ldap/admin/src/scripts/10fixrundir.pl | 11 +++++++++++
ldap/admin/src/scripts/DSCreate.pm.in | 13 +++++++------
2 files changed, 18 insertions(+), 6 deletions(-)
New commits:
commit 5135d9a3da96d779167d7ee731d3e50890bf74ec
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Jan 25 14:52:13 2011 -0800
Bug 671199 - Don't allow other to write to rundir
The persmissions on /var/run/dirsrv currently get set to 777 by
the setup program. There were some discrepencies with the way the
changeOwnerMode subroutine is used that cause 777 to be the mode
set when we intended for it to be 770. This patch fixes up the
way changeOwnerMode is used to sllow one to reset the group
ownership without altering the permissions for other.
In addition, this patch makes an upgrade remove any permissions that
are set for other on the rundir.
diff --git a/ldap/admin/src/scripts/10fixrundir.pl
b/ldap/admin/src/scripts/10fixrundir.pl
index a1e7524..b7a395c 100644
--- a/ldap/admin/src/scripts/10fixrundir.pl
+++ b/ldap/admin/src/scripts/10fixrundir.pl
@@ -6,6 +6,7 @@ sub runinst {
my ($inf, $inst, $dseldif, $conn) = @_;
my @errs;
+ my $mode;
# see if nsslapd-rundir is defined
my $ent = $conn->search("cn=config", "base",
"(objectclass=*)");
@@ -24,5 +25,15 @@ sub runinst {
}
}
+ # ensure that other doesn't have permissions on rundir
+ $mode = (stat($inf->{slapd}->{run_dir}))[2] or return
('error_chmoding_file', $inf->{slapd}->{run_dir}, $!);
+ # mask off permissions for other
+ $mode &= 07770;
+ $! = 0; # clear errno
+ chmod $mode, $inf->{slapd}->{run_dir};
+ if ($!) {
+ return ('error_chmoding_file', $inf->{slapd}->{run_dir}, $!);
+ }
+
return ();
}
diff --git a/ldap/admin/src/scripts/DSCreate.pm.in
b/ldap/admin/src/scripts/DSCreate.pm.in
index d0dc209..bda23a5 100644
--- a/ldap/admin/src/scripts/DSCreate.pm.in
+++ b/ldap/admin/src/scripts/DSCreate.pm.in
@@ -163,6 +163,7 @@ sub changeOwnerMode {
my $mode = shift;
my $it = shift;
my $gidonly = shift;
+ my $othermode = shift;
my $uid = getpwnam $inf->{General}->{SuiteSpotUserID};
my $gid = -1; # default to leave it alone
@@ -172,7 +173,8 @@ sub changeOwnerMode {
$gid = getgrnam $inf->{General}->{SuiteSpotGroup};
}
- $mode = getMode($inf, $mode, $gidonly);
+ $mode = getMode($inf, $mode, $othermode);
+
$! = 0; # clear errno
chmod $mode, $it;
if ($!) {
@@ -238,9 +240,8 @@ sub makeDSDirs {
debug(3, "Root user " . $inf->{General}->{SuiteSpotUserID} .
" already has access to $inf->{slapd}->{run_dir} - skipping\n");
} else {
my $dir = $inf->{slapd}->{run_dir};
- # rwx by user only, or by user & group if a group is defined
- @errs = changeOwnerMode($inf, 7, $dir, 7);
- debug(3, "Changed owner of $dir to " .
$inf->{General}->{SuiteSpotUserID} . ": error @errs\n");
+ # rwx by user only, or by user & group if a group is defined. Also only
change the group ownership.
+ @errs = changeOwnerMode($inf, 7, $dir, 1);
debug(3, "\t" . `/bin/ls -ld $dir`);
}
# set the group of the parent dir of config_dir and inst_dir
@@ -248,8 +249,8 @@ sub makeDSDirs {
for my $kw (qw(inst_dir config_dir)) {
my $dir = $inf->{slapd}->{$kw};
my $parent = dirname($dir);
- # changeOwnerMode(inf, mode, file, gidonly & default mode);
- @errs = changeOwnerMode($inf, 7, $parent, 5);
+ # changeOwnerMode(inf, mode, file, gidonly, othermode);
+ @errs = changeOwnerMode($inf, 7, $parent, 1, 5);
if (@errs) {
return @errs;
}