authorJakub Hrozek <jhrozek@redhat.com>2014-10-11 20:22:42 +0200
committerJakub Hrozek <jhrozek@redhat.com>2014-11-05 20:16:06 +0100
commitfe5108b091e77dac505fd433c2df9c8b5736b21f (patch)
treec3d95e88272cd6ee5a8f567454f156ac92578e37
parentc6a29b0121b64bbe6b81f2d61c81c480bbf1a858 (diff)
downloadsssd-fe5108b091e77dac505fd433c2df9c8b5736b21f.tar.gz
sssd-fe5108b091e77dac505fd433c2df9c8b5736b21f.tar.xz
sssd-fe5108b091e77dac505fd433c2df9c8b5736b21f.zip
BUILD: Install ldap_child and as setuid if running under non-privileged user
The ldap_child permissions should be 4750, owned by root.sssd, to make sure only root and sssd can execute the child and if executed by sssd, the child will run as root. Reviewed-by: Michal Židek <mzidek@redhat.com>
-rw-r--r--Makefile.am5
-rw-r--r--contrib/sssd.spec.in2
2 files changed, 6 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am
index 60bc67f1a..02b087ea3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2844,6 +2844,11 @@ else
$(MKDIR_P) $(DESTDIR)$(initdir)
endif
+if SSSD_USER
+ chgrp $(SSSD_USER) $(sssdlibexecdir)/ldap_child
+ chmod 4750 $(sssdlibexecdir)/ldap_child
+endif
+
install-data-hook:
rm $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2 \
$(DESTDIR)/$(nsslibdir)/libnss_sss.so
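Review bot: The added `chgrp` and `chmod` lines act on `$(sssdlibexecdir)/ldap_child` without the `$(DESTDIR)` prefix that the neighbouring `$(MKDIR_P) $(DESTDIR)$(initdir)` and `rm $(DESTDIR)/$(nsslibdir)/...` lines use. In a staged install (packaging, or `make install DESTDIR=...`) the staged binary would keep its default mode, and the setuid bit and group would instead be applied to whatever file sits at the live path on the build host, or the step would fail if none exists. The lines should read `chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/ldap_child` and `chmod 4750 $(DESTDIR)$(sssdlibexecdir)/ldap_child`. Running chgrp before chmod is the right order, since changing ownership can clear the setuid bit. The enclosing hook rule starts above the hunk, so its target name is not visible here.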
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index db3bbcb09..d2e6cec26 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -645,7 +645,7 @@ rm -rf $RPM_BUILD_ROOT
%defattr(-,root,root,-)
%doc COPYING
%{_libdir}/%{name}/libsss_krb5_common.so
-%{_libexecdir}/%{servicename}/ldap_child
+%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/ldap_child
%{_libexecdir}/%{servicename}/krb5_child
%files krb5 -f sssd_krb5.lang
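Review bot: `%attr(4750,root,sssd)` hard-codes the group and sets the setuid bit unconditionally, whereas the Makefile.am side of this commit is guarded by `if SSSD_USER` and takes the group from `$(SSSD_USER)`. If the package can also be built with SSSD running as root, the helper would ship setuid-root without needing to. The `sssd` group also has to exist before the file is installed; presumably a scriptlet outside this hunk creates it, which is worth confirming. A comment above the line, such as `# setuid root, group sssd: only root and the sssd user may execute the helper, which must run as root`, would record why the mode is 4750.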