diff --git a/0001-Tighten-up-permission.patch b/0001-Tighten-up-permission.patch
deleted file mode 100644
index 8f1d70f..0000000
--- a/0001-Tighten-up-permission.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From e98645b11a18d5eba14f9108504003ffdfe81f3a Mon Sep 17 00:00:00 2001
-From: Simo Sorce
-Date: Mon, 28 Sep 2009 07:51:26 -0400
-Subject: [PATCH] Tighten up permission.
-
-SSSD may contain passwords and other sensitive data, make sure we always keep its
-permission tight. Also make /etc/sssd permission very strict, just in case,
-admins may inadvertently copy an sssd.conf file without checking it's
-permissions.
----
- contrib/sssd.spec.in | 2 +-
- server/upgrade/upgrade_config.py | 13 ++++++++++++-
- 2 files changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
-index 2dd291f..93a1401 100644
---- a/contrib/sssd.spec.in
-+++ b/contrib/sssd.spec.in
-@@ -132,7 +132,7 @@ rm -rf $RPM_BUILD_ROOT
- %attr(755,root,root) %dir %{pipepath}
- %attr(700,root,root) %dir %{pipepath}/private
- %attr(750,root,root) %dir %{_var}/log/%{name}
--%dir %{_sysconfdir}/sssd
-+%attr(700,root,root) %dir %{_sysconfdir}/sssd
- %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
- %config %{_sysconfdir}/sssd/sssd.api.conf
- %attr(700,root,root) %dir %{_sysconfdir}/sssd/sssd.api.d
-diff --git a/server/upgrade/upgrade_config.py b/server/upgrade/upgrade_config.py
-index 412fad5..87e3990 100644
---- a/server/upgrade/upgrade_config.py
-+++ b/server/upgrade/upgrade_config.py
-@@ -20,6 +20,7 @@
- # You should have received a copy of the GNU General Public License
- # along with this program. If not, see .
- 
-+import os
- import sys
- import shutil
- import traceback
-@@ -91,6 +92,9 @@ class SSSDConfigFile(object):
- " Copy the file we operate on to a backup location "
- shutil.copy(self.file_name, self.file_name+".bak")
- 
-+ # make sure we don't leak data, force permissions on the backup
-+ os.chmod(self.file_name+".bak", 0600)
-+
- def _migrate_if_exists(self, to_section, to_option, from_section, from_option):
- """
- Move value of parameter from one section to another, renaming the parameter
-@@ -281,8 +285,12 @@ class SSSDConfigFile(object):
- # Migrate domains
- self._migrate_domains()
- 
-- # all done, write the file
-+ # all done, open the file for writing
- of = open(out_file_name, "wb")
-+
-+ # make sure it has the right permissions too
-+ os.chmod(out_file_name, 0600)
-+
- self._new_config.write(of)
- 
- def parse_options():
-@@ -337,6 +345,9 @@ def main():
- print >>sys.stderr, "Can only upgrade from v1 to v2, file %s looks like version %d" % (options.filename, config.get_version())
- return 1
- 
-+ # make sure we keep strict settings when creating new files
-+ os.umask(0077)
-+
- try:
- config.upgrade_v2(options.outfile, options.backup)
- except Exception, e:
--- 
-1.6.2.5
-