URL: https://github.com/SSSD/sssd/pull/5437
Author: sumit-bose
Title: #5437: krb5_child: use proper umask for DIR type ccaches
Action: opened

PR body:
"""
The current umask only had files in mind and hence only allowed read and write permissions for the user. If the new directory must be created for DIR type credentials caches the 'execute' permission is needed as well so that the user can change into the directory. This patch changes the umask to allow this if a DIR type credential cache is requested.

Resolves: https://github.com/SSSD/sssd/issues/5436

:fixes: krb5_child uses proper umask for DIR type ccaches
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5437/head:pr5437
git checkout pr5437

From ba216cd11eb984e08df3387b4e2883a44a470069 Mon Sep 17 00:00:00 2001 From: Sumit Bose <[email protected]> Date: Tue, 15 Dec 2020 12:16:48 +0100 Subject: [PATCH] krb5_child: use proper umask for DIR type ccaches The current umask only had files in mind and hence only allowed read and write permissions for the user. If the new directory must be created for DIR type credentials caches the 'execute' permission is needed as well so that the user can change into the directory. This patch changes the umask to allow this if a DIR type credential cache is requested. Resolves: https://github.com/SSSD/sssd/issues/5436 :fixes: krb5_child uses proper umask for DIR type ccaches --- src/providers/krb5/krb5_child.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 6e2bf6d759..dc0096a9ce 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -972,8 +972,13 @@ static krb5_error_code create_ccache(char *ccname, krb5_creds *creds) bool switch_to_cc = false; #endif - /* Set a restrictive umask, just in case we end up creating any file */ - umask(SSS_DFL_UMASK); + /* Set a restrictive umask, just in case we end up creating any file or a + * directory */ + if (strncmp(ccname, "DIR:", 4) == 0) { + umask(SSS_DFL_X_UMASK); + } else { + umask(SSS_DFL_UMASK); + } /* we create a new context here as the main process one may have been * opened as root and contain possibly references (even open handles?)
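Review bot: In the new `if (strncmp(ccname, "DIR:", 4) == 0)` branch the relaxed mask is set for the whole process and no restore is visible in this hunk, so it also governs every file created later in create_ccache(), not only the new directory. The definition of SSS_DFL_X_UMASK is not part of this diff; please confirm that it differs from SSS_DFL_UMASK only by leaving the owner's execute (search) bit unmasked and that all group and other bits stay masked, and state that in the comment, which still describes both cases as "a restrictive umask". Separately, ccname is passed to strncmp() without a NULL check visible in the hunk; if callers do not guarantee a non-NULL name, check it before the comparison. As a style point, the literal 4 could be written as `sizeof("DIR:") - 1` so the prefix and its length cannot drift apart.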
