From b8a3625690f39e22d8cd699598384bad472b6373 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Tue, 5 Aug 2014 13:52:48 +0200 Subject: [PATCH 26/46] SSSD: Load a user to run a service as from configuration Related: https://fedorahosted.org/sssd/ticket/2370 Adds a option, user to run as, that is specified in the [sssd] section. When this option is specified, SSSD will run as this user and his private group. When these are not specified, SSSD will run as the configure-time user and group (usually root). Currently all services and providers are started as root. There is a temporary svc_supported_as_nonroot() function that returns true for a service if that service runs and was tested as nonroot and false otherwise. Currently this function always returns false, but will be amended in future patches. Reviewed-by: Pavel Reichl Reviewed-by: Simo Sorce (cherry picked from commit a10ac1d0a7210def232205a48c53a075930e82f6) --- src/confdb/confdb.h | 1 + src/config/SSSDConfig/__init__.py.in | 1 + src/config/SSSDConfigTest.py | 1 + src/config/etc/sssd.api.conf | 1 + src/man/sssd.conf.5.xml | 13 +++++++++ src/monitor/monitor.c | 56 ++++++++++++++++++++++++++++++++++++ 6 files changed, 73 insertions(+) diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 34d4610654c24017bcad8608332c71232d665d40..159aa9f2c44ed91c94a40c98d5a7710793f0aa85 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -69,6 +69,7 @@ #define CONFDB_MONITOR_KRB5_RCACHEDIR "krb5_rcache_dir" #define CONFDB_MONITOR_DEFAULT_DOMAIN "default_domain_suffix" #define CONFDB_MONITOR_OVERRIDE_SPACE "override_space" +#define CONFDB_MONITOR_USER_RUNAS "user" /* Both monitor and domains */ #define CONFDB_NAME_REGEX "re_expression" diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 6c95530868d7c078ccf13622f3ba916392b0c732..b4560ea2b33f2c3b82bff42fb6a36302a146c99f 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -56,6 +56,7 @@ option_strings = { 'full_name_format' : _('Printf-compatible format for displaying fully-qualified names'), 'krb5_rcache_dir' : _('Directory on the filesystem where SSSD should store Kerberos replay cache files.'), 'default_domain_suffix' : _('Domain to add to names without a domain component.'), + 'user' : _('The user to drop privileges to'), # [nss] 'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 2d12bc02af1768d22c8bfa9a21b1fc24bf199af4..78e22f6eff19aac8289d769dc9f565b2d548f4b3 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -280,6 +280,7 @@ class SSSDConfigTestSSSDService(unittest.TestCase): 're_expression', 'full_name_format', 'krb5_rcache_dir', + 'user', 'default_domain_suffix', 'debug_level', 'debug_timestamps', diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index a20f5aa44dbadd24f644bffc9954df9e088979b9..c16769a3985f495922d255dacebccc11f6a0ea1d 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf @@ -23,6 +23,7 @@ sbus_timeout = int, None, false re_expression = str, None, false full_name_format = str, None, false krb5_rcache_dir = str, None, false +user = str, None, false default_domain_suffix = str, None, false [nss] diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 77690432b841221328d65403830cf4a1ac12dba0..e2cb0b81b61063750995064b6ce83f9615049534 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -297,6 +297,19 @@ + user (string) + + + The user to drop the privileges to where + appropriate to avoid running as the + root user. + + + Default: not set, process will run as root + + + + default_domain_suffix (string) diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c index edd1c2dfc674d8a7ca9d069d6499c0dcc959f210..df1cd5ca14c759f7aab98094a2b8ad35731c35e6 100644 --- a/src/monitor/monitor.c +++ b/src/monitor/monitor.c @@ -170,6 +170,10 @@ struct mt_ctx { struct sss_sigchild_ctx *sigchld_ctx; bool is_daemon; pid_t parent_pid; + + /* For running unprivileged services */ + uid_t uid; + gid_t gid; }; static int start_service(struct mt_svc *mt_svc); @@ -910,6 +914,29 @@ static char *check_services(char **services) return NULL; } +static int get_service_user(struct mt_ctx *ctx) +{ + errno_t ret; + char *user_str; + + ret = confdb_get_string(ctx->cdb, ctx, CONFDB_MONITOR_CONF_ENTRY, + CONFDB_MONITOR_USER_RUNAS, + SSSD_USER, &user_str); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get the user to run as\n"); + return ret; + } + + ret = sss_user_by_name_or_uid(user_str, &ctx->uid, &ctx->gid); + talloc_free(user_str); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to set allowed UIDs.\n"); + return ret; + } + + return EOK; +} + static int get_monitor_config(struct mt_ctx *ctx) { int ret; @@ -955,6 +982,12 @@ static int get_monitor_config(struct mt_ctx *ctx) ctx->num_services++; } + ret = get_service_user(ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to get the unprivileged user\n"); + return ret; + } + ret = confdb_get_domains(ctx->cdb, &ctx->domains); if (ret != EOK) { DEBUG(SSSDBG_FATAL_FAILURE, "No domains configured.\n"); @@ -1020,6 +1053,14 @@ static errno_t get_ping_config(struct mt_ctx *ctx, const char *path, return EOK; } +/* This is a temporary function that returns false if the service + * being started was only tested when running as root. + */ +static bool svc_supported_as_nonroot(const char *svc_name) +{ + return false; +} + static int get_service_config(struct mt_ctx *ctx, const char *name, struct mt_svc **svc_cfg) { @@ -1027,6 +1068,8 @@ static int get_service_config(struct mt_ctx *ctx, const char *name, char *path; struct mt_svc *svc; time_t now = time(NULL); + uid_t uid = 0; + gid_t gid = 0; *svc_cfg = NULL; @@ -1066,6 +1109,11 @@ static int get_service_config(struct mt_ctx *ctx, const char *name, return ret; } + if (svc_supported_as_nonroot(svc->name)) { + uid = ctx->uid; + gid = ctx->gid; + } + if (!svc->command) { svc->command = talloc_asprintf( svc, "%s/sssd_%s", SSSD_LIBEXEC_PATH, svc->name @@ -1075,6 +1123,14 @@ static int get_service_config(struct mt_ctx *ctx, const char *name, return ENOMEM; } + svc->command = talloc_asprintf_append(svc->command, + " --uid %"SPRIuid" --gid %"SPRIgid, + uid, gid); + if (!svc->command) { + talloc_free(svc); + return ENOMEM; + } + if (cmdline_debug_level != SSSDBG_UNRESOLVED) { svc->command = talloc_asprintf_append( svc->command, " -d %#.4x", cmdline_debug_level -- 1.9.3