sssd/0001-Tighten-up-permission.patch

From e98645b11a18d5eba14f9108504003ffdfe81f3a Mon Sep 17 00:00:00 2001
From: Simo Sorce <ssorce@redhat.com>
Date: Mon, 28 Sep 2009 07:51:26 -0400
Subject: [PATCH] Tighten up permission.

SSSD may contain passwords and other sensitive data, make sure we always keep its
permission tight. Also make /etc/sssd permission very strict, just in case,
admins may inadvertently copy an sssd.conf file without checking it's
permissions.
---
 contrib/sssd.spec.in             |    2 +-
 server/upgrade/upgrade_config.py |   13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 2dd291f..93a1401 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -132,7 +132,7 @@ rm -rf $RPM_BUILD_ROOT
 %attr(755,root,root) %dir %{pipepath}
 %attr(700,root,root) %dir %{pipepath}/private
 %attr(750,root,root) %dir %{_var}/log/%{name}
-%dir %{_sysconfdir}/sssd
+%attr(700,root,root) %dir %{_sysconfdir}/sssd
 %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
 %config %{_sysconfdir}/sssd/sssd.api.conf
 %attr(700,root,root) %dir %{_sysconfdir}/sssd/sssd.api.d
diff --git a/server/upgrade/upgrade_config.py b/server/upgrade/upgrade_config.py
index 412fad5..87e3990 100644
--- a/server/upgrade/upgrade_config.py
+++ b/server/upgrade/upgrade_config.py
@@ -20,6 +20,7 @@
 #  You should have received a copy of the GNU General Public License
 #  along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import os
 import sys
 import shutil
 import traceback
@@ -91,6 +92,9 @@ class SSSDConfigFile(object):
         " Copy the file we operate on to a backup location "
         shutil.copy(self.file_name, self.file_name+".bak")
 
+        # make sure we don't leak data, force permissions on the backup
+        os.chmod(self.file_name+".bak", 0600)
+
     def _migrate_if_exists(self, to_section, to_option, from_section, from_option):
         """
         Move value of parameter from one section to another, renaming the parameter
@@ -281,8 +285,12 @@ class SSSDConfigFile(object):
         # Migrate domains
         self._migrate_domains()
 
-        # all done, write the file
+        # all done, open the file for writing
         of = open(out_file_name, "wb")
+
+        # make sure it has the right permissions too
+        os.chmod(out_file_name, 0600)
+
         self._new_config.write(of)
 
 def parse_options():
@@ -337,6 +345,9 @@ def main():
         print >>sys.stderr, "Can only upgrade from v1 to v2, file %s looks like version %d" % (options.filename, config.get_version())
         return 1
 
+    # make sure we keep strict settings when creating new files
+    os.umask(0077)
+
     try:
         config.upgrade_v2(options.outfile, options.backup)
     except Exception, e:
-- 
1.6.2.5
- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust 2009-10-13 20:25:50 +00:00			`From e98645b11a18d5eba14f9108504003ffdfe81f3a Mon Sep 17 00:00:00 2001`
Add two patches 1) Ensure that the configuration upgrade script always writes the config file with 0600 permissions 2) Eliminate an infinite loop in group enumerations 2009-09-29 12:19:20 +00:00			`From: Simo Sorce <ssorce@redhat.com>`
			`Date: Mon, 28 Sep 2009 07:51:26 -0400`
- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust 2009-10-13 20:25:50 +00:00			`Subject: [PATCH] Tighten up permission.`
Add two patches 1) Ensure that the configuration upgrade script always writes the config file with 0600 permissions 2) Eliminate an infinite loop in group enumerations 2009-09-29 12:19:20 +00:00
			`SSSD may contain passwords and other sensitive data, make sure we always keep its`
			`permission tight. Also make /etc/sssd permission very strict, just in case,`
			`admins may inadvertently copy an sssd.conf file without checking it's`
			`permissions.`
			`---`
			`contrib/sssd.spec.in \| 2 +-`
			`server/upgrade/upgrade_config.py \| 13 ++++++++++++-`
			`2 files changed, 13 insertions(+), 2 deletions(-)`

			`diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in`
- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust 2009-10-13 20:25:50 +00:00			`index 2dd291f..93a1401 100644`
Add two patches 1) Ensure that the configuration upgrade script always writes the config file with 0600 permissions 2) Eliminate an infinite loop in group enumerations 2009-09-29 12:19:20 +00:00			`--- a/contrib/sssd.spec.in`
			`+++ b/contrib/sssd.spec.in`
- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust 2009-10-13 20:25:50 +00:00			`@@ -132,7 +132,7 @@ rm -rf $RPM_BUILD_ROOT`
Add two patches 1) Ensure that the configuration upgrade script always writes the config file with 0600 permissions 2) Eliminate an infinite loop in group enumerations 2009-09-29 12:19:20 +00:00			`%attr(755,root,root) %dir %{pipepath}`
			`%attr(700,root,root) %dir %{pipepath}/private`
			`%attr(750,root,root) %dir %{_var}/log/%{name}`
			`-%dir %{_sysconfdir}/sssd`
			`+%attr(700,root,root) %dir %{_sysconfdir}/sssd`
			`%config(noreplace) %{_sysconfdir}/sssd/sssd.conf`
- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust 2009-10-13 20:25:50 +00:00			`%config %{_sysconfdir}/sssd/sssd.api.conf`
			`%attr(700,root,root) %dir %{_sysconfdir}/sssd/sssd.api.d`
Add two patches 1) Ensure that the configuration upgrade script always writes the config file with 0600 permissions 2) Eliminate an infinite loop in group enumerations 2009-09-29 12:19:20 +00:00			`diff --git a/server/upgrade/upgrade_config.py b/server/upgrade/upgrade_config.py`
			`index 412fad5..87e3990 100644`
			`--- a/server/upgrade/upgrade_config.py`
			`+++ b/server/upgrade/upgrade_config.py`
			`@@ -20,6 +20,7 @@`
			`# You should have received a copy of the GNU General Public License`
			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`

			`+import os`
			`import sys`
			`import shutil`
			`import traceback`
			`@@ -91,6 +92,9 @@ class SSSDConfigFile(object):`
			`" Copy the file we operate on to a backup location "`
			`shutil.copy(self.file_name, self.file_name+".bak")`

			`+ # make sure we don't leak data, force permissions on the backup`
			`+ os.chmod(self.file_name+".bak", 0600)`
			`+`
			`def _migrate_if_exists(self, to_section, to_option, from_section, from_option):`
			`"""`
			`Move value of parameter from one section to another, renaming the parameter`
			`@@ -281,8 +285,12 @@ class SSSDConfigFile(object):`
			`# Migrate domains`
			`self._migrate_domains()`

			`- # all done, write the file`
			`+ # all done, open the file for writing`
			`of = open(out_file_name, "wb")`
			`+`
			`+ # make sure it has the right permissions too`
			`+ os.chmod(out_file_name, 0600)`
			`+`
			`self._new_config.write(of)`

			`def parse_options():`
			`@@ -337,6 +345,9 @@ def main():`
			`print >>sys.stderr, "Can only upgrade from v1 to v2, file %s looks like version %d" % (options.filename, config.get_version())`
			`return 1`

			`+ # make sure we keep strict settings when creating new files`
			`+ os.umask(0077)`
			`+`
			`try:`
			`config.upgrade_v2(options.outfile, options.backup)`
			`except Exception, e:`
			`--`
			`1.6.2.5`