ehlo,

review is appreciated.

LS
>From 812846b5ddd5b786a776f9813ac58b9735bba1ce Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lsleb...@redhat.com>
Date: Thu, 3 Mar 2016 13:34:26 +0100
Subject: [PATCH 1/2] GPO: Soften umask in gpo_child
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The default umask(0177) inherited from sssd_be is too strict
for gpo_child in non-root mode. mkdir creates directories with only "rw"
permission for owner.
The man 1 chmod says: "execute (or search for directories) (x)"
In other words, the execute bit is required for directories.

sh-4.3$ mkdir dir
sh-4.3$ chmod 600 dir/
sh-4.3$ mkdir dir/subdir
mkdir: cannot create directory ‘dir/subdir’: Permission denied

Resolves:
https://fedorahosted.org/sssd/ticket/2962
---
 src/providers/ad/ad_gpo_child.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/providers/ad/ad_gpo_child.c b/src/providers/ad/ad_gpo_child.c
index 1b599716487793524e35ebb1b7b7626539b18bb9..95bea0e959473acdaf01c091e61ee99bb0133f42 100644
--- a/src/providers/ad/ad_gpo_child.c
+++ b/src/providers/ad/ad_gpo_child.c
@@ -208,6 +208,7 @@ static errno_t prepare_gpo_cache(TALLOC_CTX *mem_ctx,
     char *last = NULL;
     char *smb_path_with_suffix = NULL;
     errno_t ret;
+    mode_t old_umask;
 
     smb_path_with_suffix = talloc_strdup(mem_ctx, input_smb_path_with_suffix);
     if (smb_path_with_suffix == NULL) {
@@ -229,11 +230,13 @@ static errno_t prepare_gpo_cache(TALLOC_CTX *mem_ctx,
 
     ptr = smb_path_with_suffix + 1;
 
+    old_umask = umask(SSS_DFL_X_UMASK);
     for (i = 0; i < num_dirs; i++) {
         first = ptr;
         last = strchr(first, delim);
         if (last == NULL) {
-            return EINVAL;
+            ret = EINVAL;
+            goto done;
         }
         *last = '\0';
         last++;
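Review bot: Each path component cut out in this loop (`first`, terminated by `*last = '\0'`) is later appended to `current_dir` and passed to mkdir, with no visible check that it is non-empty and is not `.` or `..`. The SMB path appears to come from GPO data handed to the child, so unless it is validated before this function (not visible in these hunks), a malformed path could place cache directories outside the intended GPO cache root. A guard right after the `strchr` check would reject such input: `if (first == last || strcmp(first, ".") == 0 || strcmp(first, "..") == 0) { ret = EINVAL; goto done; }`. The loop body continues in the following hunks.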
@@ -241,7 +244,8 @@ static errno_t prepare_gpo_cache(TALLOC_CTX *mem_ctx,
         current_dir = talloc_asprintf(mem_ctx, "%s/%s", current_dir, first);
         if (current_dir == NULL) {
             DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
-            return ENOMEM;
+            ret = ENOMEM;
+            goto done;
         }
         DEBUG(SSSDBG_TRACE_FUNC, "Storing GPOs in %s\n", current_dir);
 
@@ -249,14 +253,18 @@ static errno_t prepare_gpo_cache(TALLOC_CTX *mem_ctx,
             ret = errno;
             DEBUG(SSSDBG_CRIT_FAILURE,
                   "mkdir(%s) failed: %d\n", current_dir, ret);
-            return ret;
+            goto done;
         }
 
         ptr = last;
     }
 
-    return EOK;
+    ret = EOK;
 
+done:
+    umask(old_umask);
+
+    return ret;
 }
 
 /*
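Review bot: The umask save/restore pair that ends at `done:` with `umask(old_umask);` has no comment explaining why the process-wide mask is relaxed for the loop, or that every exit after the `umask(SSS_DFL_X_UMASK)` call must go through `done`. A short comment at the set site would help, for example `/* inherited 0177 strips the search bit that cache directories need; restored at done: */`. `SSS_DFL_X_UMASK` is defined outside this patch, so it is worth confirming that it still clears all group and other bits, since the cache is presumably meant to stay owner-only. The failure log above prints only the numeric errno; adding `strerror(ret)` would make permission failures like the one in the ticket easier to spot.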
-- 
2.7.2

>From 880cff39d978caea0add82b23075413f4b1c09d3 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lsleb...@redhat.com>
Date: Thu, 3 Mar 2016 13:34:55 +0100
Subject: [PATCH 2/2] GPO_CHILD: Create directories in gpo_cache with right
 permissions

The parent directory has to have execute bit if we want to create
subdirectories or read files there.

sh-4.3$ mkdir dir
sh-4.3$ echo "test" > dir/test_file
sh-4.3$ chmod 644 dir/
sh-4.3$ ls dir/
test_file
sh-4.3$ cat dir/test_file
cat: dir/test_file: Permission denied

It was not a problem for sssd in root mode
because root has by default the capabilities DAC_OVERRIDE and DAC_READ_SEARCH,
which bypass file read, write, and execute permission checks
and directory read and execute permission checks.

Resolves:
https://fedorahosted.org/sssd/ticket/2962
---
 src/providers/ad/ad_gpo_child.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/providers/ad/ad_gpo_child.c b/src/providers/ad/ad_gpo_child.c
index 95bea0e959473acdaf01c091e61ee99bb0133f42..5c1276b37d75fcf67899727c017f750f5eee61b9 100644
--- a/src/providers/ad/ad_gpo_child.c
+++ b/src/providers/ad/ad_gpo_child.c
@@ -249,7 +249,7 @@ static errno_t prepare_gpo_cache(TALLOC_CTX *mem_ctx,
         }
         DEBUG(SSSDBG_TRACE_FUNC, "Storing GPOs in %s\n", current_dir);
 
-        if ((mkdir(current_dir, 0644)) < 0 && errno != EEXIST) {
+        if ((mkdir(current_dir, 0700)) < 0 && errno != EEXIST) {
             ret = errno;
             DEBUG(SSSDBG_CRIT_FAILURE,
                   "mkdir(%s) failed: %d\n", current_dir, ret);
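Review bot: Directories left behind by earlier builds keep their old mode, because the `errno != EEXIST` test on the changed `mkdir(current_dir, 0700)` line accepts any existing path without inspecting it. With the previous 0644 mode and the inherited 0177 umask those directories would be 0600, so after an upgrade the next level's mkdir would likely still fail with EACCES in non-root mode. On the EEXIST path, consider checking with `lstat()` that the entry is a directory owned by the expected user, and repairing its mode with `chmod(current_dir, 0700)`. The same check would also catch a pre-existing file or symlink with that name. The `if` body continues outside this hunk.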
-- 
2.7.2
