From 9339c445b4b98a28146ff834fec2af42bd3a6340 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 5 Aug 2019 17:05:00 +0200
Subject: [PATCH 16/16] BE: make sure child log files have the right permissions

If SSSD runs a unprivileged user we should make sure the log files for child processes have the right permission so that the child process can write to them.
Related to https://pagure.io/SSSD/sssd/issue/4056
Reviewed-by: Jakub Hrozek
---
 src/providers/data_provider_be.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 6dce8286d..ce00231ff 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -554,6 +554,27 @@ done:
 return ret;
 }

+static void fix_child_log_permissions(uid_t uid, gid_t gid)
+{
+ int ret;
+ const char *child_names[] = { "krb5_child",
+ "ldap_child",
+ "selinux_child",
+ "ad_gpo_child",
+ "proxy_child",
+ NULL };
+ size_t c;
+
+ for (c = 0; child_names[c] != NULL; c++) {
+ ret = chown_debug_file(child_names[c], uid, gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot chown the [%s] debug file, "
+ "debugging might not work!\n", child_names[c]);
+ }
+ }
+}
+
 static void dp_initialized(struct tevent_req *req)
 {
 struct tevent_signal *tes;
@@ -609,6 +630,8 @@ static void dp_initialized(struct tevent_req *req)
 "Cannot chown the debug files, debugging might not work!\n");
 }

+ fix_child_log_permissions(be_ctx->uid, be_ctx->gid);
+
 ret = become_user(be_ctx->uid, be_ctx->gid);
 if (ret != EOK) {
 DEBUG(SSSDBG_FUNC_DATA,
-- 
2.20.1
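Review bot: The `chown_debug_file(child_names[c], uid, gid)` call in the loop hands five fixed-name log files to the service user, and judging by the call site in the next hunk it runs before `become_user()`, so presumably still with elevated privileges. chown_debug_file() is not shown here; if it resolves the name with a plain path-based chown(), a symlink sitting under one of these names in a log directory the service user can already write to would have its target re-owned. It is worth confirming that the helper uses `lchown()` or `fchown()` on a descriptor opened with `O_NOFOLLOW`, and recording that above the loop, e.g. `/* runs privileged: chown_debug_file() must not follow symlinks */`. The failure message also drops `ret`; adding `[%d]` with `ret` would let an operator tell a log file that does not exist yet from a real permission problem.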
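Review bot: The new `fix_child_log_permissions(be_ctx->uid, be_ctx->gid);` call depends on running before `become_user()`, but nothing at the call site says so. A later reordering that moves it after the privilege drop would likely make every chown fail, with only a SSSDBG_MINOR_FAILURE line per child to show for it. A one-line comment above the call would pin the order: `/* must run before become_user(): changing ownership needs the privileges dropped below */`. dp_initialized() begins and ends outside this hunk, so whether the call is also reached when no unprivileged user is configured cannot be seen here.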