On (25/11/14 17:31), Jakub Hrozek wrote:
On Tue, Nov 25, 2014 at 04:39:02PM +0100, Lukas Slebodnik wrote:
> On (25/11/14 15:52), Pavel Reichl wrote:
> >
> >On 11/25/2014 03:48 PM, Pavel Reichl wrote:
> >>
> >>On 11/25/2014 03:38 PM, Lukas Slebodnik wrote:
> >>>On (25/11/14 14:26), Pavel Reichl wrote:
> >>>>On 11/19/2014 10:45 AM, Jakub Hrozek wrote:
> >>>>
> >>>>Thanks.
> >>>>From 649aae0d47299229f2afe51fa27e6c315d967ae1 Mon Sep 17 00:00:00 2001
> >>>>From: Pavel Reichl <preichl(a)redhat.com>
> >>>>Date: Thu, 30 Oct 2014 10:13:54 +0000
> >>>>Subject: [PATCH] BUILD: restrict perms. when installing from source
> >>>>
> >>>>Resolves:
> >>>>https://fedorahosted.org/sssd/ticket/2467
> >>>>---
> >>>>Makefile.am | 3 +++
> >>>>1 file changed, 3 insertions(+)
> >>>>
> >>>>diff --git a/Makefile.am b/Makefile.am
> >>>>index
56a562c761d39ff5f54bc034ede563c40bf21ef8..21f02388efe360ecea9cdd157f91ffe172b08f91
> >>>>100644
> >>>>--- a/Makefile.am
> >>>>+++ b/Makefile.am
> >>>>@@ -2831,6 +2831,9 @@ if SSSD_USER
> >>>> -chown $(SSSD_USER):$(SSSD_USER) \
> >>>> $(SSSD_USER_DIRS)
> >>>>endif
> >>>>+ $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath)
> >>>>$(DESTDIR)$(pipepath)/private
> >>>>+ $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath)
> >>>>$(DESTDIR)$(pubconfpath) $(DESTDIR)$(pubconfpath)/krb5.include.d
> >>>>$(DESTDIR)$(gpocachepath)
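Review bot: the two new `$(INSTALL) -d` lines run after the `-chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS)` step that ends at `endif`; if any of these directories is in `$(SSSD_USER_DIRS)` and does not exist yet at that point, it is only created afterwards by `install -d`, owned by whoever runs `make install`, and the chown never applies to it. Either create the directories before the chown or move the chown below these lines. The commit message should also spell out the modes being set (0700 for `$(dbpath)`, `$(logpath)` and `$(pipepath)/private`, 0755 for the rest) instead of only "restrict perms.", since these differ from what an existing installation may have.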
> >>>I would like to apologize for nitpicking, but the previous two lines are
> >>>longer than 80 characters.
> >>>
> >>>LS
> >>No need to apologize, I just hope you like the formatting of continuous
> >>lines.
> >>
> >>
> >Sorry, I used tab instead of spaces on one of the continuous lines, updated
> >patch attached.
>
> >From 4364ca79d714105082057806f320b73ef1fc1a67 Mon Sep 17 00:00:00 2001
> >From: Pavel Reichl <preichl(a)redhat.com>
> >Date: Thu, 30 Oct 2014 10:13:54 +0000
> >Subject: [PATCH] BUILD: restrict perms. when installing from source
> >
> >Resolves:
> >https://fedorahosted.org/sssd/ticket/2467
> >---
> > Makefile.am | 6 ++++++
> > 1 file changed, 6 insertions(+)
> >
> >diff --git a/Makefile.am b/Makefile.am
> >index
56a562c761d39ff5f54bc034ede563c40bf21ef8..84f22fd0ce7bb59dd90609ced3c26a3b91c3c74d 100644
> >--- a/Makefile.am
> >+++ b/Makefile.am
> >@@ -2831,6 +2831,12 @@ if SSSD_USER
> > -chown $(SSSD_USER):$(SSSD_USER) \
> > $(SSSD_USER_DIRS)
> > endif
> >+ $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \
> >+ $(DESTDIR)$(pipepath)/private
> >+ $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \
> >+ $(DESTDIR)$(pubconfpath) \
> >+ $(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
> >+ $(INSTALL) -d -m 0711 $(DESTDIR)$(sssdconfdir)
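Review bot: `$(DESTDIR)$(pipepath)/private` is created with 0700 in the first `$(INSTALL) -d` call, one line before `$(DESTDIR)$(pipepath)` itself appears in the 0755 call, so `$(pipepath)` first comes into existence as an implicitly created parent with default, umask-dependent attributes and only then has 0755 requested on an already existing directory; create the 0755 parents first so the result does not depend on how `install -d` treats existing directories. The new `$(INSTALL) -d -m 0711 $(DESTDIR)$(sssdconfdir)` line is not mentioned in the commit message either, and because 0711 differs from the 0700 given to the other private directories the reason for it (non-root access to files beneath the directory, as raised later in this thread) belongs there.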
> Two directories have different permissions with and without the patch.
>
> Before:
> [root@e6078a90f933 /]# ls -ld /var/log/sssd/
> drwxr-x---. 2 root root 4096 Sep 25 08:54 /var/log/sssd/
I would prefer to lock down the logfiles as much as possible, even
though 'others' have no access here.
I don't have a problem with this change.
>
> [root@e6078a90f933 /]# ls -ld /etc/sssd/
> drwx------. 2 root root 4096 Sep 25 08:54 /etc/sssd/
>
> After:
> [root@bd7fb00d6a7a /usr/local]# ls -ld ./var/log/sssd/
> drwx------. 2 root root 40 Nov 25 16:15 ./var/log/sssd/
> [root@bd7fb00d6a7a /usr/local]# ls -ld ./etc/sssd/
> drwx--x--x. 2 root root 40 Nov 25 16:15 ./etc/sssd/
>
> I don't want to say it's wrong.
> Could you explain it?
I think I know what's going on. In the specfiles, we relaxed the
/etc/sssd/ permissions so that the configAPI files are accessible for
non-root.
Why should it be accessible to others if they cannot read it?
Only the owner can read/modify sssd.conf.
Check out the permissions in Fedora and RHEL, I would expect them to
be 711 as well.
centos 6.6:
bash-4.1# ls -ld /etc/sssd/
drwx------. 2 root root 4096 Oct 16 14:31 /etc/sssd/
centos 7.0:
bash-4.2# ls -ld /etc/sssd/
drwx------. 2 root root 4096 Nov 6 14:09 /etc/sssd/
fedora 19:
sh-4.2# ls -ld /etc/sssd
drwx------. 2 root root 4096 Apr 11 2014 /etc/sssd
fedora 20:
sh-4.2# ls -ld /etc/sssd
drwx------. 2 root root 4096 Sep 25 08:54 /etc/sssd
fedora 21:
sh-4.3# ls -ld /etc/sssd
drwx------. 2 root root 4096 Oct 22 11:26 /etc/sssd
LS
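The install -d lines under discussion and the ls -ld checks that follow can be exercised outside a real installation. The script below is an added example, not code from the sssd patch or from anyone in this thread: it creates the directory layout of the second patch under a scratch DESTDIR with the same -m modes, then compares every directory's mode against the intended table, and builds the same tree with plain mkdir -p for contrast. It assumes GNU coreutils install and stat, and that the autoconf variables dbpath, mcpath, pipepath, pubconfpath and gpocachepath map to /var/lib/sss/db, /var/lib/sss/mc, /var/lib/sss/pipes, /var/lib/sss/pubconf and /var/lib/sss/gpo_cache; only /var/log/sssd and /etc/sssd are shown in the thread. It also creates the 0755 parents before the 0700 children, which differs from the order in the patch.

```sh
#!/bin/sh
# Added example, not code from the sssd patch or the thread. It performs the
# three $(INSTALL) -d calls of the second patch under a scratch DESTDIR and
# then verifies each directory's mode, the way the "ls -ld" checks in the
# thread do. Assumptions: the autoconf variables map to the usual
# /var/lib/sss/... and /etc/sssd paths (only /var/log/sssd and /etc/sssd are
# shown in the thread), and GNU coreutils install/stat are available.

set -u

# "relative-path mode" pairs, one per line, in the form "stat -c %a" prints.
EXPECTED_MODES='
var/lib/sss/db 700
var/log/sssd 700
var/lib/sss/pipes/private 700
var/lib/sss/mc 755
var/lib/sss/pipes 755
var/lib/sss/pubconf 755
var/lib/sss/pubconf/krb5.include.d 755
var/lib/sss/gpo_cache 755
etc/sssd 711
'

# The patch's approach: install -d with an explicit -m, so the result does
# not depend on the umask of whoever runs "make install". Unlike the patch,
# the 0755 parents are created before the 0700 children below them, so no
# directory is first created implicitly as a parent with default attributes.
install_sssd_dirs() {
    d=$1
    install -d -m 0755 "$d/var/lib/sss/mc" "$d/var/lib/sss/pipes" \
        "$d/var/lib/sss/pubconf" "$d/var/lib/sss/pubconf/krb5.include.d" \
        "$d/var/lib/sss/gpo_cache"
    install -d -m 0700 "$d/var/lib/sss/db" "$d/var/log/sssd" \
        "$d/var/lib/sss/pipes/private"
    install -d -m 0711 "$d/etc/sssd"
}

# For contrast: the same tree made with plain mkdir -p under umask 022,
# which leaves every directory at 0755, including the ones that hold the
# cache database, the logs and sssd.conf.
mkdir_sssd_dirs() {
    d=$1
    saved_umask=$(umask)
    umask 022
    while read -r rel _mode; do
        if [ -n "$rel" ]; then
            mkdir -p "$d/$rel"
        fi
    done <<EOF
$EXPECTED_MODES
EOF
    umask "$saved_umask"
}

# Compare each directory's actual mode with EXPECTED_MODES. Prints one line
# per mismatch and returns 1 if there was any, 0 otherwise.
check_modes() {
    d=$1
    bad=0
    while read -r rel mode; do
        if [ -n "$rel" ]; then
            actual=$(stat -c %a "$d/$rel")
            if [ "$actual" != "$mode" ]; then
                echo "MISMATCH $rel: expected $mode, got $actual"
                bad=1
            fi
        fi
    done <<EOF
$EXPECTED_MODES
EOF
    return $bad
}

# Demo: "sh check_modes.sh demo" installs both trees into temp dirs and
# reports which one matches the intended layout.
if [ "${1:-}" = demo ]; then
    good=$(mktemp -d)
    plain=$(mktemp -d)
    install_sssd_dirs "$good"
    mkdir_sssd_dirs "$plain"
    echo "install -d -m:"; check_modes "$good" && echo "  all modes as intended"
    echo "mkdir -p:";      check_modes "$plain" || echo "  tree would need a chmod pass"
    rm -rf "$good" "$plain"
fi
```

Run it as `sh check_modes.sh demo` to see both trees reported. `check_modes` is the part worth keeping: pointed at the real prefix after `make install`, it is a cheap assertion on exactly the directories the patch touches, which is more reliable than eyeballing `ls -ld` output across several machines.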