RESPONDER: Make responders' common code ready for socket activation

Instead of simply setting the unix socket during the process
initialization, let's make it socket-activatable. It's the first step in
order to have socket-activated responders and doesn't introduce any kind
of regression with the current code.

Also, we must avoid setting the responders fds to -1 in all cases as it
may have cause the socket to be unreachable in case the administrator
decides to move back from socket-activation to using the services line
in sssd.conf. With this change, the responders will have to activelly
set their sockets fd to -1 before calling activate_unix_sockets(), which
is already done everyone but in Secrets and in one piece of PAM
responder.

Related:
https://fedorahosted.org/sssd/ticket/2243

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

3 files changed, 38 insertions, 38 deletions

diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index a64334d9d..2a585d2a4 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -771,53 +771,51 @@ int activate_unix_sockets(struct resp_ctx *rctx,
 {
     int ret;
 
-    /* by default we want to open sockets ourselves */
-    rctx->lfd = -1;
-    rctx->priv_lfd = -1;
-
 #ifdef HAVE_SYSTEMD
-    int numfds = (rctx->sock_name ? 1 : 0)
-                + (rctx->priv_sock_name ? 1 : 0);
-    /* but if systemd support is available, check if the sockets
-     * have been opened for us, via socket activation */
-    ret = sd_listen_fds(1);
-    if (ret < 0) {
-        DEBUG(SSSDBG_MINOR_FAILURE,
-              "Unexpected error probing for active sockets. "
-              "Will proceed with no sockets. [Error %d (%s)]\n",
-              -ret, sss_strerror(-ret));
-    } else if (ret > numfds) {
-        DEBUG(SSSDBG_FATAL_FAILURE,
-              "Too many activated sockets have been found, "
-              "expected %d, found %d\n", numfds, ret);
-        ret = E2BIG;
-        goto done;
-    }
-
-    if (ret == numfds) {
-        rctx->lfd = SD_LISTEN_FDS_START;
-        ret = sd_is_socket_unix(rctx->lfd, SOCK_STREAM, 1, NULL, 0);
+    if (rctx->lfd == -1 && rctx->priv_lfd == -1) {
+        int numfds = (rctx->sock_name ? 1 : 0)
+                     + (rctx->priv_sock_name ? 1 : 0);
+        /* but if systemd support is available, check if the sockets
+         * have been opened for us, via socket activation */
+        ret = sd_listen_fds(1);
         if (ret < 0) {
-            DEBUG(SSSDBG_CRIT_FAILURE,
-                  "Activated socket is not a UNIX listening socket\n");
-            ret = EIO;
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "Unexpected error probing for active sockets. "
+                  "Will proceed with no sockets. [Error %d (%s)]\n",
+                  -ret, sss_strerror(-ret));
+        } else if (ret > numfds) {
+            DEBUG(SSSDBG_FATAL_FAILURE,
+                  "Too many activated sockets have been found, "
+                  "expected %d, found %d\n", numfds, ret);
+            ret = E2BIG;
             goto done;
         }
 
-        ret = sss_fd_nonblocking(rctx->lfd);
-        if (ret != EOK) goto done;
-        if (numfds == 2) {
-            rctx->priv_lfd = SD_LISTEN_FDS_START + 1;
-            ret = sd_is_socket_unix(rctx->priv_lfd, SOCK_STREAM, 1, NULL, 0);
+        if (ret == numfds) {
+            rctx->lfd = SD_LISTEN_FDS_START;
+            ret = sd_is_socket_unix(rctx->lfd, SOCK_STREAM, 1, NULL, 0);
             if (ret < 0) {
                 DEBUG(SSSDBG_CRIT_FAILURE,
-                    "Activated priv socket is not a UNIX listening socket\n");
+                      "Activated socket is not a UNIX listening socket\n");
                 ret = EIO;
                 goto done;
             }
 
-            ret = sss_fd_nonblocking(rctx->priv_lfd);
+            ret = sss_fd_nonblocking(rctx->lfd);
             if (ret != EOK) goto done;
+            if (numfds == 2) {
+                rctx->priv_lfd = SD_LISTEN_FDS_START + 1;
+                ret = sd_is_socket_unix(rctx->priv_lfd, SOCK_STREAM, 1, NULL, 0);
+                if (ret < 0) {
+                    DEBUG(SSSDBG_CRIT_FAILURE,
+                          "Activated priv socket is not a UNIX listening socket\n");
+                    ret = EIO;
+                    goto done;
+                }
+
+                ret = sss_fd_nonblocking(rctx->priv_lfd);
+                if (ret != EOK) goto done;
+            }
         }
     }
 #endif
@@ -1062,7 +1060,7 @@ int sss_process_init(TALLOC_CTX *mem_ctx,
     }
 
     /* after all initializations we are ready to listen on our socket */
-    ret = set_unix_socket(rctx, conn_setup);
+    ret = activate_unix_sockets(rctx, conn_setup);
     if (ret != EOK) {
         DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing socket\n");
         goto fail;
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 9594f35e5..9ea453603 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -326,8 +326,8 @@ int main(int argc, const char *argv[])
     int ret;
     uid_t uid;
     gid_t gid;
-    int pipe_fd;
-    int priv_pipe_fd;
+    int pipe_fd = -1;
+    int priv_pipe_fd = -1;
 
     struct poptOption long_options[] = {
         POPT_AUTOHELP
diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c
index 09b0d2251..28eca9d20 100644
--- a/src/responder/secrets/secsrv.c
+++ b/src/responder/secrets/secsrv.c
@@ -136,6 +136,8 @@ static int sec_process_init(TALLOC_CTX *mem_ctx,
     rctx->sock_name = SSS_SEC_SOCKET_NAME;
     rctx->confdb_service_path = CONFDB_SEC_CONF_ENTRY;
     rctx->shutting_down = false;
+    rctx->lfd = -1;
+    rctx->priv_lfd = -1;
 
     talloc_set_destructor((TALLOC_CTX*)rctx, sec_responder_ctx_destructor);