From 2bb5d331997232e5b1c589062b7960215fd08047 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 15 Oct 2014 15:58:58 +0200
Subject: [PATCH 29/46] BE: Own the sbus socket as the SSSD user
In some cases, the back end might still be running as root, but the
responder would be running unprivileged. In this case, we need to allow
connecting from the SSSD user ID.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit 19e9c1c1a21790974400db9349637788727b6564)
---
src/monitor/monitor.c | 8 ++++++++
src/providers/data_provider_be.c | 16 ++++++++++++----
src/providers/dp_backend.h | 2 ++
3 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index fc6b2963fff41a2a2aefdaf502817f6764e95b1e..905e66f25601d155557487ae9c7eb6d3145d3a83 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -1306,6 +1306,14 @@ static int get_provider_config(struct mt_ctx *ctx, const char *name,
return ENOMEM;
}
+ svc->command = talloc_asprintf_append(svc->command,
+ " --uid %"SPRIuid" --gid %"SPRIgid,
+ ctx->uid, ctx->gid);
+ if (!svc->command) {
+ talloc_free(svc);
+ return ENOMEM;
+ }
+
if (cmdline_debug_level != SSSDBG_UNRESOLVED) {
svc->command = talloc_asprintf_append(
svc->command, " -d %#.4x", cmdline_debug_level
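Review bot: The reason the provider's command line now carries `--uid`/`--gid` is not stated at the append site, so the next reader has to go to the commit log; a one-line comment would do, e.g. `/* The provider needs the SSSD uid/gid to create its sbus socket with that ownership and to admit the unprivileged responders */`. The values are taken from ctx->uid and ctx->gid, so whatever ownership the provider later applies to its socket follows the monitor's own configuration, which is presumably the intent given the commit message. get_provider_config starts and ends outside the hunk.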
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 122c5b091751b641f815ddff5c56ac99ace69939..2716e4a8b38f3ff9a5b48a861ecc31f18f9fcbce 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -2226,6 +2226,9 @@ static int be_client_init(struct sbus_connection *conn, void *data)
becli->conn = conn;
becli->initialized = false;
+ /* Allow access from the SSSD user */
+ sbus_allow_uid(conn, &bectx->uid);
+
/* 5 seconds should be plenty */
tv = tevent_timeval_current_ofs(5, 0);
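Review bot: `sbus_allow_uid(conn, &bectx->uid)` hands the callee the address of a be_ctx field rather than its value, which suggests the pointer is retained for the life of the connection (the callee is not visible here); the added comment should make that dependency explicit, e.g. `/* Allow access from the SSSD user; sbus keeps the pointer, so bectx must outlive conn */`. It also relies on bectx->uid being populated before any client connects — be_srv_init assigns it just before calling sbus_new_server elsewhere in this patch, which satisfies the ordering, but nothing at this call site says so. be_client_init starts before the hunk.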
@@ -2251,7 +2254,8 @@ static int be_client_init(struct sbus_connection *conn, void *data)
/* be_srv_init
* set up per-domain sbus channel */
-static int be_srv_init(struct be_ctx *ctx)
+static int be_srv_init(struct be_ctx *ctx,
+ uid_t uid, gid_t gid)
{
char *sbus_address;
int ret;
@@ -2263,7 +2267,10 @@ static int be_srv_init(struct be_ctx *ctx)
return ret;
}
- ret = sbus_new_server(ctx, ctx->ev, sbus_address, 0, 0,
+ ctx->uid = uid;
+ ctx->gid = gid;
+
+ ret = sbus_new_server(ctx, ctx->ev, sbus_address, uid, gid,
true, &ctx->sbus_srv, be_client_init, ctx);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "Could not set up sbus server.\n");
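Review bot: ctx->uid and ctx->gid are filled in inside be_srv_init, whose header comment describes it as setting up the per-domain sbus channel, rather than in be_process_init where the rest of the be_ctx is populated, so a reader of be_process_init cannot see where these fields get their values. The placement is functionally required as written, because be_client_init later reads bectx->uid through the pointer it passes to sbus_allow_uid, so the stores must precede sbus_new_server — and they do. Consider doing `ctx->uid = uid; ctx->gid = gid;` in be_process_init and letting be_srv_init read `ctx->uid`/`ctx->gid`, which removes the two new parameters; failing that, a comment on the stores such as `/* Saved for be_client_init; the socket is created as uid:gid so the unprivileged responders can connect */` would explain both the ordering and the purpose (the ownership semantics are inferred from the commit message, sbus_new_server is not visible). be_srv_init continues outside the hunk on both sides.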
@@ -2554,6 +2561,7 @@ done:
int be_process_init(TALLOC_CTX *mem_ctx,
const char *be_domain,
+ uid_t uid, gid_t gid,
struct tevent_context *ev,
struct confdb_ctx *cdb)
{
@@ -2609,7 +2617,7 @@ int be_process_init(TALLOC_CTX *mem_ctx,
goto fail;
}
- ret = be_srv_init(ctx);
+ ret = be_srv_init(ctx, uid, gid);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "fatal error setting up server bus\n");
goto fail;
@@ -2870,7 +2878,7 @@ int main(int argc, const char *argv[])
}
ret = be_process_init(main_ctx,
- be_domain,
+ be_domain, uid, gid,
main_ctx->event_ctx,
main_ctx->confdb_ctx);
if (ret != EOK) {
diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h
index 075681ff9dd641daf56929c05cb94170cd1b292a..e4213b44b32e8b9cb942dfcfef4998aa732d113c 100644
--- a/src/providers/dp_backend.h
+++ b/src/providers/dp_backend.h
@@ -116,6 +116,8 @@ struct be_ctx {
struct sss_domain_info *domain;
const char *identity;
const char *conf_path;
+ uid_t uid;
+ gid_t gid;
struct be_failover_ctx *be_fo;
struct be_resolv_ctx *be_res;
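Review bot: The two new struct be_ctx members carry no comment, and `uid`/`gid` on a backend context read naturally as the provider's own credentials, which is not how this patch uses them: be_srv_init passes them to sbus_new_server as the socket owner and be_client_init passes the address of `uid` to sbus_allow_uid. Suggest `uid_t uid;   /* owner of the sbus socket; also the uid allowed to connect (be_client_init keeps a pointer to this field) */` and `gid_t gid;   /* group owner of the sbus socket */`. The pointer remark is inferred from the by-address call in be_client_init, so confirm against sbus_allow_uid before wording it as a guarantee.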
--
1.9.3