From e9091aba9c0cbcc1f00f5f0656c200554cc485a3 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Fri, 2 Aug 2019 13:44:18 +0200
Subject: [PATCH 14/16] pam: make sure p11_child.log has the right permissions

If SSSD runs a unprivileged user we should make sure the log files for child processes have the right permission so that the child process can write to them.

Related to https://pagure.io/SSSD/sssd/issue/4056

Reviewed-by: Jakub Hrozek
---
 src/responder/pam/pamsrv.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 38db6fc9b..4f5b9b664 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -399,6 +399,15 @@ int main(int argc, const char *argv[])
 }
 }

+ /* server_setup() might switch to an unprivileged user, so the permissions
+ * for p11_child.log have to be fixed first. */
+ ret = chown_debug_file("p11_child", uid, gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot chown the p11_child debug file, "
+ "debugging might not work!\n");
+ }
+
 ret = server_setup("sssd[pam]", 0, uid, gid, CONFDB_PAM_CONF_ENTRY, &main_ctx);
 if (ret != EOK) return 2;

-- 
2.20.1
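Review bot: The added `chown_debug_file("p11_child", uid, gid)` call runs before `server_setup()` drops privileges and hands a file in the log directory to the service user, so it is worth confirming that the helper (defined outside this hunk) cannot be redirected through a symbolic link, for example by using `lchown()` or `fchown()` on a descriptor opened with `O_NOFOLLOW`; the log directory is presumably writable by that same unprivileged user. The failure branch also discards `ret`; logging it, for instance `"Cannot chown the p11_child debug file [%d], debugging might not work!\n", ret`, would let an operator tell a missing log file from a permission problem. main() starts and ends outside the hunk, so where `uid` and `gid` come from is not visible here.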