dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone
Blob Blame History Raw
From 2bb5d331997232e5b1c589062b7960215fd08047 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 15 Oct 2014 15:58:58 +0200
Subject: [PATCH 29/46] BE: Own the sbus socket as the SSSD user

In some cases, the back end might still be running as root, but the
responder would be running unprivileged. In this case, we need to allow
connecting from the SSSD user ID.

Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit 19e9c1c1a21790974400db9349637788727b6564)
---
 src/monitor/monitor.c            |  8 ++++++++
 src/providers/data_provider_be.c | 16 ++++++++++++----
 src/providers/dp_backend.h       |  2 ++
 3 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index fc6b2963fff41a2a2aefdaf502817f6764e95b1e..905e66f25601d155557487ae9c7eb6d3145d3a83 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -1306,6 +1306,14 @@ static int get_provider_config(struct mt_ctx *ctx, const char *name,
             return ENOMEM;
         }
 
+        svc->command = talloc_asprintf_append(svc->command,
+                " --uid %"SPRIuid" --gid %"SPRIgid,
+                ctx->uid, ctx->gid);
+        if (!svc->command) {
+            talloc_free(svc);
+            return ENOMEM;
+        }
+
         if (cmdline_debug_level != SSSDBG_UNRESOLVED) {
             svc->command = talloc_asprintf_append(
                 svc->command, " -d %#.4x", cmdline_debug_level
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 122c5b091751b641f815ddff5c56ac99ace69939..2716e4a8b38f3ff9a5b48a861ecc31f18f9fcbce 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -2226,6 +2226,9 @@ static int be_client_init(struct sbus_connection *conn, void *data)
     becli->conn = conn;
     becli->initialized = false;
 
+    /* Allow access from the SSSD user */
+    sbus_allow_uid(conn, &bectx->uid);
+
     /* 5 seconds should be plenty */
     tv = tevent_timeval_current_ofs(5, 0);
 
@@ -2251,7 +2254,8 @@ static int be_client_init(struct sbus_connection *conn, void *data)
 
 /* be_srv_init
  * set up per-domain sbus channel */
-static int be_srv_init(struct be_ctx *ctx)
+static int be_srv_init(struct be_ctx *ctx,
+                       uid_t uid, gid_t gid)
 {
     char *sbus_address;
     int ret;
@@ -2263,7 +2267,10 @@ static int be_srv_init(struct be_ctx *ctx)
         return ret;
     }
 
-    ret = sbus_new_server(ctx, ctx->ev, sbus_address, 0, 0,
+    ctx->uid = uid;
+    ctx->gid = gid;
+
+    ret = sbus_new_server(ctx, ctx->ev, sbus_address, uid, gid,
                           true, &ctx->sbus_srv, be_client_init, ctx);
     if (ret != EOK) {
         DEBUG(SSSDBG_FATAL_FAILURE, "Could not set up sbus server.\n");
@@ -2554,6 +2561,7 @@ done:
 
 int be_process_init(TALLOC_CTX *mem_ctx,
                     const char *be_domain,
+                    uid_t uid, gid_t gid,
                     struct tevent_context *ev,
                     struct confdb_ctx *cdb)
 {
@@ -2609,7 +2617,7 @@ int be_process_init(TALLOC_CTX *mem_ctx,
         goto fail;
     }
 
-    ret = be_srv_init(ctx);
+    ret = be_srv_init(ctx, uid, gid);
     if (ret != EOK) {
         DEBUG(SSSDBG_FATAL_FAILURE, "fatal error setting up server bus\n");
         goto fail;
@@ -2870,7 +2878,7 @@ int main(int argc, const char *argv[])
     }
 
     ret = be_process_init(main_ctx,
-                          be_domain,
+                          be_domain, uid, gid,
                           main_ctx->event_ctx,
                           main_ctx->confdb_ctx);
     if (ret != EOK) {
diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h
index 075681ff9dd641daf56929c05cb94170cd1b292a..e4213b44b32e8b9cb942dfcfef4998aa732d113c 100644
--- a/src/providers/dp_backend.h
+++ b/src/providers/dp_backend.h
@@ -116,6 +116,8 @@ struct be_ctx {
     struct sss_domain_info *domain;
     const char *identity;
     const char *conf_path;
+    uid_t uid;
+    gid_t gid;
     struct be_failover_ctx *be_fo;
     struct be_resolv_ctx *be_res;
 
-- 
1.9.3