BUILD: Install ldap_child and as setuid if running under non-privileg…

…ed user The ldap_child permissions should be 4750, owned by root.sssd, to make sure only root and sssd can execute the child and if executed by sssd, the child will run as root. Reviewed-by: Michal Židek <[email protected]>
SSSD · Nov 5, 2014 · 45414c1 · 45414c1
1 parent f9f513e
commit 45414c1
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/Makefile.am b/Makefile.am
@@ -2844,6 +2844,11 @@ else
 	$(MKDIR_P) $(DESTDIR)$(initdir)
 endif
 
+if SSSD_USER
+	chgrp $(SSSD_USER) $(sssdlibexecdir)/ldap_child
+	chmod 4750 $(sssdlibexecdir)/ldap_child
+endif
+
 install-data-hook:
 	rm $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2 \
        $(DESTDIR)/$(nsslibdir)/libnss_sss.so

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
@@ -645,7 +645,7 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(-,root,root,-)
 %doc COPYING
 %{_libdir}/%{name}/libsss_krb5_common.so
-%{_libexecdir}/%{servicename}/ldap_child
+%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/ldap_child
 %{_libexecdir}/%{servicename}/krb5_child
 
 %files krb5 -f sssd_krb5.lang