From 2c5b03913c54234efdabcff83de368bae72dc799 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Sat, 20 Jan 2018 23:58:14 +0100
Subject: [PATCH 85/88] DESKPROFILE: Fix the permissions and soften the umask
 for user's dir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The user dir has been created as 0600 and owned by the user. It doesn't
work anymore as CAP_DAC_OVERRIDE has been dropped from our systemd
service upstream.

In order to have it working again, let's change it to 0700 (as the
executable bit is needed for creating a file inside a folder) and soften
the default umask from (0177) to (0077) to be able to create this dir.

This issue was exposed due to CAP_DAC_OVERRIDE being removed from the
Fedora package.

Resolves:
https://pagure.io/SSSD/sssd/issue/3621

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Simo Sorce <simo@redhat.com>
---
 src/providers/ipa/ipa_deskprofile_rules_util.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
index 989f3aadd..0846b16f6 100644
--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
@@ -264,7 +264,11 @@ ipa_deskprofile_rules_create_user_dir(
         goto done;
     }
 
-    ret = sss_create_dir(domain_dir, shortname, 0600, uid, gid);
+    /* In order to read, create and traverse the directory, we need to have its
+     * permissions set as 'rwx------' (700). */
+    old_umask = umask(0077);
+    ret = sss_create_dir(domain_dir, shortname, 0700, uid, gid);
+    umask(old_umask);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE,
                "Failed to create the directory \"%s/%s/%s\" that would be used "
-- 
2.14.3