-rw-r--r-- | contrib/sssd.spec.in | 2 | ||||
-rw-r--r-- | server/upgrade/upgrade_config.py | 13 |
2 files changed, 13 insertions, 2 deletions
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 5dc45d28..9513a6b6 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -129,7 +129,7 @@ rm -rf $RPM_BUILD_ROOT
 %attr(755,root,root) %dir %{pipepath}
 %attr(700,root,root) %dir %{pipepath}/private
 %attr(750,root,root) %dir %{_var}/log/%{name}
-%dir %{_sysconfdir}/sssd
+%attr(700,root,root) %dir %{_sysconfdir}/sssd
 %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
 %{_mandir}/man5/sssd.conf.5*
 %{_mandir}/man5/sssd-krb5.5*
diff --git a/server/upgrade/upgrade_config.py b/server/upgrade/upgrade_config.py
index 412fad53..87e3990d 100644
--- a/server/upgrade/upgrade_config.py
+++ b/server/upgrade/upgrade_config.py
@@ -20,6 +20,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
+import os
 import sys
 import shutil
 import traceback
@@ -91,6 +92,9 @@ class SSSDConfigFile(object):
 " Copy the file we operate on to a backup location "
 shutil.copy(self.file_name, self.file_name+".bak")
+ # make sure we don't leak data, force permissions on the backup
+ os.chmod(self.file_name+".bak", 0600)
+
 def _migrate_if_exists(self, to_section, to_option, from_section, from_option):
 """ Move value of parameter from one section to another, renaming the parameter
@@ -281,8 +285,12 @@ class SSSDConfigFile(object):
 # Migrate domains
 self._migrate_domains()
- # all done, write the file
+ # all done, open the file for writing
 of = open(out_file_name, "wb")
+
+ # make sure it has the right permissions too
+ os.chmod(out_file_name, 0600)
+
 self._new_config.write(of)
 def parse_options():
@@ -337,6 +345,9 @@ def main():
 print >>sys.stderr, "Can only upgrade from v1 to v2, file %s looks like version %d" % (options.filename, config.get_version())
 return 1
+ # make sure we keep strict settings when creating new files
+ os.umask(0077)
+
 try:
 config.upgrade_v2(options.outfile, options.backup)
 except Exception, e: |
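Review bot: The directory is now pinned to 700 but the `%config(noreplace) %{_sysconfdir}/sssd/sssd.conf` entry right below it still carries no `%attr`, so the config file's own mode is whatever the install step happened to produce at build time. Since the file is the thing that holds the sensitive values, it is worth making that explicit rather than relying on the parent directory alone, e.g. `%attr(600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf`. If the install rule already installs it with mode 600 this is only belt-and-braces, but it also keeps the mode correct if the directory permission is ever relaxed.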
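Review bot: The `os.chmod(self.file_name+".bak", 0600)` added after `shutil.copy(...)` closes the window only after the fact: `shutil.copy` is `copyfile` followed by `copymode`, so the backup is explicitly set to the source file's mode bits before the chmod runs, and the `os.umask(0077)` added in the `main()` hunk does not help here because `copymode` chmods regardless of umask. When the source is group- or world-readable the `.bak` is briefly readable as well. Using `shutil.copyfile(self.file_name, self.file_name+".bak")` instead creates the backup under the umask alone, so with the 0077 umask it is 0600 from creation and the following chmod becomes a backstop rather than the only protection. The enclosing method's signature is outside the hunk.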
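Review bot: `of = open(out_file_name, "wb")` is still never closed after `self._new_config.write(of)`; the handle is only released when the object is collected, so buffered data and any write error surface late, after the caller has already been told the upgrade succeeded. Add `of.close()` after the write, or wrap the write in a `with open(out_file_name, "wb") as of:` block so the file is closed on both the success and the error path. The chmod-before-write ordering itself is fine; note only that when `out_file_name` already exists, `"wb"` truncates it before the chmod, so an existing more permissive mode is corrected only after the open. The enclosing `upgrade_v2` method starts outside the hunk.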