File 0009-SUDO-Create-the-socket-with-stricter-permissions.patch of Package sssd.6481
From 3425f2bc56bc182bb48c51a45c21ea6096481f14 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 15 Jun 2018 22:29:34 +0200
Subject: [PATCH] SUDO: Create the socket with stricter permissions
This patch switches the sudo responder from being created as a public
responder where the permissions are open and not checked by the sssd
daemon to a private socket. In this case, sssd creates the pipes with
strict permissions (see the umask in the call to create_pipe_fd() in
set_unix_socket()) and additionally checks the permissions with every read
via the tevent integrations (see accept_fd_handler()).
---
src/responder/sudo/sudosrv.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
index d832686a8572f3729a0477cdca2f77ebcb19fbc0..f035c76187d394712c69d3923706f79cfa5a08e5 100644
--- a/src/responder/sudo/sudosrv.c
+++ b/src/responder/sudo/sudosrv.c
@@ -81,7 +81,8 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
sudo_cmds = get_sudo_cmds();
ret = sss_process_init(mem_ctx, ev, cdb,
sudo_cmds,
- SSS_SUDO_SOCKET_NAME, -1, NULL, -1,
+ NULL, -1, /* No public socket */
+ SSS_SUDO_SOCKET_NAME, -1, /* Private socket only */
CONFDB_SUDO_CONF_ENTRY,
SSS_SUDO_SBUS_SERVICE_NAME,
SSS_SUDO_SBUS_SERVICE_VERSION,
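Review bot: the commit message should spell out the client-side effect of this argument swap: the socket keeps the name SSS_SUDO_SOCKET_NAME but is now passed as the private socket only, with NULL for the public one, so any client that previously connected as an unprivileged user will be refused by the stricter permission checks the message describes. Please state which clients are expected to connect (and that they run with sufficient privileges), and that no public sudo socket is created at all, so a failed connection after this change is not mistaken for a regression.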
--
2.14.3