From 1370bcccaed090f36d75e8a8cebb320ea1612b7e Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Wed, 27 May 2015 14:49:14 +0200 Subject: PROXY: proxy_child should work in non-root mode MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit According to design page[1], proxy_child should run with root privileges in non-root mode however proxy_child did not have setuid bit. After setting setuid bit proxy_child will be executed with extra privileges. The effective user ID will be 0 but effective group ID will be still the same as egid of sssd_be. Therefore gid of private pipe for proxy_child should be the same. Otherwise proxy_child will fail due to wrong permissions of unix pipe (sbus_client_init -> check_file) [1] https://fedorahosted.org/sssd/wiki/DesignDocs/NotRootSSSD Resolves: https://fedorahosted.org/sssd/ticket/2655 Reviewed-by: Michal Židek --- Makefile.am | 2 ++ contrib/sssd.spec.in | 2 +- src/providers/proxy/proxy_init.c | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 1970b812e..9927391fe 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3344,6 +3344,8 @@ if SSSD_USER
 chmod 4750 $(DESTDIR)$(sssdlibexecdir)/ldap_child
 -chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/krb5_child
 chmod 4750 $(DESTDIR)$(sssdlibexecdir)/krb5_child
+ -chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/proxy_child
+ chmod 4750 $(DESTDIR)$(sssdlibexecdir)/proxy_child
 if BUILD_SEMANAGE
 -chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/selinux_child
 chmod 4750 $(DESTDIR)$(sssdlibexecdir)/selinux_child
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 3cae11787..d4b2a9300 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -780,7 +780,7 @@ rm -rf $RPM_BUILD_ROOT
 %files proxy
 %defattr(-,root,root,-)
 %doc COPYING
-%{_libexecdir}/%{servicename}/proxy_child
+%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/proxy_child
 %{_libdir}/%{name}/libsss_proxy.so
 %files dbus
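Review bot: The added `-chgrp`/`chmod 4750` pair for proxy_child in Makefile.am tolerates a failed chgrp (the leading `-` makes make ignore the error) and then sets the setuid bit regardless, so a failed group change leaves a setuid binary whose group is whatever the install ran with. Nothing in the hunk sets the owner either, so the file ends up setuid root only when the install itself runs as root. This mirrors the existing ldap_child and krb5_child lines, but a comment above the new pair would record the intended end state, e.g. `# proxy_child must end up root:$(SSSD_USER) mode 4750; packaging has to enforce the owner`. The enclosing `if SSSD_USER` block starts and ends outside the hunk.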
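Review bot: In contrib/sssd.spec.in the new `%attr(4750,root,sssd)` hard-codes the group name `sssd`, while the Makefile.am hunk of the same commit takes it from `$(SSSD_USER)`; a build configured with a different service user would package proxy_child with a group the backend does not run under. As far as the hunk shows, the setuid bit is also applied unconditionally, including on installations where the daemon still runs as root and the bit only adds a privileged entry point. If the spec has a macro for the service user or a conditional for non-root mode (not visible here), using it on this line would keep the two install paths in step. The `%files proxy` section continues outside the hunk.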
diff --git a/src/providers/proxy/proxy_init.c b/src/providers/proxy/proxy_init.c
index 791942420..0a6b11d4a 100644
--- a/src/providers/proxy/proxy_init.c
+++ b/src/providers/proxy/proxy_init.c
@@ -515,7 +515,7 @@ int sssm_proxy_auth_init(struct be_ctx *bectx,
 goto done;
 }
- ret = sbus_new_server(ctx, bectx->ev, sbus_address, 0, 0,
+ ret = sbus_new_server(ctx, bectx->ev, sbus_address, 0, bectx->gid,
 false, &ctx->sbus_srv, proxy_client_init, ctx);
 if (ret != EOK) {
 DEBUG(SSSDBG_FATAL_FAILURE, "Could not set up sbus server.\n");
-- cgit
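Review bot: The call in sssm_proxy_auth_init() now passes the bare pair `0, bectx->gid` to sbus_new_server() with no comment, so the reason the owner stays root while the group follows the backend lives only in the commit message. A comment above the call would keep it with the code, e.g. `/* proxy_child is setuid root: its euid is 0 but its egid stays that of sssd_be, so the private pipe must be root:bectx->gid to pass check_file() */`. sbus_new_server() itself is not in the hunk; if it chowns the socket to the uid it is given, it is worth confirming that this still succeeds when the backend has already dropped root. The function body starts and ends outside the hunk.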