|
|
905b4d |
From 458ab6652130ebea1f305b5d383e263a2fbbcedc Mon Sep 17 00:00:00 2001
|
|
|
905b4d |
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
905b4d |
Date: Sun, 19 Oct 2014 12:28:13 +0200
|
|
|
905b4d |
Subject: [PATCH 88/92] KRB5: Do not switch_creds() if already the specified
|
|
|
905b4d |
user
|
|
|
905b4d |
MIME-Version: 1.0
|
|
|
905b4d |
Content-Type: text/plain; charset=UTF-8
|
|
|
905b4d |
Content-Transfer-Encoding: 8bit
|
|
|
905b4d |
|
|
|
905b4d |
The code didn't have to handle this case previously as sssd_be was always
|
|
|
905b4d |
running as root and switching to the ccache as the user logging in.
|
|
|
905b4d |
|
|
|
905b4d |
Also handle NULL creds on restore_creds() in case there was no switch.
|
|
|
905b4d |
One less if-condition and fewer indentation levels.
|
|
|
905b4d |
|
|
|
905b4d |
Related:
|
|
|
905b4d |
https://fedorahosted.org/sssd/ticket/2370
|
|
|
905b4d |
|
|
|
905b4d |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
905b4d |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
905b4d |
---
|
|
|
905b4d |
src/tests/cwrap/test_become_user.c | 7 +++++++
|
|
|
905b4d |
src/util/become_user.c | 29 +++++++++++++++++++++--------
|
|
|
905b4d |
2 files changed, 28 insertions(+), 8 deletions(-)
|
|
|
905b4d |
|
|
|
905b4d |
diff --git a/src/tests/cwrap/test_become_user.c b/src/tests/cwrap/test_become_user.c
|
|
|
905b4d |
index 06d3ad425c4928e9e9bff661fbb8f7b4536b8896..7ecea5aac34bb73ca81d94ad481f05b338e65ed0 100644
|
|
|
905b4d |
--- a/src/tests/cwrap/test_become_user.c
|
|
|
905b4d |
+++ b/src/tests/cwrap/test_become_user.c
|
|
|
905b4d |
@@ -76,6 +76,7 @@ void test_switch_user(void **state)
|
|
|
905b4d |
struct passwd *sssd;
|
|
|
905b4d |
TALLOC_CTX *tmp_ctx;
|
|
|
905b4d |
struct sss_creds *saved_creds;
|
|
|
905b4d |
+ struct sss_creds *saved_creds2 = NULL;
|
|
|
905b4d |
|
|
|
905b4d |
check_leaks_push(global_talloc_context);
|
|
|
905b4d |
tmp_ctx = talloc_new(global_talloc_context);
|
|
|
905b4d |
@@ -102,6 +103,12 @@ void test_switch_user(void **state)
|
|
|
905b4d |
assert_int_equal(saved_creds->uid, 0);
|
|
|
905b4d |
assert_int_equal(saved_creds->gid, 0);
|
|
|
905b4d |
|
|
|
905b4d |
+ /* Attempt to restore creds again */
|
|
|
905b4d |
+ ret = switch_creds(tmp_ctx, sssd->pw_uid, sssd->pw_gid,
|
|
|
905b4d |
+ 0, NULL, &saved_creds2);
|
|
|
905b4d |
+ assert_int_equal(ret, EOK);
|
|
|
905b4d |
+ assert_null(saved_creds2);
|
|
|
905b4d |
+
|
|
|
905b4d |
/* restore root */
|
|
|
905b4d |
ret = restore_creds(saved_creds);
|
|
|
905b4d |
assert_int_equal(ret, EOK);
|
|
|
905b4d |
diff --git a/src/util/become_user.c b/src/util/become_user.c
|
|
|
905b4d |
index b5f94f993cd2c23bd3340fc502d36a530aa729fa..7dd2c752b1d0f289e7d82feee6d93e5974823f95 100644
|
|
|
