From 5ab9ed3c42781ae1911d253d56d67dc0288d55f7 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 28 Sep 2009 07:51:26 -0400 Subject: [PATCH 1/2] Tighten up permission. SSSD may contain passwords and other sensitive data, make sure we always keep its permission tight. Also make /etc/sssd permission very strict, just in case, admins may inadvertently copy an sssd.conf file without checking it's permissions. --- contrib/sssd.spec.in | 2 +- server/upgrade/upgrade_config.py | 13 ++++++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 5dc45d2..9513a6b 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -129,7 +129,7 @@ rm -rf $RPM_BUILD_ROOT %attr(755,root,root) %dir %{pipepath} %attr(700,root,root) %dir %{pipepath}/private %attr(750,root,root) %dir %{_var}/log/%{name} -%dir %{_sysconfdir}/sssd +%attr(700,root,root) %dir %{_sysconfdir}/sssd %config(noreplace) %{_sysconfdir}/sssd/sssd.conf %{_mandir}/man5/sssd.conf.5* %{_mandir}/man5/sssd-krb5.5* diff --git a/server/upgrade/upgrade_config.py b/server/upgrade/upgrade_config.py index 412fad5..87e3990 100644 --- a/server/upgrade/upgrade_config.py +++ b/server/upgrade/upgrade_config.py @@ -20,6 +20,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +import os import sys import shutil import traceback @@ -91,6 +92,9 @@ class SSSDConfigFile(object): " Copy the file we operate on to a backup location " shutil.copy(self.file_name, self.file_name+".bak") + # make sure we don't leak data, force permissions on the backup + os.chmod(self.file_name+".bak", 0600) + def _migrate_if_exists(self, to_section, to_option, from_section, from_option): """ Move value of parameter from one section to another, renaming the parameter @@ -281,8 +285,12 @@ class SSSDConfigFile(object): # Migrate domains self._migrate_domains() - # all done, write the file + # all done, open the file for writing of = open(out_file_name, "wb") + + # make sure it has the right permissions too + os.chmod(out_file_name, 0600) + self._new_config.write(of) def parse_options(): @@ -337,6 +345,9 @@ def main(): print >>sys.stderr, "Can only upgrade from v1 to v2, file %s looks like version %d" % (options.filename, config.get_version()) return 1 + # make sure we keep strict settings when creating new files + os.umask(0077) + try: config.upgrade_v2(options.outfile, options.backup) except Exception, e: -- 1.6.2.5