Bug 1698384 - ipa-kra-install fails due to fs.protected_regular=1
Summary: ipa-kra-install fails due to fs.protected_regular=1
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 30
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: François Cami
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-04-10 09:40 UTC by François Cami
Modified: 2019-11-20 01:02 UTC (History)

Fixed In Version: freeipa-4.8.2-1.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-20 01:02:15 UTC
Type: Bug
Embargoed:



Description François Cami 2019-04-10 09:40:27 UTC
ipa-kra-install fails on f30+:

2019-04-09T22:15:46Z DEBUG   [3/11]: configuring KRA instance
2019-04-09T22:15:46Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 605, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 591, in run_step
    method()
  File "/usr/lib/python3.7/site-packages/ipaserver/install/krainstance.py", line 292, in __spawn_instance
    with open(cfg_file, "w") as f:
PermissionError: [Errno 13] Permission denied: '/tmp/tmpm1rqniqo'

2019-04-09T22:15:46Z DEBUG   [error] PermissionError: [Errno 13] Permission denied: '/tmp/tmpm1rqniqo'
2019-04-09T22:15:46Z DEBUG Removing /var/lib/ipa/tmp-gt08zqc7
2019-04-09T22:15:46Z DEBUG Removing /root/.dogtag/pki-tomcat/kra
2019-04-09T22:15:46Z DEBUG   File "/usr/lib/python3.7/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.7/site-packages/ipapython/install/cli.py", line 347, in run
    return cfgr.run()
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.7/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.7/site-packages/ipaserver/install/server/__init__.py", line 583, in main
    replica_install(self)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/server/replicainstall.py", line 400, in decorated
    func(installer)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/server/replicainstall.py", line 1274, in install
    kra.install(api, config, options, custodia=custodia)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/kra.py", line 94, in install
    promote=promote)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/krainstance.py", line 142, in configure_instance
    self.start_creation(runtime=120)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 605, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 591, in run_step
    method()
  File "/usr/lib/python3.7/site-packages/ipaserver/install/krainstance.py", line 292, in __spawn_instance
    with open(cfg_file, "w") as f:

This is because the temp (/tmp) configuration file is first chowned to a non-root account and then opened rw by root.

This is related to https://bugzilla.redhat.com/show_bug.cgi?id=1677027

Comment 1 François Cami 2019-04-10 09:41:02 UTC
The following patch fixes the issue:

diff -rU2 1/ipaserver/install/krainstance.py 2/ipaserver/install/krainstance.py
--- 1/ipaserver/install/krainstance.py	2019-04-10 09:47:00.741398165 +0200
+++ 2/ipaserver/install/krainstance.py	2019-04-10 10:07:43.516687770 +0200
@@ -155,5 +155,4 @@
         os.close(cfg_fd)
         pent = pwd.getpwnam(self.service_user)
-        os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
         self.tmp_agent_db = tempfile.mkdtemp(
                 prefix="tmp-", dir=paths.VAR_LIB_IPA)
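Review bot: with the chown removed here, `pent = pwd.getpwnam(self.service_user)` on the line above now has no consumer in this function until the second hunk, roughly 140 lines later; consider moving the lookup next to the new `os.chown` so the two stay together and a later refactor cannot drop or shadow `pent` unnoticed. Also note that `os.close(cfg_fd)` followed by a reopen by path is what produces the O_CREAT open that fs.protected_regular refuses; writing through the descriptor `tempfile.mkstemp()` returned would avoid the second open altogether, independent of ownership order.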
@@ -293,4 +292,7 @@
             config.write(f)
 
+        # chown after write is necessary when fs.protected_regular=1
+        os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
+
         try:
             DogtagInstance.spawn_instance(
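Review bot: the comment `# chown after write is necessary when fs.protected_regular=1` states the when but not the why; suggest wording that records the rule, e.g. "open(cfg_file, 'w') uses O_CREAT, and with fs.protected_regular=1 root may not O_CREAT-open a file in sticky /tmp that another user owns, so hand ownership over only after the last write". That way the next person who adds a write after this point knows it must go above the chown. The chown also sits outside the `try:` that follows, so a failure there (for example an unknown service user) will not go through whatever cleanup that block provides; worth checking that this is the intended behaviour.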

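Modeling the failure explained in the description and the ordering the patch adopts, as an added example that is not code from the bug, the patch or FreeIPA itself: the first function is my reading of the kernel's fs.protected_regular rule for regular files, installer_sequence_refused replays the mkstemp/chown/open sequence against it, and write_then_chown shows the patched order while writing through the mkstemp() descriptor instead of reopening by path, which is my variation, not the patch's. The function names, the Node stand-in and the 1001 service uid are assumptions.

```python
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class Node:
    """Stand-in for an inode: only the mode bits and owner uid matter here."""
    mode: int
    uid: int


def open_refused_by_protected_regular(dir_node, file_node, opener_uid,
                                      o_creat, protected_regular=1):
    """Model of the fs.protected_regular rule (fs/namei.c, may_create_in_sticky):
    an O_CREAT open of an existing regular file in a sticky directory that is
    world-writable (level 1) or also group-writable (level 2) gets EACCES unless
    the opener or the directory owner owns the file. open(path, "w") sets O_CREAT."""
    if protected_regular == 0 or not o_creat:
        return False
    if not stat.S_ISREG(file_node.mode) or not (dir_node.mode & stat.S_ISVTX):
        return False
    writable = bool(dir_node.mode & stat.S_IWOTH)
    if protected_regular >= 2:
        writable = writable or bool(dir_node.mode & stat.S_IWGRP)
    if not writable:
        return False
    return file_node.uid not in (dir_node.uid, opener_uid)


def installer_sequence_refused(chown_before_write, service_uid, opener_uid=0):
    """Replay krainstance.py: mkstemp() in /tmp, optional chown, open(cfg, "w").
    True means the write fails exactly as in the bug report."""
    tmp_dir = Node(mode=stat.S_IFDIR | 0o1777, uid=0)       # /tmp: root-owned, sticky
    cfg = Node(mode=stat.S_IFREG | 0o600, uid=opener_uid)   # file mkstemp() just made
    if chown_before_write:                                   # the pre-patch ordering
        cfg.uid = service_uid
    return open_refused_by_protected_regular(tmp_dir, cfg, opener_uid, o_creat=True)


def write_then_chown(content, uid=-1, gid=-1, directory=None):
    """The patched ordering: write as the creator, hand ownership over last.
    Writing through the mkstemp() descriptor avoids a second open() entirely."""
    fd, path = tempfile.mkstemp(prefix="tmp-", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chown(path, uid, gid)   # -1 leaves that id unchanged; no open() follows
    return path
```

installer_sequence_refused(True, 1001) reproduces the PermissionError ordering from the traceback, installer_sequence_refused(False, 1001) the ordering after the patch.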
Comment 2 François Cami 2019-04-10 09:50:44 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7906

Comment 3 François Cami 2019-04-11 08:05:15 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/cf42dc1f2930cba3fca144ad4b7c1c01e9ed9163

Comment 4 Rob Crittenden 2019-04-11 19:39:29 UTC
Fixed upstream
ipa-4-7:
https://pagure.io/freeipa/c/a0973db29e0074d0c0732973fe73418430fec9fc

Comment 5 Fedora Update System 2019-11-12 20:48:22 UTC
FEDORA-2019-75a963e4cb has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-75a963e4cb

Comment 6 Fedora Update System 2019-11-13 10:53:08 UTC
freeipa-4.8.2-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-75a963e4cb

Comment 7 Fedora Update System 2019-11-20 01:02:15 UTC
freeipa-4.8.2-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

