[Fedora-directory-commits] ldapserver/ldap/servers/slapd ssl.c, 1.24, 1.25

Nathan Kinder nkinder at fedoraproject.org
Fri Feb 6 00:29:47 UTC 2009


Author: nkinder

Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv10811/ldap/servers/slapd

Modified Files:
	ssl.c 
Log Message:
Resolves: 455629
Summary: Ensure server group has proper permissions on certificate db files.



Index: ssl.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/ssl.c,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -r1.24 -r1.25
--- ssl.c	5 Feb 2009 17:34:56 -0000	1.24
+++ ssl.c	6 Feb 2009 00:29:44 -0000	1.25
@@ -410,6 +410,9 @@
 	int len = 0;
     PRUint32 nssFlags = 0;
 	char *certdir;
+	char *certdb_file_name = NULL;
+	char *keydb_file_name = NULL;
+	char *secmoddb_file_name = NULL;
 
 	/* set in slapd_bootstrap_config,
 	   thus certdir is available even if config_available is false */
@@ -468,9 +471,23 @@
 		return -1;
 	}
 
-    /****** end of NSS Initialization ******/
+	/* NSS creates the certificate db files with a mode of 600.  There
+	 * is no way to pass in a mode to use for creation to NSS, so we
+	 * need to modify it after creation.  We need to allow read and
+	 * write permission to the group so the certs can be managed via
+	 * the console/adminserver. */
+	certdb_file_name = slapi_ch_smprintf("%s/cert8.db", certdir);
+	keydb_file_name = slapi_ch_smprintf("%s/key3.db", certdir);
+	secmoddb_file_name = slapi_ch_smprintf("%s/secmod.db", certdir);
+	chmod(certdb_file_name, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP );
+	chmod(keydb_file_name, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP );
+	chmod(secmoddb_file_name, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP );
 
+    /****** end of NSS Initialization ******/
     _nss_initialized = 1;
+    slapi_ch_free_string(&certdb_file_name);
+    slapi_ch_free_string(&keydb_file_name);
+    slapi_ch_free_string(&secmoddb_file_name);
     slapi_ch_free_string(&certdir);
     return rv;
 }
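Review bot: The three `chmod()` calls added after NSS initialization ignore their return values, so if a database file is missing or the call fails, the server carries on with the files still at mode 600 and nothing in the log tells the administrator why the console cannot manage certificates. Checking each call, e.g. `if (chmod(keydb_file_name, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP) != 0)`, and logging the path with `errno` would make that diagnosable. Because key3.db holds the private keys, the new comment should also say that group read/write is a deliberate trade-off which assumes every member of the server group is trusted. `chmod()` by path follows symlinks, so if the certificate directory is itself group-writable (not visible in this hunk) it is worth confirming the targets are regular files before changing their mode. The enclosing function begins outside the hunk.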



