rpms/sssd/devel 0001-Tighten-up-permission.patch, NONE, 1.1 0002-Fix-infinite-loop-with-empty-group-enumeration.patch, NONE, 1.1 sssd.spec, 1.19, 1.20
Stephen Gallagher
sgallagh at fedoraproject.org
Tue Sep 29 12:19:20 UTC 2009
- Previous message: rpms/sssd/F-12 0001-Tighten-up-permission.patch, NONE, 1.1 0002-Fix-infinite-loop-with-empty-group-enumeration.patch, NONE, 1.1 sssd.spec, 1.19, 1.20
- Next message: rpms/festival/devel festival-speech-tools-pulse.patch, NONE, 1.1 festival.spec, 1.43, 1.44
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: sgallagh
Update of /cvs/pkgs/rpms/sssd/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19188/devel
Modified Files:
sssd.spec
Added Files:
0001-Tighten-up-permission.patch
0002-Fix-infinite-loop-with-empty-group-enumeration.patch
Log Message:
Add two patches
1) Ensure that the configuration upgrade script always writes the config
file with 0600 permissions
2) Eliminate an infinite loop in group enumerations
0001-Tighten-up-permission.patch:
contrib/sssd.spec.in | 2 +-
server/upgrade/upgrade_config.py | 14 ++++++++++++--
2 files changed, 13 insertions(+), 3 deletions(-)
--- NEW FILE 0001-Tighten-up-permission.patch ---
>From 5ab9ed3c42781ae1911d253d56d67dc0288d55f7 Mon Sep 17 00:00:00 2001
From: Simo Sorce <ssorce at redhat.com>
Date: Mon, 28 Sep 2009 07:51:26 -0400
Subject: [PATCH 1/2] Tighten up permission.
SSSD may contain passwords and other sensitive data, make sure we always keep its
permission tight. Also make /etc/sssd permission very strict, just in case,
admins may inadvertently copy an sssd.conf file without checking it's
permissions.
---
contrib/sssd.spec.in | 2 +-
server/upgrade/upgrade_config.py | 13 ++++++++++++-
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 5dc45d2..9513a6b 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -129,7 +129,7 @@ rm -rf $RPM_BUILD_ROOT
%attr(755,root,root) %dir %{pipepath}
%attr(700,root,root) %dir %{pipepath}/private
%attr(750,root,root) %dir %{_var}/log/%{name}
-%dir %{_sysconfdir}/sssd
+%attr(700,root,root) %dir %{_sysconfdir}/sssd
%config(noreplace) %{_sysconfdir}/sssd/sssd.conf
%{_mandir}/man5/sssd.conf.5*
%{_mandir}/man5/sssd-krb5.5*
diff --git a/server/upgrade/upgrade_config.py b/server/upgrade/upgrade_config.py
index 412fad5..87e3990 100644
--- a/server/upgrade/upgrade_config.py
+++ b/server/upgrade/upgrade_config.py
@@ -20,6 +20,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+import os
import sys
import shutil
import traceback
@@ -91,6 +92,9 @@ class SSSDConfigFile(object):
" Copy the file we operate on to a backup location "
shutil.copy(self.file_name, self.file_name+".bak")
+ # make sure we don't leak data, force permissions on the backup
+ os.chmod(self.file_name+".bak", 0600)
+
def _migrate_if_exists(self, to_section, to_option, from_section, from_option):
"""
Move value of parameter from one section to another, renaming the parameter
@@ -281,8 +285,12 @@ class SSSDConfigFile(object):
# Migrate domains
self._migrate_domains()
- # all done, write the file
+ # all done, open the file for writing
of = open(out_file_name, "wb")
+
+ # make sure it has the right permissions too
+ os.chmod(out_file_name, 0600)
+
self._new_config.write(of)
def parse_options():
@@ -337,6 +345,9 @@ def main():
print >>sys.stderr, "Can only upgrade from v1 to v2, file %s looks like version %d" % (options.filename, config.get_version())
return 1
+ # make sure we keep strict settings when creating new files
+ os.umask(0077)
+
try:
config.upgrade_v2(options.outfile, options.backup)
except Exception, e:
--
1.6.2.5
0002-Fix-infinite-loop-with-empty-group-enumeration.patch:
nsssrv_cmd.c | 29 +++++++++++++++--------------
1 file changed, 15 insertions(+), 14 deletions(-)
--- NEW FILE 0002-Fix-infinite-loop-with-empty-group-enumeration.patch ---
>From 5cada7fa7f822ac064f3f5d452f7f32fc4595bd4 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh at redhat.com>
Date: Tue, 29 Sep 2009 07:34:30 -0400
Subject: [PATCH 2/2] Fix infinite loop with empty group enumeration
Loop control variable was not being incremented.
