authorStephen Gallagher <sgallagh@redhat.com>2010-03-19 14:07:00 -0400
committerStephen Gallagher <sgallagh@redhat.com>2010-03-22 08:34:16 -0400
commit369975ab6d7c45916e0e2739eb5449879c32b6f8 (patch)
tree181dfa2ef15eee86d813c9fbee3cedcef19d0dde
parentb3f76cd4c5cacaad7580f953f3c17ab019d89330 (diff)
Ensure the SSSDConfig creates sssd.conf with the correct mode
-rw-r--r--src/config/SSSDConfig.py2
-rwxr-xr-xsrc/config/SSSDConfigTest.py89
2 files changed, 87 insertions, 4 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index d073a6832..84af11bf2 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -1194,10 +1194,12 @@ class SSSDConfig(SSSDChangeConf):
outputfile = self.configfile
# open() will raise IOError if it fails
+ old_umask = os.umask(0177)
of = open(outputfile, "wb")
output = self.dump(self.opts)
of.write(output)
of.close()
+ os.umask(old_umask)
def list_services(self):
"""
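Review bot: The umask is not restored if `open()` or `of.write()` raises, so a failed write leaves the whole process at umask 0177; the save/restore pair around `open(outputfile, "wb")` should sit in `try`/`finally`. The umask also applies only when the file is created: if `outputfile` already exists with a wider mode, opening it with "wb" truncates it and keeps that mode, so the config can still end up readable by other users. Setting the mode explicitly on the open descriptor before writing covers that case (`os.fchmod` needs Python 2.6 or later; `os.chmod(outputfile, 0600)` is the fallback). `os.umask` is process-wide, so any other thread creating files during the write gets 0177 as well. The enclosing method starts above this hunk.

```python
# … unchanged: outputfile selection …
old_umask = os.umask(0177)
try:
    of = open(outputfile, "wb")
    try:
        # A pre-existing file keeps its old mode on truncation; force 0600
        # before any content is written.
        os.fchmod(of.fileno(), 0600)
        of.write(self.dump(self.opts))
    finally:
        of.close()
finally:
    # Restore even when open() or write() raises.
    os.umask(old_umask)
```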
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 7e882e74d..2d637bb99 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -5,6 +5,8 @@ Created on Sep 18, 2009
@author: sgallagh
'''
import unittest
+import os
+from stat import *
import SSSDConfig
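Review bot: `from stat import *` pulls every name from `stat` into the test module when only two are used; `from stat import ST_MODE, S_IMODE` keeps the origin of those names visible to readers and linters. Reading `os.stat(of).st_mode` instead of indexing with `ST_MODE` would remove the need for one of them altogether.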
@@ -119,7 +121,27 @@ class SSSDConfigTestValid(unittest.TestCase):
local_domain.set_active(True)
sssdconfig.save_domain(local_domain)
- sssdconfig.write('/tmp/testCreateNewLocalConfig.conf')
+ of = '/tmp/testCreateNewLocalConfig.conf'
+
+ #Ensure the output file doesn't exist
+ try:
+ os.unlink(of)
+ except:
+ pass
+
+ #Write out the file
+ sssdconfig.write(of)
+
+ #Verify that the output file has the correct permissions
+ mode = os.stat(of)[ST_MODE]
+
+ #Output files should not be readable or writable by
+ #non-owners, and should not be executable by anyone
+ self.assertFalse(S_IMODE(mode) & 0177)
+
+ #Remove the output file
+ os.unlink(of)
+
def testCreateNewLDAPConfig(self):
sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
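Review bot: The bare `except: pass` around `os.unlink(of)` hides every failure, including a permission error that would leave a stale file in place; catch `OSError` and ignore only `errno.ENOENT`. Because the file is always removed first, the test exercises only the creation path and never checks that `write()` tightens an existing file with a wider mode. The fixed name under `/tmp` is predictable and shared between concurrent runs, and the final `os.unlink(of)` is skipped whenever the assertion fails; a directory from `tempfile.mkdtemp()` removed in `tearDown` avoids both. The same block is repeated in the hunks writing `/tmp/testCreateNewLDAPConfig.conf`, `/tmp/testModifyExistingConfig.conf` and `/tmp/testSaveDomain.out`, so a single helper method on the test case would keep the four copies in step.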
@@ -133,7 +155,26 @@ class SSSDConfigTestValid(unittest.TestCase):
ldap_domain.set_active(True)
sssdconfig.save_domain(ldap_domain)
- sssdconfig.write('/tmp/testCreateNewLDAPConfig.conf')
+ of = '/tmp/testCreateNewLDAPConfig.conf'
+
+ #Ensure the output file doesn't exist
+ try:
+ os.unlink(of)
+ except:
+ pass
+
+ #Write out the file
+ sssdconfig.write(of)
+
+ #Verify that the output file has the correct permissions
+ mode = os.stat(of)[ST_MODE]
+
+ #Output files should not be readable or writable by
+ #non-owners, and should not be executable by anyone
+ self.assertFalse(S_IMODE(mode) & 0177)
+
+ #Remove the output file
+ os.unlink(of)
def testModifyExistingConfig(self):
sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
@@ -148,7 +189,26 @@ class SSSDConfigTestValid(unittest.TestCase):
ldap_domain.set_active(True)
sssdconfig.save_domain(ldap_domain)
- sssdconfig.write('/tmp/testModifyExistingConfig.conf')
+ of = '/tmp/testModifyExistingConfig.conf'
+
+ #Ensure the output file doesn't exist
+ try:
+ os.unlink(of)
+ except:
+ pass
+
+ #Write out the file
+ sssdconfig.write(of)
+
+ #Verify that the output file has the correct permissions
+ mode = os.stat(of)[ST_MODE]
+
+ #Output files should not be readable or writable by
+ #non-owners, and should not be executable by anyone
+ self.assertFalse(S_IMODE(mode) & 0177)
+
+ #Remove the output file
+ os.unlink(of)
def testSpaces(self):
sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
@@ -1412,7 +1472,28 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
'cn=accounts, dc=example, dc=com')
sssdconfig.save_domain(domain)
- sssdconfig.write('/tmp/testSaveDomain.out')
+
+ of = '/tmp/testSaveDomain.out'
+
+ #Ensure the output file doesn't exist
+ try:
+ os.unlink(of)
+ except:
+ pass
+
+ #Write out the file
+ sssdconfig.write(of)
+
+ #Verify that the output file has the correct permissions
+ mode = os.stat(of)[ST_MODE]
+
+ #Output files should not be readable or writable by
+ #non-owners, and should not be executable by anyone
+ self.assertFalse(S_IMODE(mode) & 0177)
+
+ #Remove the output file
+ os.unlink(of)
+
domain2 = sssdconfig.get_domain('example.com2')
self.assertTrue(domain2.get_option('ldap_krb5_init_creds'))