sssd/0001-Tighten-up-permission.patch

77 lines
2.7 KiB
Diff
Raw Normal View History

From 5ab9ed3c42781ae1911d253d56d67dc0288d55f7 Mon Sep 17 00:00:00 2001
From: Simo Sorce <ssorce@redhat.com>
Date: Mon, 28 Sep 2009 07:51:26 -0400
Subject: [PATCH 1/2] Tighten up permission.
SSSD may contain passwords and other sensitive data, make sure we always keep its
permission tight. Also make /etc/sssd permission very strict, just in case,
admins may inadvertently copy an sssd.conf file without checking it's
permissions.
---
contrib/sssd.spec.in | 2 +-
server/upgrade/upgrade_config.py | 13 ++++++++++++-
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 5dc45d2..9513a6b 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -129,7 +129,7 @@ rm -rf $RPM_BUILD_ROOT
%attr(755,root,root) %dir %{pipepath}
%attr(700,root,root) %dir %{pipepath}/private
%attr(750,root,root) %dir %{_var}/log/%{name}
-%dir %{_sysconfdir}/sssd
+%attr(700,root,root) %dir %{_sysconfdir}/sssd
%config(noreplace) %{_sysconfdir}/sssd/sssd.conf
%{_mandir}/man5/sssd.conf.5*
%{_mandir}/man5/sssd-krb5.5*
diff --git a/server/upgrade/upgrade_config.py b/server/upgrade/upgrade_config.py
index 412fad5..87e3990 100644
--- a/server/upgrade/upgrade_config.py
+++ b/server/upgrade/upgrade_config.py
@@ -20,6 +20,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+import os
import sys
import shutil
import traceback
@@ -91,6 +92,9 @@ class SSSDConfigFile(object):
" Copy the file we operate on to a backup location "
shutil.copy(self.file_name, self.file_name+".bak")
+ # make sure we don't leak data, force permissions on the backup
+ os.chmod(self.file_name+".bak", 0600)
+
def _migrate_if_exists(self, to_section, to_option, from_section, from_option):
"""
Move value of parameter from one section to another, renaming the parameter
@@ -281,8 +285,12 @@ class SSSDConfigFile(object):
# Migrate domains
self._migrate_domains()
- # all done, write the file
+ # all done, open the file for writing
of = open(out_file_name, "wb")
+
+ # make sure it has the right permissions too
+ os.chmod(out_file_name, 0600)
+
self._new_config.write(of)
def parse_options():
@@ -337,6 +345,9 @@ def main():
print >>sys.stderr, "Can only upgrade from v1 to v2, file %s looks like version %d" % (options.filename, config.get_version())
return 1
+ # make sure we keep strict settings when creating new files
+ os.umask(0077)
+
try:
config.upgrade_v2(options.outfile, options.backup)
except Exception, e:
--
1.6.2.5