From b8a3625690f39e22d8cd699598384bad472b6373 Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Tue, 5 Aug 2014 13:52:48 +0200

Subject: [PATCH 26/46] SSSD: Load a user to run a service as from

 configuration

Related:

    https://fedorahosted.org/sssd/ticket/2370

Adds a option, user to run as, that is specified in the [sssd] section. When

this option is specified, SSSD will run as this user and his private

group. When these are not specified, SSSD will run as the configure-time

user and group (usually root).

Currently all services and providers are started as root. There is a

temporary svc_supported_as_nonroot() function that returns true for a

service if that service runs and was tested as nonroot and false

otherwise. Currently this function always returns false, but will be

amended in future patches.

Reviewed-by: Pavel Reichl <preichl@redhat.com>

Reviewed-by: Simo Sorce <simo@redhat.com>

(cherry picked from commit a10ac1d0a7210def232205a48c53a075930e82f6)

---

 src/confdb/confdb.h                  |  1 +

 src/config/SSSDConfig/__init__.py.in |  1 +

 src/config/SSSDConfigTest.py         |  1 +

 src/config/etc/sssd.api.conf         |  1 +

 src/man/sssd.conf.5.xml              | 13 +++++++++

 src/monitor/monitor.c                | 56 ++++++++++++++++++++++++++++++++++++

 6 files changed, 73 insertions(+)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h

index 34d4610654c24017bcad8608332c71232d665d40..159aa9f2c44ed91c94a40c98d5a7710793f0aa85 100644

--- a/src/confdb/confdb.h

+++ b/src/confdb/confdb.h

@@ -69,6 +69,7 @@

 #define CONFDB_MONITOR_KRB5_RCACHEDIR "krb5_rcache_dir"

 #define CONFDB_MONITOR_DEFAULT_DOMAIN "default_domain_suffix"

 #define CONFDB_MONITOR_OVERRIDE_SPACE "override_space"

+#define CONFDB_MONITOR_USER_RUNAS "user"

 /* Both monitor and domains */

 #define CONFDB_NAME_REGEX   "re_expression"

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in

index 6c95530868d7c078ccf13622f3ba916392b0c732..b4560ea2b33f2c3b82bff42fb6a36302a146c99f 100644

--- a/src/config/SSSDConfig/__init__.py.in

+++ b/src/config/SSSDConfig/__init__.py.in

@@ -56,6 +56,7 @@ option_strings = {

     'full_name_format' : _('Printf-compatible format for displaying fully-qualified names'),

     'krb5_rcache_dir' : _('Directory on the filesystem where SSSD should store Kerberos replay cache files.'),

     'default_domain_suffix' : _('Domain to add to names without a domain component.'),

+    'user' : _('The user to drop privileges to'),

     # [nss]

     'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'),

diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py

index 2d12bc02af1768d22c8bfa9a21b1fc24bf199af4..78e22f6eff19aac8289d769dc9f565b2d548f4b3 100755

--- a/src/config/SSSDConfigTest.py

+++ b/src/config/SSSDConfigTest.py

@@ -280,6 +280,7 @@ class SSSDConfigTestSSSDService(unittest.TestCase):

             're_expression',

             'full_name_format',

             'krb5_rcache_dir',

+            'user',

             'default_domain_suffix',

             'debug_level',

             'debug_timestamps',

diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf

index a20f5aa44dbadd24f644bffc9954df9e088979b9..c16769a3985f495922d255dacebccc11f6a0ea1d 100644

--- a/src/config/etc/sssd.api.conf

+++ b/src/config/etc/sssd.api.conf

@@ -23,6 +23,7 @@ sbus_timeout = int, None, false

 re_expression = str, None, false

 full_name_format = str, None, false

 krb5_rcache_dir = str, None, false

+user = str, None, false

 default_domain_suffix = str, None, false

 [nss]

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml

index 77690432b841221328d65403830cf4a1ac12dba0..e2cb0b81b61063750995064b6ce83f9615049534 100644

--- a/src/man/sssd.conf.5.xml

+++ b/src/man/sssd.conf.5.xml

@@ -297,6 +297,19 @@

                         </listitem>

                     </varlistentry>

                     <varlistentry>

+                        <term>user (string)</term>

+                        <listitem>

+                            <para>

+                                The user to drop the privileges to where

+                                appropriate to avoid running as the

+                                root user.

