From 954637494fc8453f71e2b5d93b3d1ea97e31d646 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sun, 19 Oct 2014 19:15:52 +0200
Subject: [PATCH 68/71] LDAP: Drop privileges after kinit in ldap_child
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

After ldap_child initializes privileges using root-owned keytab, it
drops privileges to the SSSD user, minimizing the amount of code that
runs as root.

Reviewed-by: Michal Židek <mzidek@redhat.com>
---
 Makefile.am                             |  4 +-
 src/providers/ldap/ldap_child.c         | 96 ++++++++++++++++++++-------------
 src/providers/ldap/sdap_child_helpers.c |  8 ++-
 3 files changed, 70 insertions(+), 38 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 02b087ea37b4e55da7eeb7fb199d282d72129e40..ea296c40f89c552d5825cbce8e95afdc517e8bb5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2517,7 +2517,9 @@ ldap_child_SOURCES = \
     src/util/atomic_io.c \
     src/util/authtok.c \
     src/util/util.c \
-    src/util/signal.c
+    src/util/signal.c \
+    src/util/become_user.c \
+    $(NULL)
 ldap_child_CFLAGS = \
     $(AM_CFLAGS) \
     $(POPT_CFLAGS) \
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index e1abc9fd73f2ae95f0a0c28159589ebd36d2cf06..a922b181715c5e89301e9f50bdb81723d1ff2a6a 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -49,6 +49,8 @@ struct input_buffer {
     const char *princ_str;
     const char *keytab_name;
     krb5_deltat lifetime;
+    uid_t uid;
+    gid_t gid;
 };
 
 static errno_t unpack_buffer(uint8_t *buf, size_t size,
@@ -99,6 +101,12 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
     SAFEALIGN_COPY_UINT32_CHECK(&ibuf->lifetime, buf + p, size, &p);
     DEBUG(SSSDBG_TRACE_LIBS, "lifetime: %u\n", ibuf->lifetime);
 
+    /* UID and GID to run as */
+    SAFEALIGN_COPY_UINT32_CHECK(&ibuf->uid, buf + p, size, &p);
+    SAFEALIGN_COPY_UINT32_CHECK(&ibuf->gid, buf + p, size, &p);
+    DEBUG(SSSDBG_FUNC_DATA,
+          "Will run as [%"SPRIuid"][%"SPRIgid"].\n", ibuf->uid, ibuf->gid);
+
     return EOK;
 }
 
@@ -242,6 +250,8 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
                                                const char *princ_str,
                                                const char *keytab_name,
                                                const krb5_deltat lifetime,
+                                               uid_t uid,
+                                               gid_t gid,
                                                const char **ccname_out,
                                                time_t *expire_time_out)
 {
@@ -372,42 +382,6 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
         goto done;
     }
 
-    ccname_file_dummy = talloc_asprintf(tmp_ctx, "%s/ccache_%s_XXXXXX",
-                                        DB_PATH, realm_name);
-    ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s",
-                                  DB_PATH, realm_name);
-    if (ccname_file_dummy == NULL || ccname_file == NULL) {
-        ret = ENOMEM;
-        goto done;
-    }
-
-    old_umask = umask(077);
-    fd = mkstemp(ccname_file_dummy);
-    umask(old_umask);
-    if (fd == -1) {
-        ret = errno;
-        goto done;
-    }
-    /* We only care about creating a unique file name here, we don't
-     * need the fd
-     */
-    close(fd);
-
-    ccname_dummy = talloc_asprintf(tmp_ctx, "FILE:%s", ccname_file_dummy);
-    ccname = talloc_asprintf(tmp_ctx, "FILE:%s", ccname_file);
-    if (ccname_dummy == NULL || ccname == NULL) {
-        krberr = ENOMEM;
-        goto done;
-    }
-    DEBUG(SSSDBG_TRACE_INTERNAL, "keytab ccname: [%s]\n", ccname_dummy);
-
-    krberr = krb5_cc_resolve(context, ccname_dummy, &ccache);
-    if (krberr) {
-        DEBUG(SSSDBG_OP_FAILURE, "Failed to set cache name: %s\n",
-                  sss_krb5_get_error_message(context, krberr));
-        goto done;
-    }
-
     memset(&my_creds, 0, sizeof(my_creds));
     memset(&options, 0, sizeof(options));
 
