diff options
| author | Jakub Hrozek <jhrozek@redhat.com> | 2015-06-16 13:22:32 +0200 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-06-16 18:27:39 +0200 |
| commit | dbfc407eef1d9ba2469687c3ffbe7fd8bb111d94 (patch) | |
| tree | 76d1a16921daf6d9a5ca1d594414d22ff591152b | |
| parent | a5bb518446d5ce565d7ba819590a009cabb0b0b4 (diff) | |
| download | sssd-dbfc407eef1d9ba2469687c3ffbe7fd8bb111d94.tar.gz sssd-dbfc407eef1d9ba2469687c3ffbe7fd8bb111d94.tar.xz sssd-dbfc407eef1d9ba2469687c3ffbe7fd8bb111d94.zip | |
BUILD: Store keytabs in /var/lib/sss/keytabs
Make sure the directory is only accessible to the sssd user
Reviewed-by: Michal Židek <mzidek@redhat.com>
| -rw-r--r-- | Makefile.am | 7 | ||||
| -rw-r--r-- | contrib/sssd.spec.in | 3 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_subdomains.h | 2 |
3 files changed, 8 insertions, 4 deletions
diff --git a/Makefile.am b/Makefile.am index a2db8e19f..c21c1f3e9 100644 --- a/Makefile.am +++ b/Makefile.am @@ -72,6 +72,7 @@ systemdconfdir = @systemdconfdir@ logpath = @logpath@ pubconfpath = @pubconfpath@ gpocachepath = @gpocachepath@ +keytabdir = $(sss_statedir)/keytabs pkgconfigdir = $(libdir)/pkgconfig krb5rcachedir = @krb5rcachedir@ sudolibdir = @sudolibpath@ @@ -3295,7 +3296,7 @@ src/sysv/systemd/journal.conf: src/sysv/systemd/journal.conf.in Makefile SSSD_USER_DIRS = \ $(DESTDIR)$(dbpath) \ - $(DESTDIR)$(dbpath)/keytabs \ + $(DESTDIR)$(keytabdir) \ $(DESTDIR)$(mcpath) \ $(DESTDIR)$(pipepath) \ $(DESTDIR)$(pipepath)/private \ @@ -3330,7 +3331,9 @@ if SSSD_USER $(SSSD_USER_DIRS) endif $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \ - $(DESTDIR)$(pipepath)/private + $(DESTDIR)$(pipepath)/private \ + $(DESTDIR)$(keytabdir) \ + $(NULL) $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \ $(DESTDIR)$(pubconfpath) \ $(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath) diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index bfee8f8c2..1ebd92fa9 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -81,6 +81,7 @@ Requires: python-sssdconfig = %{version}-%{release} %global servicename sssd %global sssdstatedir %{_localstatedir}/lib/sss %global dbpath %{sssdstatedir}/db +%global keytabdir %{sssdstatedir}/keytabs %global pipepath %{sssdstatedir}/pipes %global mcpath %{sssdstatedir}/mc %global pubconfpath %{sssdstatedir}/pubconf @@ -765,7 +766,7 @@ rm -rf $RPM_BUILD_ROOT %defattr(-,root,root,-) %doc COPYING %attr(755,root,root) %dir %{pubconfpath}/krb5.include.d -%attr(700,sssd,sssd) %dir %{dbpath}/keytabs +%attr(700,sssd,sssd) %dir %{keytabdir} %{_libdir}/%{name}/libsss_ipa.so %attr(4750,root,sssd) %{_libexecdir}/%{servicename}/selinux_child %{_mandir}/man5/sssd-ipa.5* diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h index 281e975e7..5bc63a173 100644 --- a/src/providers/ipa/ipa_subdomains.h +++ b/src/providers/ipa/ipa_subdomains.h @@ -30,7 +30,7 @@ #include "config.h" #ifndef IPA_TRUST_KEYTAB_DIR -#define IPA_TRUST_KEYTAB_DIR DB_PATH"/keytabs" +#define IPA_TRUST_KEYTAB_DIR SSS_STATEDIR"/keytabs" #endif /* IPA_TRUST_KEYTAB_DIR */ /* ==Sid2Name Extended Operation============================================= */ |