Skip to content

Commit

Permalink
IFP: allow running under non-root user
Browse files Browse the repository at this point in the history 
:relnote: Infopipe responder (ifp) can now be run under non-privileged
'sssd' user if SSSD is configured and built `--with-sssd-user=sssd` option.
As with other components, for 'monitor' activated 'ifp' service feature is
enabled by setting `user=sssd` sssd.conf option.
For dbus-socket activated 'ifp' service it's a matter of User=/Group= in
'sssd-ifp.service' (configured to 'sssd' by default).
  • Loading branch information
@alexey-tikhonov
alexey-tikhonov committed Aug 11, 2023
1 parent d91c944 commit f5aec6a
Show file tree
Hide file tree
Showing 7 changed files with 29 additions and 35 deletions.
24 changes: 17 additions & 7 deletions Makefile.am
View file
Original file line number Diff line number Diff line change
Expand Up @@ -91,9 +91,8 @@ deskprofilepath = $(sss_statedir)/deskprofile

if HAVE_SYSTEMD_UNIT
ifp_dbus_exec_comment = \# If system is configured to use systemd ifp service ("SystemdService=") then "Exec=" and "User=" options are not used
ifp_exec_cmd = $(sssdlibexecdir)/sssd_ifp --uid 0 --gid 0 --dbus-activated
ifp_dbus_exec_cmd = $(sssdlibexecdir)/sssd_ifp --dbus-activated
ifp_systemdservice = SystemdService=sssd-ifp.service
ifp_restart = Restart=on-failure
# SSSD requires a configuration file (either /etc/sssd/sssd.conf,
# or some snippet under /etc/sssd/sssd.conf.d/) to be present.
condconfigexists = ConditionPathExists=\|/etc/sssd/sssd.conf\nConditionDirectoryNotEmpty=\|/etc/sssd/conf.d/
Expand All @@ -107,9 +106,8 @@ additional_caps = CAP_DAC_OVERRIDE
endif
else
ifp_dbus_exec_comment = \# "sss_signal" is used to force SSSD monitor to trigger "sssd_ifp" reconnection to dbus
ifp_exec_cmd = $(sssdlibexecdir)/sss_signal
ifp_dbus_exec_cmd = $(sssdlibexecdir)/sss_signal
ifp_systemdservice =
ifp_restart =
endif

secdbpath = @secdbpath@
Expand All @@ -121,6 +119,12 @@ INSTALL = @INSTALL@

SSSD_USER = @SSSD_USER@

if SSSD_NON_ROOT_USER
ifp_non_root_owner_policy = <policy user="$(SSSD_USER)"> <allow own="org.freedesktop.sssd.infopipe"/> </policy>
else
ifp_non_root_owner_policy =
endif


AM_CFLAGS =
if WANT_AUX_INFO
Expand Down Expand Up @@ -1744,13 +1748,14 @@ dist_dbusservice_DATA = \

EXTRA_DIST += \
src/responder/ifp/org.freedesktop.sssd.infopipe.service.in \
src/responder/ifp/org.freedesktop.sssd.infopipe.conf.in \
$(NULL)

ifp_edit_cmd = $(edit_cmd) \
-e 's|@ifp_exec_cmd[@]|$(ifp_exec_cmd)|g' \
-e 's|@ifp_non_root_owner_policy[@]|$(ifp_non_root_owner_policy)|g' \
-e 's|@ifp_dbus_exec_cmd[@]|$(ifp_dbus_exec_cmd)|g' \
-e 's|@ifp_dbus_exec_comment[@]|$(ifp_dbus_exec_comment)|g' \
-e 's|@ifp_systemdservice[@]|$(ifp_systemdservice)|g' \
-e 's|@ifp_restart[@]|$(ifp_restart)|g'
-e 's|@ifp_systemdservice[@]|$(ifp_systemdservice)|g'

ifp_replace_script = \
@rm -f $@ $@.tmp; \
Expand All @@ -1762,6 +1767,10 @@ ifp_replace_script = \
src/responder/ifp/org.freedesktop.sssd.infopipe.service: src/responder/ifp/org.freedesktop.sssd.infopipe.service.in Makefile
$(ifp_replace_script)

src/responder/ifp/org.freedesktop.sssd.infopipe.conf: src/responder/ifp/org.freedesktop.sssd.infopipe.conf.in Makefile
$(ifp_replace_script)


endif

if BUILD_KCM
Expand Down Expand Up @@ -5592,6 +5601,7 @@ endif
done;
rm -Rf ldb_mod_test_dir
rm -f $(builddir)/src/responder/ifp/org.freedesktop.sssd.infopipe.service
rm -f $(builddir)/src/responder/ifp/org.freedesktop.sssd.infopipe.conf
rm -f $(builddir)/src/sysv/systemd/sssd.service
rm -f $(builddir)/src/sysv/systemd/sssd-autofs.socket
rm -f $(builddir)/src/sysv/systemd/sssd-autofs.service
Expand Down
20 changes: 1 addition & 19 deletions src/monitor/monitor.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -934,26 +934,13 @@ static int get_monitor_config(struct mt_ctx *ctx)
return EOK;
}

