Diffstat (limited to 'Create-KDC-and-kadmind-log-files-with-mode-0640.patch')
-rw-r--r--Create-KDC-and-kadmind-log-files-with-mode-0640.patch65
1 files changed, 65 insertions, 0 deletions
diff --git a/Create-KDC-and-kadmind-log-files-with-mode-0640.patch b/Create-KDC-and-kadmind-log-files-with-mode-0640.patch
new file mode 100644
index 0000000..9810acd
--- /dev/null
+++ b/Create-KDC-and-kadmind-log-files-with-mode-0640.patch
@@ -0,0 +1,65 @@
+From 6b126bfc40ba416746e4d30edb0b6b72c21c8b10 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 23 Aug 2016 16:58:44 -0400
+Subject: [PATCH 13/19] Create KDC and kadmind log files with mode 0640
+
+In krb5_klog_init(), use open() and fdopen() to open log files so that
+we can specify a mode. Specify a mode which doesn't include the
+group-write, other-read, or other-write bits even if the process umask
+allows them.
+
+[ghudson@mit.edu: wrote commit message, de-indented post-open setup
+code]
+[rharwood@redhat.com: backport not clean due to SELinux patching]
+
+ticket: 8344 (new)
+---
+ src/lib/kadm5/logger.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
+index 64f9641..0517efe 100644
+--- a/src/lib/kadm5/logger.c
++++ b/src/lib/kadm5/logger.c
+@@ -354,7 +354,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
+ const char *logging_profent[3];
+ const char *logging_defent[3];
+ char **logging_specs;
+- int i, ngood;
++ int i, ngood, fd, append;
+ char *cp, *cp2;
+ char savec = '\0';
+ int error;
+@@ -422,18 +422,21 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
+ /*
+ * Check for append/overwrite, then open the file.
+ */
+- if (cp[4] == ':' || cp[4] == '=') {
+- f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w");
+- if (f) {
+- set_cloexec_file(f);
+- log_control.log_entries[i].lfu_filep = f;
+- log_control.log_entries[i].log_type = K_LOG_FILE;
+- log_control.log_entries[i].lfu_fname = &cp[5];
+- } else {
++ append = (cp[4] == ':') ? O_APPEND : 0;
++ if (append || cp[4] == '=') {
++ fd = THREEPARAMOPEN(&cp[5], O_CREAT | O_WRONLY | append,
++ S_IRUSR | S_IWUSR | S_IRGRP);
++ if (fd != -1)
++ f = fdopen(fd, append ? "a" : "w");
++ if (fd == -1 || f == NULL) {
+ fprintf(stderr,"Couldn't open log file %s: %s\n",
+ &cp[5], error_message(errno));
+ continue;
+ }
++ set_cloexec_file(f);
++ log_control.log_entries[i].lfu_filep = f;
++ log_control.log_entries[i].log_type = K_LOG_FILE;
++ log_control.log_entries[i].lfu_fname = &cp[5];
+ }
+ }
+ #ifdef HAVE_SYSLOG
+--
+2.9.3
+
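Review bot: The `=` (overwrite) branch of the new open call no longer truncates an existing log file. The removed code passed `"w"` to `WRITABLEFOPEN`, but `O_CREAT | O_WRONLY | append` carries no `O_TRUNC` and `fdopen(fd, "w")` does not truncate, so old content would stay in place beyond whatever is newly written. Assuming `THREEPARAMOPEN` wraps `open()` (its definition is not visible here), `O_CREAT | O_WRONLY | (append ? O_APPEND : O_TRUNC)` would restore the old behaviour. When `open` succeeds but `fdopen()` fails, the descriptor is leaked; adding `if (fd != -1) close(fd);` after the `fprintf` and before `continue` fixes that without disturbing `errno` for the message. The 0640 mode only applies when the file is created, so a log file that already exists with wider permissions keeps them, which deserves a comment at the call such as `/* mode is applied on creation only; existing files keep their permissions */`. The body of `krb5_klog_init` starts and ends outside the hunk.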