[Yum-devel] [PATCH] Try to workaround the case where non-root users can't read certs. BZ 690904.
seth vidal
skvidal at fedoraproject.org
Tue Feb 14 21:12:12 UTC 2012
On Tue, 14 Feb 2012 16:05:56 -0500
James Antill <james at and.org> wrote:
> ---
> docs/yum.conf.5 | 13 +++++++++++++
> yum/__init__.py | 12 ++++++++++++
> yum/config.py | 2 ++
> 3 files changed, 27 insertions(+), 0 deletions(-)
>
> diff --git a/docs/yum.conf.5 b/docs/yum.conf.5
> index 59bd779..babf66d 100644
> --- a/docs/yum.conf.5
> +++ b/docs/yum.conf.5
> @@ -376,6 +376,15 @@ Path to the SSL client key yum should use to
> connect to repos/remote sites Defaults to none.
>
> .IP
> +\fBssl_check_cert_permissions \fR
> +Boolean - Whether yum should check the permissions on the paths for
> the +certificates on the repository (both remote and local). If we
> can't read any of +the files then yum will force skip_if_unavailable
> to be true. +This is most useful for non-root processes which use yum
> on repos. that have +client cert files which are readable only by
> root. +Defaults to True.
> +
> +.IP
> \fBhistory_record \fR
> Boolean - should yum record history entries for transactions. This
> takes some disk space, and some extra time in the transactions. But
> it allows how to know a @@ -843,6 +852,10 @@ repository.
> Overrides the \fBsslclientkey\fR option from the [main] section for
> this repository.
>
> +.IP
> +\fBssl_check_cert_permissions \fR
> +Overrides the \fBssl_check_cert_permissions\fR option from the
> [main] section +for this repository.
>
> .IP
> \fBmetadata_expire \fR
> diff --git a/yum/__init__.py b/yum/__init__.py
> index 29305d2..1ffdc35 100644
> --- a/yum/__init__.py
> +++ b/yum/__init__.py
> @@ -491,6 +491,18 @@ class YumBase(depsolve.Depsolve):
> if validate and not validate(thisrepo):
> continue
>
> + if thisrepo.ssl_check_cert_permissions:
> + for fn in (thisrepo.sslcacert,
> + thisrepo.sslclientcert,
> thisrepo.sslclientkey):
> + if not fn:
> + continue
> + # If we can't read the SSL certs. we need to
> skip the repo.
> + # if we don't have all the data.
> + if not os.access(fn, os.R_OK):
> + msg="Repo %s forced skip_if_unavailable=True
> due to: %s"
> + self.logger.warning(msg % (thisrepo.id, fn))
> + thisrepo.skip_if_unavailable = True
> +
> # Got our list of repo objects, add them to the repos
> # collection
> try:
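Review bot: The `os.access(fn, os.R_OK)` test on the added lines is a check-then-use probe, not a guarantee: it answers for the real UID at repo-setup time, so it can disagree with the later open of the cert (presumably done by the fetcher under a different effective UID, or after permissions change), and a missing file also yields False. That is fine as a best-effort hint, but the warning should say why the repo was downgraded so an operator can tell "unreadable" from "missing", e.g. `msg = "Repo %s forced skip_if_unavailable=True because %s is missing or not readable"`. Since forcing skip_if_unavailable drops the repo from resolution with only a warning, a non-root run can end up resolving against a different repo set than root would; a one-line comment stating that this is the intended trade-off would help the next reader. The enclosing method starts before the hunk.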
> diff --git a/yum/config.py b/yum/config.py
> index 3beac89..a683f23 100644
> --- a/yum/config.py
> +++ b/yum/config.py
> @@ -837,6 +837,7 @@ class YumConf(StartupConf):
> sslverify = BoolOption(True)
> sslclientcert = Option()
> sslclientkey = Option()
> + ssl_check_cert_permissions = BoolOption(True)
>
> history_record = BoolOption(True)
> history_record_packages = ListOption(['yum', 'rpm'])
> @@ -952,6 +953,7 @@ class RepoConf(BaseConfig):
> sslverify = Inherit(YumConf.sslverify)
> sslclientcert = Inherit(YumConf.sslclientcert)
> sslclientkey = Inherit(YumConf.sslclientkey)
> + ssl_check_cert_permissions = Inherit(YumConf.sslclientkey)
>
> skip_if_unavailable = BoolOption(False)
>
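Review bot: `ssl_check_cert_permissions = Inherit(YumConf.sslclientkey)` in RepoConf inherits the wrong option; it should read `ssl_check_cert_permissions = Inherit(YumConf.ssl_check_cert_permissions)`. As written the repo-level value falls back to the [main] `sslclientkey` path (a plain Option, default none) instead of the new BoolOption, so `if thisrepo.ssl_check_cert_permissions:` in yum/__init__.py is false unless a client key is configured in [main], and the permission check is silently disabled for every repo that does not set the option itself. A per-repo override would presumably also be parsed with the key option's type rather than as a boolean, which the man page change does not reflect.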
ACK - makes sense to me.
-sv