I also converted a goto loop into a do...while loop to make it
easier to follow the logic.
---
server/responder/nss/nsssrv_cmd.c | 28 +++++++++++++++-------------
1 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/server/responder/nss/nsssrv_cmd.c b/server/responder/nss/nsssrv_cmd.c
index 8ca0be6..ebfd1d5 100644
--- a/server/responder/nss/nsssrv_cmd.c
+++ b/server/responder/nss/nsssrv_cmd.c
@@ -2645,26 +2645,28 @@ static int nss_cmd_retgrent(struct cli_ctx *cctx, int num)
nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
gctx = nctx->gctx;
-retry:
- if (gctx->cur >= gctx->num) goto none;
-
- gdom = &gctx->doms[gctx->cur];
+ do {
+ if (gctx->cur >= gctx->num) goto none;
- n = gdom->res->count - gdom->cur;
- if (n == 0 && (gctx->cur+1 < gctx->num)) {
- gctx->cur++;
gdom = &gctx->doms[gctx->cur];
+
n = gdom->res->count - gdom->cur;
- }
+ if (n == 0 && (gctx->cur+1 < gctx->num)) {
+ gctx->cur++;
+ gdom = &gctx->doms[gctx->cur];
+ n = gdom->res->count - gdom->cur;
+ }
- if (!n) goto none;
+ if (!n) goto none;
- msgs = &(gdom->res->msgs[gdom->cur]);
+ msgs = &(gdom->res->msgs[gdom->cur]);
- ret = fill_grent(cctx->creq->out, gdom->domain, nctx, true, msgs, num, &n);
- if (ret == ENOENT) goto retry;
+ ret = fill_grent(cctx->creq->out, gdom->domain, nctx, true, msgs, num, &n);
+
+ gdom->cur += n;
+
+ } while(ret == ENOENT);
- gdom->cur += n;
return ret;
none:
--
1.6.2.5
Index: sssd.spec
===================================================================
RCS file: /cvs/pkgs/rpms/sssd/devel/sssd.spec,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -p -r1.19 -r1.20
--- sssd.spec 28 Sep 2009 08:51:24 -0000 1.19
+++ sssd.spec 29 Sep 2009 12:19:20 -0000 1.20
@@ -15,6 +15,9 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{na
### Patches ###
+Patch1: 0001-Tighten-up-permission.patch
+Patch2: 0002-Fix-infinite-loop-with-empty-group-enumeration.patch
+
### Dependencies ###
Requires: libldb >= 0.9.3
@@ -74,6 +77,9 @@ service.
%prep
%setup -q
+%patch1 -p1 -b .tighten_permission
+%patch2 -p1 -b .infinite_group_loop
+
%build
%configure \
--without-tests \
- Previous message: rpms/sssd/F-12 0001-Tighten-up-permission.patch, NONE, 1.1 0002-Fix-infinite-loop-with-empty-group-enumeration.patch, NONE, 1.1 sssd.spec, 1.19, 1.20
- Next message: rpms/festival/devel festival-speech-tools-pulse.patch, NONE, 1.1 festival.spec, 1.43, 1.44
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the scm-commits
mailing list