On (30/10/14 11:25), Pavel Reichl wrote:
Hello,
please see attached patch.
Thanks!
From 6d364e9468ea5c3ad0913853e1fb62112441e6a2 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Thu, 30 Oct 2014 10:13:54 +0000 Subject: [PATCH] BUILD: restrict perms. when installing from source
Resolves: https://fedorahosted.org/sssd/ticket/2467
Makefile.am | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 61bf5cf957d4024b67f48cf42f5735b5fa368945..f273d881699002ba6698e3de787648f9bd1cf68d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2759,16 +2759,15 @@ installsssddirs::
 $(DESTDIR)$(sudolibdir) \
 $(DESTDIR)$(autofslibdir) \
 $(NULL); \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) \
- $(DESTDIR)$(dbpath) \
- $(DESTDIR)$(mcpath) \
- $(DESTDIR)$(pipepath) \
- $(DESTDIR)$(pipepath)/private \
- $(DESTDIR)$(pubconfpath) \
- $(DESTDIR)$(pubconfpath)/krb5.include.d \
- $(DESTDIR)$(gpocachepath) \
- $(DESTDIR)$(sssdconfdir) \
- $(DESTDIR)$(logpath) \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0700 $(DESTDIR)$(dbpath); \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0755 $(DESTDIR)$(mcpath); \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0755 $(DESTDIR)$(pipepath); \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0700 $(DESTDIR)$(pipepath)/private; \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0755 $(DESTDIR)$(pubconfpath); \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0755 $(DESTDIR)$(pubconfpath)/krb5.include.d; \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0755 $(DESTDIR)$(gpocachepath); \
^^ horizontal tab is used instead of spaces. We have a convention that just first command in series ("com1; com2; ..."). I would prefer to remove wrapping of new line at the end.
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0600 $(DESTDIR)$(sssdconfdir); \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0600 $(DESTDIR)$(logpath) \
^^^^ Why sssd user cannot change dir to $(logpath)? It would be difficult to analyze log files from parent directory.
LS
On Wed, Nov 19, 2014 at 10:37:25AM +0100, Lukas Slebodnik wrote:
On (30/10/14 11:25), Pavel Reichl wrote:
Hello,
please see attached patch.
Thanks!
From 6d364e9468ea5c3ad0913853e1fb62112441e6a2 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Thu, 30 Oct 2014 10:13:54 +0000 Subject: [PATCH] BUILD: restrict perms. when installing from source
Resolves: https://fedorahosted.org/sssd/ticket/2467
Makefile.am | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 61bf5cf957d4024b67f48cf42f5735b5fa368945..f273d881699002ba6698e3de787648f9bd1cf68d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2759,16 +2759,15 @@ installsssddirs::
 $(DESTDIR)$(sudolibdir) \
 $(DESTDIR)$(autofslibdir) \
 $(NULL); \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) \
- $(DESTDIR)$(dbpath) \
- $(DESTDIR)$(mcpath) \
- $(DESTDIR)$(pipepath) \
- $(DESTDIR)$(pipepath)/private \
- $(DESTDIR)$(pubconfpath) \
- $(DESTDIR)$(pubconfpath)/krb5.include.d \
- $(DESTDIR)$(gpocachepath) \
- $(DESTDIR)$(sssdconfdir) \
- $(DESTDIR)$(logpath) \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0700 $(DESTDIR)$(dbpath); \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0755 $(DESTDIR)$(mcpath); \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0755 $(DESTDIR)$(pipepath); \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0700 $(DESTDIR)$(pipepath)/private; \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0755 $(DESTDIR)$(pubconfpath); \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0755 $(DESTDIR)$(pubconfpath)/krb5.include.d; \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0755 $(DESTDIR)$(gpocachepath); \
^^ horizontal tab is used instead of spaces. We have a convetion that just first command in series ("com1; com2; ..."). I would prefer to remove wrapping of new line at the end.
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0600 $(DESTDIR)$(sssdconfdir); \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0600 $(DESTDIR)$(logpath) \
^^^^ Why sssd user cannot change dir to $(logpath)? It would be difficult to analyze log files from parent directory.
LS
btw after the recent changes to the build system I don't think this patch applies anymore.
On 11/19/2014 10:45 AM, Jakub Hrozek wrote:
On Wed, Nov 19, 2014 at 10:37:25AM +0100, Lukas Slebodnik wrote:
On (30/10/14 11:25), Pavel Reichl wrote:
Hello,
please see attached patch.
Thanks! From 6d364e9468ea5c3ad0913853e1fb62112441e6a2 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Thu, 30 Oct 2014 10:13:54 +0000 Subject: [PATCH] BUILD: restrict perms. when installing from source
Resolves: https://fedorahosted.org/sssd/ticket/2467
Makefile.am | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 61bf5cf957d4024b67f48cf42f5735b5fa368945..f273d881699002ba6698e3de787648f9bd1cf68d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2759,16 +2759,15 @@ installsssddirs::
 $(DESTDIR)$(sudolibdir) \
 $(DESTDIR)$(autofslibdir) \
 $(NULL); \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) \
- $(DESTDIR)$(dbpath) \
- $(DESTDIR)$(mcpath) \
- $(DESTDIR)$(pipepath) \
- $(DESTDIR)$(pipepath)/private \
- $(DESTDIR)$(pubconfpath) \
- $(DESTDIR)$(pubconfpath)/krb5.include.d \
- $(DESTDIR)$(gpocachepath) \
- $(DESTDIR)$(sssdconfdir) \
- $(DESTDIR)$(logpath) \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0700 $(DESTDIR)$(dbpath); \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0755 $(DESTDIR)$(mcpath); \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0755 $(DESTDIR)$(pipepath); \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0700 $(DESTDIR)$(pipepath)/private; \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0755 $(DESTDIR)$(pubconfpath); \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0755 $(DESTDIR)$(pubconfpath)/krb5.include.d; \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0755 $(DESTDIR)$(gpocachepath); \
^^ horizontal tab is used instead of spaces. We have a convetion that just first command in series ("com1; com2; ..."). I would prefer to remove wrapping of new line at the end.
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0600 $(DESTDIR)$(sssdconfdir); \
- $(INSTALL) $(INSTALL_USER_DIR_FLAGS) -m 0600 $(DESTDIR)$(logpath) \
^^^^ Why sssd user cannot change dir to $(logpath)? It would be difficult to analyze log files from parent directory.
LS
btw after the recent changes to build system I don't thik this patch applies anymore.
Hello, please see updated patch.
Thanks.
On (25/11/14 14:26), Pavel Reichl wrote:
On 11/19/2014 10:45 AM, Jakub Hrozek wrote:
Thanks.
From 649aae0d47299229f2afe51fa27e6c315d967ae1 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Thu, 30 Oct 2014 10:13:54 +0000 Subject: [PATCH] BUILD: restrict perms. when installing from source
Resolves: https://fedorahosted.org/sssd/ticket/2467
Makefile.am | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 56a562c761d39ff5f54bc034ede563c40bf21ef8..21f02388efe360ecea9cdd157f91ffe172b08f91 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2831,6 +2831,9 @@ if SSSD_USER
 -chown $(SSSD_USER):$(SSSD_USER) \
 $(SSSD_USER_DIRS)
 endif
- $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) $(DESTDIR)$(pipepath)/private
- $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) $(DESTDIR)$(pubconfpath) $(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
I would like to apologize for nitpicking but previous two lines are longer than 80 characters.
LS
On 11/25/2014 03:38 PM, Lukas Slebodnik wrote:
On (25/11/14 14:26), Pavel Reichl wrote:
On 11/19/2014 10:45 AM, Jakub Hrozek wrote:
Thanks. From 649aae0d47299229f2afe51fa27e6c315d967ae1 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Thu, 30 Oct 2014 10:13:54 +0000 Subject: [PATCH] BUILD: restrict perms. when installing from source
Resolves: https://fedorahosted.org/sssd/ticket/2467
Makefile.am | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 56a562c761d39ff5f54bc034ede563c40bf21ef8..21f02388efe360ecea9cdd157f91ffe172b08f91 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2831,6 +2831,9 @@ if SSSD_USER
 -chown $(SSSD_USER):$(SSSD_USER) \
 $(SSSD_USER_DIRS)
 endif
- $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) $(DESTDIR)$(pipepath)/private
- $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) $(DESTDIR)$(pubconfpath) $(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
I would like to apologize for nitpicking but previous two lines are longer than 80 characters.
LS
No need to apologize, I just hope you like the formatting of the continuation lines.
On 11/25/2014 03:48 PM, Pavel Reichl wrote:
On 11/25/2014 03:38 PM, Lukas Slebodnik wrote:
On (25/11/14 14:26), Pavel Reichl wrote:
On 11/19/2014 10:45 AM, Jakub Hrozek wrote:
Thanks. From 649aae0d47299229f2afe51fa27e6c315d967ae1 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Thu, 30 Oct 2014 10:13:54 +0000 Subject: [PATCH] BUILD: restrict perms. when installing from source
Resolves: https://fedorahosted.org/sssd/ticket/2467
Makefile.am | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 56a562c761d39ff5f54bc034ede563c40bf21ef8..21f02388efe360ecea9cdd157f91ffe172b08f91 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2831,6 +2831,9 @@ if SSSD_USER
 -chown $(SSSD_USER):$(SSSD_USER) \
 $(SSSD_USER_DIRS)
 endif
- $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath)
$(DESTDIR)$(pipepath)/private
- $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath)
$(DESTDIR)$(pubconfpath) $(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
I would like to apologize for nitpicking but previous two lines are longer than 80 characters.
LS
No need to apologize, I just hope you like the formatting of continuous lines.
Sorry, I used a tab instead of spaces on one of the continuation lines; updated patch attached.
On (25/11/14 15:52), Pavel Reichl wrote:
On 11/25/2014 03:48 PM, Pavel Reichl wrote:
On 11/25/2014 03:38 PM, Lukas Slebodnik wrote:
On (25/11/14 14:26), Pavel Reichl wrote:
On 11/19/2014 10:45 AM, Jakub Hrozek wrote:
Thanks. From 649aae0d47299229f2afe51fa27e6c315d967ae1 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Thu, 30 Oct 2014 10:13:54 +0000 Subject: [PATCH] BUILD: restrict perms. when installing from source
Resolves: https://fedorahosted.org/sssd/ticket/2467
Makefile.am | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 56a562c761d39ff5f54bc034ede563c40bf21ef8..21f02388efe360ecea9cdd157f91ffe172b08f91 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2831,6 +2831,9 @@ if SSSD_USER
 -chown $(SSSD_USER):$(SSSD_USER) \
 $(SSSD_USER_DIRS)
 endif
- $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath)
$(DESTDIR)$(pipepath)/private
- $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath)
$(DESTDIR)$(pubconfpath) $(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
I would like to apologize for nitpicking but previous two lines are longer than 80 characters.
LS
No need to apologize, I just hope you like the formatting of continuous lines.
Sorry, I used tab instead of spaces on one of the continuous lines, updated patch attached.
From 4364ca79d714105082057806f320b73ef1fc1a67 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Thu, 30 Oct 2014 10:13:54 +0000 Subject: [PATCH] BUILD: restrict perms. when installing from source
Resolves: https://fedorahosted.org/sssd/ticket/2467
Makefile.am | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 56a562c761d39ff5f54bc034ede563c40bf21ef8..84f22fd0ce7bb59dd90609ced3c26a3b91c3c74d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2831,6 +2831,12 @@ if SSSD_USER
 -chown $(SSSD_USER):$(SSSD_USER) \
 $(SSSD_USER_DIRS)
 endif
- $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \
$(DESTDIR)$(pipepath)/private
- $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \
$(DESTDIR)$(pubconfpath) \
$(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
- $(INSTALL) -d -m 0711 $(DESTDIR)$(sssdconfdir)
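Review bot: The `-chown $(SSSD_USER):$(SSSD_USER)` in the context just above ignores failure, and the added `-m 0700` on `$(dbpath)`, `$(logpath)` and `$(pipepath)/private` makes that matter: if the chown did not take effect, those directories stay owned by the installing user and a service running as `$(SSSD_USER)` cannot enter them, with no error in the install output. Whether `$(SSSD_USER_DIRS)` covers all three directories is not visible in this hunk, so it is worth checking against its definition. A comment above the new lines would record the dependency, for example `# 0700 dirs below must be owned by $(SSSD_USER) when it is set; see the chown above`. The enclosing install rule starts and ends outside the hunk.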
Two directories have different permissions with and without the patch.
Before: [root@e6078a90f933 /]# ls -ld /var/log/sssd/ drwxr-x---. 2 root root 4096 Sep 25 08:54 /var/log/sssd/
[root@e6078a90f933 /]# ls -ld /etc/sssd/ drwx------. 2 root root 4096 Sep 25 08:54 /etc/sssd/
After: [root@bd7fb00d6a7a /usr/local]# ls -ld ./var/log/sssd/ drwx------. 2 root root 40 Nov 25 16:15 ./var/log/sssd/ [root@bd7fb00d6a7a /usr/local]# ls -ld ./etc/sssd/ drwx--x--x. 2 root root 40 Nov 25 16:15 ./etc/sssd/
I don't want to say it's wrong. Could you explain it?
LS
On Tue, Nov 25, 2014 at 04:39:02PM +0100, Lukas Slebodnik wrote:
On (25/11/14 15:52), Pavel Reichl wrote:
On 11/25/2014 03:48 PM, Pavel Reichl wrote:
On 11/25/2014 03:38 PM, Lukas Slebodnik wrote:
On (25/11/14 14:26), Pavel Reichl wrote:
On 11/19/2014 10:45 AM, Jakub Hrozek wrote:
Thanks. From 649aae0d47299229f2afe51fa27e6c315d967ae1 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Thu, 30 Oct 2014 10:13:54 +0000 Subject: [PATCH] BUILD: restrict perms. when installing from source
Resolves: https://fedorahosted.org/sssd/ticket/2467
Makefile.am | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 56a562c761d39ff5f54bc034ede563c40bf21ef8..21f02388efe360ecea9cdd157f91ffe172b08f91 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2831,6 +2831,9 @@ if SSSD_USER
 -chown $(SSSD_USER):$(SSSD_USER) \
 $(SSSD_USER_DIRS)
 endif
- $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath)
$(DESTDIR)$(pipepath)/private
- $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath)
$(DESTDIR)$(pubconfpath) $(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
I would like to apologize for nitpicking but previous two lines are longer than 80 characters.
LS
No need to apologize, I just hope you like the formatting of continuous lines.
Sorry, I used tab instead of spaces on one of the continuous lines, updated patch attached.
From 4364ca79d714105082057806f320b73ef1fc1a67 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Thu, 30 Oct 2014 10:13:54 +0000 Subject: [PATCH] BUILD: restrict perms. when installing from source
Resolves: https://fedorahosted.org/sssd/ticket/2467
Makefile.am | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 56a562c761d39ff5f54bc034ede563c40bf21ef8..84f22fd0ce7bb59dd90609ced3c26a3b91c3c74d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2831,6 +2831,12 @@ if SSSD_USER
 -chown $(SSSD_USER):$(SSSD_USER) \
 $(SSSD_USER_DIRS)
 endif
- $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \
$(DESTDIR)$(pipepath)/private
- $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \
$(DESTDIR)$(pubconfpath) \
$(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
- $(INSTALL) -d -m 0711 $(DESTDIR)$(sssdconfdir)
Two directories has different permissions with and without patch.
Before: [root@e6078a90f933 /]# ls -ld /var/log/sssd/ drwxr-x---. 2 root root 4096 Sep 25 08:54 /var/log/sssd/
I would prefer to lock down the logfiles as much as possible, even though 'others' have no access here.
[root@e6078a90f933 /]# ls -ld /etc/sssd/ drwx------. 2 root root 4096 Sep 25 08:54 /etc/sssd/
After: [root@bd7fb00d6a7a /usr/local]# ls -ld ./var/log/sssd/ drwx------. 2 root root 40 Nov 25 16:15 ./var/log/sssd/ [root@bd7fb00d6a7a /usr/local]# ls -ld ./etc/sssd/ drwx--x--x. 2 root root 40 Nov 25 16:15 ./etc/sssd/
I don't want to say it's wrong Could you explain it?
I think I know what's going on. In the specfiles, we relaxed the /etc/sssd/ permissions so that the configAPI files are accessible for non-root.
Check out the permissions in Fedora and RHEL, I would expect them to be 711 as well.
On (25/11/14 17:31), Jakub Hrozek wrote:
On Tue, Nov 25, 2014 at 04:39:02PM +0100, Lukas Slebodnik wrote:
On (25/11/14 15:52), Pavel Reichl wrote:
On 11/25/2014 03:48 PM, Pavel Reichl wrote:
On 11/25/2014 03:38 PM, Lukas Slebodnik wrote:
On (25/11/14 14:26), Pavel Reichl wrote:
On 11/19/2014 10:45 AM, Jakub Hrozek wrote:
Thanks. From 649aae0d47299229f2afe51fa27e6c315d967ae1 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Thu, 30 Oct 2014 10:13:54 +0000 Subject: [PATCH] BUILD: restrict perms. when installing from source
Resolves: https://fedorahosted.org/sssd/ticket/2467
Makefile.am | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 56a562c761d39ff5f54bc034ede563c40bf21ef8..21f02388efe360ecea9cdd157f91ffe172b08f91 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2831,6 +2831,9 @@ if SSSD_USER
 -chown $(SSSD_USER):$(SSSD_USER) \
 $(SSSD_USER_DIRS)
 endif
- $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath)
$(DESTDIR)$(pipepath)/private
- $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath)
$(DESTDIR)$(pubconfpath) $(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
I would like to apologize for nitpicking but previous two lines are longer than 80 characters.
LS
No need to apologize, I just hope you like the formatting of continuous lines.
Sorry, I used tab instead of spaces on one of the continuous lines, updated patch attached.
From 4364ca79d714105082057806f320b73ef1fc1a67 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Thu, 30 Oct 2014 10:13:54 +0000 Subject: [PATCH] BUILD: restrict perms. when installing from source
Resolves: https://fedorahosted.org/sssd/ticket/2467
Makefile.am | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 56a562c761d39ff5f54bc034ede563c40bf21ef8..84f22fd0ce7bb59dd90609ced3c26a3b91c3c74d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2831,6 +2831,12 @@ if SSSD_USER
 -chown $(SSSD_USER):$(SSSD_USER) \
 $(SSSD_USER_DIRS)
 endif
- $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \
$(DESTDIR)$(pipepath)/private
- $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \
$(DESTDIR)$(pubconfpath) \
$(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
- $(INSTALL) -d -m 0711 $(DESTDIR)$(sssdconfdir)
Two directories has different permissions with and without patch.
Before: [root@e6078a90f933 /]# ls -ld /var/log/sssd/ drwxr-x---. 2 root root 4096 Sep 25 08:54 /var/log/sssd/
I would prefer to lock down the logfiles as much as possible, even though 'others' have no access here.
I don't have problem with this change.
[root@e6078a90f933 /]# ls -ld /etc/sssd/ drwx------. 2 root root 4096 Sep 25 08:54 /etc/sssd/
After: [root@bd7fb00d6a7a /usr/local]# ls -ld ./var/log/sssd/ drwx------. 2 root root 40 Nov 25 16:15 ./var/log/sssd/ [root@bd7fb00d6a7a /usr/local]# ls -ld ./etc/sssd/ drwx--x--x. 2 root root 40 Nov 25 16:15 ./etc/sssd/
I don't want to say it's wrong Could you explain it?
I think I know what's going on. In the specfiles, we relaxed the /etc/sssd/ permissions so that the configAPI files are accessible for non-root.
Why should it be accessible to others if they cannot read it? Only the owner can read/modify sssd.conf.
Check out the permissions in Fedora in RHEL, I would expect them to be 711 as well.
centos 6.6: bash-4.1# ls -ld /etc/sssd/ drwx------. 2 root root 4096 Oct 16 14:31 /etc/sssd/
centos 7.0: bash-4.2# ls -ld /etc/sssd/ drwx------. 2 root root 4096 Nov 6 14:09 /etc/sssd/
fedora 19: sh-4.2# ls -ld /etc/sssd drwx------. 2 root root 4096 Apr 11 2014 /etc/sssd
fedora 20: sh-4.2# ls -ld /etc/sssd drwx------. 2 root root 4096 Sep 25 08:54 /etc/sssd
fedora 21: sh-4.3# ls -ld /etc/sssd drwx------. 2 root root 4096 Oct 22 11:26 /etc/sssd
LS
On 11/26/2014 01:36 PM, Lukas Slebodnik wrote:
On (25/11/14 17:31), Jakub Hrozek wrote:
On Tue, Nov 25, 2014 at 04:39:02PM +0100, Lukas Slebodnik wrote:
On (25/11/14 15:52), Pavel Reichl wrote:
On 11/25/2014 03:48 PM, Pavel Reichl wrote:
On 11/25/2014 03:38 PM, Lukas Slebodnik wrote:
On (25/11/14 14:26), Pavel Reichl wrote: > On 11/19/2014 10:45 AM, Jakub Hrozek wrote: > > Thanks. >From 649aae0d47299229f2afe51fa27e6c315d967ae1 Mon Sep 17 00:00:00 2001 > From: Pavel Reichl preichl@redhat.com > Date: Thu, 30 Oct 2014 10:13:54 +0000 > Subject: [PATCH] BUILD: restrict perms. when installing from source > > Resolves: > https://fedorahosted.org/sssd/ticket/2467 > --- > Makefile.am | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/Makefile.am b/Makefile.am > index 56a562c761d39ff5f54bc034ede563c40bf21ef8..21f02388efe360ecea9cdd157f91ffe172b08f91 > 100644 > --- a/Makefile.am > +++ b/Makefile.am > @@ -2831,6 +2831,9 @@ if SSSD_USER > -chown $(SSSD_USER):$(SSSD_USER) \ > $(SSSD_USER_DIRS) > endif > + $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) > $(DESTDIR)$(pipepath)/private > + $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) > $(DESTDIR)$(pubconfpath) $(DESTDIR)$(pubconfpath)/krb5.include.d > $(DESTDIR)$(gpocachepath) I would like to apologize for nitpicking but previous two lines are longer than 80 characters.
LS
No need to apologize, I just hope you like the formatting of continuous lines.
Sorry, I used tab instead of spaces on one of the continuous lines, updated patch attached. From 4364ca79d714105082057806f320b73ef1fc1a67 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Thu, 30 Oct 2014 10:13:54 +0000 Subject: [PATCH] BUILD: restrict perms. when installing from source
Resolves: https://fedorahosted.org/sssd/ticket/2467
Makefile.am | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 56a562c761d39ff5f54bc034ede563c40bf21ef8..84f22fd0ce7bb59dd90609ced3c26a3b91c3c74d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2831,6 +2831,12 @@ if SSSD_USER
 -chown $(SSSD_USER):$(SSSD_USER) \
 $(SSSD_USER_DIRS)
 endif
- $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \
$(DESTDIR)$(pipepath)/private
- $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \
$(DESTDIR)$(pubconfpath) \
$(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
- $(INSTALL) -d -m 0711 $(DESTDIR)$(sssdconfdir)
Two directories has different permissions with and without patch.
Before: [root@e6078a90f933 /]# ls -ld /var/log/sssd/ drwxr-x---. 2 root root 4096 Sep 25 08:54 /var/log/sssd/
I would prefer to lock down the logfiles as much as possible, even though 'others' have no access here.
I don't have problem with this change.
[root@e6078a90f933 /]# ls -ld /etc/sssd/ drwx------. 2 root root 4096 Sep 25 08:54 /etc/sssd/
After: [root@bd7fb00d6a7a /usr/local]# ls -ld ./var/log/sssd/ drwx------. 2 root root 40 Nov 25 16:15 ./var/log/sssd/ [root@bd7fb00d6a7a /usr/local]# ls -ld ./etc/sssd/ drwx--x--x. 2 root root 40 Nov 25 16:15 ./etc/sssd/
I don't want to say it's wrong Could you explain it?
I think I know what's going on. In the specfiles, we relaxed the /etc/sssd/ permissions so that the configAPI files are accessible for non-root.
Why it should be accessible for other if they cannot read it? only owner can read/modify sssd.conf
Stephen's explanation:
The idea was that we could allow non-root users to read the API configuration (*not* the sssd.conf) and be able to generate prototype sssd.conf files. It still required root to be able to put the file in place.
Check out the permissions in Fedora in RHEL, I would expect them to be 711 as well.
centos 6.6: bash-4.1# ls -ld /etc/sssd/ drwx------. 2 root root 4096 Oct 16 14:31 /etc/sssd/
centos 7.0: bash-4.2# ls -ld /etc/sssd/ drwx------. 2 root root 4096 Nov 6 14:09 /etc/sssd/
fedora 19: sh-4.2# ls -ld /etc/sssd drwx------. 2 root root 4096 Apr 11 2014 /etc/sssd
fedora 20: sh-4.2# ls -ld /etc/sssd drwx------. 2 root root 4096 Sep 25 08:54 /etc/sssd
fedora 21: sh-4.3# ls -ld /etc/sssd drwx------. 2 root root 4096 Oct 22 11:26 /etc/sssd
LS
On (01/12/14 16:02), Pavel Reichl wrote:
On 11/26/2014 01:36 PM, Lukas Slebodnik wrote:
On (25/11/14 17:31), Jakub Hrozek wrote:
On Tue, Nov 25, 2014 at 04:39:02PM +0100, Lukas Slebodnik wrote:
On (25/11/14 15:52), Pavel Reichl wrote:
On 11/25/2014 03:48 PM, Pavel Reichl wrote:
On 11/25/2014 03:38 PM, Lukas Slebodnik wrote: >On (25/11/14 14:26), Pavel Reichl wrote: >>On 11/19/2014 10:45 AM, Jakub Hrozek wrote: >> >>Thanks. >>From 649aae0d47299229f2afe51fa27e6c315d967ae1 Mon Sep 17 00:00:00 2001 >>From: Pavel Reichl preichl@redhat.com >>Date: Thu, 30 Oct 2014 10:13:54 +0000 >>Subject: [PATCH] BUILD: restrict perms. when installing from source >> >>Resolves: >>https://fedorahosted.org/sssd/ticket/2467 >>--- >>Makefile.am | 3 +++ >>1 file changed, 3 insertions(+) >> >>diff --git a/Makefile.am b/Makefile.am >>index 56a562c761d39ff5f54bc034ede563c40bf21ef8..21f02388efe360ecea9cdd157f91ffe172b08f91 >>100644 >>--- a/Makefile.am >>+++ b/Makefile.am >>@@ -2831,6 +2831,9 @@ if SSSD_USER >> -chown $(SSSD_USER):$(SSSD_USER) \ >> $(SSSD_USER_DIRS) >>endif >>+ $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) >>$(DESTDIR)$(pipepath)/private >>+ $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) >>$(DESTDIR)$(pubconfpath) $(DESTDIR)$(pubconfpath)/krb5.include.d >>$(DESTDIR)$(gpocachepath) >I would like to apologize for nitpicking but previous two lines are >longer >than 80 characters. > >LS No need to apologize, I just hope you like the formatting of continuous lines.
Sorry, I used tab instead of spaces on one of the continuous lines, updated patch attached. From 4364ca79d714105082057806f320b73ef1fc1a67 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Thu, 30 Oct 2014 10:13:54 +0000 Subject: [PATCH] BUILD: restrict perms. when installing from source
Resolves: https://fedorahosted.org/sssd/ticket/2467
Makefile.am | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 56a562c761d39ff5f54bc034ede563c40bf21ef8..84f22fd0ce7bb59dd90609ced3c26a3b91c3c74d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2831,6 +2831,12 @@ if SSSD_USER
 -chown $(SSSD_USER):$(SSSD_USER) \
 $(SSSD_USER_DIRS)
 endif
- $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \
$(DESTDIR)$(pipepath)/private
- $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \
$(DESTDIR)$(pubconfpath) \
$(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
- $(INSTALL) -d -m 0711 $(DESTDIR)$(sssdconfdir)
Two directories has different permissions with and without patch.
Before: [root@e6078a90f933 /]# ls -ld /var/log/sssd/ drwxr-x---. 2 root root 4096 Sep 25 08:54 /var/log/sssd/
I would prefer to lock down the logfiles as much as possible, even though 'others' have no access here.
I don't have problem with this change.
[root@e6078a90f933 /]# ls -ld /etc/sssd/ drwx------. 2 root root 4096 Sep 25 08:54 /etc/sssd/
After: [root@bd7fb00d6a7a /usr/local]# ls -ld ./var/log/sssd/ drwx------. 2 root root 40 Nov 25 16:15 ./var/log/sssd/ [root@bd7fb00d6a7a /usr/local]# ls -ld ./etc/sssd/ drwx--x--x. 2 root root 40 Nov 25 16:15 ./etc/sssd/
I don't want to say it's wrong Could you explain it?
I think I know what's going on. In the specfiles, we relaxed the /etc/sssd/ permissions so that the configAPI files are accessible for non-root.
Why it should be accessible for other if they cannot read it? only owner can read/modify sssd.conf
Stephen's explanation:
The idea was that we could allow non-root users to read the API configuration (*not* the sssd.conf) and be able to generate prototype sssd.conf files. It still required root to be able to put the file in place.
Thank you for the explanation. Makes sense.
LS
On (25/11/14 15:52), Pavel Reichl wrote:
On 11/25/2014 03:48 PM, Pavel Reichl wrote:
On 11/25/2014 03:38 PM, Lukas Slebodnik wrote:
On (25/11/14 14:26), Pavel Reichl wrote:
On 11/19/2014 10:45 AM, Jakub Hrozek wrote:
Thanks. From 649aae0d47299229f2afe51fa27e6c315d967ae1 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Thu, 30 Oct 2014 10:13:54 +0000 Subject: [PATCH] BUILD: restrict perms. when installing from source
Resolves: https://fedorahosted.org/sssd/ticket/2467
Makefile.am | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 56a562c761d39ff5f54bc034ede563c40bf21ef8..21f02388efe360ecea9cdd157f91ffe172b08f91 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2831,6 +2831,9 @@ if SSSD_USER
 -chown $(SSSD_USER):$(SSSD_USER) \
 $(SSSD_USER_DIRS)
 endif
- $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath)
$(DESTDIR)$(pipepath)/private
- $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath)
$(DESTDIR)$(pubconfpath) $(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
I would like to apologize for nitpicking but previous two lines are longer than 80 characters.
LS
No need to apologize, I just hope you like the formatting of continuous lines.
Sorry, I used tab instead of spaces on one of the continuous lines, updated patch attached.
From 4364ca79d714105082057806f320b73ef1fc1a67 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Thu, 30 Oct 2014 10:13:54 +0000 Subject: [PATCH] BUILD: restrict perms. when installing from source
Resolves: https://fedorahosted.org/sssd/ticket/2467
Makefile.am | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 56a562c761d39ff5f54bc034ede563c40bf21ef8..84f22fd0ce7bb59dd90609ced3c26a3b91c3c74d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2831,6 +2831,12 @@ if SSSD_USER
 -chown $(SSSD_USER):$(SSSD_USER) \
 $(SSSD_USER_DIRS)
 endif
- $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \
$(DESTDIR)$(pipepath)/private
- $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \
$(DESTDIR)$(pubconfpath) \
$(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
- $(INSTALL) -d -m 0711 $(DESTDIR)$(sssdconfdir)
if HAVE_DOXYGEN docs:
http://sssd-ci.idm.lab.eng.brq.redhat.com:8080/job/ci/438/
ACK
LS
On Tue, Dec 02, 2014 at 02:14:58PM +0100, Lukas Slebodnik wrote:
http://sssd-ci.idm.lab.eng.brq.redhat.com:8080/job/ci/438/
ACK
LS
* master: eba68b29d934e6ba3879947ab002f1b0a2c24496