From 45414c12aa933a33d9a635cc212c448c858c6bab Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Sat, 11 Oct 2014 20:22:42 +0200
Subject: BUILD: Install ldap_child and as setuid if running under non-privileged user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The ldap_child permissions should be 4750, owned by root.sssd, to make sure only root and sssd can execute the child and if executed by sssd, the child will run as root.

Reviewed-by: Michal Židek
---
 Makefile.am          | 5 +++++
 contrib/sssd.spec.in | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/Makefile.am b/Makefile.am
index 60bc67f1a..02b087ea3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2844,6 +2844,11 @@ else
 	$(MKDIR_P) $(DESTDIR)$(initdir)
 endif
 
+if SSSD_USER
+	chgrp $(SSSD_USER) $(sssdlibexecdir)/ldap_child
+	chmod 4750 $(sssdlibexecdir)/ldap_child
+endif
+
 install-data-hook:
 	rm $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2 \
 	   $(DESTDIR)/$(nsslibdir)/libnss_sss.so
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index db3bbcb09..d2e6cec26 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -645,7 +645,7 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(-,root,root,-)
 %doc COPYING
 %{_libdir}/%{name}/libsss_krb5_common.so
-%{_libexecdir}/%{servicename}/ldap_child
+%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/ldap_child
 %{_libexecdir}/%{servicename}/krb5_child
 
 %files krb5 -f sssd_krb5.lang
-- 
cgit
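Review bot: The two added recipe lines operate on `$(sssdlibexecdir)/ldap_child` without the `$(DESTDIR)` prefix, while every neighbouring line in this hook (`$(MKDIR_P) $(DESTDIR)$(initdir)`, the `rm $(DESTDIR)/$(nsslibdir)/...` in install-data-hook) is DESTDIR-aware. A staged install such as the spec's `make install DESTDIR=$RPM_BUILD_ROOT` would therefore chgrp/chmod the path on the build host instead of the staged tree, and either fail when the file is absent or silently change permissions outside the build root. The lines should read `chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/ldap_child` and `chmod 4750 $(DESTDIR)$(sssdlibexecdir)/ldap_child`. Keeping chgrp before chmod is correct, since changing group ownership can clear the setuid bit on some systems; the rule these recipe lines attach to begins outside the hunk, so which install hook they extend cannot be confirmed here.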
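Review bot: `%attr(4750,root,sssd)` hard-codes the group name, whereas Makefile.am derives it from `$(SSSD_USER)`; the two only agree if the spec's `%configure` selects `sssd` as that user, which is not visible in this hunk. A setuid-root, group-executable entry also presumes the `sssd` group already exists when the package is laid down, so whatever scriptlet creates it needs to run before file installation (and be declared as an install-time dependency); that part of the spec is outside the hunk, so this is worth confirming rather than assuming.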