4c45356ecc
1) Ensure that the configuration upgrade script always writes the config file with 0600 permissions 2) Eliminate an infinite loop in group enumerations
77 lines
2.7 KiB
Diff
77 lines
2.7 KiB
Diff
From 5ab9ed3c42781ae1911d253d56d67dc0288d55f7 Mon Sep 17 00:00:00 2001
|
|
From: Simo Sorce <ssorce@redhat.com>
|
|
Date: Mon, 28 Sep 2009 07:51:26 -0400
|
|
Subject: [PATCH 1/2] Tighten up permission.
|
|
|
|
SSSD may contain passwords and other sensitive data, make sure we always keep its
|
|
permission tight. Also make /etc/sssd permission very strict, just in case,
|
|
admins may inadvertently copy an sssd.conf file without checking it's
|
|
permissions.
|
|
---
|
|
contrib/sssd.spec.in | 2 +-
|
|
server/upgrade/upgrade_config.py | 13 ++++++++++++-
|
|
2 files changed, 13 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
|
|
index 5dc45d2..9513a6b 100644
|
|
--- a/contrib/sssd.spec.in
|
|
+++ b/contrib/sssd.spec.in
|
|
@@ -129,7 +129,7 @@ rm -rf $RPM_BUILD_ROOT
|
|
%attr(755,root,root) %dir %{pipepath}
|
|
%attr(700,root,root) %dir %{pipepath}/private
|
|
%attr(750,root,root) %dir %{_var}/log/%{name}
|
|
-%dir %{_sysconfdir}/sssd
|
|
+%attr(700,root,root) %dir %{_sysconfdir}/sssd
|
|
%config(noreplace) %{_sysconfdir}/sssd/sssd.conf
|
|
%{_mandir}/man5/sssd.conf.5*
|
|
%{_mandir}/man5/sssd-krb5.5*
|
|
diff --git a/server/upgrade/upgrade_config.py b/server/upgrade/upgrade_config.py
|
|
index 412fad5..87e3990 100644
|
|
--- a/server/upgrade/upgrade_config.py
|
|
+++ b/server/upgrade/upgrade_config.py
|
|
@@ -20,6 +20,7 @@
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
+import os
|
|
import sys
|
|
import shutil
|
|
import traceback
|
|
@@ -91,6 +92,9 @@ class SSSDConfigFile(object):
|
|
" Copy the file we operate on to a backup location "
|
|
shutil.copy(self.file_name, self.file_name+".bak")
|
|
|
|
+ # make sure we don't leak data, force permissions on the backup
|
|
+ os.chmod(self.file_name+".bak", 0600)
|
|
+
|
|
def _migrate_if_exists(self, to_section, to_option, from_section, from_option):
|
|
"""
|
|
Move value of parameter from one section to another, renaming the parameter
|
|
@@ -281,8 +285,12 @@ class SSSDConfigFile(object):
|
|
# Migrate domains
|
|
self._migrate_domains()
|
|
|
|
- # all done, write the file
|
|
+ # all done, open the file for writing
|
|
of = open(out_file_name, "wb")
|
|
+
|
|
+ # make sure it has the right permissions too
|
|
+ os.chmod(out_file_name, 0600)
|
|
+
|
|
self._new_config.write(of)
|
|
|
|
def parse_options():
|
|
@@ -337,6 +345,9 @@ def main():
|
|
print >>sys.stderr, "Can only upgrade from v1 to v2, file %s looks like version %d" % (options.filename, config.get_version())
|
|
return 1
|
|
|
|
+ # make sure we keep strict settings when creating new files
|
|
+ os.umask(0077)
|
|
+
|
|
try:
|
|
config.upgrade_v2(options.outfile, options.backup)
|
|
except Exception, e:
|
|
--
|
|
1.6.2.5
|
|
|