author | Jakub Hrozek <jhrozek@redhat.com> | 2015-01-26 15:15:29 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-01-27 17:40:35 +0100 |
commit | 486f0d5227a9b81815aaaf7d9a2c39aafcbfdf6a (patch) | |
tree | 879cf8e9d302a5591ed22a1311dcc6beb3a5d1c8 /src/providers | |
parent | b07a3b729892d2bc2ffa73d93de95e19003cc6c8 (diff) | |

SELINUX: Call setuid(0)/setgid(0) to also set the real IDs to root

https://fedorahosted.org/sssd/ticket/2564

libselinux uses many access(2) calls and access() uses the real UID,
not the effective UID for the check. Therefore, the setuid selinux_child,
which only has effective UID of root would fail the check.

Reviewed-by: Michal Židek <mzidek@redhat.com>

Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/ipa/selinux_child.c | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c index cb6f96415..6390d43cb 100644 --- a/src/providers/ipa/selinux_child.c +++ b/src/providers/ipa/selinux_child.c @@ -197,7 +197,23 @@ int main(int argc, const char *argv[]) DEBUG(SSSDBG_TRACE_FUNC, "selinux_child started.\n"); DEBUG(SSSDBG_TRACE_INTERNAL, - "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid()); + "Running with effective IDs: [%"SPRIuid"][%"SPRIgid"].\n", + geteuid(), getegid()); + + /* libsemanage calls access(2) which works with real IDs, not effective. + * We need to switch also the real ID to 0. + */ + if (getuid() != 0) { + setuid(0); + } + + if (getgid() != 0) { + setgid(0); + } + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Running with real IDs [%"SPRIuid"][%"SPRIgid"].\n", + getuid(), getgid()); main_ctx = talloc_new(NULL); if (main_ctx == NULL) { |
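
Review bot: The return values of setuid(0) and setgid(0) in the added block of main() are ignored, so if either call fails selinux_child continues with a non-root real ID and the access(2) checks this change is meant to satisfy will still fail later. The only trace would be the "Running with real IDs" message, which is logged at SSSDBG_TRACE_INTERNAL and is easy to miss. Suggest testing both results, logging errno at a failure-level debug message, and exiting with an error before main_ctx is allocated, for example `if (getuid() != 0 && setuid(0) != 0) { ... }` and the same for setgid(0). A smaller point: the new code comment names libsemanage while the commit message names libselinux as the caller of access(2); it would help to make the two agree so the reason for the ID switch is unambiguous.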