authorJakub Hrozek <jhrozek@redhat.com>2015-01-26 15:15:29 +0100
committerJakub Hrozek <jhrozek@redhat.com>2015-01-27 18:07:25 +0100
commit6772568c21cbea19c63ff047a5f668dc3372a114 (patch)
tree7a6145ab782b4c05d33d2abb2cf8231aedbf29e3 /src/providers/ipa/selinux_child.c
parent42aa9151b9f01bb4fe9d81313f65e9cac0c0aaf1 (diff)
SELINUX: Call setuid(0)/setgid(0) to also set the real IDs to root
https://fedorahosted.org/sssd/ticket/2564 libselinux uses many access(2) calls and access() uses the real UID, not the effective UID for the check. Therefore, the setuid selinux_child, which only has effective UID of root would fail the check. Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 486f0d5227a9b81815aaaf7d9a2c39aafcbfdf6a)
Diffstat (limited to 'src/providers/ipa/selinux_child.c')
-rw-r--r--src/providers/ipa/selinux_child.c18
1 files changed, 17 insertions, 1 deletions
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index cb6f96415..6390d43cb 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -197,7 +197,23 @@ int main(int argc, const char *argv[])
DEBUG(SSSDBG_TRACE_FUNC, "selinux_child started.\n");
DEBUG(SSSDBG_TRACE_INTERNAL,
- "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid());
+ "Running with effective IDs: [%"SPRIuid"][%"SPRIgid"].\n",
+ geteuid(), getegid());
+
+ /* libsemanage calls access(2) which works with real IDs, not effective.
+ * We need to switch also the real ID to 0.
+ */
+ if (getuid() != 0) {
+ setuid(0);
+ }
+
+ if (getgid() != 0) {
+ setgid(0);
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Running with real IDs [%"SPRIuid"][%"SPRIgid"].\n",
+ getuid(), getgid());
main_ctx = talloc_new(NULL);
if (main_ctx == NULL) {
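Review bot: The results of `setuid(0)` and `setgid(0)` in the added block are discarded, so a failed call (for example the binary installed without the setuid bit, or running somewhere CAP_SETUID/CAP_SETGID is unavailable) leaves the real IDs unchanged and the helper carries on anyway. The only trace is the following "Running with real IDs" message at SSSDBG_TRACE_INTERNAL level, which is easy to miss, and the later access(2) checks would then fail far from the cause. Privilege-changing calls should always have their return value checked (CERT POS37-C, CWE-252): log errno at a failure level and stop before any SELinux work is attempted. The body of main continues outside this hunk, so the exact exit path to use is not visible here and is left as a comment below.
```c
    if (getuid() != 0) {
        if (setuid(0) == -1) {
            int err = errno;
            DEBUG(SSSDBG_CRIT_FAILURE,
                  "setuid(0) failed: [%d][%s]\n", err, strerror(err));
            /* … leave through main's error path (outside this hunk) … */
        }
    }

    if (getgid() != 0) {
        if (setgid(0) == -1) {
            int err = errno;
            DEBUG(SSSDBG_CRIT_FAILURE,
                  "setgid(0) failed: [%d][%s]\n", err, strerror(err));
            /* … leave through main's error path (outside this hunk) … */
        }
    }
    /* … unchanged: "Running with real IDs" trace message … */
```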