From fe5108b091e77dac505fd433c2df9c8b5736b21f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sat, 11 Oct 2014 20:22:42 +0200
Subject: [PATCH 65/71] BUILD: Install ldap_child and as setuid if running
under non-privileged user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The ldap_child permissions should be 4750, owned by root.sssd,
to make sure only root and sssd can execute the child and if executed by
sssd, the child will run as root.
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
Makefile.am | 5 +++++
contrib/sssd.spec.in | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index 60bc67f1ac60c72dc64b3d1adccc9ef1ec989ad5..02b087ea37b4e55da7eeb7fb199d282d72129e40 100644
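--- a/Makefile.am
+++ b/Makefile.am
@@ -2844,6 +2844,11 @@ else
 $(MKDIR_P) $(DESTDIR)$(initdir)
 endif
 
+if SSSD_USER
+ chgrp $(SSSD_USER) $(sssdlibexecdir)/ldap_child
+ chmod 4750 $(sssdlibexecdir)/ldap_child
+endif
+
 install-data-hook:
 rm $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2 \
 $(DESTDIR)/$(nsslibdir)/libnss_sss.so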
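Review bot: The two added commands operate on `$(sssdlibexecdir)/ldap_child` without the `$(DESTDIR)` prefix that the neighbouring line uses (`$(MKDIR_P) $(DESTDIR)$(initdir)`), so a staged install would change the group and set the setuid bit on whatever sits at that path on the build host, or fail if nothing is there, while the staged copy stays unchanged. I would write `chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/ldap_child` and `chmod 4750 $(DESTDIR)$(sssdlibexecdir)/ldap_child`. The commit message expects root ownership, but nothing here sets the owner, so the setuid bit ends up on whichever account ran the install; a comment saying that the hook assumes a root install, and that `$(SSSD_USER)` is also used as the group name, would help. The enclosing rule starts above the hunk, so I cannot see which install hook these lines belong to.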
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index db3bbcb09d6b27ca785f511ce6414fbeaaf445c6..d2e6cec2610e4c00cb376683cf7e64eb5cdafc5c 100644
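--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -645,7 +645,7 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(-,root,root,-)
 %doc COPYING
 %{_libdir}/%{name}/libsss_krb5_common.so
-%{_libexecdir}/%{servicename}/ldap_child
+%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/ldap_child
 %{_libexecdir}/%{servicename}/krb5_child
 
 %files krb5 -f sssd_krb5.lang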
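Review bot: The `%attr(4750,root,sssd)` entry hard-codes the group `sssd`, while the Makefile.am part of this commit takes the group from `$(SSSD_USER)`, so the two can disagree when the package is built for a different service account. It also depends on the `sssd` group existing before the payload is unpacked; if no scriptlet creates it first (not visible in this hunk), rpm would presumably fall back to root for the group and the service user could no longer execute the helper. A comment above the entry such as `# setuid root; executable only by root and the sssd group, which the pre-install scriptlet must create` would record the intent. `krb5_child` on the next line keeps the default attributes, which may be handled elsewhere in the series.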
--
1.9.3