Branch: r14.0.x

23d8a034 2019-03-08 01:43:24 Timothy Pearson
Properly set umask on login
(cherry picked from commit 10472c4c2b98b22c0d8309e3f21ae2df32a6538a)
M src/libtdeldap.cpp

src/libtdeldap.cpp

diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 70b9c15..e1a2d3c 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -4108,6 +4108,9 @@
 	if (file3.open(IO_WriteOnly)) {
 		TQTextStream stream( &file3 );
 
+		char modestring[8];
+		sprintf(modestring, "%04o", pamConfig.autocreate_user_directories_umask);
+
 		stream << "# This file was automatically generated by TDE\n";
 		stream << "# All changes will be lost!\n";
 		stream << "\n";
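Review bot: The `sprintf(modestring, "%04o", ...)` on the added line writes into an 8-byte stack buffer with no bound; `%04o` of a full-width int (negative, or anything above 07777777) emits more than seven digits and overflows `modestring`. The value comes from configuration rather than a compile-time constant, so its width is not guaranteed. Use `snprintf(modestring, sizeof(modestring), "%04o", pamConfig.autocreate_user_directories_umask);` and reject or clamp values outside 0–07777 before formatting, since anything else also yields an invalid `umask=` argument in the generated PAM file. The enclosing `if (file3.open(IO_WriteOnly))` block and its function start and end outside the hunk.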
@@ -4116,9 +4119,8 @@
 		stream << "session required pam_permit.so" << "\n";
 		stream << "session required pam_unix.so" << "\n";
 		stream << "session optional pam_ck_connector.so nox11" << "\n";
+		stream << "session optional pam_umask.so usergroups umask=" << modestring << "\n";
 		if (pamConfig.autocreate_user_directories_enable) {
-			char modestring[8];
-			sprintf(modestring, "%04o", pamConfig.autocreate_user_directories_umask);
 			TQString skelstring;
 			if (pamConfig.autocreate_user_directories_skel != "") {
 				skelstring = " skel=" + pamConfig.autocreate_user_directories_skel;
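Review bot: The new `pam_umask.so` line is emitted for every session regardless of `autocreate_user_directories_enable`, yet the value it uses is still named `autocreate_user_directories_umask`, which suggests it only matters when home directories are auto-created. A short comment above the added line would prevent a future reader from moving it back inside the `if`: `// pam_umask applies to every login session; the umask value is shared with the home-directory autocreation options below`. The enclosing function starts and ends outside the hunk.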
8c6f2507 2019-03-08 01:43:28 Timothy Pearson
Fix access to ldap configuration files on non-controller (workstation) systems
(cherry picked from commit b2d89e08d03d6f50ee68bc0f07bafd2acb184575)
M src/libtdeldap.cpp

src/libtdeldap.cpp

diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index e1a2d3c..93cd5da 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -2860,9 +2860,19 @@
 
 	delete systemconfig;
 
-	if (chmod(KDE_CONFDIR "/ldap/ldapconfigrc", S_IRUSR|S_IWUSR|S_IRGRP) < 0) {
-		if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(KDE_CONFDIR "/ldap/ldapconfigrc");
-		return -1;
+	if ((machineRole == ROLE_PRIMARY_REALM_CONTROLLER) || (machineRole == ROLE_SECONDARY_REALM_CONTROLLER)) {
+		// The file may contain multi-master replication secrets, therefore only root should be able to read it
+		if (chmod(KDE_CONFDIR "/ldap/ldapconfigrc", S_IRUSR|S_IWUSR|S_IRGRP) < 0) {
+			if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(KDE_CONFDIR "/ldap/ldapconfigrc");
+			return -1;
+		}
+	}
+	else {
+		// Normal users should be allowed to read realm configuration data in order to launch realm administration utilities
+		if (chmod(KDE_CONFDIR "/ldap/ldapconfigrc", S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
+			if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(KDE_CONFDIR "/ldap/ldapconfigrc");
+			return -1;
+		}
 	}
 
 	return 0;
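Review bot: Both branches of the new `if`/`else` repeat the same `chmod` call, error message and `return -1`, differing only in whether `S_IROTH` is set; a single mode variable removes the duplication and keeps the two error paths from drifting apart: `mode_t mode = S_IRUSR|S_IWUSR|S_IRGRP;` then `if ((machineRole != ROLE_PRIMARY_REALM_CONTROLLER) && (machineRole != ROLE_SECONDARY_REALM_CONTROLLER)) mode |= S_IROTH;` followed by one `if (chmod(KDE_CONFDIR "/ldap/ldapconfigrc", mode) < 0) {` block. The `else` comment justifies world-readability by the absence of replication secrets; if `ldapconfigrc` can also hold any bind credential on a workstation, `S_IROTH` would expose it, so the comment should state exactly what the file is known not to contain in that role. The enclosing function starts outside the hunk.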