diff options
| author | Simo Sorce <ssorce@redhat.com> | 2009-09-28 07:51:26 -0400 |
|---|---|---|
| committer | Simo Sorce <ssorce@redhat.com> | 2009-09-28 08:41:27 -0400 |
| commit | 5ab9ed3c42781ae1911d253d56d67dc0288d55f7 (patch) | |
| tree | 9a3488b5c41fdbf37e5f58ced2ce1057b7583cff | |
| parent | cd23ef0605ec295ee9578dc3d9a749c89a947f42 (diff) | |
| download | sssd-5ab9ed3c42781ae1911d253d56d67dc0288d55f7.tar.gz sssd-5ab9ed3c42781ae1911d253d56d67dc0288d55f7.tar.xz sssd-5ab9ed3c42781ae1911d253d56d67dc0288d55f7.zip | |
Tighten up permission.
SSSD may contain passwords and other sensitive data, make sure we always keep its
permission tight. Also make /etc/sssd permission very strict, just in case,
admins may inadvertently copy an sssd.conf file without checking it's
permissions.
| -rw-r--r-- | contrib/sssd.spec.in | 2 | ||||
| -rw-r--r-- | server/upgrade/upgrade_config.py | 13 |
2 files changed, 13 insertions, 2 deletions
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 5dc45d28d..9513a6b6e 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -129,7 +129,7 @@ rm -rf $RPM_BUILD_ROOT %attr(755,root,root) %dir %{pipepath} %attr(700,root,root) %dir %{pipepath}/private %attr(750,root,root) %dir %{_var}/log/%{name} -%dir %{_sysconfdir}/sssd +%attr(700,root,root) %dir %{_sysconfdir}/sssd %config(noreplace) %{_sysconfdir}/sssd/sssd.conf %{_mandir}/man5/sssd.conf.5* %{_mandir}/man5/sssd-krb5.5* diff --git a/server/upgrade/upgrade_config.py b/server/upgrade/upgrade_config.py index 412fad534..87e3990d3 100644 --- a/server/upgrade/upgrade_config.py +++ b/server/upgrade/upgrade_config.py @@ -20,6 +20,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. +import os import sys import shutil import traceback @@ -91,6 +92,9 @@ class SSSDConfigFile(object): " Copy the file we operate on to a backup location " shutil.copy(self.file_name, self.file_name+".bak") + # make sure we don't leak data, force permissions on the backup + os.chmod(self.file_name+".bak", 0600) + def _migrate_if_exists(self, to_section, to_option, from_section, from_option): """ Move value of parameter from one section to another, renaming the parameter @@ -281,8 +285,12 @@ class SSSDConfigFile(object): # Migrate domains self._migrate_domains() - # all done, write the file + # all done, open the file for writing of = open(out_file_name, "wb") + + # make sure it has the right permissions too + os.chmod(out_file_name, 0600) + self._new_config.write(of) def parse_options(): @@ -337,6 +345,9 @@ def main(): print >>sys.stderr, "Can only upgrade from v1 to v2, file %s looks like version %d" % (options.filename, config.get_version()) return 1 + # make sure we keep strict settings when creating new files + os.umask(0077) + try: config.upgrade_v2(options.outfile, options.backup) except Exception, e: |