/* This is a temporary function that returns false if the service
* being started was only tested when running as root.
*/
static bool svc_supported_as_nonroot(const char *svc_name)
{
if (strcmp(svc_name, "ifp") == 0) {
return false;
}
return true;
}

static int get_service_config(struct mt_ctx *ctx, const char *name,
struct mt_svc **svc_cfg)
{
int ret;
char *path;
struct mt_svc *svc;
time_t now = time(NULL);
uid_t uid = 0;
gid_t gid = 0;

*svc_cfg = NULL;

Expand Down Expand Up @@ -993,11 +980,6 @@ static int get_service_config(struct mt_ctx *ctx, const char *name,
return ret;
}

if (svc_supported_as_nonroot(svc->name)) {
uid = ctx->uid;
gid = ctx->gid;
}

if (!svc->command) {
svc->command = talloc_asprintf(
svc, "%s/sssd_%s", SSSD_LIBEXEC_PATH, svc->name
Expand All @@ -1009,7 +991,7 @@ static int get_service_config(struct mt_ctx *ctx, const char *name,

svc->command = talloc_asprintf_append(svc->command,
" --uid %"SPRIuid" --gid %"SPRIgid,
uid, gid);
ctx->uid, ctx->gid);
if (!svc->command) {
talloc_free(svc);
return ENOMEM;
Expand Down
2 changes: 1 addition & 1 deletion src/responder/ifp/ifpsrv.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -341,7 +341,7 @@ int main(int argc, const char *argv[])
debug_log_file = "sssd_ifp";
DEBUG_INIT(debug_level, opt_logger);

ret = server_setup("ifp", true, 0, 0, 0,
ret = server_setup("ifp", true, 0, uid, gid,
CONFDB_IFP_CONF_ENTRY, &main_ctx, true);
if (ret != EOK) return 2;

Expand Down
7 changes: 3 additions & 4 deletions ...er/ifp/org.freedesktop.sssd.infopipe.conf → ...ifp/org.freedesktop.sssd.infopipe.conf.in
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,9 @@
<!-- This configuration file specifies the required security policies
for the SSSD InfoPipe to work. -->

<!-- Only root can own (provide) the SSSD service -->
<policy user="root">
<allow own="org.freedesktop.sssd.infopipe"/>
</policy>
<!-- Define who can own (provide) the SSSD IFP service -->
<policy user="root"> <allow own="org.freedesktop.sssd.infopipe"/> </policy>
@ifp_non_root_owner_policy@

<!-- Allow all methods on the interface -->
<!-- Right now, this will be handled by a limited ACL
Expand Down
2 changes: 1 addition & 1 deletion src/responder/ifp/org.freedesktop.sssd.infopipe.service.in
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
[D-BUS Service]
Name=org.freedesktop.sssd.infopipe
@ifp_dbus_exec_comment@
Exec=@ifp_exec_cmd@
Exec=@ifp_dbus_exec_cmd@
User=root
@ifp_systemdservice@
7 changes: 5 additions & 2 deletions src/sysv/systemd/sssd-ifp.service.in
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,9 @@ Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-@environment_file@
Type=dbus
BusName=org.freedesktop.sssd.infopipe
ExecStart=@ifp_exec_cmd@ ${DEBUG_LOGGER}
ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_ifp.log
ExecStart=@libexecdir@/sssd/sssd_ifp ${DEBUG_LOGGER} --dbus-activated
CapabilityBoundingSet= @additional_caps@ CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETGID CAP_SETUID
@ifp_restart@
Restart=on-failure
User=@SSSD_USER@
Group=@SSSD_USER@
2 changes: 1 addition & 1 deletion src/util/server.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -524,7 +524,7 @@ int server_setup(const char *name, bool is_responder,
sss_strerror(ret), ret);
}

if (!is_socket_activated()) {
if (!is_socket_activated() && !is_dbus_activated()) {
ret = chown_debug_file(NULL, uid, gid);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
Expand Down

0 comments on commit f5aec6a

Please sign in to comment.