@@ -423,8 +397,36 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
     }
     sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
 
+    ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s",
+                                  DB_PATH, realm_name);
+    if (ccname_file == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    ccname_file_dummy = talloc_asprintf(tmp_ctx, "%s/ccache_%s_XXXXXX",
+                                        DB_PATH, realm_name);
+    if (ccname_file_dummy == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    old_umask = umask(077);
+    fd = mkstemp(ccname_file_dummy);
+    umask(old_umask);
+    if (fd == -1) {
+        ret = errno;
+        goto done;
+    }
+    /* We only care about creating a unique file name here, we don't
+     * need the fd
+     */
+    close(fd);
+
     krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
                                         keytab, 0, NULL, &options);
+    krb5_kt_close(context, keytab);
+    keytab = NULL;
     if (krberr) {
         DEBUG(SSSDBG_FATAL_FAILURE,
               "Failed to init credentials: %s\n",
@@ -438,6 +440,27 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
     }
     DEBUG(SSSDBG_TRACE_INTERNAL, "credentials initialized\n");
 
+    krberr = become_user(uid, gid);
+    if (krberr != 0) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n");
+        goto done;
+    }
+
+    ccname_dummy = talloc_asprintf(tmp_ctx, "FILE:%s", ccname_file_dummy);
+    ccname = talloc_asprintf(tmp_ctx, "FILE:%s", ccname_file);
+    if (ccname_dummy == NULL || ccname == NULL) {
+        krberr = ENOMEM;
+        goto done;
+    }
+    DEBUG(SSSDBG_TRACE_INTERNAL, "keytab ccname: [%s]\n", ccname_dummy);
+
+    krberr = krb5_cc_resolve(context, ccname_dummy, &ccache);
+    if (krberr) {
+        DEBUG(SSSDBG_OP_FAILURE, "Failed to set cache name: %s\n",
+                  sss_krb5_get_error_message(context, krberr));
+        goto done;
+    }
+
     /* Use updated principal if changed due to canonicalization. */
     krberr = krb5_cc_initialize(context, ccache, my_creds.client);
     if (krberr) {
@@ -643,6 +666,7 @@ int main(int argc, const char *argv[])
     kerr = ldap_child_get_tgt_sync(main_ctx,
                                    ibuf->realm_str, ibuf->princ_str,
                                    ibuf->keytab_name, ibuf->lifetime,
+                                   ibuf->uid, ibuf->gid,
                                    &ccname, &expire_time);
     if (kerr != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE, "ldap_child_get_tgt_sync failed.\n");
diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c
index 448c5af10e9da8949bcaa39d8a3fa05ec309e16f..e5d46b9b756cd50fadb212da72ad1cc9bdd93330 100644
--- a/src/providers/ldap/sdap_child_helpers.c
+++ b/src/providers/ldap/sdap_child_helpers.c
@@ -152,7 +152,7 @@ static errno_t create_tgt_req_send_buffer(TALLOC_CTX *mem_ctx,
         return ENOMEM;
     }
 
-    buf->size = 4 * sizeof(uint32_t);
+    buf->size = 6 * sizeof(uint32_t);
     if (realm_str) {
         buf->size += strlen(realm_str);
     }
@@ -201,6 +201,12 @@ static errno_t create_tgt_req_send_buffer(TALLOC_CTX *mem_ctx,
     /* lifetime */
     SAFEALIGN_SET_UINT32(&buf->data[rp], lifetime, &rp);
 
+    /* UID and GID to drop privileges to, if needed. The ldap_child process runs as
+     * setuid if the back end runs unprivileged as it needs to access the keytab
+     */
+    SAFEALIGN_SET_UINT32(&buf->data[rp], geteuid(), &rp);
+    SAFEALIGN_SET_UINT32(&buf->data[rp], getegid(), &rp);
+
     *io_buf = buf;
     return EOK;
 }
-- 
1.9.3