From 2d13921d545b57eed0a908eb0ffcfdd0262162c2 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Fri, 14 Jan 2022 15:08:19 -0500
Subject: [PATCH] Amend deployment initialize for consistent ownership

Depending on the options selected/not selected, the /var/lib/confluent directory may have been initialized incorrectly. Have all the potential paths begin with ensuring /var/lib/confluent is correct, and then use seteuid consistently to take care of the rest.
---
 confluent_server/bin/osdeploy | 8 ++++++++
 confluent_server/confluent/certutil.py | 12 ++++++++++++
 confluent_server/confluent/sshutil.py | 11 ++++++-----
 3 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/confluent_server/bin/osdeploy b/confluent_server/bin/osdeploy
index 1c72e6f4..e849cfd8 100644
--- a/confluent_server/bin/osdeploy
+++ b/confluent_server/bin/osdeploy
@@ -258,6 +258,14 @@ def initialize(cmdset):
 sys.exit(1)
 init_confluent_myname()
 sshutil.initialize_root_key(False)
+ if cmdset.t or cmdset.s or cmdset.a or cmdset.u:
+ neededuid = os.stat('/etc/confluent').st_uid
+ try:
+ os.makedirs('/var/lib/confluent')
+ os.chown('/var/lib/confluent', neededuid, -1)
+ except OSError as e:
+ if e.errno != 17:
+ raise
 if cmdset.t:
 didsomething = True
 init_confluent_myname()
diff --git a/confluent_server/confluent/certutil.py b/confluent_server/confluent/certutil.py
index 73060154..13f866f1 100644
--- a/confluent_server/confluent/certutil.py
+++ b/confluent_server/confluent/certutil.py
@@ -15,6 +15,15 @@ def get_openssl_conf_location():
 else:
 raise Exception("Cannot find openssl config file")
+def normalize_uid():
+ curruid = os.geteuid()
+ neededuid = os.stat('/etc/confluent').st_uid
+ if curruid != neededuid:
+ os.seteuid(neededuid)
+ if os.geteuid() != neededuid:
+ raise Exception('Need to run as root or owner of /etc/confluent')
+ return curruid
+
 def get_ip_addresses():
 lines, _ = util.run(['ip', 'addr'])
 if not isinstance(lines, str):
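Review bot: The `os.chown('/var/lib/confluent', neededuid, -1)` sits inside the `try` after `os.makedirs`, so when the directory already exists makedirs raises EEXIST, the `except` swallows it and the chown never runs; a pre-existing, wrongly owned /var/lib/confluent, which is the case the commit message describes, is left untouched. Move the chown to just after the `except` block so it runs in both cases, spell the literal `17` as `errno.EEXIST`, and give the top directory an explicit mode, `os.makedirs('/var/lib/confluent', mode=0o755)`, so its permissions do not depend on the caller's umask and match the `mode=0o755` used in sshutil. This block also runs after the preceding `sshutil.initialize_root_key(False)`, which in this same patch creates its directories with the effective uid swapped to the /etc/confluent owner; if /var/lib/confluent does not exist yet, that call would presumably fail with EACCES under root-owned /var/lib before this block gets to create it, so consider moving this block above that call. `initialize` starts outside the hunk.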
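Review bot: The `if os.geteuid() != neededuid:` check in `normalize_uid` is effectively dead: a failed `os.seteuid` raises OSError (EPERM) itself rather than leaving the uid unchanged, so an unprivileged caller gets a bare PermissionError and never sees the 'Need to run as root or owner of /etc/confluent' message. Catch the OSError and raise the descriptive exception from the handler instead, as below (plain `raise` inside the `except`, without `from e`, if the module still has to run on Python 2). A docstring is also warranted: the function only swaps the effective uid, leaving real and saved uid untouched, which is what lets a caller restore privileges with `os.seteuid(ouid)` using the returned value, but it also means that if it is ever passed as a subprocess `preexec_fn` (as sshutil does with its own `normalize_uid`) the child can regain root, so it is an ownership convenience rather than a privilege drop.
```python
def normalize_uid():
    # … unchanged: curruid / neededuid lookup …
    if curruid != neededuid:
        try:
            os.seteuid(neededuid)
        except OSError:
            raise Exception('Need to run as root or owner of /etc/confluent')
    return curruid
```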
@@ -96,11 +105,14 @@ def assure_tls_ca():
 os.remove(tmpconfig)
 fname = '/var/lib/confluent/public/site/tls/{0}.pem'.format(
 collective.get_myname())
+ ouid = normalize_uid()
 try:
 os.makedirs(os.path.dirname(fname))
 except OSError as e:
 if e.errno != 17:
 raise
+ finally:
+ os.seteuid(ouid)
 shutil.copy2('/etc/confluent/tls/cacert.pem', fname)
 hv, _ = util.run(
 ['openssl', 'x509', '-in', '/etc/confluent/tls/cacert.pem', '-hash', '-noout'])
diff --git a/confluent_server/confluent/sshutil.py b/confluent_server/confluent/sshutil.py
index b5511e70..0a5e1d9e 100644
--- a/confluent_server/confluent/sshutil.py
+++ b/confluent_server/confluent/sshutil.py
@@ -89,11 +89,14 @@ def initialize_ca():
 ['ssh-keygen', '-C', comment, '-t', 'ed25519', '-f',
 '/etc/confluent/ssh/ca', '-N', get_passphrase()],
 preexec_fn=normalize_uid)
+ ouid = normalize_uid()
 try:
 os.makedirs('/var/lib/confluent/public/site/ssh/', mode=0o755)
 except OSError as e:
 if e.errno != 17:
 raise
+ finally:
+ os.seteuid(ouid)
 cafilename = '/var/lib/confluent/public/site/ssh/{0}.ca'.format(myname)
 shutil.copy('/etc/confluent/ssh/ca.pub', cafilename)
 # newent = '@cert-authority * ' + capub.read()
@@ -167,16 +170,14 @@ def initialize_root_key(generate, automation=False):
 '-C', 'Confluent Automation by {}'.format(myname)],
 preexec_fn=normalize_uid)
 authorized = ['/etc/confluent/ssh/automation.pub']
+ ouid = normalize_uid()
 try:
 os.makedirs('/var/lib/confluent/public/site/ssh', mode=0o755)
- neededuid = os.stat('/etc/confluent').st_uid
- os.chown('/var/lib/confluent', neededuid, -1)
- os.chown('/var/lib/confluent/public', neededuid, -1)
- os.chown('/var/lib/confluent/public/site', neededuid, -1)
- os.chown('/var/lib/confluent/public/site/ssh', neededuid, -1)
 except OSError as e:
 if e.errno != 17:
 raise
+ finally:
+ os.seteuid(ouid)
 neededuid = os.stat('/etc/confluent').st_uid
 if automation:
 suffix = 'automationpubkey'
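Review bot: The euid is restored in the new `finally` before `shutil.copy2('/etc/confluent/tls/cacert.pem', fname)` runs, so only the directories are created as the /etc/confluent owner while the `{myname}.pem` file itself, when it does not already exist, is created with the caller's original euid, presumably root; that is the inconsistent ownership the commit sets out to remove. Keep the uid swap in effect across the copy by nesting the makedirs/except inside the try/finally, as below; this assumes cacert.pem is readable by that uid, which seems likely since it owns /etc/confluent. `assure_tls_ca` starts and ends outside the hunk.
```python
    ouid = normalize_uid()
    try:
        try:
            os.makedirs(os.path.dirname(fname))
        except OSError as e:
            if e.errno != 17:
                raise
        shutil.copy2('/etc/confluent/tls/cacert.pem', fname)
    finally:
        os.seteuid(ouid)
    # … unchanged: openssl x509 -hash lookup …
```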
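Review bot: `shutil.copy('/etc/confluent/ssh/ca.pub', cafilename)` runs after the `finally` has already switched the euid back, so the published `{myname}.ca` file is created with the caller's original euid while its parent directories belong to the /etc/confluent owner; if the aim is consistent ownership under /var/lib/confluent/public, the copy should happen inside the swapped-uid window too. Wrap the makedirs/except and the copy in one try/finally, as below, so `os.seteuid(ouid)` runs after the copy regardless of outcome. `initialize_ca` starts and ends outside the hunk.
```python
    ouid = normalize_uid()
    try:
        try:
            os.makedirs('/var/lib/confluent/public/site/ssh/', mode=0o755)
        except OSError as e:
            if e.errno != 17:
                raise
        cafilename = '/var/lib/confluent/public/site/ssh/{0}.ca'.format(myname)
        shutil.copy('/etc/confluent/ssh/ca.pub', cafilename)
    finally:
        os.seteuid(ouid)
    # … unchanged: cert-authority entry handling …
```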
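Review bot: With the chown calls removed, `os.makedirs('/var/lib/confluent/public/site/ssh', mode=0o755)` now runs with the euid swapped to the /etc/confluent owner, so it can only succeed if /var/lib/confluent already exists and is writable by that uid; a non-root euid presumably cannot create it under root-owned /var/lib, and the resulting EACCES is re-raised because it is not 17. The osdeploy change in this patch creates that directory as root, but does so after its call to `initialize_root_key(False)`, so the precondition may not hold on a fresh install, assuming this makedirs is reached for generate=False, which the hunk does not show. Document the dependency above the `ouid = normalize_uid()` line with `# Precondition: /var/lib/confluent exists and is owned by the /etc/confluent owner (osdeploy initialize creates it); as that uid we cannot create it ourselves.` and have the caller create it first. `initialize_root_key` starts and ends outside the hunk.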