Comments (6)
Well crud. The code uses tempfile.mkdtemp() to create a temporary directory, optionally owned by another user. I could hardcode dir="/tmp" into the call so that the temporary files are always public. That was the implicit assumption before, anyway. How does that sound to you?
from pki.
CC @rcritten
This should help.
This should be backported to 11.3 and 11.4. I can open those PRs as well if desired.
Thank you!
I tested the patch today, unfortunately it didn't fix my issue completely.
An example of the error:
java.nio.file.AccessDeniedException: /tmp/.private/root/tmps57i6g40/sslserver.csr
at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218)
at java.base/java.nio.file.spi.FileSystemProvider.newOutputStream(FileSystemProvider.java:484)
at java.base/java.nio.file.Files.newOutputStream(Files.java:228)
at java.base/java.nio.file.Files.write(Files.java:3512)
at com.netscape.cmstools.nss.NSSCertRequestCLI.execute(NSSCertRequestCLI.java:181)
at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
at org.dogtagpki.cli.CLI.execute(CLI.java:353)
at org.dogtagpki.cli.CLI.execute(CLI.java:353)
at org.dogtagpki.cli.CLI.execute(CLI.java:353)
at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:659)
at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:698)
ERROR: CalledProcessError: Command '['runuser', '-u', 'pkiuser', '--', 'pki', '-d', '/etc/pki/pki-tomcat/alias', '-C', '/tmp/tmpx05hn8yr/password.txt', 'nss-cert-request', '--subject', 'cn=ipa.example.test,o=2023-08-15 15:28:23', '--csr', '/tmp/.private/root/tmps57i6g40/sslserver.csr', '--key-type', 'RSA', '--key-size', '2048', '--hash', 'SHA256']' returned non-zero exit status 255.
File "/usr/lib64/python3/site-packages/pki/server/pkispawn.py", line 588, in main
scriptlet.spawn(deployer)
File "/usr/lib64/python3/site-packages/pki/server/deployment/scriptlets/configuration.py", line 222, in spawn
deployer.create_temp_sslserver_cert(instance)
File "/usr/lib64/python3/site-packages/pki/server/deployment/__init__.py", line 2012, in create_temp_sslserver_cert
nssdb.create_request(
File "/usr/lib64/python3/site-packages/pki/nssdb.py", line 914, in create_request
self.__create_request(
File "/usr/lib64/python3/site-packages/pki/nssdb.py", line 1508, in __create_request
self.run(cmd, check=True, runas=True)
File "/usr/lib64/python3/site-packages/pki/nssdb.py", line 268, in run
result = subprocess.run(
^^^^^^^^^^^^^^^
File "/usr/lib64/python3.11/subprocess.py", line 571, in run
raise CalledProcessError(retcode, process.args,
I added at least this change to get basic installation to work:
--- a/base/server/python/pki/server/deployment/__init__.py
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -1931,7 +1931,7 @@ class PKIDeployer:
generic_exts = [generic_ext]
- tmpdir = tempfile.mkdtemp()
+ tmpdir = tempfile.mkdtemp(dir='/tmp')
try:
csr_file = os.path.join(tmpdir, 'request.csr')
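Review bot: `tempfile.mkdtemp(dir='/tmp')` hardcodes the base directory and therefore ignores TMPDIR, which is exactly what this hunk relies on to escape the per-user private tmp (`/tmp/.private/root/...`) shown in the traceback; that intent is not visible in the code, so a one-line comment saying why `/tmp` is forced would help. Since the comment above notes there are quite a few `mkdtemp()` calls in the code, consider putting the base directory in one named constant or helper rather than patching call sites one at a time.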
@@ -1973,7 +1973,7 @@ class PKIDeployer:
instance.set_sslserver_cert_nickname(nickname)
- tmpdir = tempfile.mkdtemp()
+ tmpdir = tempfile.mkdtemp(dir='/tmp')
nssdb = instance.open_nssdb(
user=self.mdict['pki_user'],
group=self.mdict['pki_group']
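Review bot: same hardcoded `dir='/tmp'` as in the first hunk, with the same question about ownership: `mkdtemp()` creates the directory mode 0700 owned by the caller (root during pkispawn), and the context lines only show `user=self.mdict['pki_user']` / `group=self.mdict['pki_group']` being passed to `open_nssdb`, not the new `tmpdir` being made reachable by that user. If the ownership change happens elsewhere, a short comment pointing to it would save the next reader from re-deriving why the `runuser -u pkiuser` child can write there; a regression test that runs the request with a 0700 parent directory (the pam_tmpdir layout from the traceback) would pin the behaviour down.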
But I'm concerned that mkdtemp (quite a few of them in the code) may lead to such a problem.
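The failure in the traceback above is a temporary directory created under a parent (`/tmp/.private/root`, mode 0700) that the `runuser -u pkiuser` child cannot traverse. The following is an added example, not code from the pki project or from the commenters, showing a `mkdtemp()` wrapper that checks every ancestor for "other" search permission before handing the directory to another user; `is_traversable_by_others`, `make_tmpdir_for_user` and `demo` are hypothetical names, and the "other" check assumes the target user is not in the owning groups of the path.

```python
import grp
import os
import pwd
import stat
import tempfile


def is_traversable_by_others(path):
    """True if `path` and every ancestor directory grant search (x) to 'other'.
    Checks mode bits rather than os.access(), so the result is the same whether
    or not the caller is root. Assumption: the target user is not a member of
    any group owning these directories."""
    path = os.path.realpath(path)
    while True:
        st = os.stat(path)
        if stat.S_ISDIR(st.st_mode) and not st.st_mode & stat.S_IXOTH:
            return False
        parent = os.path.dirname(path)
        if parent == path:          # reached the filesystem root
            return True
        path = parent


def make_tmpdir_for_user(user=None, group=None, base_dir=None):
    """mkdtemp() plus the check the deployer lacked: when the directory is meant
    for another user (it gets chowned, like 'optionally owned by another user'
    in the first comment), refuse a parent that user cannot even reach."""
    tmpdir = tempfile.mkdtemp(dir=base_dir)     # always created mode 0700
    if user is None:
        return tmpdir
    if not is_traversable_by_others(os.path.dirname(tmpdir)):
        os.rmdir(tmpdir)
        raise PermissionError(f"{tmpdir} is unreachable for user {user}")
    uid = user if isinstance(user, int) else pwd.getpwnam(user).pw_uid
    gid = grp.getgrnam(group).gr_gid if group else -1
    os.chown(tmpdir, uid, gid)   # needs privilege unless uid is the caller
    return tmpdir


def demo():
    """Constructed scenario under /tmp: a 0700 parent (the pam_tmpdir layout
    from the traceback) versus a 0755 parent. Returns (refused, created)."""
    private = tempfile.mkdtemp(dir="/tmp")      # 0700, like /tmp/.private/root
    shared = tempfile.mkdtemp(dir="/tmp")
    os.chmod(shared, 0o755)
    try:
        make_tmpdir_for_user(user=os.getuid(), base_dir=private)
        refused = False
    except PermissionError:
        refused = True
    created = make_tmpdir_for_user(user=os.getuid(), base_dir=shared)
    return refused, os.path.isdir(created)
```

`demo()` chowns to the calling uid so it runs unprivileged; in the deployer the equivalent call would pass the configured `pki_user`.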