dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone

Blame SOURCES/0004-SSSD-Add-the-options-to-specify-a-UID-and-GID-to-run.patch

905b4d
From b967aefd1c7463ecad93f63d67c77446584cc829 Mon Sep 17 00:00:00 2001
905b4d
From: Jakub Hrozek <jhrozek@redhat.com>
905b4d
Date: Mon, 6 Oct 2014 16:28:13 +0200
905b4d
Subject: [PATCH 04/22] SSSD: Add the options to specify a UID and GID to run
905b4d
 as
905b4d
905b4d
Adds new command line options --uid and --gid to all SSSD servers,
905b4d
making it possible to switch to another user ID if needed.
905b4d
905b4d
So far all code still runs as root.
905b4d
905b4d
Reviewed-by: Pavel Reichl <preichl@redhat.com>
905b4d
---
905b4d
 Makefile.am                       | 7 +++++--
905b4d
 src/monitor/monitor.c             | 3 ++-
905b4d
 src/providers/data_provider_be.c  | 5 ++++-
905b4d
 src/providers/proxy/proxy_child.c | 5 ++++-
905b4d
 src/responder/autofs/autofssrv.c  | 6 +++++-
905b4d
 src/responder/ifp/ifpsrv.c        | 6 +++++-
905b4d
 src/responder/nss/nsssrv.c        | 5 ++++-
905b4d
 src/responder/pac/pacsrv.c        | 5 ++++-
905b4d
 src/responder/pam/pamsrv.c        | 5 ++++-
905b4d
 src/responder/ssh/sshsrv.c        | 5 ++++-
905b4d
 src/responder/sudo/sudosrv.c      | 6 +++++-
905b4d
 src/util/server.c                 | 8 ++++++++
905b4d
 src/util/util.h                   | 7 +++++++
905b4d
 13 files changed, 61 insertions(+), 12 deletions(-)
905b4d
905b4d
diff --git a/Makefile.am b/Makefile.am
905b4d
index 49acdb107cb45410493dfabe30a2ea4553a23669..b949c9c24070026570de970b545918a7eb279c6d 100644
905b4d
--- a/Makefile.am
905b4d
+++ b/Makefile.am
905b4d
@@ -706,14 +706,17 @@ libsss_util_la_SOURCES = \
905b4d
     src/util/util_sss_idmap.c \
905b4d
     src/util/well_known_sids.c \
905b4d
     src/util/string_utils.c \
905b4d
+    src/util/become_user.c \
905b4d
     $(NULL)
905b4d
 libsss_util_la_CFLAGS = \
905b4d
     $(AM_CFLAGS) \
905b4d
-    $(SYSTEMD_LOGIN_CFLAGS)
905b4d
+    $(SYSTEMD_LOGIN_CFLAGS) \
905b4d
+    $(NULL)
905b4d
 libsss_util_la_LIBADD = \
905b4d
     $(SSSD_LIBS) \
905b4d
     $(SYSTEMD_LOGIN_LIBS) \
905b4d
-    $(UNICODE_LIBS)
905b4d
+    $(UNICODE_LIBS) \
905b4d
+    $(NULL)
905b4d
 if BUILD_SUDO
905b4d
     libsss_util_la_SOURCES += src/db/sysdb_sudo.c
905b4d
 endif
905b4d
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
905b4d
index 624e45026b01842ab81d8c37d50751977185d20c..edd1c2dfc674d8a7ca9d069d6499c0dcc959f210 100644
905b4d
--- a/src/monitor/monitor.c
905b4d
+++ b/src/monitor/monitor.c
905b4d
@@ -2855,7 +2855,8 @@ int main(int argc, const char *argv[])
905b4d
     ret = close(STDIN_FILENO);
905b4d
     if (ret != EOK) return 6;
905b4d
 
905b4d
-    ret = server_setup(MONITOR_NAME, flags, monitor->conf_path, &main_ctx);
905b4d
+    ret = server_setup(MONITOR_NAME, flags, 0, 0,
905b4d
+                       monitor->conf_path, &main_ctx);
905b4d
     if (ret != EOK) return 2;
905b4d
 