905b4d |
--- a/src/util/become_user.c
|
|
|
905b4d |
+++ b/src/util/become_user.c
|
|
|
905b4d |
@@ -90,9 +90,14 @@ errno_t switch_creds(TALLOC_CTX *mem_ctx,
|
|
|
905b4d |
struct sss_creds *ssc = NULL;
|
|
|
905b4d |
int size;
|
|
|
905b4d |
int ret;
|
|
|
905b4d |
+ uid_t myuid;
|
|
|
905b4d |
+ uid_t mygid;
|
|
|
905b4d |
|
|
|
905b4d |
DEBUG(SSSDBG_FUNC_DATA, "Switch user to [%d][%d].\n", uid, gid);
|
|
|
905b4d |
|
|
|
905b4d |
+ myuid = geteuid();
|
|
|
905b4d |
+ mygid = getegid();
|
|
|
905b4d |
+
|
|
|
905b4d |
if (saved_creds) {
|
|
|
905b4d |
/* save current user credentials */
|
|
|
905b4d |
size = getgroups(0, NULL);
|
|
|
905b4d |
@@ -124,8 +129,8 @@ errno_t switch_creds(TALLOC_CTX *mem_ctx,
|
|
|
905b4d |
}
|
|
|
905b4d |
|
|
|
905b4d |
/* we care only about effective ids */
|
|
|
905b4d |
- ssc->uid = geteuid();
|
|
|
905b4d |
- ssc->gid = getegid();
|
|
|
905b4d |
+ ssc->uid = myuid;
|
|
|
905b4d |
+ ssc->gid = mygid;
|
|
|
905b4d |
}
|
|
|
905b4d |
|
|
|
905b4d |
/* if we are regaining root set euid first so that we have CAP_SETUID back,
|
|
|
905b4d |
@@ -141,7 +146,12 @@ errno_t switch_creds(TALLOC_CTX *mem_ctx,
|
|
|
905b4d |
}
|
|
|
905b4d |
}
|
|
|
905b4d |
|
|
|
905b4d |
- /* TODO: use prctl to get/set capabilities too ? */
|
|
|
905b4d |
+ /* TODO: use libcap-ng if we need to get/set capabilities too ? */
|
|
|
905b4d |
+
|
|
|
905b4d |
+ if (myuid == uid && mygid == gid) {
|
|
|
905b4d |
+ DEBUG(SSSDBG_FUNC_DATA, "Already user [%"SPRIuid"].\n", uid);
|
|
|
905b4d |
+ return EOK;
|
|
|
905b4d |
+ }
|
|
|
905b4d |
|
|
|
905b4d |
/* try to setgroups first should always work if CAP_SETUID is set,
|
|
|
905b4d |
* otherwise it will always fail, failure is not critical though as
|
|
|
905b4d |
@@ -177,11 +187,9 @@ errno_t switch_creds(TALLOC_CTX *mem_ctx,
|
|
|
905b4d |
|
|
|
905b4d |
done:
|
|
|
905b4d |
if (ret) {
|
|
|
905b4d |
- if (ssc) {
|
|
|
905b4d |
- /* attempt to restore creds first */
|
|
|
905b4d |
- restore_creds(ssc);
|
|
|
905b4d |
- talloc_free(ssc);
|
|
|
905b4d |
- }
|
|
|
905b4d |
+ /* attempt to restore creds first */
|
|
|
905b4d |
+ restore_creds(ssc);
|
|
|
905b4d |
+ talloc_free(ssc);
|
|
|
905b4d |
} else if (saved_creds) {
|
|
|
905b4d |
*saved_creds = ssc;
|
|
|
905b4d |
}
|
|
|
905b4d |
@@ -190,6 +198,11 @@ done:
|
|
|
905b4d |
|
|
|
905b4d |
errno_t restore_creds(struct sss_creds *saved_creds)
|
|
|
905b4d |
{
|
|
|
905b4d |
+ if (saved_creds == NULL) {
|
|
|
905b4d |
+ /* In case save_creds was saved with the UID already dropped */
|
|
|
905b4d |
+ return EOK;
|
|
|
905b4d |
+ }
|
|
|
905b4d |
+
|
|
|
905b4d |
return switch_creds(saved_creds,
|
|
|
905b4d |
saved_creds->uid,
|
|
|
905b4d |
saved_creds->gid,
|
|
|
905b4d |
--
|
|
|
905b4d |
1.9.3
|
|
|
905b4d |
|