From fe5108b091e77dac505fd433c2df9c8b5736b21f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sat, 11 Oct 2014 20:22:42 +0200
Subject: [PATCH 65/71] BUILD: Install ldap_child and as setuid if running
 under non-privileged user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The ldap_child permissions should be 4750, owned by root.sssd,
to make sure only root and sssd can execute the child and if executed by
sssd, the child will run as root.

Reviewed-by: Michal Židek <mzidek@redhat.com>
---
 Makefile.am          | 5 +++++
 contrib/sssd.spec.in | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/Makefile.am b/Makefile.am
index 60bc67f1ac60c72dc64b3d1adccc9ef1ec989ad5..02b087ea37b4e55da7eeb7fb199d282d72129e40 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2844,6 +2844,11 @@ else
 	$(MKDIR_P) $(DESTDIR)$(initdir)
 endif
 
+if SSSD_USER
+	chgrp $(SSSD_USER) $(sssdlibexecdir)/ldap_child
+	chmod 4750 $(sssdlibexecdir)/ldap_child
+endif
+
 install-data-hook:
 	rm $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2 \
        $(DESTDIR)/$(nsslibdir)/libnss_sss.so
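Review bot: The two new recipe lines omit `$(DESTDIR)`, unlike the `$(MKDIR_P) $(DESTDIR)$(initdir)` line just above them, so a staged install (`make install DESTDIR=...`, as used by packaging) runs chgrp/chmod on the final system path rather than the staged copy; that either fails the staged build because the file is not there, or alters the group and setuid bit on a binary outside the staging tree. They should read `chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/ldap_child` and `chmod 4750 $(DESTDIR)$(sssdlibexecdir)/ldap_child`. Since this is the step that makes ldap_child setuid root, a one-line comment above the conditional stating that the 4750 mode restricts execution to root and the $(SSSD_USER) group would help a later reader understand why group and mode must be set together. The enclosing hook rule begins outside the hunk, so whether it runs after ldap_child has been installed cannot be confirmed here.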
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index db3bbcb09d6b27ca785f511ce6414fbeaaf445c6..d2e6cec2610e4c00cb376683cf7e64eb5cdafc5c 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -645,7 +645,7 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(-,root,root,-)
 %doc COPYING
 %{_libdir}/%{name}/libsss_krb5_common.so
-%{_libexecdir}/%{servicename}/ldap_child
+%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/ldap_child
 %{_libexecdir}/%{servicename}/krb5_child
 
 %files krb5 -f sssd_krb5.lang
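Review bot: The `%attr(4750,root,sssd)` line hard-codes the group `sssd`, while the Makefile.am change in this same commit keys the ownership on the configurable `$(SSSD_USER)`; a build configured with a different service user would install the setuid binary with a group that does not match what the daemon runs as. If the spec already defines a macro for the service user, it would be preferable to use it here for consistency. I also cannot see the `%pre` scriptlet in this hunk; rpm needs the `sssd` group to exist before the package files are laid down for this attribute to take effect, so it is worth confirming that the group is created there.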
-- 
1.9.3