Ensure the SSSDConfig creates sssd.conf with the correct mode

author: Stephen Gallagher <sgallagh@redhat.com> 2010-03-19 14:07:00 -0400
committer: Stephen Gallagher <sgallagh@redhat.com> 2010-03-22 08:34:16 -0400
commit: 369975ab6d7c45916e0e2739eb5449879c32b6f8 (patch)
tree: 181dfa2ef15eee86d813c9fbee3cedcef19d0dde
parent: b3f76cd4c5cacaad7580f953f3c17ab019d89330 (diff)
download: sssd-369975ab6d7c45916e0e2739eb5449879c32b6f8.tar.gz
sssd-369975ab6d7c45916e0e2739eb5449879c32b6f8.tar.xz
sssd-369975ab6d7c45916e0e2739eb5449879c32b6f8.zip
2 files changed, 87 insertions, 4 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index d073a6832..84af11bf2 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -1194,10 +1194,12 @@ class SSSDConfig(SSSDChangeConf):
             outputfile = self.configfile
 
         # open() will raise IOError if it fails
+        old_umask = os.umask(0177)
         of = open(outputfile, "wb")
         output = self.dump(self.opts)
         of.write(output)
         of.close()
+        os.umask(old_umask)
 
     def list_services(self):
         """
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 7e882e74d..2d637bb99 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -5,6 +5,8 @@ Created on Sep 18, 2009
 @author: sgallagh
 '''
 import unittest
+import os
+from stat import *
 
 import SSSDConfig
 
@@ -119,7 +121,27 @@ class SSSDConfigTestValid(unittest.TestCase):
         local_domain.set_active(True)
         sssdconfig.save_domain(local_domain)
 
-        sssdconfig.write('/tmp/testCreateNewLocalConfig.conf')
+        of = '/tmp/testCreateNewLocalConfig.conf'
+
+        #Ensure the output file doesn't exist
+        try:
+            os.unlink(of)
+        except:
+            pass
+
+        #Write out the file
+        sssdconfig.write(of)
+
+        #Verify that the output file has the correct permissions
+        mode = os.stat(of)[ST_MODE]
+
+        #Output files should not be readable or writable by
+        #non-owners, and should not be executable by anyone
+        self.assertFalse(S_IMODE(mode) & 0177)
+
+        #Remove the output file
+        os.unlink(of)
+
 
     def testCreateNewLDAPConfig(self):
         sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
@@ -133,7 +155,26 @@ class SSSDConfigTestValid(unittest.TestCase):
         ldap_domain.set_active(True)
         sssdconfig.save_domain(ldap_domain)
 
-        sssdconfig.write('/tmp/testCreateNewLDAPConfig.conf')
+        of = '/tmp/testCreateNewLDAPConfig.conf'
+
+        #Ensure the output file doesn't exist
+        try:
+            os.unlink(of)
+        except:
+            pass
+
+        #Write out the file
+        sssdconfig.write(of)
+
+        #Verify that the output file has the correct permissions
+        mode = os.stat(of)[ST_MODE]
+
+        #Output files should not be readable or writable by
+        #non-owners, and should not be executable by anyone
+        self.assertFalse(S_IMODE(mode) & 0177)
+
+        #Remove the output file
+        os.unlink(of)
 
     def testModifyExistingConfig(self):
         sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
@@ -148,7 +189,26 @@ class SSSDConfigTestValid(unittest.TestCase):
         ldap_domain.set_active(True)
         sssdconfig.save_domain(ldap_domain)
 
-        sssdconfig.write('/tmp/testModifyExistingConfig.conf')
+        of = '/tmp/testModifyExistingConfig.conf'
+
+        #Ensure the output file doesn't exist
+        try:
+            os.unlink(of)
+        except:
+            pass
+
+        #Write out the file
+        sssdconfig.write(of)
+
+        #Verify that the output file has the correct permissions
+        mode = os.stat(of)[ST_MODE]
+
+        #Output files should not be readable or writable by
+        #non-owners, and should not be executable by anyone
+        self.assertFalse(S_IMODE(mode) & 0177)
+
+        #Remove the output file
+        os.unlink(of)
 
     def testSpaces(self):
         sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
@@ -1412,7 +1472,28 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
                          'cn=accounts, dc=example, dc=com')
 
         sssdconfig.save_domain(domain)
-        sssdconfig.write('/tmp/testSaveDomain.out')
+
+        of = '/tmp/testSaveDomain.out'
+
+        #Ensure the output file doesn't exist
+        try:
+            os.unlink(of)
+        except:
+            pass
+
+        #Write out the file
+        sssdconfig.write(of)
+
+        #Verify that the output file has the correct permissions
+        mode = os.stat(of)[ST_MODE]
+
+        #Output files should not be readable or writable by
+        #non-owners, and should not be executable by anyone
+        self.assertFalse(S_IMODE(mode) & 0177)
+
+        #Remove the output file
+        os.unlink(of)
+
 
         domain2 = sssdconfig.get_domain('example.com2')
         self.assertTrue(domain2.get_option('ldap_krb5_init_creds'))
author	Stephen Gallagher <sgallagh@redhat.com>	2010-03-19 14:07:00 -0400
committer	Stephen Gallagher <sgallagh@redhat.com>	2010-03-22 08:34:16 -0400
commit	369975ab6d7c45916e0e2739eb5449879c32b6f8 (patch)
tree	181dfa2ef15eee86d813c9fbee3cedcef19d0dde
parent	b3f76cd4c5cacaad7580f953f3c17ab019d89330 (diff)
download	sssd-369975ab6d7c45916e0e2739eb5449879c32b6f8.tar.gz sssd-369975ab6d7c45916e0e2739eb5449879c32b6f8.tar.xz sssd-369975ab6d7c45916e0e2739eb5449879c32b6f8.zip