From c870ba24c530ecb21452ac63b56377be8983ceb1 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 28 May 2024 16:48:47 -0500
Subject: [PATCH] Fix config file owners and permissions for containers

The container startup scripts have been modified to update
the owners and permissions after the configuration is done
such that the config files will have the proper owners and
permissions.

Note: Some files created at runtime (e.g. log files) still
have inconsistent owners/permissions. These files will be
fixed separately later.
---
 .github/workflows/ca-container-test.yml   | 26 +++++++++++------------
 .github/workflows/kra-container-test.yml  |  8 +++----
 .github/workflows/ocsp-container-test.yml |  8 +++----
 base/acme/bin/pki-acme-run                |  3 ---
 base/ca/bin/pki-ca-run                    | 10 ++++++---
 base/kra/bin/pki-kra-run                  | 10 ++++++---
 base/ocsp/bin/pki-ocsp-run                | 10 ++++++---
 base/server/bin/pki-server-run            | 10 ++++++---
 8 files changed, 49 insertions(+), 36 deletions(-)

diff --git a/.github/workflows/ca-container-test.yml b/.github/workflows/ca-container-test.yml
index a467f627092..c52b2d02ef3 100644
--- a/.github/workflows/ca-container-test.yml
+++ b/.github/workflows/ca-container-test.yml
@@ -252,7 +252,7 @@ jobs:
           # TODO: review owners/permissions
           cat > expected << EOF
           drwxrwxrwx 17 root Catalina
-          drwxrwx--- 17 root alias
+          drwxrwxrwx 17 root alias
           drwxrwxrwx 17 root ca
           -rw-rw-rw- 17 root catalina.policy
           lrwxrwxrwx 17 root catalina.properties -> /usr/share/pki/server/conf/catalina.properties
@@ -260,9 +260,9 @@ jobs:
           lrwxrwxrwx 17 root context.xml -> /etc/tomcat/context.xml
           -rw-rw-rw- 17 root jss.conf
           lrwxrwxrwx 17 root logging.properties -> /usr/share/pki/server/conf/logging.properties
-          -rw-rw---- 17 root password.conf
+          -rw-rw-rw- 17 root password.conf
           -rw-rw-rw- 17 root server.xml
-          -rw-rw---- 17 root serverCertNick.conf
+          -rw-rw-rw- 17 root serverCertNick.conf
           -rw-rw-rw- 17 root tomcat.conf
           lrwxrwxrwx 17 root web.xml -> /etc/tomcat/web.xml
           EOF
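Review bot: The new expectation on the password.conf line locks in a world-readable and world-writable password file (`-rw-rw-rw-`), and the preceding hunk does the same for the NSS `alias` directory (`drwxrwxrwx`); the `# TODO: review owners/permissions` comment above these blocks shows this is known, but the test now codifies the weaker mode instead of flagging it. The same change is made in kra-container-test.yml and ocsp-container-test.yml, and the following hunk extends it to the CA profile files and flatfile.txt, which become writable by any uid inside the container. If other-user access is not intended, the expectation should stay at `-rw-rw---- 17 root password.conf` and the run scripts should set the mode explicitly rather than with a bare `chmod +rw`; if it is intended, a one-line comment next to the TODO stating why world access is required would record the decision for whoever revisits it.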
@@ -283,18 +283,18 @@ jobs:
           # TODO: review owners/permissions
           cat > expected << EOF
           -rw-rw-rw- 17 root CS.cfg
-          -rw-rw---- 17 root adminCert.profile
+          -rw-rw-rw- 17 root adminCert.profile
           drwxrwxrwx 17 root archives
-          -rw-rw---- 17 root caAuditSigningCert.profile
-          -rw-rw---- 17 root caCert.profile
-          -rw-rw---- 17 root caOCSPCert.profile
-          drwxrwx--- 17 root emails
-          -rw-rw---- 17 root flatfile.txt
-          drwxrwx--- 17 root profiles
-          -rw-rw---- 17 root proxy.conf
+          -rw-rw-rw- 17 root caAuditSigningCert.profile
+          -rw-rw-rw- 17 root caCert.profile
+          -rw-rw-rw- 17 root caOCSPCert.profile
+          drwxrwxrwx 17 root emails
+          -rw-rw-rw- 17 root flatfile.txt
+          drwxrwxrwx 17 root profiles
+          -rw-rw-rw- 17 root proxy.conf
           -rw-rw-rw- 17 root registry.cfg
-          -rw-rw---- 17 root serverCert.profile
-          -rw-rw---- 17 root subsystemCert.profile
+          -rw-rw-rw- 17 root serverCert.profile
+          -rw-rw-rw- 17 root subsystemCert.profile
           EOF
 
           diff expected output
diff --git a/.github/workflows/kra-container-test.yml b/.github/workflows/kra-container-test.yml
index 7a21d08362c..612708eab4b 100644
--- a/.github/workflows/kra-container-test.yml
+++ b/.github/workflows/kra-container-test.yml
@@ -368,7 +368,7 @@ jobs:
           # TODO: review owners/permissions
           cat > expected << EOF
           drwxrwxrwx 17 root Catalina
-          drwxrwx--- 17 root alias
+          drwxrwxrwx 17 root alias
           -rw-rw-rw- 17 root catalina.policy
           lrwxrwxrwx 17 root catalina.properties -> /usr/share/pki/server/conf/catalina.properties
           drwxrwxrwx 17 root certs
@@ -376,9 +376,9 @@ jobs:
           -rw-rw-rw- 17 root jss.conf
           drwxrwxrwx 17 root kra
           lrwxrwxrwx 17 root logging.properties -> /usr/share/pki/server/conf/logging.properties
-          -rw-rw---- 17 root password.conf
+          -rw-rw-rw- 17 root password.conf
           -rw-rw-rw- 17 root server.xml
-          -rw-rw---- 17 root serverCertNick.conf
+          -rw-rw-rw- 17 root serverCertNick.conf
           -rw-rw-rw- 17 root tomcat.conf
           lrwxrwxrwx 17 root web.xml -> /etc/tomcat/web.xml
           EOF
@@ -400,7 +400,7 @@ jobs:
           cat > expected << EOF
           -rw-rw-rw- 17 root CS.cfg
           drwxrwxrwx 17 root archives
-          -rw-rw-r-- 17 root registry.cfg
+          -rw-rw-rw- 17 root registry.cfg
           EOF
 
           diff expected output
diff --git a/.github/workflows/ocsp-container-test.yml b/.github/workflows/ocsp-container-test.yml
index e41b2417977..712afbee100 100644
--- a/.github/workflows/ocsp-container-test.yml
+++ b/.github/workflows/ocsp-container-test.yml
@@ -354,7 +354,7 @@ jobs:
           # TODO: review owners/permissions
           cat > expected << EOF
           drwxrwxrwx 17 root Catalina
-          drwxrwx--- 17 root alias
+          drwxrwxrwx 17 root alias
           -rw-rw-rw- 17 root catalina.policy
           lrwxrwxrwx 17 root catalina.properties -> /usr/share/pki/server/conf/catalina.properties
           drwxrwxrwx 17 root certs
@@ -362,9 +362,9 @@ jobs:
           -rw-rw-rw- 17 root jss.conf
           lrwxrwxrwx 17 root logging.properties -> /usr/share/pki/server/conf/logging.properties
           drwxrwxrwx 17 root ocsp
-          -rw-rw---- 17 root password.conf
+          -rw-rw-rw- 17 root password.conf
           -rw-rw-rw- 17 root server.xml
-          -rw-rw---- 17 root serverCertNick.conf
+          -rw-rw-rw- 17 root serverCertNick.conf
           -rw-rw-rw- 17 root tomcat.conf
           lrwxrwxrwx 17 root web.xml -> /etc/tomcat/web.xml
           EOF
@@ -386,7 +386,7 @@ jobs:
           cat > expected << EOF
           -rw-rw-rw- 17 root CS.cfg
           drwxrwxrwx 17 root archives
-          -rw-rw-r-- 17 root registry.cfg
+          -rw-rw-rw- 17 root registry.cfg
           EOF
 
           diff expected output
diff --git a/base/acme/bin/pki-acme-run b/base/acme/bin/pki-acme-run
index b148951db78..036b3ba2380 100755
--- a/base/acme/bin/pki-acme-run
+++ b/base/acme/bin/pki-acme-run
@@ -19,9 +19,6 @@ then
 else
     echo "INFO: Creating /data/conf"
     cp -r /var/lib/pki/pki-tomcat/conf.default /data/conf
-    chown -Rf pkiuser:root /data/conf
-    find /data/conf -type f -exec chmod +rw -- {} +
-    find /data/conf -type d -exec chmod +rwx -- {} +
 fi
 
 echo "################################################################################"
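Review bot: The chown/chmod lines are removed from the `/data/conf` creation branch, but unlike pki-ca-run, pki-kra-run, pki-ocsp-run and pki-server-run in this patch no replacement "Updating owners and permissions" block is added to pki-acme-run (the diffstat shows only three deletions for it). Unless something outside this hunk sets them, a freshly copied /data/conf in the ACME container now keeps whatever owner and mode `cp -r` produced, which is the inconsistency the other scripts are fixing. Either keep the three lines here or add the same post-configuration block before the server is started. The enclosing if/else starts before the hunk.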
diff --git a/base/ca/bin/pki-ca-run b/base/ca/bin/pki-ca-run
index 3d2f661476e..d8a6dba21f7 100755
--- a/base/ca/bin/pki-ca-run
+++ b/base/ca/bin/pki-ca-run
@@ -16,9 +16,6 @@ then
 else
     echo "INFO: Creating /data/conf"
     cp -r /var/lib/pki/pki-tomcat/conf.default /data/conf
-    chown -Rf pkiuser:root /data/conf
-    find /data/conf -type f -exec chmod +rw -- {} +
-    find /data/conf -type d -exec chmod +rwx -- {} +
 fi
 
 echo "################################################################################"
@@ -386,6 +383,13 @@ echo "INFO: Configuring PKI CA"
 pki-server ca-config-set internaldb.minConns 0
 pki-server ca-config-set ca.authorityMonitor.enable false
 
+echo "################################################################################"
+echo "INFO: Updating owners and permissions"
+
+chown -Rf pkiuser:root /data/conf
+find /data/conf -type f -exec chmod +rw -- {} +
+find /data/conf -type d -exec chmod +rwx -- {} +
+
 echo "################################################################################"
 echo "INFO: Starting PKI CA"
 
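Review bot: `chmod +rw` and `chmod +rwx` with no `u`/`g`/`o` prefix apply to all classes except the bits set in the current umask, so the resulting mode depends on the umask of whichever process runs the script; the workflow expectations in this patch (`-rw-rw-rw-`) only hold under a umask of 000 and will diverge under a conventional 022. Naming the classes explicitly, e.g. `find /data/conf -type f -exec chmod u+rw,g+rw -- {} +` and `find /data/conf -type d -exec chmod u+rwx,g+rwx -- {} +`, makes the outcome deterministic and stops this step from granting other-user access to password.conf and the NSS database under alias. `chown -Rf` also silences failures, so a refused chown is invisible in the startup log; consider dropping `-f` or reporting its status. The same block is added to pki-kra-run, pki-ocsp-run and pki-server-run, so a shared helper in the server image would avoid four copies of it.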
diff --git a/base/kra/bin/pki-kra-run b/base/kra/bin/pki-kra-run
index 3599d749d0b..6ebbf811237 100755
--- a/base/kra/bin/pki-kra-run
+++ b/base/kra/bin/pki-kra-run
@@ -16,9 +16,6 @@ then
 else
     echo "INFO: Creating /data/conf"
     cp -r /var/lib/pki/pki-tomcat/conf.default /data/conf
-    chown -Rf pkiuser:root /data/conf
-    find /data/conf -type f -exec chmod +rw -- {} +
-    find /data/conf -type d -exec chmod +rwx -- {} +
 fi
 
 echo "################################################################################"
@@ -162,6 +159,13 @@ echo "INFO: Configuring PKI KRA"
 
 pki-server kra-config-set internaldb.minConns 0
 
+echo "################################################################################"
+echo "INFO: Updating owners and permissions"
+
+chown -Rf pkiuser:root /data/conf
+find /data/conf -type f -exec chmod +rw -- {} +
+find /data/conf -type d -exec chmod +rwx -- {} +
+
 echo "################################################################################"
 echo "INFO: Starting PKI KRA"
 
diff --git a/base/ocsp/bin/pki-ocsp-run b/base/ocsp/bin/pki-ocsp-run
index 7bc9de2b6c8..dd56f2df042 100755
--- a/base/ocsp/bin/pki-ocsp-run
+++ b/base/ocsp/bin/pki-ocsp-run
@@ -16,9 +16,6 @@ then
 else
     echo "INFO: Creating /data/conf"
     cp -r /var/lib/pki/pki-tomcat/conf.default /data/conf
-    chown -Rf pkiuser:root /data/conf
-    find /data/conf -type f -exec chmod +rw -- {} +
-    find /data/conf -type d -exec chmod +rwx -- {} +
 fi
 
 echo "################################################################################"
@@ -159,6 +156,13 @@ echo "INFO: Configuring OCSP Responder"
 
 pki-server ocsp-config-set internaldb.minConns 0
 
+echo "################################################################################"
+echo "INFO: Updating owners and permissions"
+
+chown -Rf pkiuser:root /data/conf
+find /data/conf -type f -exec chmod +rw -- {} +
+find /data/conf -type d -exec chmod +rwx -- {} +
+
 echo "################################################################################"
 echo "INFO: Starting OCSP Responder"
 
diff --git a/base/server/bin/pki-server-run b/base/server/bin/pki-server-run
index fde969b8b76..f320393745f 100755
--- a/base/server/bin/pki-server-run
+++ b/base/server/bin/pki-server-run
@@ -19,9 +19,6 @@ then
 else
     echo "INFO: Creating /data/conf"
     cp -r /var/lib/pki/pki-tomcat/conf.default /data/conf
-    chown -Rf pkiuser:root /data/conf
-    find /data/conf -type f -exec chmod +rw -- {} +
-    find /data/conf -type d -exec chmod +rwx -- {} +
 fi
 
 echo "################################################################################"
@@ -193,6 +190,13 @@ then
         ca_signing
 fi
 
+echo "################################################################################"
+echo "INFO: Updating owners and permissions"
+
+chown -Rf pkiuser:root /data/conf
+find /data/conf -type f -exec chmod +rw -- {} +
+find /data/conf -type d -exec chmod +rwx -- {} +
+
 echo "################################################################################"
 echo "INFO: Starting PKI server"