From 9339c445b4b98a28146ff834fec2af42bd3a6340 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 5 Aug 2019 17:05:00 +0200
Subject: [PATCH 16/16] BE: make sure child log files have the right
permissions
If SSSD runs as an unprivileged user we should make sure the log files for
child processes have the right permission so that the child process can
write to them.
Related to https://pagure.io/SSSD/sssd/issue/4056
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/data_provider_be.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 6dce8286d..ce00231ff 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -554,6 +554,27 @@ done:
return ret;
}
+static void fix_child_log_permissions(uid_t uid, gid_t gid)
+{
+ int ret;
+ const char *child_names[] = { "krb5_child",
+ "ldap_child",
+ "selinux_child",
+ "ad_gpo_child",
+ "proxy_child",
+ NULL };
+ size_t c;
+
+ for (c = 0; child_names[c] != NULL; c++) {
+ ret = chown_debug_file(child_names[c], uid, gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot chown the [%s] debug file, "
+ "debugging might not work!\n", child_names[c]);
+ }
+ }
+}
+
static void dp_initialized(struct tevent_req *req)
{
struct tevent_signal *tes;
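Review bot: The failure message in the loop of fix_child_log_permissions discards `ret`, so a child log file that is merely absent cannot be told apart from a genuine ownership or permission problem. Log the code as well, e.g. `"Cannot chown the [%s] debug file [%d]: %s, debugging might not work!\n", child_names[c], ret, sss_strerror(ret)`. The hard-coded `child_names` list has no comment saying it must be kept in sync with the helpers that write their own logs, and it could be declared `static const char * const`. chown_debug_file is defined outside this patch, so whether it refuses symbolic links in the log directory is not visible here; that is worth confirming because the loop runs before privileges are dropped.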
@@ -609,6 +630,8 @@ static void dp_initialized(struct tevent_req *req)
"Cannot chown the debug files, debugging might not work!\n");
}
+ fix_child_log_permissions(be_ctx->uid, be_ctx->gid);
+
ret = become_user(be_ctx->uid, be_ctx->gid);
if (ret != EOK) {
DEBUG(SSSDBG_FUNC_DATA,
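Review bot: The new call to fix_child_log_permissions only works because it sits before `become_user()`, but nothing at the call site records that ordering requirement. A later reordering would presumably make every chown fail, and since the helper only logs at SSSDBG_MINOR_FAILURE the regression would be easy to miss. Add a comment above the call such as `/* Must run while still privileged: child log files are chowned before become_user() drops privileges. */`. dp_initialized starts and ends outside this hunk.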
--
2.20.1