Blame SOURCES/freeradius-bootstrap-run-only-once.patch

80a797
Author: Antonio Torres <antorres@redhat.com>
Date:   Wed Jul 20 2021
Subject: [PATCH] ensure bootstrap script is run only once
	The bootstrap script should only run once. By checking if there are
	certificates in the directory, we can exit early if certificates were
	already generated.
	Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1954521
	Signed-off-by: Antonio Torres antorres@redhat.com
---
 raddb/certs/README    | 16 ++++++----------
 raddb/certs/bootstrap | 18 ++++++++++++------
 2 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/raddb/certs/README b/raddb/certs/README
index 6288921da1..32413964dd 100644
--- a/raddb/certs/README
+++ b/raddb/certs/README
@@ -29,17 +29,13 @@ the "ca_file", you permit them to masquerade as you, to authenticate
 your users, and to issue client certificates for EAP-TLS.
 
   If FreeRADIUS was configured to use OpenSSL, then simply starting
-the server in root in debugging mode should also create test
-certificates, i.e.:
+the server in root mode should also create test certificates.
 
-$ radiusd -X
-
-  That will cause the EAP-TLS module to run the "bootstrap" script in
-this directory.  The script will be executed only once, the first time
-the server has been installed on a particular machine.  This bootstrap
-script SHOULD be run on installation of any pre-built binary package
-for your OS.  In any case, the script will ensure that it is not run
-twice, and that it does not over-write any existing certificates.
+  The start of FreeRADIUS will cause to run the "bootstrap" script.
+The script will be executed during every start of FreeRADIUS via systemd but
+the script will ensure that it does not overwrite any existing certificates.
+Ideally, the bootstrap script file should be deleted after new testing certificates
+have been generated.
 
   If you already have CA and server certificates, rename (or delete)
 this directory, and create a new "certs" directory containing your
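Review bot: the rewritten paragraph in this hunk is not grammatical where it says "The start of FreeRADIUS will cause to run the "bootstrap" script", and "in root mode" replaces the clearer "in root in debugging mode" without saying what root mode means; suggest "Starting FreeRADIUS as root runs the "bootstrap" script in this directory." The same paragraph states that the script runs on every systemd start and then advises deleting the script file once certificates exist, which leaves the reader unsure whether a later systemd start still works without it; say so explicitly, or drop the deletion advice since the script now exits early on its own. Dropping the `$ radiusd -X` line also removes the only concrete command in this section; keeping it as one way to trigger the bootstrap would help.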
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 0f719aafd4..92254dc936 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -1,12 +1,18 @@
 #!/bin/sh
 #
-#  This is a wrapper script to create default certificates when the
-#  server first starts in debugging mode.  Once the certificates have been
-#  created, this file should be deleted.
+# Bootstrap script should be run only once. If there are already certificates
+# generated, skip the execution.
+#
+cd `dirname $0`
+if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then
+  exit 0
+fi
+
 #
-#  Ideally, this program should be run as part of the installation of any
-#  binary package.  The installation should also ensure that the permissions
-#  and owners are correct for the files generated by this script.
+#  This is a wrapper script to create default certificates when the
+#  server starts via systemd. It should also ensure that the
+#  permissions and owners are correct for the generated files. Once
+# the certificates have been created, this file should be deleted.
 #
 #  $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
 #
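Review bot: the new guard at the top of this hunk depends on brace expansion (`*.{pem,crt,key}`), which the `#!/bin/sh` interpreter declared on line 1 is not required to perform (dash, the `/bin/sh` on Debian and Ubuntu, does not); there the pattern stays literal, `ls` matches nothing, its error goes to `/dev/null`, `wc -l` prints 0 and the early exit never triggers, so the script still regenerates certificates on every start, which is the behaviour the commit sets out to prevent. Spell the globs out, e.g. `if [ $(ls *.pem *.crt *.key 2>/dev/null | wc -l) -gt 0 ]; then`, or loop over `*.pem *.crt *.key` and `exit 0` on the first `[ -e "$f" ]`. Two smaller points on the same lines: `cd \`dirname $0\`` is unquoted and its failure is ignored, so a path containing spaces or a missing directory leaves the generation running in whatever the current directory is; prefer `cd "$(dirname "$0")" || exit 1`. And the guard is inserted before the descriptive header and the `$Id` line; placing it after the header keeps the file's usual layout and makes the comment "Bootstrap script should be run only once" read as part of the header rather than as a second one.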