andykimpe / rpms / 389-ds-base

Blame SOURCES/0027-Ticket-48450-Add-prestart-work-around-for-systemd-as.patch

From 8afc979b47994c8bebae22868b86761590231e09 Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Fri, 29 Jul 2016 14:36:19 +1000
Subject: [PATCH 27/29] Ticket 48450 - Add prestart work around for systemd ask
 password

Bug Description:  Due to a lack of response to fix the systemd ask password
permissions, we must resolve this ourselves. Without this, we cannot utilise
the ask password feature at all.

Fix Description:  We add an execstartpre script, that parses dse.ldif for
the running server user. If found, we add the acl to ask-password directory
which will allow the server to start. We do this so that if each instance
has a unique user, they can all use ask pass correctly.

https://fedorahosted.org/389/ticket/48450

Author: wibrown

Review by: nhosoi (Thanks)

(cherry picked from commit e6b48924adb753f47683f25fab6e2b8e5d3cf84c)
---
 Makefile.am                               |  3 ++-
 wrappers/ds_systemd_ask_password_acl.in   | 34 +++++++++++++++++++++++++++++++
 wrappers/systemd.template.asan.service.in |  1 +
 wrappers/systemd.template.service.in      |  1 +
 4 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 wrappers/ds_systemd_ask_password_acl.in

diff --git a/Makefile.am b/Makefile.am
index ed3d462..3e1bf47 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -620,7 +620,8 @@ sbin_SCRIPTS = ldap/admin/src/scripts/setup-ds.pl \
 	ldap/admin/src/scripts/dbmon.sh \
 	ldap/admin/src/scripts/ds_selinux_enabled \
 	ldap/admin/src/scripts/ds_selinux_port_query \
-    wrappers/ldap-agent
+	wrappers/ds_systemd_ask_password_acl \
+	wrappers/ldap-agent
 
 bin_SCRIPTS = ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl \
 	wrappers/dbscan \
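Review bot: wrappers/ds_systemd_ask_password_acl is added to sbin_SCRIPTS, which installs a helper that only the unit's ExecStartPre is meant to call into the same directory as administrator-facing tools such as setup-ds.pl and dbmon.sh. Consider installing it under libexecdir instead, or documenting its usage and required privileges if it is intended to be run by hand. The switch from four spaces to a tab on the `wrappers/ldap-agent` continuation line is a welcome incidental fix.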
diff --git a/wrappers/ds_systemd_ask_password_acl.in b/wrappers/ds_systemd_ask_password_acl.in
new file mode 100644
index 0000000..59bffc5
--- /dev/null
+++ b/wrappers/ds_systemd_ask_password_acl.in
@@ -0,0 +1,34 @@
+#!/bin/sh
+# BEGIN COPYRIGHT BLOCK
+# Copyright (C) 2016 Red Hat, Inc.
+#
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# END COPYRIGHT BLOCK
+
+# Systemd has not fixed the issue at https://bugzilla.redhat.com/show_bug.cgi?id=1322167
+# As a result, we need a way to fix the permissions as we start.
+# We have to reset these each time, as this folder is on a tmpfs.
+# If we don't do this, we can't prompt for the password!
+# If you want this script to go away, fix the bugzilla so we don't need it!
+
+# Make sure we have the path to the dse.ldif
+if [ -z $1 ]
+then
+    echo "usage: ${0} /etc/dirsrv/slapd-<instance>/dse.ldif"
+    exit 1
+fi
+
+# Grep the user out
+
+DS_USER=`grep 'nsslapd-localuser: ' $1 | awk '{print $2}'`
+
+# Now apply the acl
+
+if [ -d /var/run/systemd/ask-password ]
+then
+    setfacl -m u:${DS_USER}:rwx /var/run/systemd/ask-password
+fi
+
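Review bot: `DS_USER` is never validated before the `setfacl -m u:${DS_USER}:rwx /var/run/systemd/ask-password` line, although the commit message says the ACL is added only "if found". If dse.ldif has no `nsslapd-localuser: ` line the ACL spec becomes `u::rwx`, which rewrites the directory owner's entry instead of failing; if the unanchored grep matches more than one line, the unquoted expansion splits into extra arguments. Suggest anchoring the pattern at line start, taking only the first match, exiting with a message when the result is empty or the account does not resolve, and quoting `"$1"` in both the `[ -z $1 ]` test and the grep. The choice of `rwx` also deserves a comment: the ACL gives the service account write access to the shared ask-password directory, and nothing in the patch removes it when the instance stops.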
diff --git a/wrappers/systemd.template.asan.service.in b/wrappers/systemd.template.asan.service.in
index dd361b4..5de91de 100644
--- a/wrappers/systemd.template.asan.service.in
+++ b/wrappers/systemd.template.asan.service.in
@@ -25,6 +25,7 @@ PIDFile=@localstatedir@/run/@package_name@/slapd-%i.pid
 # We can't symbolize here, as llvm symbolize crashes when it goes near systemd.
 Environment='ASAN_OPTIONS="detect_leaks=1 symbolize=0 log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.asan detect_deadlocks=1"'
 LimitCORE=infinity
+ExecStartPre=@sbindir@/ds_systemd_ask_password_acl @instconfigdir@/slapd-%i/dse.ldif
 ExecStart=@sbindir@/ns-slapd -D @instconfigdir@/slapd-%i -i @localstatedir@/run/@package_name@/slapd-%i.pid
 # if you need to set other directives e.g. LimitNOFILE=8192
 # set them in this file
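Review bot: the new `ExecStartPre=` line has no `-` prefix, so any non-zero exit from the helper aborts the start of ns-slapd, including for instances that never prompt for a password. The script's exit status is that of its last command, so a failing `setfacl` (binary missing, ACLs unsupported on the mount) turns a workaround into a start blocker. Either prefix the command with `-` or have the script log and exit 0 when the ACL cannot be applied; the same applies to the identical line in systemd.template.service.in.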
diff --git a/wrappers/systemd.template.service.in b/wrappers/systemd.template.service.in
index a045036..6f096b7 100644
--- a/wrappers/systemd.template.service.in
+++ b/wrappers/systemd.template.service.in
@@ -22,6 +22,7 @@ Type=notify
 EnvironmentFile=@initconfigdir@/@package_name@
 EnvironmentFile=@initconfigdir@/@package_name@-%i
 PIDFile=@localstatedir@/run/@package_name@/slapd-%i.pid
+ExecStartPre=@sbindir@/ds_systemd_ask_password_acl @instconfigdir@/slapd-%i/dse.ldif
 ExecStart=@sbindir@/ns-slapd -D @instconfigdir@/slapd-%i -i @localstatedir@/run/@package_name@/slapd-%i.pid
 # if you need to set other directives e.g. LimitNOFILE=8192
 # set them in this file
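Review bot: this `ExecStartPre=` line makes `setfacl` a runtime requirement of the non-ASAN unit and runs the helper on every start, yet nothing in the visible patch declares that dependency or records what the helper did. When /var/run/systemd/ask-password does not exist the script skips silently, so a later prompt failure leaves no trace of why the ACL was not applied. Suggest a one-line message from the script on the skip and success paths, and a comment above `ExecStartPre=` pointing at ticket 48450 so the line can be dropped once the systemd bug is fixed.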
-- 
2.4.11