From 9339c445b4b98a28146ff834fec2af42bd3a6340 Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Mon, 5 Aug 2019 17:05:00 +0200

Subject: [PATCH 16/16] BE: make sure child log files have the right

 permissions

If SSSD runs a unprivileged user we should make sure the log files for

child processes have the right permission so that the child process can

write to them.

Related to https://pagure.io/SSSD/sssd/issue/4056

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

---

 src/providers/data_provider_be.c | 23 +++++++++++++++++++++++

 1 file changed, 23 insertions(+)

diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c

index 6dce8286d..ce00231ff 100644

--- a/src/providers/data_provider_be.c

+++ b/src/providers/data_provider_be.c

@@ -554,6 +554,27 @@ done:

     return ret;

 }

+static void fix_child_log_permissions(uid_t uid, gid_t gid)

+{

+    int ret;

+    const char *child_names[] = { "krb5_child",

+                                  "ldap_child",

+                                  "selinux_child",

+                                  "ad_gpo_child",

+                                  "proxy_child",

+                                  NULL };

+    size_t c;

+

+    for (c = 0; child_names[c] != NULL; c++) {

+        ret = chown_debug_file(child_names[c], uid, gid);

+        if (ret != EOK) {

+            DEBUG(SSSDBG_MINOR_FAILURE,

+                  "Cannot chown the [%s] debug file, "

+                  "debugging might not work!\n", child_names[c]);

+        }

+    }

+}

+

 static void dp_initialized(struct tevent_req *req)

 {

     struct tevent_signal *tes;

@@ -609,6 +630,8 @@ static void dp_initialized(struct tevent_req *req)

               "Cannot chown the debug files, debugging might not work!\n");

     }

+    fix_child_log_permissions(be_ctx->uid, be_ctx->gid);

+

     ret = become_user(be_ctx->uid, be_ctx->gid);

     if (ret != EOK) {

         DEBUG(SSSDBG_FUNC_DATA,

-- 

2.20.1