From 912b360f90385eda0b8ec2c0acee468f070190ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20K=C3=A1cha?= <ph@cesnet.cz>
Date: Tue, 25 Jul 2017 14:42:30 +0200
Subject: [PATCH] Better error reporting on unreadable client files, group
 loose umask and file perms to allow webserver access

---
 warden3/contrib/warden_ra/warden_ra.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/warden3/contrib/warden_ra/warden_ra.py b/warden3/contrib/warden_ra/warden_ra.py
index f9e26c9..b7400c3 100755
--- a/warden3/contrib/warden_ra/warden_ra.py
+++ b/warden3/contrib/warden_ra/warden_ra.py
@@ -84,14 +84,20 @@ class OpenSSLRegistry(object):
         self.log = log
         self.subject_dn_template = subject_dn_template
         self.openssl_sign = openssl_sign
+        os.umask(0o0002)    # read privilege for usual apache group
 
     def get_clients(self):
         return [self.get_client(c) for c in os.listdir(self.client_dir) if pth.isdir(pth.join(self.client_dir, c))]
 
     def get_client(self, name):
         config = ConfigParser.RawConfigParser()
-        if not config.read(pth.join(self.client_dir, name, "state")):
-            return None
+        try:
+            with open(pth.join(self.client_dir, name, "state")) as cf:
+                config.readfp(cf)
+        except IOError as e:
+            if e.errno == errno.ENOENT:
+                return None
+            raise
         datum = dict(config.items("Client"))
         return Client(name, admins=datum["admins"].split(","), status=datum["status"], pwd=datum.get("password"))
 
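Review bot: The `os.umask(0o0002)` added in the constructor is a process-wide setting, so every file the process creates after an `OpenSSLRegistry` is built inherits it, not just this registry's files, and it grants group write while the trailing comment promises only "read privilege"; the previous umask is also never restored. Since the second hunk already sets explicit permissions on the state file with `os.chmod`, consider dropping the global umask or, if the client directories also need group access, setting it only around the creation calls: `old = os.umask(0o002)` … `os.umask(old)` in a `finally`, and reword the comment to `# group read/write for the usual apache group`. The `except IOError` branch relies on `errno.ENOENT`; if `errno` is not already imported at the top of this file (not visible in the hunk), this path raises `NameError` on a missing state file instead of returning `None`. The enclosing `__init__` starts above the hunk.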
@@ -116,6 +122,7 @@ class OpenSSLRegistry(object):
                 raise
         with tempfile.NamedTemporaryFile(dir=client_path, delete=False) as cf:
             config.write(cf)
+        os.chmod(cf.name, 0o660)    # read privilege for usual apache group
         os.rename(cf.name, pth.join(client_path, "state")) # atomic + rewrite, so no need for locking
 
     def get_certs(self, client):
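Review bot: `os.chmod(cf.name, 0o660)` makes the client state file writable by the whole group, whereas the comment on the same line and the commit message only call for read access by the web server; a group-writable state file lets any member of that group change a client's status, admins or password. If the web server only reads, `os.chmod(cf.name, 0o640)    # read privilege for usual apache group` is the least-privilege choice; if it genuinely writes state too, the comment should say so rather than "read privilege". Doing the chmod before `os.rename` is correct, since the file only becomes visible under its final name afterwards. The enclosing method starts above this hunk.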
-- 
GitLab