905b4d
     monitor->is_daemon = !opt_interactive;
905b4d
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
905b4d
index e7f345f922361b60775e149c1b28f45cf16ed00e..18b50214b0795709d583d5891bf4f6fd220bcb11 100644
905b4d
--- a/src/providers/data_provider_be.c
905b4d
+++ b/src/providers/data_provider_be.c
905b4d
@@ -2804,10 +2804,13 @@ int main(int argc, const char *argv[])
905b4d
     struct main_context *main_ctx;
905b4d
     char *confdb_path;
905b4d
     int ret;
905b4d
+    uid_t uid;
905b4d
+    gid_t gid;
905b4d
 
905b4d
     struct poptOption long_options[] = {
905b4d
         POPT_AUTOHELP
905b4d
         SSSD_MAIN_OPTS
905b4d
+        SSSD_SERVER_OPTS(uid, gid)
905b4d
         {"domain", 0, POPT_ARG_STRING, &be_domain, 0,
905b4d
          _("Domain of the information provider (mandatory)"), NULL },
905b4d
         POPT_TABLEEND
905b4d
@@ -2847,7 +2850,7 @@ int main(int argc, const char *argv[])
905b4d
     confdb_path = talloc_asprintf(NULL, CONFDB_DOMAIN_PATH_TMPL, be_domain);
905b4d
     if (!confdb_path) return 2;
905b4d
 
905b4d
-    ret = server_setup(srv_name, 0, confdb_path, &main_ctx);
905b4d
+    ret = server_setup(srv_name, 0, 0, 0, confdb_path, &main_ctx);
905b4d
     if (ret != EOK) {
905b4d
         DEBUG(SSSDBG_FATAL_FAILURE, "Could not set up mainloop [%d]\n", ret);
905b4d
         return 2;
905b4d
diff --git a/src/providers/proxy/proxy_child.c b/src/providers/proxy/proxy_child.c
905b4d
index 6bee1c7f63c4bb5b33f11601c2be32df05206756..e261b2f588a89a27ed6fe78f7fc5cfa053b49833 100644
905b4d
--- a/src/providers/proxy/proxy_child.c
905b4d
+++ b/src/providers/proxy/proxy_child.c
905b4d
@@ -504,10 +504,13 @@ int main(int argc, const char *argv[])
905b4d
     int ret;
905b4d
     long id;
905b4d
     char *pam_target = NULL;
905b4d
+    uid_t uid;
905b4d
+    gid_t gid;
905b4d
 
905b4d
     struct poptOption long_options[] = {
905b4d
         POPT_AUTOHELP
905b4d
         SSSD_MAIN_OPTS
905b4d
+        SSSD_SERVER_OPTS(uid, gid)
905b4d
         {"domain", 0, POPT_ARG_STRING, &domain, 0,
905b4d
          _("Domain of the information provider (mandatory)"), NULL },
905b4d
         {"id", 0, POPT_ARG_LONG, &id, 0,
905b4d
@@ -557,7 +560,7 @@ int main(int argc, const char *argv[])
905b4d
     conf_entry = talloc_asprintf(NULL, CONFDB_DOMAIN_PATH_TMPL, domain);
905b4d
     if (!conf_entry) return 2;
905b4d
 
905b4d
-    ret = server_setup(srv_name, 0, conf_entry, &main_ctx);
905b4d
+    ret = server_setup(srv_name, 0, 0, 0, conf_entry, &main_ctx);
905b4d
     if (ret != EOK) {
905b4d
         DEBUG(SSSDBG_FATAL_FAILURE, "Could not set up mainloop [%d]\n", ret);
905b4d
         return 2;
905b4d
diff --git a/src/responder/autofs/autofssrv.c b/src/responder/autofs/autofssrv.c
905b4d
index bd5aa135a3fb64a020e74a9dd39fa1b67dc76533..931cf018bfe15b37bf8e5f93a21c7ab61d238c18 100644
905b4d
--- a/src/responder/autofs/autofssrv.c
905b4d
+++ b/src/responder/autofs/autofssrv.c
905b4d
@@ -207,10 +207,13 @@ int main(int argc, const char *argv[])
905b4d
     poptContext pc;
905b4d
     struct main_context *main_ctx;
905b4d
     int ret;
905b4d
+    uid_t uid;
905b4d
+    gid_t gid;
905b4d
 
905b4d
     struct poptOption long_options[] = {
905b4d
         POPT_AUTOHELP
905b4d
         SSSD_MAIN_OPTS
905b4d
+        SSSD_SERVER_OPTS(uid, gid)
905b4d
         POPT_TABLEEND
905b4d
     };
905b4d
 
