diff options
| author | Jakub Hrozek <jhrozek@redhat.com> | 2014-10-15 15:58:58 +0200 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-10-22 15:44:23 +0200 |
| commit | 19e9c1c1a21790974400db9349637788727b6564 (patch) | |
| tree | 6d284f2b8d6cf2f0fc488676bd6cdb923bb668b7 | |
| parent | aa871e019f00493dfa53b48f906132bf94eeae9f (diff) | |
| download | sssd-19e9c1c1a21790974400db9349637788727b6564.tar.gz sssd-19e9c1c1a21790974400db9349637788727b6564.tar.xz sssd-19e9c1c1a21790974400db9349637788727b6564.zip | |
BE: Own the sbus socket as the SSSD user
In some cases, the back end might still be running as root, but the
responder would be running unprivileged. In this case, we need to allow
connecting from the SSSD user ID.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
| -rw-r--r-- | src/monitor/monitor.c | 8 | ||||
| -rw-r--r-- | src/providers/data_provider_be.c | 16 | ||||
| -rw-r--r-- | src/providers/dp_backend.h | 2 |
3 files changed, 22 insertions, 4 deletions
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c index fc6b2963f..905e66f25 100644 --- a/src/monitor/monitor.c +++ b/src/monitor/monitor.c @@ -1306,6 +1306,14 @@ static int get_provider_config(struct mt_ctx *ctx, const char *name, return ENOMEM; } + svc->command = talloc_asprintf_append(svc->command, + " --uid %"SPRIuid" --gid %"SPRIgid, + ctx->uid, ctx->gid); + if (!svc->command) { + talloc_free(svc); + return ENOMEM; + } + if (cmdline_debug_level != SSSDBG_UNRESOLVED) { svc->command = talloc_asprintf_append( svc->command, " -d %#.4x", cmdline_debug_level diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c index 122c5b091..2716e4a8b 100644 --- a/src/providers/data_provider_be.c +++ b/src/providers/data_provider_be.c @@ -2226,6 +2226,9 @@ static int be_client_init(struct sbus_connection *conn, void *data) becli->conn = conn; becli->initialized = false; + /* Allow access from the SSSD user */ + sbus_allow_uid(conn, &bectx->uid); + /* 5 seconds should be plenty */ tv = tevent_timeval_current_ofs(5, 0); @@ -2251,7 +2254,8 @@ static int be_client_init(struct sbus_connection *conn, void *data) /* be_srv_init * set up per-domain sbus channel */ -static int be_srv_init(struct be_ctx *ctx) +static int be_srv_init(struct be_ctx *ctx, + uid_t uid, gid_t gid) { char *sbus_address; int ret; @@ -2263,7 +2267,10 @@ static int be_srv_init(struct be_ctx *ctx) return ret; } - ret = sbus_new_server(ctx, ctx->ev, sbus_address, 0, 0, + ctx->uid = uid; + ctx->gid = gid; + + ret = sbus_new_server(ctx, ctx->ev, sbus_address, uid, gid, true, &ctx->sbus_srv, be_client_init, ctx); if (ret != EOK) { DEBUG(SSSDBG_FATAL_FAILURE, "Could not set up sbus server.\n"); @@ -2554,6 +2561,7 @@ done: int be_process_init(TALLOC_CTX *mem_ctx, const char *be_domain, + uid_t uid, gid_t gid, struct tevent_context *ev, struct confdb_ctx *cdb) { @@ -2609,7 +2617,7 @@ int be_process_init(TALLOC_CTX *mem_ctx, goto fail; } - ret = be_srv_init(ctx); + ret = be_srv_init(ctx, uid, gid); if (ret != EOK) { DEBUG(SSSDBG_FATAL_FAILURE, "fatal error setting up server bus\n"); goto fail; @@ -2870,7 +2878,7 @@ int main(int argc, const char *argv[]) } ret = be_process_init(main_ctx, - be_domain, + be_domain, uid, gid, main_ctx->event_ctx, main_ctx->confdb_ctx); if (ret != EOK) { diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h index 075681ff9..e4213b44b 100644 --- a/src/providers/dp_backend.h +++ b/src/providers/dp_backend.h @@ -116,6 +116,8 @@ struct be_ctx { struct sss_domain_info *domain; const char *identity; const char *conf_path; + uid_t uid; + gid_t gid; struct be_failover_ctx *be_fo; struct be_resolv_ctx *be_res; |