[Pki-devel] [PATCH] Verify Symbolic Links (Dogtag 9)

Ade Lee alee at redhat.com
Tue Aug 28 14:25:10 UTC 2012


The CS.cfg logic looks fine.

The check_symlinks() code is still a little confusing.

You do the following check:

target=${symlinks[${key}]}
# Check to make certain that the expected target exists.
if [ -e ${target} ]; then
    ....
else
    # Attempt to remove this dangling symbolic link and
    # issue an ERROR that the target to which the
    # symbolic link is expected to point does NOT exist.
    rm ${symlink}
    ....

This is not correct.  It's not necessarily a dangling link.  The link that
is there may in fact point to another (wrong) target.  All you know is
that you cannot correct this link because the expected target does not
exist.

To simplify check_links(), I suggest that you move the check for whether
or not the target exists and is fully resolvable into make_symlink().
If either fails, then error out.

Then the logic in check_symlinks() becomes simpler.

if [ -e symlink ]; then
    if [ -h symlink ]; then
        target = symlinks[key]
        current_target = `readlink symlink`
        if [ target == current_target ]; then
            check if exists and resolvable and chown
        else
            rm symlink
            make_link()
    elif [ -f symlink ]; then
        warn about debugging
    else
        error "directory or some such"
else
    make_link()

On Mon, 2012-08-27 at 20:57 -0700, Matthew Harmsen wrote:
> This patch attempts to address these issues.
> 
> On 08/24/12 07:54, Ade Lee wrote:
> > same comments as on the dogtag 10 patch.
> >
> > On Wed, 2012-08-22 at 20:26 -0700, Matthew Harmsen wrote:
> >> This patch addresses the issue listed below for Dogtag 9:
> >>        * TRAC Ticket #301 - Need to modify init scripts to verify
> >>          needed symlinks in an instance
> >> This patch has been tested and found to work successfully on 64-bit
> >> Fedora 16 with SElinux in "Permissive" mode:
> >>        * Built and installed Dogtag 9 Packages on a 64-bit Fedora 16
> >>          host
> >>        * Installed and configured Dogtag 9 CA, KRA, OCSP, TKS, RA, and
> >>          TPS instances
> >>        * Tested attached symlinks patch on all subsystems (although I
> >>          was unable to get the configured TPS to restart --
> >>          successfully applied logic from standalone test program)
> >> _______________________________________________
> >> Pki-devel mailing list
> >> Pki-devel at redhat.com
> >> https://www.redhat.com/mailman/listinfo/pki-devel
> >
> 
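
An added example, not part of the original message or the Dogtag patch: a POSIX sh sketch of the flow outlined in the review above, with the target-existence check moved into make_symlink(). It tests -h before anything else, because [ -e ] follows the link and reports false for a dangling one. The function arguments and return codes are assumptions, targets are assumed to be absolute paths, and the chown step is left out.

```shell
#!/bin/sh
# Added example; names, arguments and return codes are assumptions.
# Targets are assumed to be absolute paths; the chown step is omitted.

# make_symlink LINK TARGET: refuse to create a link to a missing target.
make_symlink() {
    if [ ! -e "$2" ]; then
        echo "ERROR: target '$2' does not exist; cannot create '$1'" >&2
        return 1
    fi
    ln -s "$2" "$1"
}

# check_symlink LINK TARGET
# 0 = LINK points at an existing TARGET (possibly after repair)
# 1 = error, 2 = LINK is a regular file and was left alone
check_symlink() {
    link=$1
    target=$2
    if [ -h "$link" ]; then
        # -h first: [ -e ] follows the link and is false when it dangles.
        if [ "$(readlink "$link")" = "$target" ]; then
            [ -e "$link" ] && return 0
            echo "ERROR: '$link' -> '$target' does not resolve" >&2
            return 1
        fi
        # Link points somewhere else: replace it with the expected one.
        rm "$link" || return 1
        make_symlink "$link" "$target"
    elif [ -f "$link" ]; then
        echo "WARNING: '$link' is a regular file, not a symlink" >&2
        return 2
    elif [ -e "$link" ]; then
        echo "ERROR: '$link' is a directory or other non-link object" >&2
        return 1
    else
        make_symlink "$link" "$target"
    fi
}

# Constructed demo in a scratch directory: a link with the wrong target.
demo=$(mktemp -d)
touch "$demo/expected.jar" "$demo/stale.jar"
ln -s "$demo/stale.jar" "$demo/app.jar"
check_symlink "$demo/app.jar" "$demo/expected.jar" && readlink "$demo/app.jar"
rm -rf "$demo"
```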