905b4d
@@ -235,7 +238,8 @@ int main(int argc, const char *argv[])
905b4d
     /* set up things like debug, signals, daemonization, etc... */
905b4d
     debug_log_file = "sssd_autofs";
905b4d
 
905b4d
-    ret = server_setup("sssd[autofs]", 0, CONFDB_AUTOFS_CONF_ENTRY, &main_ctx);
905b4d
+    ret = server_setup("sssd[autofs]", 0, 0, 0,
905b4d
+                       CONFDB_AUTOFS_CONF_ENTRY, &main_ctx);
905b4d
     if (ret != EOK) {
905b4d
         return 2;
905b4d
     }
905b4d
diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c
905b4d
index 4af836543d3945603d22099b7ab98a90588bce35..8d8fe885abb8ef53ee7f49e763ba78c4dda9a983 100644
905b4d
--- a/src/responder/ifp/ifpsrv.c
905b4d
+++ b/src/responder/ifp/ifpsrv.c
905b4d
@@ -441,10 +441,13 @@ int main(int argc, const char *argv[])
905b4d
     poptContext pc;
905b4d
     struct main_context *main_ctx;
905b4d
     int ret;
905b4d
+    uid_t uid;
905b4d
+    gid_t gid;
905b4d
 
905b4d
     struct poptOption long_options[] = {
905b4d
         POPT_AUTOHELP
905b4d
         SSSD_MAIN_OPTS
905b4d
+        SSSD_SERVER_OPTS(uid, gid)
905b4d
         POPT_TABLEEND
905b4d
     };
905b4d
 
905b4d
@@ -469,7 +472,8 @@ int main(int argc, const char *argv[])
905b4d
     /* set up things like debug, signals, daemonization, etc... */
905b4d
     debug_log_file = "sssd_ifp";
905b4d
 
905b4d
-    ret = server_setup("sssd[ifp]", 0, CONFDB_IFP_CONF_ENTRY, &main_ctx);
905b4d
+    ret = server_setup("sssd[ifp]", 0, 0, 0,
905b4d
+                       CONFDB_IFP_CONF_ENTRY, &main_ctx);
905b4d
     if (ret != EOK) return 2;
905b4d
 
905b4d
     ret = die_if_parent_died();
905b4d
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
905b4d
index 84a6b7fedd096a7d4159b7ac6670820c1d8fd941..420fd3d316959a67737f23e9a8b3d1c797583ea3 100644
905b4d
--- a/src/responder/nss/nsssrv.c
905b4d
+++ b/src/responder/nss/nsssrv.c
905b4d
@@ -537,10 +537,13 @@ int main(int argc, const char *argv[])
905b4d
     poptContext pc;
905b4d
     struct main_context *main_ctx;
905b4d
     int ret;
905b4d
+    uid_t uid;
905b4d
+    gid_t gid;
905b4d
 
905b4d
     struct poptOption long_options[] = {
905b4d
         POPT_AUTOHELP
905b4d
         SSSD_MAIN_OPTS
905b4d
+        SSSD_SERVER_OPTS(uid, gid)
905b4d
         POPT_TABLEEND
905b4d
     };
905b4d
 
905b4d
@@ -565,7 +568,7 @@ int main(int argc, const char *argv[])
905b4d
     /* set up things like debug, signals, daemonization, etc... */
905b4d
     debug_log_file = "sssd_nss";
905b4d
 
905b4d
-    ret = server_setup("sssd[nss]", 0, CONFDB_NSS_CONF_ENTRY, &main_ctx);
905b4d
+    ret = server_setup("sssd[nss]", 0, 0, 0, CONFDB_NSS_CONF_ENTRY, &main_ctx);
905b4d
     if (ret != EOK) return 2;
905b4d
 
905b4d
     ret = die_if_parent_died();
905b4d
diff --git a/src/responder/pac/pacsrv.c b/src/responder/pac/pacsrv.c
905b4d
index 47a9d1a68fbf1615277af41cef297b4955e7f7c3..b76691de829b4f40937a07ea83825a606950aa1e 100644
905b4d
--- a/src/responder/pac/pacsrv.c
905b4d
+++ b/src/responder/pac/pacsrv.c
905b4d
@@ -216,10 +216,13 @@ int main(int argc, const char *argv[])
905b4d
     poptContext pc;
905b4d
     struct main_context *main_ctx;
905b4d
     int ret;
905b4d
+    uid_t uid;
905b4d
+    gid_t gid;
905b4d
 
