summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTimothy Pearson <kb9vqf@pearsoncomputing.net>2019-03-07 18:04:46 -0600
committerSlávek Banko <slavek.banko@axis.cz>2019-03-08 02:43:28 +0100
commit8c6f2507b042e1d4eeb7fc099d12c42672f19be6 (patch)
treecf1e7da96e1117eb75eeaabf4f1c033bd70df270
parent23d8a034c7106ed2800ddc6618ab44d3c1c3224e (diff)
downloadlibtdeldap-8c6f2507b042e1d4eeb7fc099d12c42672f19be6.tar.gz
libtdeldap-8c6f2507b042e1d4eeb7fc099d12c42672f19be6.zip
Fix access to ldap configuration files on non-controller (workstation) systemsr14.0.6
(cherry picked from commit b2d89e08d03d6f50ee68bc0f07bafd2acb184575)
-rw-r--r--src/libtdeldap.cpp16
1 files changed, 13 insertions, 3 deletions
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index e1a2d3c..93cd5da 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -2860,9 +2860,19 @@ int LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg, LDAPMachineRole mac
delete systemconfig;
- if (chmod(KDE_CONFDIR "/ldap/ldapconfigrc", S_IRUSR|S_IWUSR|S_IRGRP) < 0) {
- if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(KDE_CONFDIR "/ldap/ldapconfigrc");
- return -1;
+ if ((machineRole == ROLE_PRIMARY_REALM_CONTROLLER) || (machineRole == ROLE_SECONDARY_REALM_CONTROLLER)) {
+ // The file may contain multi-master replication secrets, therefore only root should be able to read it
+ if (chmod(KDE_CONFDIR "/ldap/ldapconfigrc", S_IRUSR|S_IWUSR|S_IRGRP) < 0) {
+ if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(KDE_CONFDIR "/ldap/ldapconfigrc");
+ return -1;
+ }
+ }
+ else {
+ // Normal users should be allowed to read realm configuration data in order to launch realm administration utilities
+ if (chmod(KDE_CONFDIR "/ldap/ldapconfigrc", S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
+ if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(KDE_CONFDIR "/ldap/ldapconfigrc");
+ return -1;
+ }
}
return 0;