[Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
Ana Krivokapic
akrivoka at redhat.com
Wed May 15 11:36:51 UTC 2013
On 05/15/2013 12:29 PM, Petr Viktorin wrote:
> On 05/15/2013 12:04 PM, Tomas Babej wrote:
>> On 05/15/2013 11:40 AM, Ana Krivokapic wrote:
>>> Hello,
>>>
>>> See the commit message for details.
>>>
>>> https://fedorahosted.org/freeipa/ticket/3594
>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>> + def regenerate_ca_file(self, ca_file):
>> + dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp()
>> + keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp()
>> +
>> + os.write(dm_pwd_fd, self.dirman_password)
>> + os.close(dm_pwd_fd)
>> +
>> + keydb_pwd = ''
>> + with open('/etc/pki/pki-tomcat/password.conf') as f:
>> + for line in f.readlines():
>> + key, value = line.strip().split('=')
>> + if key == 'internal':
>> + keydb_pwd = value
>> + break
>> +
>> + os.write(keydb_pwd_fd, keydb_pwd)
>> + os.close(keydb_pwd_fd)
>> +
>> + ipautil.run([
>> + '/usr/bin/PKCS12Export',
>> + '-d', '/etc/pki/pki-tomcat/alias/',
>> + '-p', keydb_pwd_fname,
>> + '-w', dm_pwd_fname,
>> + '-o', ca_file
>> + ])
>> +
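Review bot: the password.conf loop at `key, value = line.strip().split('=')` raises an unhandled ValueError on any blank line, comment line, or value that itself contains '=' (zero or more than two pieces to unpack), and when no `internal` line is present `keydb_pwd` stays `''` and PKCS12Export is invoked with an empty password file, failing later with a far less useful error. Suggest skipping lines without '=', using `split('=', 1)` so only the first '=' separates key from value, and raising a clear error when the key is missing before PKCS12Export is run.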
>>
>> If the PKCS12Export call fails (returns non-zero code), we raise
>> exception here, and the temporary files are never removed.
>>
>> + os.remove(dm_pwd_fname)
>> + os.remove(keydb_pwd_fname)
>>
>> This might not be a big issue since the mkstemp() call creates the temporary
>> file readable and writable only by the given user ID,
>> however, we should not leave files with passwords in plaintext on the
>> disk if it is not necessary.
>>
>> This can be easily prevented by wrapping the call up with a
>> try-catch-finally block, or using the raiseonerr=False option of the run
>> method.
>
> Or by using ipautil.write_tmp_file() – the file it creates is always
> removed after it's closed/garbage collected, and it has a name attribute.
>
Updated patch uses `ipautil.write_tmp_file()`.
--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
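The two review points above, temporary password files that must disappear on every exit path and a tolerant parser for the `internal=` entry of password.conf, as an added stand-alone example. This is not FreeIPA code and does not use `ipautil.write_tmp_file()`; it builds the same guarantee from the standard library, and a small Python one-liner stands in for PKCS12Export so it runs offline. The sample password.conf text is constructed.

```python
"""Plaintext secrets on disk only for the lifetime of one command.

Added example, not FreeIPA code. Shows the two points raised in the review:
(1) a temp file holding a password must be removed on every exit path,
(2) parsing a key=value password file must not fall over on blank lines,
comments, a missing key, or '=' characters inside a value.
"""
import contextlib
import os
import stat
import subprocess
import sys
import tempfile

# Constructed sample, not a real /etc/pki/pki-tomcat/password.conf.
SAMPLE_PASSWORD_CONF = """\
# NSS database passwords
internal=tok3n=with=equals
hardware-nfast=other

"""


def parse_password_conf(text, key="internal"):
    """Return the value stored under `key` in a password.conf-style file.

    Unlike `key, value = line.strip().split('=')`, this tolerates blank
    lines and comments and keeps '=' characters inside the value. It raises
    KeyError when the key is absent so the caller fails early instead of
    handing PKCS12Export an empty password file.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip() == key:
            return v.strip()
    raise KeyError("no '%s' entry in password file" % key)


@contextlib.contextmanager
def secret_files(*secrets):
    """Write each secret to its own 0600 temp file, yield the paths, and
    unlink all of them afterwards, also when the body raises."""
    paths = []
    try:
        for secret in secrets:
            fd, path = tempfile.mkstemp(prefix="ipa-secret-")
            paths.append(path)
            try:
                os.fchmod(fd, 0o600)  # mkstemp already does this; be explicit
                os.write(fd, secret.encode())
            finally:
                os.close(fd)
        yield paths
    finally:
        for path in paths:
            try:
                os.unlink(path)
            except OSError:
                pass


def run_with_secret_files(cmd_prefix, *secrets):
    """Run `cmd_prefix + [secret file paths]`; return (returncode, stdout).
    The secret files are gone by the time this returns, whether or not
    the command succeeded."""
    with secret_files(*secrets) as paths:
        proc = subprocess.run(cmd_prefix + paths, capture_output=True, text=True)
        return proc.returncode, proc.stdout


def cleanup_check():
    """Exercise both exit paths of secret_files().
    Returns (mode_inside, content_inside, gone_after_normal, gone_after_error)."""
    with secret_files("s3cret") as (path,):
        mode_inside = stat.S_IMODE(os.stat(path).st_mode)
        with open(path) as f:
            content_inside = f.read()
    gone_after_normal = not os.path.exists(path)
    try:
        with secret_files("s3cret") as (path,):
            raise RuntimeError("simulated PKCS12Export failure")
    except RuntimeError:
        pass
    gone_after_error = not os.path.exists(path)
    return mode_inside, content_inside, gone_after_normal, gone_after_error


def demo():
    """Mirror the patch: DM password file + key db password file handed to
    a stand-in for PKCS12Export (prints the paths it was given)."""
    keydb_pwd = parse_password_conf(SAMPLE_PASSWORD_CONF)
    rc, out = run_with_secret_files(
        [sys.executable, "-c", "import sys; print(' '.join(sys.argv[1:]))"],
        "Secret123",  # stands in for self.dirman_password
        keydb_pwd)
    return rc, out, keydb_pwd


if __name__ == "__main__":
    print(cleanup_check())
    print(demo())
```

The context manager is the moral equivalent of the try/finally Tomas suggests: the unlink sits in a `finally`, so a non-zero exit from the exported command, or any exception raised while writing the second file, still removes whatever was written.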
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-akrivoka-0029-02-Make-sure-replication-works-after-DM-password-is-cha.patch
Type: text/x-patch
Size: 3147 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130515/cd6962eb/attachment.bin>