905b4d
     struct poptOption long_options[] = {
905b4d
         POPT_AUTOHELP
905b4d
         SSSD_MAIN_OPTS
905b4d
+        SSSD_SERVER_OPTS(uid, gid)
905b4d
         POPT_TABLEEND
905b4d
     };
905b4d
 
905b4d
@@ -244,7 +247,7 @@ int main(int argc, const char *argv[])
905b4d
     /* set up things like debug, signals, daemonization, etc... */
905b4d
     debug_log_file = "sssd_pac";
905b4d
 
905b4d
-    ret = server_setup("sssd[pac]", 0, CONFDB_PAC_CONF_ENTRY, &main_ctx);
905b4d
+    ret = server_setup("sssd[pac]", 0, 0, 0, CONFDB_PAC_CONF_ENTRY, &main_ctx);
905b4d
     if (ret != EOK) return 2;
905b4d
 
905b4d
     ret = die_if_parent_died();
905b4d
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
905b4d
index 428b252acb56406291e3cac5d2a13e6f6b581c36..91b395080820b27f5d57341e59dd739e674be31a 100644
905b4d
--- a/src/responder/pam/pamsrv.c
905b4d
+++ b/src/responder/pam/pamsrv.c
905b4d
@@ -316,10 +316,13 @@ int main(int argc, const char *argv[])
905b4d
     poptContext pc;
905b4d
     struct main_context *main_ctx;
905b4d
     int ret;
905b4d
+    uid_t uid;
905b4d
+    gid_t gid;
905b4d
 
905b4d
     struct poptOption long_options[] = {
905b4d
         POPT_AUTOHELP
905b4d
         SSSD_MAIN_OPTS
905b4d
+        SSSD_SERVER_OPTS(uid, gid)
905b4d
         POPT_TABLEEND
905b4d
     };
905b4d
 
905b4d
@@ -344,7 +347,7 @@ int main(int argc, const char *argv[])
905b4d
     /* set up things like debug, signals, daemonization, etc... */
905b4d
     debug_log_file = "sssd_pam";
905b4d
 
905b4d
-    ret = server_setup("sssd[pam]", 0, CONFDB_PAM_CONF_ENTRY, &main_ctx);
905b4d
+    ret = server_setup("sssd[pam]", 0, 0, 0, CONFDB_PAM_CONF_ENTRY, &main_ctx);
905b4d
     if (ret != EOK) return 2;
905b4d
 
905b4d
     ret = die_if_parent_died();
905b4d
diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c
905b4d
index 8aa603d79dddb327606f02d9e7ddf2b18a98e700..1328d1746b9e2d6474d6c2f8ce2825be463ca3e7 100644
905b4d
--- a/src/responder/ssh/sshsrv.c
905b4d
+++ b/src/responder/ssh/sshsrv.c
905b4d
@@ -184,10 +184,13 @@ int main(int argc, const char *argv[])
905b4d
     poptContext pc;
905b4d
     struct main_context *main_ctx;
905b4d
     int ret;
905b4d
+    uid_t uid;
905b4d
+    gid_t gid;
905b4d
 
905b4d
     struct poptOption long_options[] = {
905b4d
         POPT_AUTOHELP
905b4d
         SSSD_MAIN_OPTS
905b4d
+        SSSD_SERVER_OPTS(uid, gid)
905b4d
         POPT_TABLEEND
905b4d
     };
905b4d
 
905b4d
@@ -212,7 +215,7 @@ int main(int argc, const char *argv[])
905b4d
     /* set up things like debug, signals, daemonization, etc... */
905b4d
     debug_log_file = "sssd_ssh";
905b4d
 
905b4d
-    ret = server_setup("sssd[ssh]", 0, CONFDB_SSH_CONF_ENTRY, &main_ctx);
905b4d
+    ret = server_setup("sssd[ssh]", 0, 0, 0, CONFDB_SSH_CONF_ENTRY, &main_ctx);
905b4d
     if (ret != EOK) {
905b4d
         return 2;
905b4d
     }
905b4d
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
905b4d
index 8a197159b23abde45953b65121ff2e3fc3f2f67a..30752c9dacdc390b24fe837c0630333b5e171448 100644
905b4d
--- a/src/responder/sudo/sudosrv.c
905b4d
+++ b/src/responder/sudo/sudosrv.c
905b4d
@@ -164,10 +164,13 @@ int main(int argc, const char *argv[])
905b4d
     poptContext pc;
905b4d
     struct main_context *main_ctx;
905b4d
     int ret;
905b4d
+    uid_t uid;
905b4d
+    gid_t gid;
905b4d
 
