4b1fe8a0ab
Together with the patches backported from upstream, we're changing the deskprofilepath permissions from 755 to 751, reflecting the upstream spec file changes.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
51 lines
1.8 KiB
Diff
From 2c5b03913c54234efdabcff83de368bae72dc799 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Sat, 20 Jan 2018 23:58:14 +0100
Subject: [PATCH 85/88] DESKPROFILE: Fix the permissions and soften the umask
 for user's dir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The user dir has been created as 0600 and owned by the user. It doesn't
work anymore as CAP_DAC_OVERRIDE has been dropped from our systemd
service upstream.

In order to have it working again, let's change it to 0700 (as the
executable bit is needed for creating a file inside a folder) and soften
the default umask from (0177) to (0077) to be able to create this dir.

This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora
package.

Resolves:
https://pagure.io/SSSD/sssd/issue/3621

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Simo Sorce <simo@redhat.com>
---
src/providers/ipa/ipa_deskprofile_rules_util.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
index 989f3aadd..0846b16f6 100644
--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
@@ -264,7 +264,11 @@ ipa_deskprofile_rules_create_user_dir(
goto done;
}
- ret = sss_create_dir(domain_dir, shortname, 0600, uid, gid);
+ /* In order to read, create and traverse the directory, we need to have its
+ * permissions set as 'rwx------' (700). */
+ old_umask = umask(0077);
+ ret = sss_create_dir(domain_dir, shortname, 0700, uid, gid);
+ umask(old_umask);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Failed to create the directory \"%s/%s/%s\" that would be used "
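Review bot: The mode change at the sss_create_dir() call only takes effect when the directory is created, and the commit message says earlier builds created it as 0600; nothing in this hunk repairs a user directory that already exists with that mode. If sss_create_dir() leaves an existing directory untouched, upgraded hosts will keep failing without CAP_DAC_OVERRIDE, so consider an explicit chmod to 0700 on the existing path or a documented cleanup step. Two smaller points: old_umask is assigned here but its declaration is not part of this hunk (the diffstat counts only these 5 insertions), so please confirm it is declared as mode_t earlier in ipa_deskprofile_rules_create_user_dir(); and umask() is process-wide, so keeping the umask(0077) / umask(old_umask) window limited to this single call, as done here, is the right scope and is worth stating in the comment.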
--
2.14.3