From 954637494fc8453f71e2b5d93b3d1ea97e31d646 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Sun, 19 Oct 2014 19:15:52 +0200 Subject: [PATCH 68/71] LDAP: Drop privileges after kinit in ldap_child MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After ldap_child initializes privileges using root-owned keytab, it drops privileges to the SSSD user, minimizing the amount of code that runs as root. Reviewed-by: Michal Židek --- Makefile.am | 4 +- src/providers/ldap/ldap_child.c | 96 ++++++++++++++++++++------------- src/providers/ldap/sdap_child_helpers.c | 8 ++- 3 files changed, 70 insertions(+), 38 deletions(-) diff --git a/Makefile.am b/Makefile.am index 02b087ea37b4e55da7eeb7fb199d282d72129e40..ea296c40f89c552d5825cbce8e95afdc517e8bb5 100644 --- a/Makefile.am +++ b/Makefile.am @@ -2517,7 +2517,9 @@ ldap_child_SOURCES = \ src/util/atomic_io.c \ src/util/authtok.c \ src/util/util.c \ - src/util/signal.c + src/util/signal.c \ + src/util/become_user.c \ + $(NULL) ldap_child_CFLAGS = \ $(AM_CFLAGS) \ $(POPT_CFLAGS) \ diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c index e1abc9fd73f2ae95f0a0c28159589ebd36d2cf06..a922b181715c5e89301e9f50bdb81723d1ff2a6a 100644 --- a/src/providers/ldap/ldap_child.c +++ b/src/providers/ldap/ldap_child.c @@ -49,6 +49,8 @@ struct input_buffer { const char *princ_str; const char *keytab_name; krb5_deltat lifetime; + uid_t uid; + gid_t gid; }; static errno_t unpack_buffer(uint8_t *buf, size_t size, @@ -99,6 +101,12 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size, SAFEALIGN_COPY_UINT32_CHECK(&ibuf->lifetime, buf + p, size, &p); DEBUG(SSSDBG_TRACE_LIBS, "lifetime: %u\n", ibuf->lifetime); + /* UID and GID to run as */ + SAFEALIGN_COPY_UINT32_CHECK(&ibuf->uid, buf + p, size, &p); + SAFEALIGN_COPY_UINT32_CHECK(&ibuf->gid, buf + p, size, &p); + DEBUG(SSSDBG_FUNC_DATA, + "Will run as [%"SPRIuid"][%"SPRIgid"].\n", ibuf->uid, ibuf->gid); + return EOK; } @@ -242,6 +250,8 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, const char *princ_str, const char *keytab_name, const krb5_deltat lifetime, + uid_t uid, + gid_t gid, const char **ccname_out, time_t *expire_time_out) { @@ -372,42 +382,6 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, goto done; } - ccname_file_dummy = talloc_asprintf(tmp_ctx, "%s/ccache_%s_XXXXXX", - DB_PATH, realm_name); - ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s", - DB_PATH, realm_name); - if (ccname_file_dummy == NULL || ccname_file == NULL) { - ret = ENOMEM; - goto done; - } - - old_umask = umask(077); - fd = mkstemp(ccname_file_dummy); - umask(old_umask); - if (fd == -1) { - ret = errno; - goto done; - } - /* We only care about creating a unique file name here, we don't - * need the fd - */ - close(fd); - - ccname_dummy = talloc_asprintf(tmp_ctx, "FILE:%s", ccname_file_dummy); - ccname = talloc_asprintf(tmp_ctx, "FILE:%s", ccname_file); - if (ccname_dummy == NULL || ccname == NULL) { - krberr = ENOMEM; - goto done; - } - DEBUG(SSSDBG_TRACE_INTERNAL, "keytab ccname: [%s]\n", ccname_dummy); - - krberr = krb5_cc_resolve(context, ccname_dummy, &ccache); - if (krberr) { - DEBUG(SSSDBG_OP_FAILURE, "Failed to set cache name: %s\n", - sss_krb5_get_error_message(context, krberr)); - goto done; - } - memset(&my_creds, 0, sizeof(my_creds)); memset(&options, 0, sizeof(options)); @@ -423,8 +397,36 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, } sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize); + ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s", + DB_PATH, realm_name); + if (ccname_file == NULL) { + ret = ENOMEM; + goto done; + } + + ccname_file_dummy = talloc_asprintf(tmp_ctx, "%s/ccache_%s_XXXXXX", + DB_PATH, realm_name); + if (ccname_file_dummy == NULL) { + ret = ENOMEM; + goto done; + } + + old_umask = umask(077); + fd = mkstemp(ccname_file_dummy); + umask(old_umask); + if (fd == -1) { + ret = errno; + goto done; + } + /* We only care about creating a unique file name here, we don't + * need the fd + */ + close(fd); + krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc, keytab, 0, NULL, &options); + krb5_kt_close(context, keytab); + keytab = NULL; if (krberr) { DEBUG(SSSDBG_FATAL_FAILURE, "Failed to init credentials: %s\n", @@ -438,6 +440,27 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, } DEBUG(SSSDBG_TRACE_INTERNAL, "credentials initialized\n"); + krberr = become_user(uid, gid); + if (krberr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n"); + goto done; + } + + ccname_dummy = talloc_asprintf(tmp_ctx, "FILE:%s", ccname_file_dummy); + ccname = talloc_asprintf(tmp_ctx, "FILE:%s", ccname_file); + if (ccname_dummy == NULL || ccname == NULL) { + krberr = ENOMEM; + goto done; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "keytab ccname: [%s]\n", ccname_dummy); + + krberr = krb5_cc_resolve(context, ccname_dummy, &ccache); + if (krberr) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to set cache name: %s\n", + sss_krb5_get_error_message(context, krberr)); + goto done; + } + /* Use updated principal if changed due to canonicalization. */ krberr = krb5_cc_initialize(context, ccache, my_creds.client); if (krberr) { @@ -643,6 +666,7 @@ int main(int argc, const char *argv[]) kerr = ldap_child_get_tgt_sync(main_ctx, ibuf->realm_str, ibuf->princ_str, ibuf->keytab_name, ibuf->lifetime, + ibuf->uid, ibuf->gid, &ccname, &expire_time); if (kerr != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "ldap_child_get_tgt_sync failed.\n"); diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c index 448c5af10e9da8949bcaa39d8a3fa05ec309e16f..e5d46b9b756cd50fadb212da72ad1cc9bdd93330 100644 --- a/src/providers/ldap/sdap_child_helpers.c +++ b/src/providers/ldap/sdap_child_helpers.c @@ -152,7 +152,7 @@ static errno_t create_tgt_req_send_buffer(TALLOC_CTX *mem_ctx, return ENOMEM; } - buf->size = 4 * sizeof(uint32_t); + buf->size = 6 * sizeof(uint32_t); if (realm_str) { buf->size += strlen(realm_str); } @@ -201,6 +201,12 @@ static errno_t create_tgt_req_send_buffer(TALLOC_CTX *mem_ctx, /* lifetime */ SAFEALIGN_SET_UINT32(&buf->data[rp], lifetime, &rp); + /* UID and GID to drop privileges to, if needed. The ldap_child process runs as + * setuid if the back end runs unprivileged as it needs to access the keytab + */ + SAFEALIGN_SET_UINT32(&buf->data[rp], geteuid(), &rp); + SAFEALIGN_SET_UINT32(&buf->data[rp], getegid(), &rp); + *io_buf = buf; return EOK; } -- 1.9.3