905b4d
     struct poptOption long_options[] = {
905b4d
         POPT_AUTOHELP
905b4d
         SSSD_MAIN_OPTS
905b4d
+        SSSD_SERVER_OPTS(uid, gid)
905b4d
         POPT_TABLEEND
905b4d
     };
905b4d
 
905b4d
@@ -192,7 +195,8 @@ int main(int argc, const char *argv[])
905b4d
     /* set up things like debug, signals, daemonization, etc... */
905b4d
     debug_log_file = "sssd_sudo";
905b4d
 
905b4d
-    ret = server_setup("sssd[sudo]", 0, CONFDB_SUDO_CONF_ENTRY, &main_ctx);
905b4d
+    ret = server_setup("sssd[sudo]", 0, 0, 0, CONFDB_SUDO_CONF_ENTRY,
905b4d
+                       &main_ctx);
905b4d
     if (ret != EOK) {
905b4d
         return 2;
905b4d
     }
905b4d
diff --git a/src/util/server.c b/src/util/server.c
905b4d
index 51934f8ba287d6f6e395231ed893753e10b4c9b0..3a84dee0cee06cb98c94a1d57209c2bcf7c4340a 100644
905b4d
--- a/src/util/server.c
905b4d
+++ b/src/util/server.c
905b4d
@@ -412,6 +412,7 @@ errno_t server_common_rotate_logs(struct confdb_ctx *confdb,
905b4d
 }
905b4d
 
905b4d
 int server_setup(const char *name, int flags,
905b4d
+                 uid_t uid, gid_t gid,
905b4d
                  const char *conf_entry,
905b4d
                  struct main_context **main_ctx)
905b4d
 {
905b4d
@@ -426,6 +427,13 @@ int server_setup(const char *name, int flags,
905b4d
     struct tevent_signal *tes;
905b4d
     struct logrotate_ctx *lctx;
905b4d
 
905b4d
+    ret = become_user(uid, gid);
905b4d
+    if (ret != EOK) {
905b4d
+        DEBUG(SSSDBG_FUNC_DATA,
905b4d
+              "Cannot become user [%"SPRIuid"][%"SPRIgid"].\n", uid, gid);
905b4d
+        return ret;
905b4d
+    }
905b4d
+
905b4d
     debug_prg_name = strdup(name);
905b4d
     if (!debug_prg_name) {
905b4d
         return ENOMEM;
905b4d
diff --git a/src/util/util.h b/src/util/util.h
905b4d
index 0af4db3fec723ef372f7c1acde0e3f9f013f90e0..cc5588c183006a03525e0540524c28bd9eb4dc57 100644
905b4d
--- a/src/util/util.h
905b4d
+++ b/src/util/util.h
905b4d
@@ -175,6 +175,12 @@ errno_t set_debug_file_from_fd(const int fd);
905b4d
 
905b4d
 #define SSSD_MAIN_OPTS SSSD_DEBUG_OPTS
905b4d
 
905b4d
+#define SSSD_SERVER_OPTS(uid, gid) \
905b4d
+        {"uid", 0, POPT_ARG_INT, &uid, 0, \
905b4d
+          _("The user ID to run the server as"), NULL}, \
905b4d
+        {"gid", 0, POPT_ARG_INT, &gid, 0, \
905b4d
+          _("The group ID to run the server as"), NULL},
905b4d
+
905b4d
 #define FLAGS_NONE 0x0000
905b4d
 #define FLAGS_DAEMON 0x0001
905b4d
 #define FLAGS_INTERACTIVE 0x0002
905b4d
@@ -242,6 +248,7 @@ errno_t server_common_rotate_logs(struct confdb_ctx *confdb,
905b4d
 int die_if_parent_died(void);
905b4d
 int pidfile(const char *path, const char *name);
905b4d
 int server_setup(const char *name, int flags,
905b4d
+                 uid_t uid, gid_t gid,
905b4d
                  const char *conf_entry,
905b4d
                  struct main_context **main_ctx);
905b4d
 void server_loop(struct main_context *main_ctx);
905b4d
-- 
905b4d
1.9.3
905b4d