[Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

Ana Krivokapic akrivoka at redhat.com
Wed May 15 11:36:51 UTC 2013


On 05/15/2013 12:29 PM, Petr Viktorin wrote:
> On 05/15/2013 12:04 PM, Tomas Babej wrote:
>> On 05/15/2013 11:40 AM, Ana Krivokapic wrote:
>>> Hello,
>>>
>>> See the commit message for details.
>>>
>>> https://fedorahosted.org/freeipa/ticket/3594
>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>> +    def regenerate_ca_file(self, ca_file):
>> +        dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp()
>> +        keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp()
>> +
>> +        os.write(dm_pwd_fd, self.dirman_password)
>> +        os.close(dm_pwd_fd)
>> +
>> +        keydb_pwd = ''
>> +        with open('/etc/pki/pki-tomcat/password.conf') as f:
>> +            for line in f.readlines():
>> +                key, value = line.strip().split('=')
>> +                if key == 'internal':
>> +                    keydb_pwd = value
>> +                    break
>> +
>> +        os.write(keydb_pwd_fd, keydb_pwd)
>> +        os.close(keydb_pwd_fd)
>> +
>> +        ipautil.run([
>> +            '/usr/bin/PKCS12Export',
>> +            '-d', '/etc/pki/pki-tomcat/alias/',
>> +            '-p', keydb_pwd_fname,
>> +            '-w', dm_pwd_fname,
>> +            '-o', ca_file
>> +        ])
>> +
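Review bot: the password.conf parsing at `key, value = line.strip().split('=')` raises ValueError on any line that does not contain exactly one '=' (a blank line, or a value that itself contains '='), which would abort regenerate_ca_file before PKCS12Export ever runs; consider `key, sep, value = line.partition('=')` and skipping lines where `sep` is empty. The `internal` lookup also leaves keydb_pwd as '' silently when the key is absent, so the export would then fail with an unhelpful NSS error rather than a clear "token password not found".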
>>
>> If the PKCS12Export call fails (returns a non-zero code), we raise an
>> exception here, and the temporary files are never removed.
>>
>> +        os.remove(dm_pwd_fname)
>> +        os.remove(keydb_pwd_fname)
>>
>> This might not be a big issue since the mkstemp() call creates the temporary
>> file readable and writable only by the given user ID,
>> however, we should not leave files with passwords in plaintext on the
>> disk if it is not necessary.
>>
>> This can be easily prevented by wrapping the call up in a
>> try-catch-finally block, or by using the raiseonerr=False option of the run
>> method.
>
> Or by using ipautil.write_tmp_file() – the file it creates is always
> removed after it's closed/garbage collected, and it has a name attribute.
>

Updated patch uses `ipautil.write_tmp_file()`.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
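The cleanup problem discussed above, as an added example that is not part of the thread or of FreeIPA's ipautil: a secret written to a temp file for a child process is guaranteed to be unlinked even when the command fails, and the password.conf lookup tolerates lines that `split('=')` would choke on. The PKCS12Export stand-ins and the password.conf text are constructed for the demonstration.

```python
import os
import subprocess
import sys
import tempfile
from contextlib import contextmanager


@contextmanager
def secret_file(secret):
    """Yield the path of a temp file holding `secret`; unlink it on any exit.

    mkstemp() creates the file with mode 0600, so only the owner can read it,
    but the finally clause is what guarantees no plaintext copy is left behind
    when the command that consumes it raises or fails.
    """
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, secret.encode())
        os.close(fd)
        yield path
    finally:
        os.unlink(path)


def internal_token(conf_text):
    """Return the 'internal' value from password.conf-style text, or None.

    partition() tolerates blank lines and values containing '=', where
    unpacking line.split('=') into two names raises ValueError.
    """
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition('=')
        if sep and key.strip() == 'internal':
            return value.strip()
    return None


class CommandFailed(RuntimeError):
    def __init__(self, rc, leaked):
        super().__init__('command failed (rc=%d)' % rc)
        self.rc, self.leaked = rc, leaked


def run_with_secret(argv, secret):
    """Run argv with the secret file path appended; raise CommandFailed on error.

    Returns {'rc': exit code, 'leaked': whether the secret file still exists}.
    """
    with secret_file(secret) as path:
        rc = subprocess.call(argv + [path])
    leaked = os.path.exists(path)  # checked after the with block unlinked it
    if rc != 0:
        raise CommandFailed(rc, leaked)
    return {'rc': rc, 'leaked': leaked}


def exercise(argv, secret='constructed-dm-password'):
    """Drive run_with_secret and report (rc, leaked) whether or not it raised."""
    try:
        return run_with_secret(argv, secret)
    except CommandFailed as e:
        return {'rc': e.rc, 'leaked': e.leaked}


# Constructed stand-ins for PKCS12Export: one reads the secret file and exits 0,
# the other exits 3 like a failed export.
OK_CMD = [sys.executable, '-c', 'import sys; open(sys.argv[1]).read(); sys.exit(0)']
FAIL_CMD = [sys.executable, '-c', 'import sys; sys.exit(3)']
```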

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-akrivoka-0029-02-Make-sure-replication-works-after-DM-password-is-cha.patch
Type: text/x-patch
Size: 3147 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130515/cd6962eb/attachment.bin>