+                            </para>

+                            <para>

+                                Default: not set, process will run as root

+                            </para>

+                        </listitem>

+                    </varlistentry>

+                    <varlistentry>

                         <term>default_domain_suffix (string)</term>

                         <listitem>

                             <para>

diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c

index edd1c2dfc674d8a7ca9d069d6499c0dcc959f210..df1cd5ca14c759f7aab98094a2b8ad35731c35e6 100644

--- a/src/monitor/monitor.c

+++ b/src/monitor/monitor.c

@@ -170,6 +170,10 @@ struct mt_ctx {

     struct sss_sigchild_ctx *sigchld_ctx;

     bool is_daemon;

     pid_t parent_pid;

+

+    /* For running unprivileged services */

+    uid_t uid;

+    gid_t gid;

 };

 static int start_service(struct mt_svc *mt_svc);

@@ -910,6 +914,29 @@ static char *check_services(char **services)

     return NULL;

 }

+static int get_service_user(struct mt_ctx *ctx)

+{

+    errno_t ret;

+    char *user_str;

+

+    ret = confdb_get_string(ctx->cdb, ctx, CONFDB_MONITOR_CONF_ENTRY,

+                            CONFDB_MONITOR_USER_RUNAS,

+                            SSSD_USER, &user_str);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get the user to run as\n");

+        return ret;

+    }

+

+    ret = sss_user_by_name_or_uid(user_str, &ctx->uid, &ctx->gid);

+    talloc_free(user_str);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_FATAL_FAILURE, "Failed to set allowed UIDs.\n");

+        return ret;

+    }

+

+    return EOK;

+}

+

 static int get_monitor_config(struct mt_ctx *ctx)

 {

     int ret;

@@ -955,6 +982,12 @@ static int get_monitor_config(struct mt_ctx *ctx)

         ctx->num_services++;

     }

+    ret = get_service_user(ctx);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to get the unprivileged user\n");

+        return ret;

+    }

+

     ret = confdb_get_domains(ctx->cdb, &ctx->domains);

     if (ret != EOK) {

         DEBUG(SSSDBG_FATAL_FAILURE, "No domains configured.\n");

@@ -1020,6 +1053,14 @@ static errno_t get_ping_config(struct mt_ctx *ctx, const char *path,

     return EOK;

 }

+/* This is a temporary function that returns false if the service

+ * being started was only tested when running as root.

+ */

+static bool svc_supported_as_nonroot(const char *svc_name)

+{

+    return false;

+}

+

 static int get_service_config(struct mt_ctx *ctx, const char *name,

                               struct mt_svc **svc_cfg)

 {

@@ -1027,6 +1068,8 @@ static int get_service_config(struct mt_ctx *ctx, const char *name,

     char *path;

     struct mt_svc *svc;

     time_t now = time(NULL);

+    uid_t uid = 0;

+    gid_t gid = 0;

     *svc_cfg = NULL;

@@ -1066,6 +1109,11 @@ static int get_service_config(struct mt_ctx *ctx, const char *name,

         return ret;

     }

+    if (svc_supported_as_nonroot(svc->name)) {

+        uid = ctx->uid;

+        gid = ctx->gid;

+    }

+

     if (!svc->command) {

         svc->command = talloc_asprintf(

             svc, "%s/sssd_%s", SSSD_LIBEXEC_PATH, svc->name

@@ -1075,6 +1123,14 @@ static int get_service_config(struct mt_ctx *ctx, const char *name,

             return ENOMEM;

         }

+        svc->command = talloc_asprintf_append(svc->command,

+                " --uid %"SPRIuid" --gid %"SPRIgid,

+                uid, gid);

+        if (!svc->command) {

+            talloc_free(svc);

+            return ENOMEM;

+        }

+

         if (cmdline_debug_level != SSSDBG_UNRESOLVED) {

             svc->command = talloc_asprintf_append(

                 svc->command, " -d %#.4x", cmdline_debug_level

-- 

1.9.3