[Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
Tomas Babej
tbabej at redhat.com
Wed May 15 10:04:02 UTC 2013
On 05/15/2013 11:40 AM, Ana Krivokapic wrote:
> Hello,
>
> See the commit message for details.
>
> https://fedorahosted.org/freeipa/ticket/3594
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
+ def regenerate_ca_file(self, ca_file):
+ dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp()
+ keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp()
+
+ os.write(dm_pwd_fd, self.dirman_password)
+ os.close(dm_pwd_fd)
+
+ keydb_pwd = ''
+ with open('/etc/pki/pki-tomcat/password.conf') as f:
+ for line in f.readlines():
+ key, value = line.strip().split('=')
+ if key == 'internal':
+ keydb_pwd = value
+ break
+
+ os.write(keydb_pwd_fd, keydb_pwd)
+ os.close(keydb_pwd_fd)
+
+ ipautil.run([
+ '/usr/bin/PKCS12Export',
+ '-d', '/etc/pki/pki-tomcat/alias/',
+ '-p', keydb_pwd_fname,
+ '-w', dm_pwd_fname,
+ '-o', ca_file
+ ])
+
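Review bot: In the password.conf loop, `key, value = line.strip().split('=')` raises ValueError on any blank line or line without '=', and also when the value itself contains '=' (split() with no maxsplit then yields more than two parts). Suggest `split('=', 1)` and skipping lines that contain no '=' (e.g. `if '=' not in line: continue`). Also, if no `internal` entry is found, keydb_pwd stays '' and PKCS12Export is run with an empty key database password file; raising an explicit error in that case would fail more clearly than whatever PKCS12Export reports.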
If the PKCS12Export call fails (returns non-zero code), we raise
exception here, and the temporary files are never removed.
+ os.remove(dm_pwd_fname)
+ os.remove(keydb_pwd_fname)
This might not be a big issue since the mkstemp() call creates a temporary
file readable and writable only by the given user ID;
however, we should not leave files with passwords in plaintext on the
disk if it is not necessary.
This can be easily prevented by wrapping the call up in a
try-catch-finally block, or by using the raiseonerr=False option of the run method.
Tomas