Tree - rpms/sssd - CentOS Git server

rpms / sssd

Blame SOURCES/0037-SUDO-Fix-running-in-unprivileged-responder.patch

Blob History Raw

		ca1eb8	`From 261ff6442294b11261c11262d2a6acf379803e36 Mon Sep 17 00:00:00 2001`
		ca1eb8	`From: Lukas Slebodnik <lslebodn@redhat.com>`
		ca1eb8	`Date: Tue, 24 Jul 2018 18:52:08 +0000`
		ca1eb8	`Subject: [PATCH] SUDO: Fix running in unprivileged responder`
		ca1eb8
		ca1eb8	`There are strict checks for private sockets which does not work with`
		ca1eb8	`unprivileged responder`
		ca1eb8
		ca1eb8	`Resolves:`
		ca1eb8	`https://pagure.io/SSSD/sssd/issue/3778`
		ca1eb8
		ca1eb8	`Merges: https://pagure.io/SSSD/sssd/pull-request/3784`
		ca1eb8
		ca1eb8	`Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>`
		ca1eb8	`(cherry picked from commit 4900b8e59bdbb89fbc1c9718969aabe26f3db34a)`
		ca1eb8
		ca1eb8	`DOWNSTREAM:`
		ca1eb8	`Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails`
		ca1eb8	`---`
		ca1eb8	`src/responder/sudo/sudosrv.c \| 31 +++++++++++++++++++++++++++----`
		ca1eb8	`1 file changed, 27 insertions(+), 4 deletions(-)`
		ca1eb8
		ca1eb8	`diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c`
		ca1eb8	`index e87a24499c2d82fafaa8e1f9b386e44332394266..82315e0a8f7879595e02458a9aa79e7332b04734 100644`
		ca1eb8	`--- a/src/responder/sudo/sudosrv.c`
		ca1eb8	`+++ b/src/responder/sudo/sudosrv.c`
		ca1eb8	`@@ -67,7 +67,8 @@ static void sudo_dp_reconnect_init(struct sbus_connection *conn,`
		ca1eb8
		ca1eb8	`int sudo_process_init(TALLOC_CTX *mem_ctx,`
		ca1eb8	`struct tevent_context *ev,`
		ca1eb8	`- struct confdb_ctx *cdb)`
		ca1eb8	`+ struct confdb_ctx *cdb,`
		ca1eb8	`+ int pipe_fd)`
		ca1eb8	`{`
		ca1eb8	`struct resp_ctx *rctx;`
		ca1eb8	`struct sss_cmd_table *sudo_cmds;`
		ca1eb8	`@@ -79,8 +80,8 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,`
		ca1eb8	`sudo_cmds = get_sudo_cmds();`
		ca1eb8	`ret = sss_process_init(mem_ctx, ev, cdb,`
		ca1eb8	`sudo_cmds,`
		ca1eb8	`- NULL, -1, /* No public socket */`
		ca1eb8	`- SSS_SUDO_SOCKET_NAME, -1, /* Private socket only */`
		ca1eb8	`+ SSS_SUDO_SOCKET_NAME, pipe_fd, /* custom permissions on socket */`
		ca1eb8	`+ NULL, -1, /* No private socket */`
		ca1eb8	`CONFDB_SUDO_CONF_ENTRY,`
		ca1eb8	`SSS_SUDO_SBUS_SERVICE_NAME,`
		ca1eb8	`SSS_SUDO_SBUS_SERVICE_VERSION,`
		ca1eb8	`@@ -182,6 +183,7 @@ int main(int argc, const char *argv[])`
		ca1eb8	`char *opt_logger = NULL;`
		ca1eb8	`struct main_context *main_ctx;`
		ca1eb8	`int ret;`
		ca1eb8	`+ int pipe_fd = -1;`
		ca1eb8	`uid_t uid;`
		ca1eb8	`gid_t gid;`
		ca1eb8
		ca1eb8	`@@ -219,6 +221,27 @@ int main(int argc, const char *argv[])`
		ca1eb8
		ca1eb8	`sss_set_logger(opt_logger);`
		ca1eb8
		ca1eb8	`+ if (!is_socket_activated()) {`
		ca1eb8	`+ /* Create pipe file descriptors here with right ownerschip */`
		ca1eb8	`+ ret = create_pipe_fd(SSS_SUDO_SOCKET_NAME, &pipe_fd, SSS_DFL_UMASK);`
		ca1eb8	`+ if (ret != EOK) {`
		ca1eb8	`+ DEBUG(SSSDBG_FATAL_FAILURE,`
		ca1eb8	`+ "create_pipe_fd failed [%d]: %s.\n",`
		ca1eb8	`+ ret, sss_strerror(ret));`
		ca1eb8	`+ return 4;`
		ca1eb8	`+ }`
		ca1eb8	`+`
		ca1eb8	`+ ret = chown(SSS_SUDO_SOCKET_NAME, uid, 0);`
		ca1eb8	`+ if (ret != 0) {`
		ca1eb8	`+ ret = errno;`
		ca1eb8	`+ close(pipe_fd);`
		ca1eb8	`+ DEBUG(SSSDBG_FATAL_FAILURE,`
		ca1eb8	`+ "create_pipe_fd failed [%d]: %s.\n",`
		ca1eb8	`+ ret, sss_strerror(ret));`
		ca1eb8	`+ return 5;`
		ca1eb8	`+ }`
		ca1eb8	`+ }`
		ca1eb8	`+`
		ca1eb8	`ret = server_setup("sssd[sudo]", 0, uid, gid, CONFDB_SUDO_CONF_ENTRY,`
		ca1eb8	`&main_ctx);`
		ca1eb8	`if (ret != EOK) {`
		ca1eb8	`@@ -234,7 +257,7 @@ int main(int argc, const char *argv[])`
		ca1eb8
		ca1eb8	`ret = sudo_process_init(main_ctx,`
		ca1eb8	`main_ctx->event_ctx,`
		ca1eb8	`- main_ctx->confdb_ctx);`
		ca1eb8	`+ main_ctx->confdb_ctx, pipe_fd);`
		ca1eb8	`if (ret != EOK) {`
		ca1eb8	`return 3;`
		ca1eb8	`}`
		ca1eb8	`--`
		ca1eb8	`2.14.4`
		ca1eb8

rpms / sssd

Source Code

Blame SOURCES/0037-SUDO-Fix-running-in-unprivileged-responder.patch