summaryrefslogtreecommitdiff
path: root/src/monitor
diff options
context:
space:
mode:
authorSimo Sorce <ssorce@redhat.com>2011-11-11 16:59:21 -0500
committerStephen Gallagher <sgallagh@redhat.com>2011-11-22 10:50:48 -0500
commite369fc08906383e6d5c39832f31bb6600a33f887 (patch)
treee9f3868b0656f971c94ae06871c621653596c885 /src/monitor
parent98e0f08e3de3f8f035790adcd614cff6bf6dd34d (diff)
downloadsssd-e369fc08906383e6d5c39832f31bb6600a33f887.tar.gz
sssd-e369fc08906383e6d5c39832f31bb6600a33f887.tar.bz2
sssd-e369fc08906383e6d5c39832f31bb6600a33f887.zip
Set more strict permissions on keyring
We want to confine access to the keyring to the current process and not let root easily peek into the keyring contents.
Diffstat (limited to 'src/monitor')
-rw-r--r--src/monitor/monitor.c27
1 files changed, 27 insertions, 0 deletions
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 1b7f87a9..2db9d541 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -51,6 +51,10 @@
#include "sbus/sssd_dbus.h"
#include "monitor/monitor_interfaces.h"
+#ifdef USE_KEYRING
+#include <keyutils.h>
+#endif
+
/* ping time cannot be less then once every few seconds or the
* monitor will get crazy hammering children with messages */
#define MONITOR_DEF_PING_TIME 10
@@ -2472,6 +2476,29 @@ int main(int argc, const char *argv[])
}
}
+#ifdef USE_KEYRING
+ /* Do this before all the forks, it sets the session key ring so all
+ * keys are private to the daemon and cannot be read by any other process
+ * tree */
+
+ /* make a new session */
+ ret = keyctl_join_session_keyring(NULL);
+ if (ret == -1) {
+ sss_log(SSS_LOG_ALERT,
+ "Could not create private keyring session. "
+ "If you store password there they may be easily accessible "
+ "to the root user. (%d, %s)", errno, strerror(errno));
+ }
+
+ ret = keyctl_setperm(KEY_SPEC_SESSION_KEYRING, KEY_POS_ALL);
+ if (ret == -1) {
+ sss_log(SSS_LOG_ALERT,
+ "Could not set permissions on private keyring. "
+ "If you store password there they may be easily accessible "
+ "to the root user. (%d, %s)", errno, strerror(errno));
+ }
+#endif
+
/* Warn if nscd seems to be running */
ret = check_file(NSCD_SOCKET_PATH, -1, -1, -1, CHECK_SOCK, NULL, false);
if (ret == EOK) {