From 5ab9ed3c42781ae1911d253d56d67dc0288d55f7 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 28 Sep 2009 07:51:26 -0400 Subject: Tighten up permission. SSSD may contain passwords and other sensitive data, make sure we always keep its permission tight. Also make /etc/sssd permission very strict, just in case, admins may inadvertently copy an sssd.conf file without checking it's permissions. --- server/upgrade/upgrade_config.py | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'server/upgrade/upgrade_config.py') diff --git a/server/upgrade/upgrade_config.py b/server/upgrade/upgrade_config.py index 412fad53..87e3990d 100644 --- a/server/upgrade/upgrade_config.py +++ b/server/upgrade/upgrade_config.py @@ -20,6 +20,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +import os import sys import shutil import traceback @@ -91,6 +92,9 @@ class SSSDConfigFile(object): " Copy the file we operate on to a backup location " shutil.copy(self.file_name, self.file_name+".bak") + # make sure we don't leak data, force permissions on the backup + os.chmod(self.file_name+".bak", 0600) + def _migrate_if_exists(self, to_section, to_option, from_section, from_option): """ Move value of parameter from one section to another, renaming the parameter @@ -281,8 +285,12 @@ class SSSDConfigFile(object): # Migrate domains self._migrate_domains() - # all done, write the file + # all done, open the file for writing of = open(out_file_name, "wb") + + # make sure it has the right permissions too + os.chmod(out_file_name, 0600) + self._new_config.write(of) def parse_options(): @@ -337,6 +345,9 @@ def main(): print >>sys.stderr, "Can only upgrade from v1 to v2, file %s looks like version %d" % (options.filename, config.get_version()) return 1 + # make sure we keep strict settings when creating new files + os.umask(0077) + try: config.upgrade_v2(options.outfile, options.backup) except Exception, e: -- cgit