From 8c6f2507b042e1d4eeb7fc099d12c42672f19be6 Mon Sep 17 00:00:00 2001 From: Timothy Pearson Date: Thu, 7 Mar 2019 18:04:46 -0600 Subject: Fix access to ldap configuration files on non-controller (workstation) systems (cherry picked from commit b2d89e08d03d6f50ee68bc0f07bafd2acb184575) --- src/libtdeldap.cpp | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp index e1a2d3c..93cd5da 100644 --- a/src/libtdeldap.cpp +++ b/src/libtdeldap.cpp @@ -2860,9 +2860,19 @@ int LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg, LDAPMachineRole mac delete systemconfig; - if (chmod(KDE_CONFDIR "/ldap/ldapconfigrc", S_IRUSR|S_IWUSR|S_IRGRP) < 0) { - if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(KDE_CONFDIR "/ldap/ldapconfigrc"); - return -1; + if ((machineRole == ROLE_PRIMARY_REALM_CONTROLLER) || (machineRole == ROLE_SECONDARY_REALM_CONTROLLER)) { + // The file may contain multi-master replication secrets, therefore only root should be able to read it + if (chmod(KDE_CONFDIR "/ldap/ldapconfigrc", S_IRUSR|S_IWUSR|S_IRGRP) < 0) { + if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(KDE_CONFDIR "/ldap/ldapconfigrc"); + return -1; + } + } + else { + // Normal users should be allowed to read realm configuration data in order to launch realm administration utilities + if (chmod(KDE_CONFDIR "/ldap/ldapconfigrc", S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) { + if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(KDE_CONFDIR "/ldap/ldapconfigrc"); + return -1; + } } return 0; -- cgit v1.2.1