From dbfc407eef1d9ba2469687c3ffbe7fd8bb111d94 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 16 Jun 2015 13:22:32 +0200
Subject: BUILD: Store keytabs in /var/lib/sss/keytabs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Make sure the directory is only accessible to the sssd user
Reviewed-by: Michal Židek
---
 Makefile.am | 7 +++++--
 contrib/sssd.spec.in | 3 ++-
 src/providers/ipa/ipa_subdomains.h | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index a2db8e19f..c21c1f3e9 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -72,6 +72,7 @@ systemdconfdir = @systemdconfdir@
 logpath = @logpath@
 pubconfpath = @pubconfpath@
 gpocachepath = @gpocachepath@
+keytabdir = $(sss_statedir)/keytabs
 pkgconfigdir = $(libdir)/pkgconfig
 krb5rcachedir = @krb5rcachedir@
 sudolibdir = @sudolibpath@
@@ -3295,7 +3296,7 @@ src/sysv/systemd/journal.conf: src/sysv/systemd/journal.conf.in Makefile
 SSSD_USER_DIRS = \
 $(DESTDIR)$(dbpath) \
- $(DESTDIR)$(dbpath)/keytabs \
+ $(DESTDIR)$(keytabdir) \
 $(DESTDIR)$(mcpath) \
 $(DESTDIR)$(pipepath) \
 $(DESTDIR)$(pipepath)/private \
@@ -3330,7 +3331,9 @@ if SSSD_USER
 $(SSSD_USER_DIRS)
 endif
 $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \
- $(DESTDIR)$(pipepath)/private
+ $(DESTDIR)$(pipepath)/private \
+ $(DESTDIR)$(keytabdir) \
+ $(NULL)
 $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \
 $(DESTDIR)$(pubconfpath) \
 $(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index bfee8f8c2..1ebd92fa9 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
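Review bot: The new `keytabdir = $(sss_statedir)/keytabs` in the first Makefile.am hunk is one of three separate spellings of the same path: the spec file adds `%global keytabdir %{sssdstatedir}/keytabs` and ipa_subdomains.h hard-codes `SSS_STATEDIR"/keytabs"`. Nothing visible ties them together, so a later change to one of them would leave the provider using a directory that the install rule and the package never created with mode 0700 for the sssd user. Since the header already wraps the macro in `#ifndef`, it looks possible to pass the value from the build with a `-DIPA_TRUST_KEYTAB_DIR` flag derived from `$(keytabdir)`. Failing that, a comment on this line such as `# keep in sync with IPA_TRUST_KEYTAB_DIR in src/providers/ipa/ipa_subdomains.h and keytabdir in contrib/sssd.spec.in` would document the coupling.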
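Review bot: In the third Makefile.am hunk the `if SSSD_USER` block that consumes `$(SSSD_USER_DIRS)` closes before the `$(INSTALL) -d -m 0700` line that now lists `$(DESTDIR)$(keytabdir)`. The command inside that block and the earlier directory-creation step are outside the hunk, so it is not visible whether the keytab directory already exists when the block runs. If it does not, whatever ownership step the block performs would miss it, and the directory would end up 0700 but owned by the installing user, which the sssd user could not enter. Please confirm the directory is created before the block, and consider a comment above the install line, e.g. `# keytabdir holds Kerberos keys: 0700, ownership set via SSSD_USER_DIRS above`. The rule itself starts before this hunk.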
@@ -81,6 +81,7 @@ Requires: python-sssdconfig = %{version}-%{release}
 %global servicename sssd
 %global sssdstatedir %{_localstatedir}/lib/sss
 %global dbpath %{sssdstatedir}/db
+%global keytabdir %{sssdstatedir}/keytabs
 %global pipepath %{sssdstatedir}/pipes
 %global mcpath %{sssdstatedir}/mc
 %global pubconfpath %{sssdstatedir}/pubconf
@@ -765,7 +766,7 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(-,root,root,-)
 %doc COPYING
 %attr(755,root,root) %dir %{pubconfpath}/krb5.include.d
-%attr(700,sssd,sssd) %dir %{dbpath}/keytabs
+%attr(700,sssd,sssd) %dir %{keytabdir}
 %{_libdir}/%{name}/libsss_ipa.so
 %attr(4750,root,sssd) %{_libexecdir}/%{servicename}/selinux_child
 %{_mandir}/man5/sssd-ipa.5*
diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h
index 281e975e7..5bc63a173 100644
--- a/src/providers/ipa/ipa_subdomains.h
+++ b/src/providers/ipa/ipa_subdomains.h
@@ -30,7 +30,7 @@
 #include "config.h"
 #ifndef IPA_TRUST_KEYTAB_DIR
-#define IPA_TRUST_KEYTAB_DIR DB_PATH"/keytabs"
+#define IPA_TRUST_KEYTAB_DIR SSS_STATEDIR"/keytabs"
 #endif /* IPA_TRUST_KEYTAB_DIR */
 /* ==Sid2Name Extended Operation============================================= */
-- cgit
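Review bot: Replacing `%dir %{dbpath}/keytabs` with `%dir %{keytabdir}` in the second spec hunk drops the old directory from the package with no visible handling of what is already stored in it. Together with the `IPA_TRUST_KEYTAB_DIR` change in ipa_subdomains.h, an upgraded system would presumably stop looking at keytabs under the old path, and those files would stay on disk as unmanaged key material. If no migration exists elsewhere, a scriptlet that moves or removes the old keytabs on upgrade would close that gap, or at least a release note telling administrators to clean up the old directory. The `%files` section begins outside the hunk.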