Add two patches

1) Ensure that the configuration upgrade script always writes the config file with 0600 permissions 2) Eliminate an infinite loop in group enumerations
2009-09-29 12:19:20 +00:00 · 2009-09-29 12:19:20 +00:00 · 4c45356ecc
commit 4c45356ecc
parent 7a716e3c15
3 changed files with 143 additions and 0 deletions
--- a/0001-Tighten-up-permission.patch
+++ b/0001-Tighten-up-permission.patch
@ -0,0 +1,76 @@
 From 5ab9ed3c42781ae1911d253d56d67dc0288d55f7 Mon Sep 17 00:00:00 2001
 From: Simo Sorce <ssorce@redhat.com>
 Date: Mon, 28 Sep 2009 07:51:26 -0400
 Subject: [PATCH 1/2] Tighten up permission.
 SSSD may contain passwords and other sensitive data, make sure we always keep its
 permission tight. Also make /etc/sssd permission very strict, just in case,
 admins may inadvertently copy an sssd.conf file without checking it's
 permissions.
 ---
 contrib/sssd.spec.in             |    2 +-
 server/upgrade/upgrade_config.py |   13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)
 diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
 index 5dc45d2..9513a6b 100644
 --- a/contrib/sssd.spec.in
 +++ b/contrib/sssd.spec.in
@@ -129,7 +129,7 @@ rm -rf $RPM_BUILD_ROOT
 %attr(755,root,root) %dir %{pipepath}
 %attr(700,root,root) %dir %{pipepath}/private
 %attr(750,root,root) %dir %{_var}/log/%{name}
 -%dir %{_sysconfdir}/sssd
 +%attr(700,root,root) %dir %{_sysconfdir}/sssd
 %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
 %{_mandir}/man5/sssd.conf.5*
 %{_mandir}/man5/sssd-krb5.5*
 diff --git a/server/upgrade/upgrade_config.py b/server/upgrade/upgrade_config.py
 index 412fad5..87e3990 100644
 --- a/server/upgrade/upgrade_config.py
 +++ b/server/upgrade/upgrade_config.py
@@ -20,6 +20,7 @@
 #  You should have received a copy of the GNU General Public License
 #  along with this program.  If not, see <http://www.gnu.org/licenses/>.
 +import os
 import sys
 import shutil
 import traceback
@@ -91,6 +92,9 @@ class SSSDConfigFile(object):
         " Copy the file we operate on to a backup location "
         shutil.copy(self.file_name, self.file_name+".bak")
 +        # make sure we don't leak data, force permissions on the backup
 +        os.chmod(self.file_name+".bak", 0600)
 +
     def _migrate_if_exists(self, to_section, to_option, from_section, from_option):
         """
         Move value of parameter from one section to another, renaming the parameter
@@ -281,8 +285,12 @@ class SSSDConfigFile(object):
         # Migrate domains
         self._migrate_domains()
 -        # all done, write the file
 +        # all done, open the file for writing
         of = open(out_file_name, "wb")
 +
 +        # make sure it has the right permissions too
 +        os.chmod(out_file_name, 0600)
 +
         self._new_config.write(of)
 def parse_options():
@@ -337,6 +345,9 @@ def main():
         print >>sys.stderr, "Can only upgrade from v1 to v2, file %s looks like version %d" % (options.filename, config.get_version())
         return 1
 +    # make sure we keep strict settings when creating new files
 +    os.umask(0077)
 +
     try:
         config.upgrade_v2(options.outfile, options.backup)
     except Exception, e:
 -- 
 1.6.2.5
--- a/0002-Fix-infinite-loop-with-empty-group-enumeration.patch
+++ b/0002-Fix-infinite-loop-with-empty-group-enumeration.patch
@ -0,0 +1,61 @@
 From 5cada7fa7f822ac064f3f5d452f7f32fc4595bd4 Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher <sgallagh@redhat.com>
 Date: Tue, 29 Sep 2009 07:34:30 -0400
 Subject: [PATCH 2/2] Fix infinite loop with empty group enumeration
 Loop control variable was not being incremented.
 I also converted a goto loop into a do...while loop to make it
 easier to follow the logic.
 ---
 server/responder/nss/nsssrv_cmd.c |   28 +++++++++++++++-------------
 1 files changed, 15 insertions(+), 13 deletions(-)
 diff --git a/server/responder/nss/nsssrv_cmd.c b/server/responder/nss/nsssrv_cmd.c
 index 8ca0be6..ebfd1d5 100644
 --- a/server/responder/nss/nsssrv_cmd.c
 +++ b/server/responder/nss/nsssrv_cmd.c
@@ -2645,26 +2645,28 @@ static int nss_cmd_retgrent(struct cli_ctx *cctx, int num)
     nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
     gctx = nctx->gctx;
 -retry:
 -    if (gctx->cur >= gctx->num) goto none;
 -
 -    gdom = &gctx->doms[gctx->cur];
 +    do {
 +        if (gctx->cur >= gctx->num) goto none;
 -    n = gdom->res->count - gdom->cur;
 -    if (n == 0 && (gctx->cur+1 < gctx->num)) {
 -        gctx->cur++;
         gdom = &gctx->doms[gctx->cur];
 +
         n = gdom->res->count - gdom->cur;
 -    }
 +        if (n == 0 && (gctx->cur+1 < gctx->num)) {
 +            gctx->cur++;
 +            gdom = &gctx->doms[gctx->cur];
 +            n = gdom->res->count - gdom->cur;
 +        }
 -    if (!n) goto none;
 +        if (!n) goto none;
 -    msgs = &(gdom->res->msgs[gdom->cur]);
 +        msgs = &(gdom->res->msgs[gdom->cur]);
 -    ret = fill_grent(cctx->creq->out, gdom->domain, nctx, true, msgs, num, &n);
 -    if (ret == ENOENT) goto retry;
 +        ret = fill_grent(cctx->creq->out, gdom->domain, nctx, true, msgs, num, &n);
 +
 +        gdom->cur += n;
 +
 +    } while(ret == ENOENT);
 -    gdom->cur += n;
     return ret;
 none:
 -- 
 1.6.2.5
--- a/sssd.spec
+++ b/sssd.spec
@ -15,6 +15,9 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 ### Patches ###
 Patch1: 0001-Tighten-up-permission.patch
 Patch2: 0002-Fix-infinite-loop-with-empty-group-enumeration.patch
 ### Dependencies ###
 Requires: libldb >= 0.9.3
@ -74,6 +77,9 @@ service.
 %prep
 %setup -q
 %patch1 -p1 -b .tighten_permission
 %patch2 -p1 -b .infinite_group_loop
 %build
 %configure \
    --without-tests \