sssd/0084-DESKPROFILE-Soften-umask-for-the-domain-s-dir.patch

From b576b290d3d7e165269edf36d6be27bc1441a688 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Sat, 20 Jan 2018 15:06:37 +0100
Subject: [PATCH 84/88] DESKPROFILE: Soften umask for the domain's dir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The default umask (0177) is way too strict, not allowing us to create
the domain's dir, which has to have its mode set as 751.

In order to solve this, let's soften the umask to 0026.

This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora
package.

Resolves:
https://pagure.io/SSSD/sssd/issue/3621

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Simo Sorce <simo@redhat.com>
---
 src/providers/ipa/ipa_deskprofile_rules_util.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
index 01b7d0527..989f3aadd 100644
--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
@@ -229,6 +229,7 @@ ipa_deskprofile_rules_create_user_dir(
     char *domain;
     char *domain_dir;
     errno_t ret;
+    mode_t old_umask;
 
     tmp_ctx = talloc_new(NULL);
     if (tmp_ctx == NULL) {
@@ -243,8 +244,10 @@ ipa_deskprofile_rules_create_user_dir(
         goto done;
     }
 
-    ret = sss_create_dir(IPA_DESKPROFILE_RULES_USER_DIR, domain, 0755,
+    old_umask = umask(0026);
+    ret = sss_create_dir(IPA_DESKPROFILE_RULES_USER_DIR, domain, 0751,
                          getuid(), getgid());
+    umask(old_umask);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE,
               "Failed to create the directory \"%s/%s\" that would be used to "
-- 
2.14.3
Resolves: upstream#3621: FleetCommander integration must not require capability DAC_OVERRIDE Together with the patches backported from upstream, we're changing the deskprofilepath permissions from 755 to 751, reflecting the upstream spec file changes. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> 2018-02-14 21:20:50 +00:00			`From b576b290d3d7e165269edf36d6be27bc1441a688 Mon Sep 17 00:00:00 2001`
			`From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>`
			`Date: Sat, 20 Jan 2018 15:06:37 +0100`
			`Subject: [PATCH 84/88] DESKPROFILE: Soften umask for the domain's dir`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`The default umask (0177) is way too strict, not allowing us to create`
			`the domain's dir, which has to have its mode set as 751.`

			`In order to solve this, let's soften the umask to 0026.`

			`This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora`
			`package.`

			`Resolves:`
			`https://pagure.io/SSSD/sssd/issue/3621`

			`Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>`

			`Reviewed-by: Simo Sorce <simo@redhat.com>`
			`---`
			`src/providers/ipa/ipa_deskprofile_rules_util.c \| 5 ++++-`
			`1 file changed, 4 insertions(+), 1 deletion(-)`

			`diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c`
			`index 01b7d0527..989f3aadd 100644`
			`--- a/src/providers/ipa/ipa_deskprofile_rules_util.c`
			`+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c`
			`@@ -229,6 +229,7 @@ ipa_deskprofile_rules_create_user_dir(`
			`char *domain;`
			`char *domain_dir;`
			`errno_t ret;`
			`+ mode_t old_umask;`

			`tmp_ctx = talloc_new(NULL);`
			`if (tmp_ctx == NULL) {`
			`@@ -243,8 +244,10 @@ ipa_deskprofile_rules_create_user_dir(`
			`goto done;`
			`}`

			`- ret = sss_create_dir(IPA_DESKPROFILE_RULES_USER_DIR, domain, 0755,`
			`+ old_umask = umask(0026);`
			`+ ret = sss_create_dir(IPA_DESKPROFILE_RULES_USER_DIR, domain, 0751,`
			`getuid(), getgid());`
			`+ umask(old_umask);`
			`if (ret != EOK) {`
			`DEBUG(SSSDBG_CRIT_FAILURE,`
			`"Failed to create the directory \"%s/%s\" that would be used to "`
			`--`
			`2.14.3`