From 3a07842d56f74a727ab8dc17407478349a5c0bb2 Mon Sep 17 00:00:00 2001
From: Firstyear
Date: Sun, 1 May 2022 13:34:19 +1000
Subject: [PATCH] 20220501 fix logging (#730)
---
 kanidm_book/src/administrivia.md | 3 +++
 kanidm_book/src/server_configuration.md | 16 ++++++++--------
 kanidm_client/src/lib.rs | 9 +++++----
 project_docs/RELEASE_CHECKLIST.md | 8 ++++++++
 4 files changed, 24 insertions(+), 12 deletions(-)
diff --git a/kanidm_book/src/administrivia.md b/kanidm_book/src/administrivia.md
index 79d6c2fa0..060f8af43 100644
--- a/kanidm_book/src/administrivia.md
+++ b/kanidm_book/src/administrivia.md
@@ -151,6 +151,9 @@ Third, trigger the database domain rename process.
 docker run --rm -i -t -v kandimd:/data \
 kanidm/server:latest /sbin/kanidmd domain_name_change -c /data/server.toml
+
+Finally, you can now start your instance again.
+
 docker start
 # Raw actions
diff --git a/kanidm_book/src/server_configuration.md b/kanidm_book/src/server_configuration.md
index b647a76bc..e76bc3a9b 100644
--- a/kanidm_book/src/server_configuration.md
+++ b/kanidm_book/src/server_configuration.md
@@ -83,22 +83,22 @@ You will also need a config file in the volume named `server.toml` (Within the c
 An example is located in [examples/server.toml](../../examples/server.toml).
-### Domain Name
+> **WARNING** You MUST set the `domain` name correctly, aligned with your `origin`, else the server
+> may refuse to start, or some features (e.g. webauthn, oauth) may not work correctly!
-You then *MUST* set your domain name so that security principal names (spn's) are generated correctly.
-This domain name _must_ match the url/origin of the server that you plan to use to interact with
-so that other features work correctly. It is possible to change this domain name later.
+### Check the configuration is valid.
- docker run --rm -i -t -v kanidmd:/data kanidm/server:latest /sbin/kanidmd domain_name_change -c /data/server.toml -n idm.example.com
+You should test your configuration is valid before you proceed.
-> **WARNING** You MUST set the domain name correctly, aligned with your origin, else the server
-> may refuse to start, or some features may not work correctly!
+ docker run --rm -i -t -v kandimd:/data \
+ kanidm/server:latest /sbin/kanidmd configtest -c /data/server.toml
 ### Default Admin Account
 Then you can setup the initial admin account and initialise the database into your volume.
- docker run --rm -i -t -v kanidmd:/data kanidm/server:latest /sbin/kanidmd recover_account -c /data/server.toml -n admin
+ docker run --rm -i -t -v kanidmd:/data \
+ kanidm/server:latest /sbin/kanidmd recover_account -c /data/server.toml -n admin
 ### Run the Server
diff --git a/kanidm_client/src/lib.rs b/kanidm_client/src/lib.rs
index 1738d4808..3347fd458 100644
--- a/kanidm_client/src/lib.rs
+++ b/kanidm_client/src/lib.rs
@@ -122,10 +122,6 @@ impl KanidmClientBuilder {
 let path = Path::new(ca_path);
 let ca_meta = read_file_metadata(&path)?;
- if !ca_meta.permissions().readonly() {
- warn!("permissions on {} may not be secure. Should be readonly to running uid. This could be a security risk ...", ca_path);
- }
-
 #[cfg(target_family = "unix")]
 if ca_meta.uid() != 0 || ca_meta.gid() != 0 {
 warn!(
@@ -133,6 +129,11 @@ impl KanidmClientBuilder {
 ca_path
 );
 }
+
+ #[cfg(target_family = "unix")]
+ if ca_meta.mode() != 0o644 {
+ warn!("permissions on {} may not be secure. Should be set to 0644. This could be a security risk ...", ca_path);
+ }
 }
 // TODO #725: Handle these errors better, or at least provide diagnostics - this currently fails silently
diff --git a/project_docs/RELEASE_CHECKLIST.md b/project_docs/RELEASE_CHECKLIST.md
index db2e10d8f..68ab0f8b2 100644
--- a/project_docs/RELEASE_CHECKLIST.md
+++ b/project_docs/RELEASE_CHECKLIST.md
@@ -13,10 +13,18 @@
 * cargo test
 * Update RELEASE_NOTES.md
+* git commit
 * cargo release --no-dev-version --skip-push --skip-publish --skip-tag 1.1.0-alpha.X
 * git rebase -i HEAD~X
 * git tag v1.1.0-alpha.x
+* git branch v1.1.0-alpha.x
+* git checkout v1.1.0-alpha.x
+
+// Check it
+
+* git push origin v1.1.0-alpha.x
+* git push origin master
 * release kanidm_proto
 * release kanidmd/kanidm
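Review bot: `ca_meta.mode()` from `std::os::unix::fs::MetadataExt` returns the whole `st_mode`, file-type bits included, so for a regular CA file the value is 0o100644 rather than 0o644 and the new comparison in the second lib.rs hunk fires on every correctly-permissioned file, which looks like the same always-warning behaviour the first hunk removes for `readonly()`. Mask the permission bits before comparing, `if ca_meta.mode() & 0o777 != 0o644 {`, or, since the risk being flagged is that the trust anchor can be modified by other users, warn only when group or other write bits are set: `if ca_meta.mode() & 0o022 != 0 {`. The second form also stops the warning for stricter modes such as 0o600 or 0o444, which are not a security problem. The enclosing KanidmClientBuilder method starts and ends outside both hunks, and the removed cross-platform `readonly()` check leaves non-unix targets with no permission warning at all, which may be worth a comment.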