sssd/0002-CONFDB-Change-ownership-of-config.ldb.patch
2021-11-01 19:10:28 +01:00


From 92e1679943fd2a2a50c9e0e176a10a875cb3ac56 Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Fri, 15 Oct 2021 11:03:19 +0200
Subject: [PATCH 03/17] CONFDB: Change ownership of config.ldb
The config database is owned by root. This prevents our socket-activated
services from starting, because they are started as the sssd user.
Changing the ownership to sssd fixes the issue.
Resolves: https://github.com/SSSD/sssd/issues/5781
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/confdb/confdb.c | 3 +++
src/monitor/monitor.c | 5 ++++-
src/tests/cwrap/group | 1 +
src/tests/cwrap/passwd | 1 +
src/util/usertools.c | 42 ++++++++++++++++++++++++++++++++++++++++++
src/util/util.h | 3 +++
6 files changed, 54 insertions(+), 1 deletion(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index b7a73d97b34bfa60aa59855c1eec2a17ed0a4ec0..7a718cc628343570d484135da639250ad83e8b01 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -673,8 +673,11 @@ int confdb_init(TALLOC_CTX *mem_ctx,
}
old_umask = umask(SSS_DFL_UMASK);
+ sss_set_sssd_user_eid();
ret = ldb_connect(cdb->ldb, confdb_location, 0, NULL);
+
+ sss_restore_sssd_user_eid();
umask(old_umask);
if (ret != LDB_SUCCESS) {
DEBUG(SSSDBG_FATAL_FAILURE, "Unable to open config database [%s]\n",
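Review bot: The privilege switch wrapped around ldb_connect() on the two `+` lines carries no comment saying why the effective ids are changed here, and because both helpers are void, confdb_init() cannot tell whether the switch actually happened, so a root-owned config.ldb can still be created silently. Suggest a comment above the first call: `/* Open/create config.ldb with the sssd user's effective ids so the file ends up owned by it (issue 5781) */`. If the helper is later changed to report failure, that failure should be treated as fatal before ldb_connect() runs. confdb_init() starts before this hunk and continues after it.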
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index b5fee7e7a78cb75ee267279f5a97725d8dedca52..c7610cb69b77899103d99bf44bb3b9f426482e65 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -1551,6 +1551,8 @@ errno_t load_configuration(TALLOC_CTX *mem_ctx,
errno_t ret;
struct mt_ctx *ctx;
char *cdb_file = NULL;
+ uid_t sssd_uid;
+ gid_t sssd_gid;
ctx = talloc_zero(mem_ctx, struct mt_ctx);
if(!ctx) {
@@ -1591,7 +1593,8 @@ errno_t load_configuration(TALLOC_CTX *mem_ctx,
/* Allow configuration database to be accessible
* when SSSD runs as nonroot */
- ret = chown(cdb_file, ctx->uid, ctx->gid);
+ sss_sssd_user_uid_and_gid(&sssd_uid, &sssd_gid);
+ ret = chown(cdb_file, sssd_uid, sssd_gid);
if (ret != 0) {
ret = errno;
DEBUG(SSSDBG_FATAL_FAILURE,
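Review bot: The chown() target on the added lines now comes from sss_sssd_user_uid_and_gid(), which (per the usertools hunk) falls back to uid/gid 0 when the sssd user cannot be resolved, so a lookup failure silently re-creates the root-owned database this patch is meant to fix, with only a DEBUG line left behind. Consider treating a resolved uid of 0 as an error here when the services are expected to run unprivileged, or at least extend the context comment so the intent is explicit: `/* config.ldb must be owned by the sssd user so that socket-activated services, which run as sssd, can open it */`. The existing comment "when SSSD runs as nonroot" no longer matches a chown that always targets the sssd user. load_configuration() continues outside this hunk.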
diff --git a/src/tests/cwrap/group b/src/tests/cwrap/group
index d0cea659ea030d14a293f5d941f473f8f3786886..1a3766e6307274b2935737d5060e3d8531d0bed2 100644
--- a/src/tests/cwrap/group
+++ b/src/tests/cwrap/group
@@ -1,2 +1,3 @@
+root:x:0:
sssd:x:123:
foogroup:x:10001:
diff --git a/src/tests/cwrap/passwd b/src/tests/cwrap/passwd
index 862ccfe03e40d43c60c56b0c50f328f494d7e6b9..0511a91bcb2ee3e12d582c98ca0bc6bb358816d3 100644
--- a/src/tests/cwrap/passwd
+++ b/src/tests/cwrap/passwd
@@ -1,2 +1,3 @@
+root:x:0:0:root:/root:/bin/bash
sssd:x:123:456:sssd unprivileged user:/:/sbin/nologin
foobar:x:10001:10001:User for SSSD testing:/home/foobar:/bin/bash
diff --git a/src/util/usertools.c b/src/util/usertools.c
index 8c2ed4e2de764edcb0549eac02a524e7e9975c4f..6f93a4cef288a245a95c2e510a62233f904034fb 100644
--- a/src/util/usertools.c
+++ b/src/util/usertools.c
@@ -835,3 +835,45 @@ done:
talloc_zfree(tmp_ctx);
return ret;
}
+
+void sss_sssd_user_uid_and_gid(uid_t *_uid, gid_t *_gid)
+{
+ uid_t sssd_uid;
+ gid_t sssd_gid;
+ errno_t ret;
+
+ ret = sss_user_by_name_or_uid(SSSD_USER, &sssd_uid, &sssd_gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "failed to get sssd user (" SSSD_USER ") uid/gid, using root\n");
+ sssd_uid = 0;
+ sssd_gid = 0;
+ }
+
+ if (_uid != NULL) {
+ *_uid = sssd_uid;
+ }
+
+ if (_gid != NULL) {
+ *_gid = sssd_gid;
+ }
+}
+
+void sss_set_sssd_user_eid(void)
+{
+ uid_t uid;
+ gid_t gid;
+
+ if (geteuid() == 0) {
+ sss_sssd_user_uid_and_gid(&uid, &gid);
+ seteuid(uid);
+ setegid(gid);
+ }
+}
+
+void sss_restore_sssd_user_eid(void)
+{
+ if (getuid() == 0) {
+ seteuid(getuid());
+ setegid(getgid());
+ }
+}
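Review bot: In sss_set_sssd_user_eid() the seteuid()/setegid() calls are in the wrong order and their return values are ignored: once seteuid() has moved the effective uid away from 0, the following setegid() to the sssd group is, on Linux, no longer permitted (an unprivileged process may only set egid to its real or saved gid), so the effective gid silently stays 0 and config.ldb is created with the wrong group. Switch the group first, then the user, and log when either call fails; returning an errno_t so confdb_init() can bail would be stronger still, but that also touches the util.h and confdb.c hunks. The guards are also asymmetric — the set helper keys on geteuid() == 0 while the restore helper keys on getuid() == 0 — which presumably is harmless when sssd is started as root but would leave the ids dropped for a process whose real uid is not 0; worth a comment or aligning the two checks. The helpers' documentation is also missing; a short header on each stating that set/restore must be paired and that both are no-ops when not running as root would help callers.
```c
void sss_set_sssd_user_eid(void)
{
    uid_t uid;
    gid_t gid;

    if (geteuid() == 0) {
        sss_sssd_user_uid_and_gid(&uid, &gid);
        /* Group first: once the effective uid is no longer 0, setegid()
         * to an arbitrary gid is refused. */
        if (setegid(gid) != 0 || seteuid(uid) != 0) {
            DEBUG(SSSDBG_CRIT_FAILURE,
                  "Unable to switch effective ids to the sssd user [%d]: %s\n",
                  errno, strerror(errno));
        }
    }
}
/* … unchanged: sss_sssd_user_uid_and_gid, sss_restore_sssd_user_eid … */
```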
diff --git a/src/util/util.h b/src/util/util.h
index e85cd12022c4ef39c8dd6859bc9adf28e0314129..6dfd2540cc209a728f385273082221b65d05249f 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -383,6 +383,9 @@ errno_t sss_canonicalize_ip_address(TALLOC_CTX *mem_ctx,
const char * const * get_known_services(void);
errno_t sss_user_by_name_or_uid(const char *input, uid_t *_uid, gid_t *_gid);
+void sss_sssd_user_uid_and_gid(uid_t *_uid, gid_t *_gid);
+void sss_set_sssd_user_eid(void);
+void sss_restore_sssd_user_eid(void);
int split_on_separator(TALLOC_CTX *mem_ctx, const char *str,
const char sep, bool trim, bool skip_empty,
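Review bot: The three new prototypes are added without any contract documentation, although their correct use depends on it (the set/restore pair must bracket the file-creating call, and both are no-ops unless the process is running with root ids). Suggest a comment block above `sss_set_sssd_user_eid` along the lines of: `/* Temporarily switch the effective uid/gid to the sssd user so files created meanwhile are owned by it; no-op when not root. Must be paired with sss_restore_sssd_user_eid(). */`, and one on `sss_sssd_user_uid_and_gid` stating that it falls back to 0/0 when the user cannot be resolved, since that fallback matters to every caller.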
--
2.31.1