dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone

Blame SOURCES/0026-IPA-Handle-sssd-owned-keytabs-when-running-as-root.patch

6cf099
From dba7ccc7594be1881967aa274090d61a97aec5fa Mon Sep 17 00:00:00 2001
6cf099
From: Jakub Hrozek <jhrozek@redhat.com>
6cf099
Date: Wed, 22 Jul 2015 17:20:11 +0200
6cf099
Subject: [PATCH 26/27] IPA: Handle sssd-owned keytabs when running as root
6cf099
6cf099
https://fedorahosted.org/sssd/ticket/2718
6cf099
6cf099
This patch handles the case where the keytab is created with sssd:sssd
6cf099
ownership (perhaps by the IPA oddjob script) but SSSD runs as root,
6cf099
which is the default in many distributions.
6cf099
6cf099
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
6cf099
---
6cf099
 src/providers/ipa/ipa_subdomains.h        |  3 ++
6cf099
 src/providers/ipa/ipa_subdomains_server.c | 46 +++++++++++++++++++++++++------
6cf099
 2 files changed, 41 insertions(+), 8 deletions(-)
6cf099
6cf099
diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h
6cf099
index 5bc63a173a1a8967eb5de30a2da84a81377d3900..2302c5f03e80de2ea1efad424769e777cd6dd8d5 100644
6cf099
--- a/src/providers/ipa/ipa_subdomains.h
6cf099
+++ b/src/providers/ipa/ipa_subdomains.h
6cf099
@@ -94,6 +94,9 @@ struct ipa_server_mode_ctx {
6cf099
 
6cf099
     struct ipa_ad_server_ctx *trusts;
6cf099
     struct ipa_ext_groups *ext_groups;
6cf099
+
6cf099
+    uid_t kt_owner_uid;
6cf099
+    uid_t kt_owner_gid;
6cf099
 };
6cf099
 
6cf099
 int ipa_ad_subdom_init(struct be_ctx *be_ctx,
6cf099
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
6cf099
index a9e2c1f700ef47716be868bad68590b8d5d0d42a..4bfea61e6dd0a02f6b723a39f7ba236c914009b0 100644
6cf099
--- a/src/providers/ipa/ipa_subdomains_server.c
6cf099
+++ b/src/providers/ipa/ipa_subdomains_server.c
6cf099
@@ -520,16 +520,28 @@ static errno_t ipa_getkeytab_recv(struct tevent_req *req, int *child_status)
6cf099
     return EOK;
6cf099
 }
6cf099
 
6cf099
-static errno_t ipa_check_keytab(const char *keytab)
6cf099
+static errno_t ipa_check_keytab(const char *keytab,
6cf099
+                                uid_t kt_owner_uid,
6cf099
+                                gid_t kt_owner_gid)
6cf099
 {
6cf099
     errno_t ret;
6cf099
 
6cf099
     ret = check_file(keytab, getuid(), getgid(), S_IFREG|0600, 0, NULL, false);
6cf099
-    if (ret != EOK) {
6cf099
-        if (ret != ENOENT) {
6cf099
-            DEBUG(SSSDBG_OP_FAILURE, "Failed to check for %s\n", keytab);
6cf099
-        } else {
6cf099
-            DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab);
6cf099
+    if (ret == ENOENT) {
6cf099
+        DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab);
6cf099
+        goto done;
6cf099
+    } else if (ret != EOK) {
6cf099
+        if (kt_owner_uid) {
6cf099
+            ret = check_file(keytab, kt_owner_uid, kt_owner_gid,
6cf099
+                             S_IFREG|0600, 0, NULL, false);
6cf099
+        }
6cf099
+
6cf099
+        if (ret != EOK) {
6cf099
+            if (ret != ENOENT) {
6cf099
+                DEBUG(SSSDBG_OP_FAILURE, "Failed to check for %s\n", keytab);
6cf099
+            } else {
6cf099
+                DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab);
6cf099
+            }
6cf099
         }
6cf099
         goto done;
6cf099
     }
6cf099
@@ -648,7 +660,9 @@ static errno_t ipa_server_trust_add_1way(struct tevent_req *req)
6cf099
         return EIO;
6cf099
     }
6cf099
 
6cf099
-    ret = ipa_check_keytab(state->keytab);
6cf099
+    ret = ipa_check_keytab(state->keytab,
6cf099
+                           state->id_ctx->server_mode->kt_owner_uid,
6cf099
+                           state->id_ctx->server_mode->kt_owner_gid);
6cf099
     if (ret == EOK) {
6cf099
         DEBUG(SSSDBG_TRACE_FUNC,
6cf099
               "Keytab already present, can add the trust\n");
6cf099
@@ -704,7 +718,9 @@ static void ipa_server_trust_1way_kt_done(struct tevent_req *subreq)
6cf099
     DEBUG(SSSDBG_TRACE_FUNC,
6cf099
           "Keytab successfully retrieved to %s\n", state->keytab);
6cf099
 
6cf099
-    ret = ipa_check_keytab(state->keytab);
6cf099
+    ret = ipa_check_keytab(state->keytab,
6cf099
+                           state->id_ctx->server_mode->kt_owner_uid,
6cf099
+                           state->id_ctx->server_mode->kt_owner_gid);
6cf099
     if (ret != EOK) {
6cf099
         DEBUG(SSSDBG_OP_FAILURE, "ipa_check_keytab failed: %d\n", ret);
6cf099
         tevent_req_error(req, ret);
6cf099
@@ -1029,6 +1045,20 @@ int ipa_ad_subdom_init(struct be_ctx *be_ctx,
6cf099
     id_ctx->server_mode->hostname = hostname;
6cf099
     id_ctx->server_mode->trusts = NULL;
6cf099
     id_ctx->server_mode->ext_groups = NULL;
6cf099
+    id_ctx->server_mode->kt_owner_uid = 0;
6cf099
+    id_ctx->server_mode->kt_owner_gid = 0;
6cf099
+
6cf099
+    if (getuid() == 0) {
6cf099
+        /* We need to handle keytabs created by IPA oddjob script gracefully
6cf099
+         * even if we're running as root and IPA creates them as the SSSD user
6cf099
+         */
6cf099
+        ret = sss_user_by_name_or_uid(SSSD_USER,
6cf099
+                                      &id_ctx->server_mode->kt_owner_uid,
6cf099
+                                      &id_ctx->server_mode->kt_owner_gid);
6cf099
+        if (ret != EOK) {
6cf099
+            DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get ID of %s\n", SSSD_USER);
6cf099
+        }
6cf099
+    }
6cf099
 
6cf099
     ret = ipa_ad_subdom_reinit(be_ctx, be_ctx->ev,
6cf099
                                be_ctx, id_ctx, be_ctx->domain);
6cf099
-- 
6cf099
2.4.3
6cf099