  • 74fcdef ipa-restore: Set umask to 0022 while restoring

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

ipa-4-6:

  • 6833242 Check if user permissions and umask 0022 is set when executing ipa-restore

ipa-4-7:

  • 9d5cc29 Check if user permissions and umask 0022 is set when executing ipa-restore
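
The failure mode and the fix named in the commits above ("Set umask to 0022 while restoring"), as an added example rather than FreeIPA's own code: files created under an inherited umask of 0027 lose the world-read bit, and a scoped override yields the 0644 the ticket expects while the hardened umask is restored afterwards. The file names, the requested creation mode 0666 and all helper names are assumptions made for illustration.

```python
import os
import stat
import tempfile
from contextlib import contextmanager


@contextmanager
def temporary_umask(mask):
    """Set the process umask to `mask` and restore the caller's value on exit."""
    previous = os.umask(mask)
    try:
        yield previous
    finally:
        os.umask(previous)  # restored even if the wrapped work raises


def write_ldif(path, data=b"dn: dc=example,dc=com\n"):
    """Create a file requesting mode 0666 (assumed); the kernel clears umask bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def missing_world_read(directory):
    """List files a user that is neither owner nor in the group cannot read."""
    return sorted(
        name for name in os.listdir(directory)
        if not stat.S_IMODE(os.stat(os.path.join(directory, name)).st_mode)
        & stat.S_IROTH
    )


def demo():
    """Constructed scenario: hardened umask, scoped 0022 override, then back."""
    with tempfile.TemporaryDirectory() as tmp:
        with temporary_umask(0o027):  # security-baseline umask from the ticket
            hardened = write_ldif(os.path.join(tmp, "hardened.ldif"))
            with temporary_umask(0o022):  # override only around the restore
                restored = write_ldif(os.path.join(tmp, "restored.ldif"))
            after = write_ldif(os.path.join(tmp, "after.ldif"))
        return hardened, restored, after, missing_world_read(tmp)


if __name__ == "__main__":
    hardened, restored, after, flagged = demo()
    print(oct(hardened), oct(restored), oct(after), flagged)
```

Scoping the override to the restore keeps the baseline umask in force for everything else the process creates, and `missing_world_read` can be pointed at a directory after a restore to audit the result.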
