From 261ff6442294b11261c11262d2a6acf379803e36 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 24 Jul 2018 18:52:08 +0000
Subject: [PATCH] SUDO: Fix running in unprivileged responder
There are strict checks for private sockets which do not work with
unprivileged responder
Resolves:
https://pagure.io/SSSD/sssd/issue/3778
Merges: https://pagure.io/SSSD/sssd/pull-request/3784
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 4900b8e59bdbb89fbc1c9718969aabe26f3db34a)
DOWNSTREAM:
Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails
---
src/responder/sudo/sudosrv.c | 31 +++++++++++++++++++++++++++----
1 file changed, 27 insertions(+), 4 deletions(-)
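--- a/src/responder/sudo/sudosrv.c
+++ b/src/responder/sudo/sudosrv.c
@@ -67,7 +67,8 @@ static void sudo_dp_reconnect_init(struct sbus_connection *conn,
 
 int sudo_process_init(TALLOC_CTX *mem_ctx,
 struct tevent_context *ev,
- struct confdb_ctx *cdb)
+ struct confdb_ctx *cdb,
+ int pipe_fd)
 {
 struct resp_ctx *rctx;
 struct sss_cmd_table *sudo_cmds;
@@ -79,8 +80,8 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
 sudo_cmds = get_sudo_cmds();
 ret = sss_process_init(mem_ctx, ev, cdb,
 sudo_cmds,
- NULL, -1, /* No public socket */
- SSS_SUDO_SOCKET_NAME, -1, /* Private socket only */
+ SSS_SUDO_SOCKET_NAME, pipe_fd, /* custom permissions on socket */
+ NULL, -1, /* No private socket */
 CONFDB_SUDO_CONF_ENTRY,
 SSS_SUDO_SBUS_SERVICE_NAME,
 SSS_SUDO_SBUS_SERVICE_VERSION,
@@ -182,6 +183,7 @@ int main(int argc, const char *argv[])
 char *opt_logger = NULL;
 struct main_context *main_ctx;
 int ret;
+ int pipe_fd = -1;
 uid_t uid;
 gid_t gid;
 
@@ -219,6 +221,27 @@ int main(int argc, const char *argv[])
 
 sss_set_logger(opt_logger);
 
+ if (!is_socket_activated()) {
+ /* Create pipe file descriptors here with right ownerschip */
+ ret = create_pipe_fd(SSS_SUDO_SOCKET_NAME, &pipe_fd, SSS_DFL_UMASK);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "create_pipe_fd failed [%d]: %s.\n",
+ ret, sss_strerror(ret));
+ return 4;
+ }
+
+ ret = chown(SSS_SUDO_SOCKET_NAME, uid, 0);
+ if (ret != 0) {
+ ret = errno;
+ close(pipe_fd);
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "create_pipe_fd failed [%d]: %s.\n",
+ ret, sss_strerror(ret));
+ return 5;
+ }
+ }
+
 ret = server_setup("sssd[sudo]", 0, uid, gid, CONFDB_SUDO_CONF_ENTRY,
 &main_ctx);
 if (ret != EOK) {
@@ -234,7 +257,7 @@ int main(int argc, const char *argv[])
 
 ret = sudo_process_init(main_ctx,
 main_ctx->event_ctx,
- main_ctx->confdb_ctx);
+ main_ctx->confdb_ctx, pipe_fd);
 if (ret != EOK) {
 return 3;
 }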
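Review bot: In the chown() failure branch added to main() (the `return 5` path) the log message still reads `create_pipe_fd failed`, so a failure to set the sudo socket's ownership is reported as a socket-creation failure; use `"chown failed [%d]: %s.\n"` (or name the socket path) so the two exit paths, return 4 and return 5, are distinguishable in the log. The comment on the same block has a typo, `ownerschip` for `ownership`. The chown passes group 0 while the surrounding code carries a `gid` variable; a one-line comment stating why the socket's group is root rather than the responder's gid would help the next reader, since the hunk does not show whether that is intentional. When the service is socket-activated, pipe_fd stays -1 and is passed to sss_process_init in the public-socket slot; that appears to be the expected sentinel (the old code passed -1 in the same slot), so only the non-activated path gains the ownership step. main() starts and ends outside the hunk.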
--
2.14.4