From 8afc979b47994c8bebae22868b86761590231e09 Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Fri, 29 Jul 2016 14:36:19 +1000
Subject: [PATCH 27/29] Ticket 48450 - Add prestart work around for systemd ask
password
Bug Description: Due to a lack of response to fix the systemd ask password
permissions, we must resolve this ourselves. Without this, we cannot utilise
the ask password feature at all.
Fix Description: We add an execstartpre script, that parses dse.ldif for
the running server user. If found, we add the acl to ask-password directory
which will allow the server to start. We do this so that if each instance
has a unique user, they can all use ask pass correctly.
https://fedorahosted.org/389/ticket/48450
Author: wibrown
Review by: nhosoi (Thanks)
(cherry picked from commit e6b48924adb753f47683f25fab6e2b8e5d3cf84c)
---
Makefile.am | 3 ++-
wrappers/ds_systemd_ask_password_acl.in | 34 +++++++++++++++++++++++++++++++
wrappers/systemd.template.asan.service.in | 1 +
wrappers/systemd.template.service.in | 1 +
4 files changed, 38 insertions(+), 1 deletion(-)
create mode 100644 wrappers/ds_systemd_ask_password_acl.in
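--- a/Makefile.am
+++ b/Makefile.am
@@ -620,7 +620,8 @@ sbin_SCRIPTS = ldap/admin/src/scripts/setup-ds.pl \
 ldap/admin/src/scripts/dbmon.sh \
 ldap/admin/src/scripts/ds_selinux_enabled \
 ldap/admin/src/scripts/ds_selinux_port_query \
- wrappers/ldap-agent
+ wrappers/ds_systemd_ask_password_acl \
+ wrappers/ldap-agent
 
 bin_SCRIPTS = ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl \
 wrappers/dbscan \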
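--- /dev/null
+++ b/wrappers/ds_systemd_ask_password_acl.in
@@ -0,0 +1,34 @@
+#!/bin/sh
+# BEGIN COPYRIGHT BLOCK
+# Copyright (C) 2016 Red Hat, Inc.
+#
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# END COPYRIGHT BLOCK
+
+# Systemd has not fixed the issue at https://bugzilla.redhat.com/show_bug.cgi?id=1322167
+# As a result, we need a way to fix the permissions as we start.
+# We have to reset these each time, as this folder is on a tmpfs.
+# If we don't do this, we can't prompt for the password!
+# If you want this script to go away, fix the bugzilla so we don't need it!
+
+# Make sure we have the path to the dse.ldif
+if [ -z $1 ]
+then
+ echo "usage: ${0} /etc/dirsrv/slapd-<instance>/dse.ldif"
+ exit 1
+fi
+
+# Grep the user out
+
+DS_USER=`grep 'nsslapd-localuser: ' $1 | awk '{print $2}'`
+
+# Now apply the acl
+
+if [ -d /var/run/systemd/ask-password ]
+then
+ setfacl -m u:${DS_USER}:rwx /var/run/systemd/ask-password
+fi
+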
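Review bot: The user lookup and the ACL call trust whatever the grep returns: with no `nsslapd-localuser` line DS_USER is empty and the argument becomes `u::rwx`, which rewrites the owner entry of /var/run/systemd/ask-password and exits 0 instead of doing nothing, and with several matching lines the unquoted `${DS_USER}` is split into extra setfacl arguments. `$1` is also unquoted in the `[ -z $1 ]` test and in the grep, and the pattern is not anchored to the start of the line. The rewrite below quotes the expansions, takes only the first anchored match and skips the ACL when no user is found, which matches the commit message's "If found". The ACL gives the server account write access to a directory that is presumably shared by every ask-password client on the host; a comment recording that this is accepted would help the next reader.

```shell
if [ -z "$1" ]
then
    # … unchanged: usage message and exit 1 …
fi

# First anchored match only; stays empty when the attribute is absent.
DS_USER=`awk '/^nsslapd-localuser: /{print $2; exit}' "$1"`

# Nothing to grant when no user is configured.
if [ -z "${DS_USER}" ]
then
    exit 0
fi

if [ -d /var/run/systemd/ask-password ]
then
    setfacl -m "u:${DS_USER}:rwx" /var/run/systemd/ask-password
fi
```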
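--- a/wrappers/systemd.template.asan.service.in
+++ b/wrappers/systemd.template.asan.service.in
@@ -25,6 +25,7 @@ PIDFile=@localstatedir@/run/@package_name@/slapd-%i.pid
 # We can't symbolize here, as llvm symbolize crashes when it goes near systemd.
 Environment='ASAN_OPTIONS="detect_leaks=1 symbolize=0 log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.asan detect_deadlocks=1"'
 LimitCORE=infinity
+ExecStartPre=@sbindir@/ds_systemd_ask_password_acl @instconfigdir@/slapd-%i/dse.ldif
 ExecStart=@sbindir@/ns-slapd -D @instconfigdir@/slapd-%i -i @localstatedir@/run/@package_name@/slapd-%i.pid
 # if you need to set other directives e.g. LimitNOFILE=8192
 # set them in this file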
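Review bot: The added `ExecStartPre=` line has no `-` prefix, so any non-zero exit from ds_systemd_ask_password_acl (setfacl not installed, a filesystem without ACL support, an unreadable dse.ldif) stops ns-slapd from starting, even for instances that never prompt for a password; the same line is added to wrappers/systemd.template.service.in. If the ACL is meant to be best-effort, `ExecStartPre=-@sbindir@/ds_systemd_ask_password_acl @instconfigdir@/slapd-%i/dse.ldif` keeps start-up independent of it. The hunk does not show whether the unit sets `User=`, so it cannot be seen here which account the helper runs as; a comment above the line such as `# runs before ns-slapd to grant the instance user an ACL on the systemd ask-password directory` would record the intent and the privilege it expects.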
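--- a/wrappers/systemd.template.service.in
+++ b/wrappers/systemd.template.service.in
@@ -22,6 +22,7 @@ Type=notify
 EnvironmentFile=@initconfigdir@/@package_name@
 EnvironmentFile=@initconfigdir@/@package_name@-%i
 PIDFile=@localstatedir@/run/@package_name@/slapd-%i.pid
+ExecStartPre=@sbindir@/ds_systemd_ask_password_acl @instconfigdir@/slapd-%i/dse.ldif
 ExecStart=@sbindir@/ns-slapd -D @instconfigdir@/slapd-%i -i @localstatedir@/run/@package_name@/slapd-%i.pid
 # if you need to set other directives e.g. LimitNOFILE=8192
 # set them in this file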
--
2.4.11