From 8119ee216a9471ed2f01b16ed17068f5dc8b83cb Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 5 Aug 2019 17:04:14 +0200
Subject: [PATCH 15/16] ssh: make sure p11_child.log has the right permissions

If SSSD runs a unprivileged user we should make sure the log files for child processes have the right permission so that the child process can write to them.
Related to https://pagure.io/SSSD/sssd/issue/4056
Reviewed-by: Jakub Hrozek
---
 src/responder/ssh/sshsrv.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c
index ef2c9d01b..07397834c 100644
--- a/src/responder/ssh/sshsrv.c
+++ b/src/responder/ssh/sshsrv.c
@@ -187,6 +187,16 @@ int main(int argc, const char *argv[])
 sss_set_logger(opt_logger);
+ /* server_setup() might switch to an unprivileged user, so the permissions
+ * for p11_child.log have to be fixed first. We might call p11_child to
+ * validate certificates. */
+ ret = chown_debug_file("p11_child", uid, gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot chown the p11_child debug file, "
+ "debugging might not work!\n");
+ }
+
 ret = server_setup("sssd[ssh]", 0, uid, gid, CONFDB_SSH_CONF_ENTRY, &main_ctx);
 if (ret != EOK) {
--
2.20.1
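Review bot: The failure branch after `chown_debug_file("p11_child", uid, gid)` drops `ret`, so the log line cannot tell a missing file apart from a permission problem; consider `"Cannot chown the p11_child debug file [%d]: %s, debugging might not work!\n", ret, sss_strerror(ret)`. Separately, the call runs before `server_setup()` drops privileges and hands ownership to `uid`/`gid`. The helper is not visible in this hunk, so it is worth confirming that `chown_debug_file` cannot be redirected through a symlink in the log directory, for example by using `fchown` on an opened descriptor rather than a path-based `chown`. A short comment stating that the chown is deliberately best-effort would also explain why startup continues on failure. The body of `main` starts and ends outside the hunk.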