From 9891f2f8f330cfe678098342bd1cb536e5810233 Mon Sep 17 00:00:00 2001
From: Ratan Gupta
Date: Sat, 6 Oct 2018 12:07:35 +0530
Subject: phosphor-ldap-conf: change the permissions of the nslcd.conf file
If bindDN password is being written in the file then change the permission of the file to 640 so that it is not world readable. If bindDN password is not written then permission would be 644 which is default.
Change-Id: I567285ad75e18c2a38c37918d3d3a5e61b0b39ea
Signed-off-by: Ratan Gupta
Signed-off-by: Nagaraju Goruganti
---
 phosphor-ldap-config/ldap_configuration.cpp | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
(limited to 'phosphor-ldap-config')
diff --git a/phosphor-ldap-config/ldap_configuration.cpp b/phosphor-ldap-config/ldap_configuration.cpp
index c84927d..4bbcbed 100644
--- a/phosphor-ldap-config/ldap_configuration.cpp
+++ b/phosphor-ldap-config/ldap_configuration.cpp
@@ -69,6 +69,8 @@ void Config::delete_()
 void Config::writeConfig()
 {
 std::stringstream confData;
+ auto isPwdTobeWritten = false;
+
 confData << "uid root\n";
 confData << "gid root\n\n";
 confData << "ldap_version 3\n\n";
@@ -82,6 +84,7 @@ void Config::writeConfig()
 if (!lDAPBINDDNpassword().empty())
 {
 confData << "bindpw " << lDAPBINDDNpassword() << "\n";
+ isPwdTobeWritten = true;
 }
 confData << "\n";
 switch (lDAPSearchScope())
@@ -137,6 +140,20 @@ void Config::writeConfig()
 try
 {
 std::fstream stream(configFilePath.c_str(), std::fstream::out);
+ // remove the read permission from others if password is being written.
+ // nslcd forces this behaviour.
+ auto permission = fs::perms::owner_read | fs::perms::owner_write |
+ fs::perms::group_read;
+ if (isPwdTobeWritten)
+ {
+ fs::permissions(configFilePath, permission);
+ }
+ else
+ {
+ fs::permissions(configFilePath,
+ permission | fs::perms::others_read);
+ }
+
 stream << confData.str();
 stream.flush();
 stream.close();
-- 
cgit v1.2.1
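Review bot: In the third hunk the file is opened (and, if absent, created with the process umask mode, typically 0644) by `std::fstream stream(configFilePath.c_str(), std::fstream::out)` before `fs::permissions` tightens it, so an unprivileged local reader that opens nslcd.conf in that window keeps a descriptor and can read the bindpw written after the chmod; the same applies when an existing 0644 file is re-written with a password for the first time. Tighten to 0640 before the stream is opened when the file already exists, write, and only after `stream.close()` widen to 0644 when no password was written; for a freshly created file the mode still comes from umask, so creating it with `::open(..., O_CREAT | O_TRUNC, 0640)` (or writing a 0600 temp file and renaming over the target) closes the remaining gap. Note also that `fs::permissions` can throw `fs::filesystem_error`; the `catch` that handles it, like the rest of `writeConfig`, lies outside this hunk, so confirm it reports the failure rather than leaving a half-written or world-readable file behind. The first two hunks only introduce the `isPwdTobeWritten` flag and need no change.
```cpp
        // Tighten before the file is opened/truncated so an existing
        // world-readable nslcd.conf cannot be held open by others while
        // bindpw is written; widen again only after the write, and only
        // when no password is in the file.
        const auto permission = fs::perms::owner_read | fs::perms::owner_write |
                                fs::perms::group_read;
        if (fs::exists(configFilePath))
        {
            fs::permissions(configFilePath, permission);
        }
        std::fstream stream(configFilePath.c_str(), std::fstream::out);
        // … unchanged: stream << confData.str(); flush; close …
        if (!isPwdTobeWritten)
        {
            fs::permissions(configFilePath,
                            permission | fs::perms::others_read);
        }
```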