[Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
Petr Viktorin
pviktori at redhat.com
Wed May 15 10:29:41 UTC 2013
On 05/15/2013 12:04 PM, Tomas Babej wrote:
> On 05/15/2013 11:40 AM, Ana Krivokapic wrote:
>> Hello,
>>
>> See the commit message for details.
>>
>> https://fedorahosted.org/freeipa/ticket/3594
>>
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> + def regenerate_ca_file(self, ca_file):
> + dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp()
> + keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp()
> +
> + os.write(dm_pwd_fd, self.dirman_password)
> + os.close(dm_pwd_fd)
> +
> + keydb_pwd = ''
> + with open('/etc/pki/pki-tomcat/password.conf') as f:
> + for line in f.readlines():
> + key, value = line.strip().split('=')
> + if key == 'internal':
> + keydb_pwd = value
> + break
> +
> + os.write(keydb_pwd_fd, keydb_pwd)
> + os.close(keydb_pwd_fd)
> +
> + ipautil.run([
> + '/usr/bin/PKCS12Export',
> + '-d', '/etc/pki/pki-tomcat/alias/',
> + '-p', keydb_pwd_fname,
> + '-w', dm_pwd_fname,
> + '-o', ca_file
> + ])
> +
>
> If the PKCS12Export call fails (returns non-zero code), we raise
> exception here, and the temporary files are never removed.
>
> + os.remove(dm_pwd_fname)
> + os.remove(keydb_pwd_fname)
>
> This might not be a big issue since mkstemp() call creates temporary
> file readable and writable only be given user ID,
> however, we should not leave files with passwords in plaintext on the
> disk if it is not necessary.
>
> This can be easily prevented by wrapping the call up with
> try-chatch-finally block, or using raiseonerr=False options of run method.
Or by using ipautil.write_tmp_file() – the file it creates is always
removed after it's closed/garbage collected, and it has a name attribute.
--
Petr³
More information about the Freeipa-devel
mailing list