authorRatan Gupta <ratagupt@in.ibm.com>2018-10-06 12:07:35 +0530
committerNagaraju Goruganti <ngorugan@in.ibm.com>2018-10-23 23:32:50 -0500
commit9891f2f8f330cfe678098342bd1cb536e5810233 (patch)
tree6c78cd592678ef1d5c011b579cb780d014c28cfe /phosphor-ldap-config
parent156754745b44c341c54febab526e3b0d9b5d118f (diff)
phosphor-ldap-conf: change the permissions of the nslcd.conf file
If the bindDN password is written to the file, change the file's permissions to 640 so that it is not world-readable. If the bindDN password is not written, the permissions stay at the default 644. Change-Id: I567285ad75e18c2a38c37918d3d3a5e61b0b39ea Signed-off-by: Ratan Gupta <ratagupt@in.ibm.com> Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
Diffstat (limited to 'phosphor-ldap-config')
-rw-r--r--phosphor-ldap-config/ldap_configuration.cpp17
1 files changed, 17 insertions, 0 deletions
diff --git a/phosphor-ldap-config/ldap_configuration.cpp b/phosphor-ldap-config/ldap_configuration.cpp
index c84927d..4bbcbed 100644
--- a/phosphor-ldap-config/ldap_configuration.cpp
+++ b/phosphor-ldap-config/ldap_configuration.cpp
@@ -69,6 +69,8 @@ void Config::delete_()
void Config::writeConfig()
{
std::stringstream confData;
+ auto isPwdTobeWritten = false;
+
confData << "uid root\n";
confData << "gid root\n\n";
confData << "ldap_version 3\n\n";
@@ -82,6 +84,7 @@ void Config::writeConfig()
if (!lDAPBINDDNpassword().empty())
{
confData << "bindpw " << lDAPBINDDNpassword() << "\n";
+ isPwdTobeWritten = true;
}
confData << "\n";
switch (lDAPSearchScope())
@@ -137,6 +140,20 @@ void Config::writeConfig()
try
{
std::fstream stream(configFilePath.c_str(), std::fstream::out);
+ // remove the read permission from others if password is being written.
+ // nslcd forces this behaviour.
+ auto permission = fs::perms::owner_read | fs::perms::owner_write |
+ fs::perms::group_read;
+ if (isPwdTobeWritten)
+ {
+ fs::permissions(configFilePath, permission);
+ }
+ else
+ {
+ fs::permissions(configFilePath,
+ permission | fs::perms::others_read);
+ }
+
stream << confData.str();
stream.flush();
stream.close();
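Review bot: The mode is tightened only after `std::fstream stream(configFilePath.c_str(), std::fstream::out)` has already created or truncated the file, so a freshly created nslcd.conf briefly carries the umask-derived mode, and a process that opens it in that window keeps its read descriptor after the chmod. Because `stream << confData.str()` runs after `fs::permissions`, the bytes on disk are not world-readable at rest, but the gap is avoidable: on rewrites the path presumably already exists, so tightening it before the stream is constructed (keeping the post-open chmod only for first creation) removes the window without relying on the process umask. The two branches also collapse to `if (!isPwdTobeWritten) { permission |= fs::perms::others_read; }` followed by a single `fs::permissions(configFilePath, permission);`. `fs::permissions` throws `fs::filesystem_error` on failure; the enclosing `try` looks like it is meant to catch that, but its handler and the rest of `writeConfig` are outside the hunk, and a failed `stream` open is not checked before the chmod.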