|
 |
d6181b |
From 8119ee216a9471ed2f01b16ed17068f5dc8b83cb Mon Sep 17 00:00:00 2001
|
|
|
d6181b |
From: Sumit Bose <sbose@redhat.com>
|
|
|
d6181b |
Date: Mon, 5 Aug 2019 17:04:14 +0200
|
|
|
d6181b |
Subject: [PATCH 15/16] ssh: make sure p11_child.log has the right permissions
|
|
|
d6181b |
|
|
|
d6181b |
If SSSD runs a unprivileged user we should make sure the log files for
|
|
|
d6181b |
child processes have the right permission so that the child process can
|
|
|
d6181b |
write to them.
|
|
|
d6181b |
|
|
|
d6181b |
Related to https://pagure.io/SSSD/sssd/issue/4056
|
|
|
d6181b |
|
|
|
d6181b |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
d6181b |
---
|
|
|
d6181b |
src/responder/ssh/sshsrv.c | 10 ++++++++++
|
|
|
d6181b |
1 file changed, 10 insertions(+)
|
|
|
d6181b |
|
|
|
d6181b |
diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c
|
|
|
d6181b |
index ef2c9d01b..07397834c 100644
|
|
|
d6181b |
--- a/src/responder/ssh/sshsrv.c
|
|
|
d6181b |
+++ b/src/responder/ssh/sshsrv.c
|
|
|
d6181b |
@@ -187,6 +187,16 @@ int main(int argc, const char *argv[])
|
|
|
d6181b |
|
|
|
d6181b |
sss_set_logger(opt_logger);
|
|
|
d6181b |
|
|
|
d6181b |
+ /* server_setup() might switch to an unprivileged user, so the permissions
|
|
|
d6181b |
+ * for p11_child.log have to be fixed first. We might call p11_child to
|
|
|
d6181b |
+ * validate certificates. */
|
|
|
d6181b |
+ ret = chown_debug_file("p11_child", uid, gid);
|
|
|
d6181b |
+ if (ret != EOK) {
|
|
|
d6181b |
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
|
|
d6181b |
+ "Cannot chown the p11_child debug file, "
|
|
|
d6181b |
+ "debugging might not work!\n");
|
|
|
d6181b |
+ }
|
|
|
d6181b |
+
|
|
|
d6181b |
ret = server_setup("sssd[ssh]", 0, uid, gid,
|
|
|
d6181b |
CONFDB_SSH_CONF_ENTRY, &main_ctx);
|
|
|
d6181b |
if (ret != EOK) {
|
|
|
d6181b |
--
|
|
|
d6181b |
2.20.1
|
|
|
d6181b |
|