From a5f79cce8abc74beec0c27c477c046bb6cbe7101 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Sat, 19 Apr 2014 17:06:30 -0400
Subject: confdb: Change file checks for config file
We only really care that the file is readable by the owner and not accessible by group or others. We do not really care whether the owner can write/execute the file or not, so we mask out those perms.
Resolves: https://bugzilla.redhat.com/1089098
Resolves: https://fedorahosted.org/sssd/ticket/2321
Signed-off-by: Simo Sorce
Reviewed-by: Pavel Reichl
---
src/util/sss_ini.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'src/util')
diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
index 89b133da0..63b96f287 100644
--- a/src/util/sss_ini.c
+++ b/src/util/sss_ini.c
@@ -120,7 +120,8 @@ int sss_ini_config_file_open(struct sss_ini_initdata *init_data,
 &init_data->file);
 #elif defined(HAVE_LIBINI_CONFIG_V0)
 return check_and_open_readonly(config_file, &init_data->file, 0, 0,
- S_IFREG|S_IRUSR|S_IWUSR, 0);
+ S_IFREG|S_IRUSR, /* f r**------ */
+ S_IFMT|(ALLPERMS & ~(S_IWUSR|S_IXUSR)));
 #endif
 }
 
@@ -137,8 +138,8 @@ int sss_ini_config_access_check(struct sss_ini_initdata *init_data)
 INI_ACCESS_CHECK_GID,
 0, /* owned by root */
 0, /* owned by root */
- (S_IRUSR|S_IWUSR), /* rw------- */
- 0); /* check all there parts */
+ S_IRUSR, /* r**------ */
+ ALLPERMS & ~(S_IWUSR|S_IXUSR));
 #elif defined(HAVE_LIBINI_CONFIG_V0)
 return EOK;
 #endif
-- cgit
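Review bot: `ALLPERMS`, which both hunks now rely on for the mode mask, is a BSD extension that glibc only exposes from <sys/stat.h> under its _DEFAULT_SOURCE/_GNU_SOURCE feature set and that POSIX does not define, so the build can break on a libc or feature-macro configuration that lacks it, and nothing in this patch adds a fallback. A guarded definition near the includes would cover that: `#ifndef ALLPERMS` / `#define ALLPERMS (S_ISUID|S_ISGID|S_ISVTX|S_IRWXU|S_IRWXG|S_IRWXO)` / `#endif`. The comment `/* f r**------ */` also undersells what the mask enforces: since ALLPERMS includes the setuid, setgid and sticky bits and the expected mode does not, a config file carrying any of those bits presumably fails the check too, which is worth stating, e.g. `/* regular file, owner-readable; no group/other perms and no setuid/setgid/sticky bits */`. sss_ini_config_file_open begins before the first hunk, and sss_ini_config_access_check both begins and ends outside the second.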