On (01/12/14 16:02), Pavel Reichl wrote:
>
>On 11/26/2014 01:36 PM, Lukas Slebodnik wrote:
>>On (25/11/14 17:31), Jakub Hrozek wrote:
>>>On Tue, Nov 25, 2014 at 04:39:02PM +0100, Lukas Slebodnik wrote:
>>>>On (25/11/14 15:52), Pavel Reichl wrote:
>>>>>On 11/25/2014 03:48 PM, Pavel Reichl wrote:
>>>>>>On 11/25/2014 03:38 PM, Lukas Slebodnik wrote:
>>>>>>>On (25/11/14 14:26), Pavel Reichl wrote:
>>>>>>>>On 11/19/2014 10:45 AM, Jakub Hrozek wrote:
>>>>>>>>
>>>>>>>>Thanks.
>>>>>>>>From 649aae0d47299229f2afe51fa27e6c315d967ae1 Mon Sep 17 00:00:00 2001
>>>>>>>>From: Pavel Reichl <prei...@redhat.com>
>>>>>>>>Date: Thu, 30 Oct 2014 10:13:54 +0000
>>>>>>>>Subject: [PATCH] BUILD: restrict perms. when installing from source
>>>>>>>>
>>>>>>>>Resolves:
>>>>>>>>https://fedorahosted.org/sssd/ticket/2467
>>>>>>>>---
>>>>>>>>Makefile.am | 3 +++
>>>>>>>>1 file changed, 3 insertions(+)
>>>>>>>>
>>>>>>>>diff --git a/Makefile.am b/Makefile.am
>>>>>>>>index
>>>>>>>>56a562c761d39ff5f54bc034ede563c40bf21ef8..21f02388efe360ecea9cdd157f91ffe172b08f91
>>>>>>>>100644
>>>>>>>>--- a/Makefile.am
>>>>>>>>+++ b/Makefile.am
>>>>>>>>@@ -2831,6 +2831,9 @@ if SSSD_USER
>>>>>>>> -chown $(SSSD_USER):$(SSSD_USER) \
>>>>>>>> $(SSSD_USER_DIRS)
>>>>>>>>endif
>>>>>>>>+ $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath)
>>>>>>>>$(DESTDIR)$(pipepath)/private
>>>>>>>>+ $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath)
>>>>>>>>$(DESTDIR)$(pubconfpath) $(DESTDIR)$(pubconfpath)/krb5.include.d
>>>>>>>>$(DESTDIR)$(gpocachepath)
>>>>>>>I would like to apologize for nitpicking, but the previous two lines are
>>>>>>>longer
>>>>>>>than 80 characters.
>>>>>>>
>>>>>>>LS
>>>>>>No need to apologize, I just hope you like the formatting of continuous
>>>>>>lines.
>>>>>>
>>>>>>
>>>>>Sorry, I used a tab instead of spaces on one of the continuous lines; updated
>>>>>patch attached.
>>>>>From 4364ca79d714105082057806f320b73ef1fc1a67 Mon Sep 17 00:00:00 2001
>>>>>From: Pavel Reichl <prei...@redhat.com>
>>>>>Date: Thu, 30 Oct 2014 10:13:54 +0000
>>>>>Subject: [PATCH] BUILD: restrict perms. when installing from source
>>>>>
>>>>>Resolves:
>>>>>https://fedorahosted.org/sssd/ticket/2467
>>>>>---
>>>>>Makefile.am | 6 ++++++
>>>>>1 file changed, 6 insertions(+)
>>>>>
>>>>>diff --git a/Makefile.am b/Makefile.am
>>>>>index
>>>>>56a562c761d39ff5f54bc034ede563c40bf21ef8..84f22fd0ce7bb59dd90609ced3c26a3b91c3c74d
>>>>> 100644
>>>>>--- a/Makefile.am
>>>>>+++ b/Makefile.am
>>>>>@@ -2831,6 +2831,12 @@ if SSSD_USER
>>>>> -chown $(SSSD_USER):$(SSSD_USER) \
>>>>> $(SSSD_USER_DIRS)
>>>>>endif
>>>>>+ $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \
>>>>>+ $(DESTDIR)$(pipepath)/private
>>>>>+ $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \
>>>>>+ $(DESTDIR)$(pubconfpath) \
>>>>>+ $(DESTDIR)$(pubconfpath)/krb5.include.d
>>>>>$(DESTDIR)$(gpocachepath)
>>>>>+ $(INSTALL) -d -m 0711 $(DESTDIR)$(sssdconfdir)
>>>>Two directories have different permissions with and without the patch.
>>>>
>>>>Before:
>>>>[root@e6078a90f933 /]# ls -ld /var/log/sssd/
>>>>drwxr-x---. 2 root root 4096 Sep 25 08:54 /var/log/sssd/
>>>I would prefer to lock down the logfiles as much as possible, even
>>>though 'others' have no access here.
>>I don't have a problem with this change.
>>
>>>>[root@e6078a90f933 /]# ls -ld /etc/sssd/
>>>>drwx------. 2 root root 4096 Sep 25 08:54 /etc/sssd/
>>>>
>>>>After:
>>>>[root@bd7fb00d6a7a /usr/local]# ls -ld ./var/log/sssd/
>>>>drwx------. 2 root root 40 Nov 25 16:15 ./var/log/sssd/
>>>>[root@bd7fb00d6a7a /usr/local]# ls -ld ./etc/sssd/
>>>>drwx--x--x. 2 root root 40 Nov 25 16:15 ./etc/sssd/
>>>>
>>>>I don't want to say it's wrong.
>>>>Could you explain it?
>>>I think I know what's going on. In the specfiles, we relaxed the
>>>/etc/sssd/ permissions so that the configAPI files are accessible to
>>>non-root.
>>>
>>Why should it be accessible to others if they cannot read it?
>>Only the owner can read/modify sssd.conf.
>Stephen's explanation:
>>The idea was that we could allow non-root users to read the API
>>configuration (*not* the sssd.conf) and be able to generate prototype
>>sssd.conf files. It still required root to be able to put the file in
>>place.
Thank you for the explanation. Makes sense.
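Review bot: the new `$(INSTALL) -d -m ...` lines sit after the `endif` of the `if SSSD_USER` block, so they run after `-chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS)`; if any of `$(dbpath)`, `$(logpath)`, `$(pipepath)/private`, `$(mcpath)` or `$(gpocachepath)` is also listed in `$(SSSD_USER_DIRS)` and is first created here, it ends up root-owned with the chown already past, so either move the `$(INSTALL) -d` lines above `if SSSD_USER` or state in the commit message that those directories are guaranteed to exist earlier in the hook. The `-m 0711` on `$(sssdconfdir)` also differs from the `drwx------` in Lukas's 'Before' listing, and the reason (non-root may read the configAPI files, never sssd.conf itself) lives only in this thread; a one-line comment above that `$(INSTALL)` line in Makefile.am would keep the rationale next to the code.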
LS
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
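As an added example (not part of the thread or of the sssd tree), a POSIX shell audit that stages the directory layout from the second patch under a scratch DESTDIR and then compares each directory's actual mode with the one the `$(INSTALL) -d -m` lines request, the same check Lukas did by hand with `ls -ld`. The concrete path values standing in for `dbpath`, `pipepath`, `mcpath`, `pubconfpath`, `gpocachepath` and `sssdconfdir` are assumptions, as is GNU `stat -c '%a'`.

```shell
#!/bin/sh
# Added example, not sssd code. The path values are assumptions standing in
# for the Makefile.am variables; only /var/log/sssd and /etc/sssd appear in
# the thread. Requires GNU stat and an install(1) that accepts -d -m.

# Expected mode per directory ("path mode" per line), mirroring the
# 0700 / 0755 / 0711 groups of the hunk.
expected_modes() {
    cat <<'EOF'
/var/lib/sss/db 700
/var/log/sssd 700
/var/lib/sss/pipes/private 700
/var/lib/sss/mc 755
/var/lib/sss/pipes 755
/var/lib/sss/pubconf 755
/var/lib/sss/pubconf/krb5.include.d 755
/var/lib/sss/gpo_cache 755
/etc/sssd 711
EOF
}

# stage_tree DESTDIR: create the directories the way the hunk does.
stage_tree() {
    while read -r path mode; do
        install -d -m "0$mode" "$1$path" || return 1
    done <<EOF
$(expected_modes)
EOF
}

# audit_tree DESTDIR: print one line per missing or wrongly-moded directory
# and return 0 only when every directory exists with the expected mode.
# A plain "mkdir -p -m" leaves a pre-existing directory's mode untouched,
# which is exactly the kind of drift this check is meant to catch.
audit_tree() {
    rc=0
    while read -r path want; do
        have=$(stat -c '%a' "$1$path" 2>/dev/null) \
            || { echo "MISSING  $path"; rc=1; continue; }
        [ "$have" = "$want" ] \
            || { echo "MISMATCH $path want=$want have=$have"; rc=1; }
    done <<EOF
$(expected_modes)
EOF
    return $rc
}
```

Run as `tmp=$(mktemp -d); stage_tree "$tmp"; audit_tree "$tmp"` to see a clean result, then loosen one directory with `chmod` and rerun to see it flagged.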