Add two patches

1) Ensure that the configuration upgrade script always writes the config
    file with 0600 permissions
2) Eliminate an infinite loop in group enumerations
Stephen Gallagher 2009-09-29 12:19:20 +00:00
parent 7a716e3c15
commit 4c45356ecc
3 changed files with 143 additions and 0 deletions


@ -0,0 +1,76 @@
From 5ab9ed3c42781ae1911d253d56d67dc0288d55f7 Mon Sep 17 00:00:00 2001
From: Simo Sorce <ssorce@redhat.com>
Date: Mon, 28 Sep 2009 07:51:26 -0400
Subject: [PATCH 1/2] Tighten up permission.
SSSD may contain passwords and other sensitive data, make sure we always keep its
permission tight. Also make /etc/sssd permission very strict, just in case,
admins may inadvertently copy an sssd.conf file without checking it's
permissions.
---
contrib/sssd.spec.in | 2 +-
server/upgrade/upgrade_config.py | 13 ++++++++++++-
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 5dc45d2..9513a6b 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -129,7 +129,7 @@ rm -rf $RPM_BUILD_ROOT
%attr(755,root,root) %dir %{pipepath}
%attr(700,root,root) %dir %{pipepath}/private
%attr(750,root,root) %dir %{_var}/log/%{name}
-%dir %{_sysconfdir}/sssd
+%attr(700,root,root) %dir %{_sysconfdir}/sssd
%config(noreplace) %{_sysconfdir}/sssd/sssd.conf
%{_mandir}/man5/sssd.conf.5*
%{_mandir}/man5/sssd-krb5.5*
diff --git a/server/upgrade/upgrade_config.py b/server/upgrade/upgrade_config.py
index 412fad5..87e3990 100644
--- a/server/upgrade/upgrade_config.py
+++ b/server/upgrade/upgrade_config.py
@@ -20,6 +20,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+import os
import sys
import shutil
import traceback
@@ -91,6 +92,9 @@ class SSSDConfigFile(object):
" Copy the file we operate on to a backup location "
shutil.copy(self.file_name, self.file_name+".bak")
+ # make sure we don't leak data, force permissions on the backup
+ os.chmod(self.file_name+".bak", 0600)
+
def _migrate_if_exists(self, to_section, to_option, from_section, from_option):
"""
Move value of parameter from one section to another, renaming the parameter
@@ -281,8 +285,12 @@ class SSSDConfigFile(object):
# Migrate domains
self._migrate_domains()
- # all done, write the file
+ # all done, open the file for writing
of = open(out_file_name, "wb")
+
+ # make sure it has the right permissions too
+ os.chmod(out_file_name, 0600)
+
self._new_config.write(of)
def parse_options():
@@ -337,6 +345,9 @@ def main():
print >>sys.stderr, "Can only upgrade from v1 to v2, file %s looks like version %d" % (options.filename, config.get_version())
return 1
+ # make sure we keep strict settings when creating new files
+ os.umask(0077)
+
try:
config.upgrade_v2(options.outfile, options.backup)
except Exception, e:
--
1.6.2.5
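Review bot: The backup copy still has a window in which it carries the source file's mode: `shutil.copy(self.file_name, self.file_name+".bak")` in the second hunk of upgrade_config.py writes the full contents and then copies sssd.conf's permission bits onto the `.bak`, and only after that does the added `os.chmod(self.file_name+".bak", 0600)` tighten it, so the `os.umask(0077)` set in main() does not cover that moment. Using `shutil.copyfile(self.file_name, self.file_name+".bak")` copies only the data, so the new file is created under the umask and the chmod becomes a harmless second guard. The same ordering appears in the third hunk, where `of = open(out_file_name, "wb")` precedes the chmod; creating the file with its mode from the start, `of = os.fdopen(os.open(out_file_name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600), "wb")`, avoids relying on the umask being set by every caller. The method containing the backup starts outside the hunk, so whether the backup is always taken before the output file is opened cannot be confirmed here.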


@ -0,0 +1,61 @@
From 5cada7fa7f822ac064f3f5d452f7f32fc4595bd4 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 29 Sep 2009 07:34:30 -0400
Subject: [PATCH 2/2] Fix infinite loop with empty group enumeration
Loop control variable was not being incremented.
I also converted a goto loop into a do...while loop to make it
easier to follow the logic.
---
server/responder/nss/nsssrv_cmd.c | 28 +++++++++++++++-------------
1 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/server/responder/nss/nsssrv_cmd.c b/server/responder/nss/nsssrv_cmd.c
index 8ca0be6..ebfd1d5 100644
--- a/server/responder/nss/nsssrv_cmd.c
+++ b/server/responder/nss/nsssrv_cmd.c
@@ -2645,26 +2645,28 @@ static int nss_cmd_retgrent(struct cli_ctx *cctx, int num)
nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
gctx = nctx->gctx;
-retry:
- if (gctx->cur >= gctx->num) goto none;
-
- gdom = &gctx->doms[gctx->cur];
+ do {
+ if (gctx->cur >= gctx->num) goto none;
- n = gdom->res->count - gdom->cur;
- if (n == 0 && (gctx->cur+1 < gctx->num)) {
- gctx->cur++;
gdom = &gctx->doms[gctx->cur];
+
n = gdom->res->count - gdom->cur;
- }
+ if (n == 0 && (gctx->cur+1 < gctx->num)) {
+ gctx->cur++;
+ gdom = &gctx->doms[gctx->cur];
+ n = gdom->res->count - gdom->cur;
+ }
- if (!n) goto none;
+ if (!n) goto none;
- msgs = &(gdom->res->msgs[gdom->cur]);
+ msgs = &(gdom->res->msgs[gdom->cur]);
- ret = fill_grent(cctx->creq->out, gdom->domain, nctx, true, msgs, num, &n);
- if (ret == ENOENT) goto retry;
+ ret = fill_grent(cctx->creq->out, gdom->domain, nctx, true, msgs, num, &n);
+
+ gdom->cur += n;
+
+ } while(ret == ENOENT);
- gdom->cur += n;
return ret;
none:
--
1.6.2.5
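Review bot: Two consecutive domains with no results end the enumeration early instead of being skipped: inside the new do/while the `if (n == 0 && (gctx->cur+1 < gctx->num))` block advances `gctx->cur` only once, so when the next domain is also empty `n` is still 0 and `if (!n) goto none;` returns before any later domain is visited; changing that `if` to `while (n == 0 && (gctx->cur+1 < gctx->num))` skips every empty domain in turn. Separately, the loop now makes progress only through `gdom->cur += n;`, so if fill_grent can return ENOENT while leaving n at 0 (not visible from this hunk) the iteration repeats with identical state and the infinite loop this patch removes comes back; a comment such as `/* fill_grent must advance n on ENOENT, otherwise this loop cannot terminate */` above the `while(ret == ENOENT)` would at least pin that assumption. nss_cmd_retgrent continues past the hunk (the `none:` label and what follows it).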


@ -15,6 +15,9 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ### ### Patches ###
Patch1: 0001-Tighten-up-permission.patch
Patch2: 0002-Fix-infinite-loop-with-empty-group-enumeration.patch
### Dependencies ### ### Dependencies ###
Requires: libldb >= 0.9.3 Requires: libldb >= 0.9.3
@ -74,6 +77,9 @@ service.
%prep %prep
%setup -q %setup -q
%patch1 -p1 -b .tighten_permission
%patch2 -p1 -b .infinite_group_loop
%build %build
%configure \ %configure \
--without-tests \ --without-tests \