From 4c45356ecc287d5d8fcab9cdc1ec3987d41319c3 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 29 Sep 2009 12:19:20 +0000 Subject: [PATCH] Add two patches 1) Ensure that the configuration upgrade script always writes the config file with 0600 permissions 2) Eliminate an infinite loop in group enumerations --- 0001-Tighten-up-permission.patch | 76 +++++++++++++++++++ ...te-loop-with-empty-group-enumeration.patch | 61 +++++++++++++++ sssd.spec | 6 ++ 3 files changed, 143 insertions(+) create mode 100644 0001-Tighten-up-permission.patch create mode 100644 0002-Fix-infinite-loop-with-empty-group-enumeration.patch diff --git a/0001-Tighten-up-permission.patch b/0001-Tighten-up-permission.patch new file mode 100644 index 0000000..f13e1e6 --- /dev/null +++ b/0001-Tighten-up-permission.patch 
@@ -0,0 +1,76 @@ +From 5ab9ed3c42781ae1911d253d56d67dc0288d55f7 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Mon, 28 Sep 2009 07:51:26 -0400 +Subject: [PATCH 1/2] Tighten up permission. + +SSSD may contain passwords and other sensitive data, make sure we always keep its +permission tight. Also make /etc/sssd permission very strict, just in case, +admins may inadvertently copy an sssd.conf file without checking it's +permissions. +--- + contrib/sssd.spec.in | 2 +- + server/upgrade/upgrade_config.py | 13 ++++++++++++- + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in +index 5dc45d2..9513a6b 100644 +--- a/contrib/sssd.spec.in ++++ b/contrib/sssd.spec.in +@@ -129,7 +129,7 @@ rm -rf $RPM_BUILD_ROOT + %attr(755,root,root) %dir %{pipepath} + %attr(700,root,root) %dir %{pipepath}/private + %attr(750,root,root) %dir %{_var}/log/%{name} +-%dir %{_sysconfdir}/sssd ++%attr(700,root,root) %dir %{_sysconfdir}/sssd + %config(noreplace) %{_sysconfdir}/sssd/sssd.conf + %{_mandir}/man5/sssd.conf.5* + %{_mandir}/man5/sssd-krb5.5* +diff --git a/server/upgrade/upgrade_config.py b/server/upgrade/upgrade_config.py +index 412fad5..87e3990 100644 +--- a/server/upgrade/upgrade_config.py ++++ b/server/upgrade/upgrade_config.py +@@ -20,6 +20,7 @@ + # You should have received a copy of the GNU General Public License + # along with this program. If not, see . 
+ ++import os + import sys + import shutil + import traceback +@@ -91,6 +92,9 @@ class SSSDConfigFile(object): + " Copy the file we operate on to a backup location " + shutil.copy(self.file_name, self.file_name+".bak") + ++ # make sure we don't leak data, force permissions on the backup ++ os.chmod(self.file_name+".bak", 0600) ++ + def _migrate_if_exists(self, to_section, to_option, from_section, from_option): + """ + Move value of parameter from one section to another, renaming the parameter +@@ -281,8 +285,12 @@ class SSSDConfigFile(object): + # Migrate domains + self._migrate_domains() + +- # all done, write the file ++ # all done, open the file for writing + of = open(out_file_name, "wb") ++ ++ # make sure it has the right permissions too ++ os.chmod(out_file_name, 0600) ++ + self._new_config.write(of) + + def parse_options(): +@@ -337,6 +345,9 @@ def main(): + print >>sys.stderr, "Can only upgrade from v1 to v2, file %s looks like version %d" % (options.filename, config.get_version()) + return 1 + ++ # make sure we keep strict settings when creating new files ++ os.umask(0077) ++ + try: + config.upgrade_v2(options.outfile, options.backup) + except Exception, e: +-- +1.6.2.5 + diff --git a/0002-Fix-infinite-loop-with-empty-group-enumeration.patch b/0002-Fix-infinite-loop-with-empty-group-enumeration.patch new file mode 100644 index 0000000..62df014 --- /dev/null +++ b/0002-Fix-infinite-loop-with-empty-group-enumeration.patch 
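Review bot: `shutil.copy` replicates the source file's mode onto the destination, so in the hunk at `@@ -91,6 +92,9 @@` the `.bak` file carries sssd.conf's original (possibly group- or world-readable) permissions for the instant before the new `os.chmod(self.file_name+".bak", 0600)` runs; `shutil.copyfile(self.file_name, self.file_name+".bak")` would instead let the `os.umask(0077)` added in `main()` govern the creation mode (assuming the backup is taken inside `upgrade_v2`, as the `options.backup` argument suggests), leaving the chmod as a backstop. The write path at `@@ -281,8 +285,12 @@` (presumably `upgrade_v2`) gets the ordering right by calling chmod before `self._new_config.write(of)`, but `of` is never closed there — an `of.close()` after the write would make the flush explicit. In the spec.in hunk the new `%attr(700,root,root)` pins the directory, while the following `%config(noreplace) %{_sysconfdir}/sssd/sssd.conf` entry still has no `%attr`, so the packaged file's mode depends on whatever %install does (not visible here); `%attr(600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf` would match the commit's stated intent. The enclosing methods and `main()` in upgrade_config.py start and end outside the hunk.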
@@ -0,0 +1,61 @@ +From 5cada7fa7f822ac064f3f5d452f7f32fc4595bd4 Mon Sep 17 00:00:00 2001 +From: Stephen Gallagher +Date: Tue, 29 Sep 2009 07:34:30 -0400 +Subject: [PATCH 2/2] Fix infinite loop with empty group enumeration + +Loop control variable was not being incremented. +I also converted a goto loop into a do...while loop to make it +easier to follow the logic. +--- + server/responder/nss/nsssrv_cmd.c | 28 +++++++++++++++------------- + 1 files changed, 15 insertions(+), 13 deletions(-) + +diff --git a/server/responder/nss/nsssrv_cmd.c b/server/responder/nss/nsssrv_cmd.c +index 8ca0be6..ebfd1d5 100644 +--- a/server/responder/nss/nsssrv_cmd.c ++++ b/server/responder/nss/nsssrv_cmd.c +@@ -2645,26 +2645,28 @@ static int nss_cmd_retgrent(struct cli_ctx *cctx, int num) + nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx); + gctx = nctx->gctx; + +-retry: +- if (gctx->cur >= gctx->num) goto none; +- +- gdom = &gctx->doms[gctx->cur]; ++ do { ++ if (gctx->cur >= gctx->num) goto none; + +- n = gdom->res->count - gdom->cur; +- if (n == 0 && (gctx->cur+1 < gctx->num)) { +- gctx->cur++; + gdom = &gctx->doms[gctx->cur]; ++ + n = gdom->res->count - gdom->cur; +- } ++ if (n == 0 && (gctx->cur+1 < gctx->num)) { ++ gctx->cur++; ++ gdom = &gctx->doms[gctx->cur]; ++ n = gdom->res->count - gdom->cur; ++ } + +- if (!n) goto none; ++ if (!n) goto none; + +- msgs = &(gdom->res->msgs[gdom->cur]); ++ msgs = &(gdom->res->msgs[gdom->cur]); + +- ret = fill_grent(cctx->creq->out, gdom->domain, nctx, true, msgs, num, &n); +- if (ret == ENOENT) goto retry; ++ ret = fill_grent(cctx->creq->out, gdom->domain, nctx, true, msgs, num, &n); ++ ++ gdom->cur += n; ++ ++ } while(ret == ENOENT); + +- gdom->cur += n; + return ret; + + none: +-- +1.6.2.5 + diff --git a/sssd.spec b/sssd.spec index 641ec6d..6d90d2b 100644 --- a/sssd.spec +++ b/sssd.spec 
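Review bot: Termination of the new `do { ... } while(ret == ENOENT);` loop rests on `fill_grent` advancing `n`: the only progress made between iterations is `gdom->cur += n`, so if `fill_grent` can return ENOENT while leaving `n` at 0 (its contract is not visible in this hunk) the same entries are retried forever, which is the symptom the patch sets out to fix. If that case is impossible, a comment above the call such as `/* fill_grent sets n to the number of entries consumed; ENOENT means they were all skipped, so advance and try the next batch */` would document the invariant the loop relies on; otherwise a defensive exit like `if (ret == ENOENT && n == 0) goto none;` after `gdom->cur += n;` would bound the loop. As a point of style, `} while(ret == ENOENT);` would read as `} while (ret == ENOENT);` to match the `if (` spacing used elsewhere in the hunk. `nss_cmd_retgrent` continues past the hunk at the `none:` label.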
@@ -15,6 +15,9 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) ### Patches ### +Patch1: 0001-Tighten-up-permission.patch +Patch2: 0002-Fix-infinite-loop-with-empty-group-enumeration.patch + ### Dependencies ### Requires: libldb >= 0.9.3 @@ -74,6 +77,9 @@ service. %prep %setup -q +%patch1 -p1 -b .tighten_permission +%patch2 -p1 -b .infinite_group_loop + %build %configure \ --without-tests \
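Review bot: Neither a `Release:` bump nor a `%changelog` entry accompanies the new `Patch1`/`Patch2` lines — the diffstat (`sssd.spec | 6 ++`, 143 insertions and no deletions) accounts for only the six added lines — so a package rebuilt with the permission fix is indistinguishable by name-version-release from the previous build. Bumping `Release:` and adding a `%changelog` entry that names both patches would keep this security-relevant change traceable in the package history. The `Release:` and `%changelog` sections are outside both hunks, so this is inferred from the diffstat rather than seen directly.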