On Tue, Nov 25, 2014 at 04:39:02PM +0100, Lukas Slebodnik wrote: > On (25/11/14 15:52), Pavel Reichl wrote: > > > >On 11/25/2014 03:48 PM, Pavel Reichl wrote: > >> > >>On 11/25/2014 03:38 PM, Lukas Slebodnik wrote: > >>>On (25/11/14 14:26), Pavel Reichl wrote: > >>>>On 11/19/2014 10:45 AM, Jakub Hrozek wrote: > >>>> > >>>>Thanks. > >>>>From 649aae0d47299229f2afe51fa27e6c315d967ae1 Mon Sep 17 00:00:00 2001 > >>>>From: Pavel Reichl <[email protected]> > >>>>Date: Thu, 30 Oct 2014 10:13:54 +0000 > >>>>Subject: [PATCH] BUILD: restrict perms. when installing from source > >>>> > >>>>Resolves: > >>>>https://fedorahosted.org/sssd/ticket/2467 > >>>>--- > >>>>Makefile.am | 3 +++ > >>>>1 file changed, 3 insertions(+) > >>>> > >>>>diff --git a/Makefile.am b/Makefile.am > >>>>index > >>>>56a562c761d39ff5f54bc034ede563c40bf21ef8..21f02388efe360ecea9cdd157f91ffe172b08f91 > >>>>100644 > >>>>--- a/Makefile.am > >>>>+++ b/Makefile.am > >>>>@@ -2831,6 +2831,9 @@ if SSSD_USER > >>>> -chown $(SSSD_USER):$(SSSD_USER) \ > >>>> $(SSSD_USER_DIRS) > >>>>endif > >>>>+ $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) > >>>>$(DESTDIR)$(pipepath)/private > >>>>+ $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) > >>>>$(DESTDIR)$(pubconfpath) $(DESTDIR)$(pubconfpath)/krb5.include.d > >>>>$(DESTDIR)$(gpocachepath) > >>>I would like to apologize for nitpicking but previous two lines are > >>>longer > >>>than 80 characters. > >>> > >>>LS > >>No need to apologize, I just hope you like the formatting of continuous > >>lines. > >> > >> > >Sorry, I used tab instead of spaces on one of the continuous lines, updated > >patch attached. > > >From 4364ca79d714105082057806f320b73ef1fc1a67 Mon Sep 17 00:00:00 2001 
> >From: Pavel Reichl <[email protected]> > >Date: Thu, 30 Oct 2014 10:13:54 +0000 > >Subject: [PATCH] BUILD: restrict perms. when installing from source > > > >Resolves: > >https://fedorahosted.org/sssd/ticket/2467 > >--- > > Makefile.am | 6 ++++++ > > 1 file changed, 6 insertions(+) > > > >diff --git a/Makefile.am b/Makefile.am > >index > >56a562c761d39ff5f54bc034ede563c40bf21ef8..84f22fd0ce7bb59dd90609ced3c26a3b91c3c74d > > 100644 > >--- a/Makefile.am > >+++ b/Makefile.am > >@@ -2831,6 +2831,12 @@ if SSSD_USER > > -chown $(SSSD_USER):$(SSSD_USER) \ > > $(SSSD_USER_DIRS) > > endif > >+ $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \ > >+ $(DESTDIR)$(pipepath)/private > >+ $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \ > >+ $(DESTDIR)$(pubconfpath) \ > >+ $(DESTDIR)$(pubconfpath)/krb5.include.d > >$(DESTDIR)$(gpocachepath) > >+ $(INSTALL) -d -m 0711 $(DESTDIR)$(sssdconfdir) > Two directories has different permissions with and without patch. > > Before: > [root@e6078a90f933 /]# ls -ld /var/log/sssd/ > drwxr-x---. 2 root root 4096 Sep 25 08:54 /var/log/sssd/
I would prefer to lock down the logfiles as much as possible, even though
'others' have no access here.

>
> [root@e6078a90f933 /]# ls -ld /etc/sssd/
> drwx------. 2 root root 4096 Sep 25 08:54 /etc/sssd/
>
> After:
> [root@bd7fb00d6a7a /usr/local]# ls -ld ./var/log/sssd/
> drwx------. 2 root root 40 Nov 25 16:15 ./var/log/sssd/
> [root@bd7fb00d6a7a /usr/local]# ls -ld ./etc/sssd/
> drwx--x--x. 2 root root 40 Nov 25 16:15 ./etc/sssd/
>
> I don't want to say it's wrong
> Could you explain it?

I think I know what's going on. In the specfiles, we relaxed the /etc/sssd/
permissions so that the configAPI files are accessible for non-root. Check
out the permissions in Fedora in RHEL, I would expect them to be 711 as
well.
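
Review bot: the last added line of the updated hunk, `$(INSTALL) -d -m 0711 $(DESTDIR)$(sssdconfdir)`, makes the configuration directory more permissive than the 0700 shown in the "Before" listing in this thread, which does not match the subject "restrict perms.". Likewise, the first added line sets $(DESTDIR)$(logpath) to 0700 where the same listing shows 0750. Neither the commit message nor the Makefile says why these modes were chosen. Suggest a short comment above the three $(INSTALL) lines, or a sentence in the commit message, giving the reason for each mode and stating that 0711 on $(sssdconfdir) is intentional. With 0711, others can traverse the directory, so every file in it is protected only by its own mode, and this hunk sets directory modes only. It is worth confirming that the rule installing the configuration file itself uses a restrictive mode.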
