-rw-r--r-- | Makefile.am | 19 | ||||
-rw-r--r-- | contrib/sssd.spec.in | 3 | ||||
-rw-r--r-- | src/sysv/systemd/sssd-autofs.socket.in | 1 | ||||
-rw-r--r-- | src/sysv/systemd/sssd-nss.socket.in | 1 | ||||
-rw-r--r-- | src/sysv/systemd/sssd-pac.socket.in | 1 | ||||
-rw-r--r-- | src/sysv/systemd/sssd-pam-priv.socket.in | 1 | ||||
-rw-r--r-- | src/sysv/systemd/sssd-pam.socket.in | 1 | ||||
-rw-r--r-- | src/sysv/systemd/sssd-ssh.socket.in | 1 | ||||
-rw-r--r-- | src/sysv/systemd/sssd-sudo.socket.in | 1 | ||||
-rw-r--r-- | src/tools/sssd_check_socket_activated_responders.c | 197 |
10 files changed, 226 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index 182a84e3a..34da1f002 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -190,6 +190,9 @@ endif
 if BUILD_PAC_RESPONDER
 sssdlibexec_PROGRAMS += sssd_pac
 endif
+if HAVE_SYSTEMD_UNIT
+sssdlibexec_PROGRAMS += sssd_check_socket_activated_responders
+endif
 
 if HAVE_CHECK
 non_interactive_check_based_tests = \
@@ -1688,6 +1691,22 @@ sss_ssh_knownhostsproxy_LDADD = \
     $(CLIENT_LIBS) $(TALLOC_LIBS) $(POPT_LIBS)
 endif
 
+if HAVE_SYSTEMD_UNIT
+sssd_check_socket_activated_responders_SOURCES = \
+    src/tools/sssd_check_socket_activated_responders.c \
+    $(NULL)
+sssd_check_socket_activated_responders_CFLAGS = \
+    $(AM_CFLAGS) \
+    $(NULL)
+sssd_check_socket_activated_responders_LDADD = \
+    $(SSSD_INTERNAL_LTLIBS) \
+    $(LTLIBINTL) \
+    $(TALLOC_LIBS) \
+    $(POPT_LIBS) \
+    $(INI_CONFIG_LIBS) \
+    $(NULL)
+endif
+
 #################
 # Feature Tests #
 #################
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 9b970f1bf..5bd2beb89 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -828,6 +828,9 @@ done
 %{_libexecdir}/%{servicename}/sssd_ssh
 %{_libexecdir}/%{servicename}/sssd_sudo
 %{_libexecdir}/%{servicename}/p11_child
+%if (0%{?use_systemd} == 1)
+%{_libexecdir}/%{servicename}/sssd_check_socket_activated_responders
+%endif
 
 %dir %{_libdir}/%{name}
 %{_libdir}/%{name}/libsss_simple.so
diff --git a/src/sysv/systemd/sssd-autofs.socket.in b/src/sysv/systemd/sssd-autofs.socket.in
index 48b651f9d..201b33d90 100644
--- a/src/sysv/systemd/sssd-autofs.socket.in
+++ b/src/sysv/systemd/sssd-autofs.socket.in
@@ -7,6 +7,7 @@ DefaultDependencies=no
 Conflicts=shutdown.target
 
 [Socket]
+ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r autofs
 ListenStream=@pipepath@/autofs
 SocketUser=@SSSD_USER@
 SocketGroup=@SSSD_USER@
diff --git a/src/sysv/systemd/sssd-nss.socket.in b/src/sysv/systemd/sssd-nss.socket.in
index d0af6b03f..39d30e8c0 100644
--- a/src/sysv/systemd/sssd-nss.socket.in
+++ b/src/sysv/systemd/sssd-nss.socket.in
@@ -7,6 +7,7 @@ DefaultDependencies=no
 Conflicts=shutdown.target
 
 [Socket]
+ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r nss
 ListenStream=@pipepath@/nss
 SocketUser=@SSSD_USER@
 SocketGroup=@SSSD_USER@
diff --git a/src/sysv/systemd/sssd-pac.socket.in b/src/sysv/systemd/sssd-pac.socket.in
index fc778243e..40dec4491 100644
--- a/src/sysv/systemd/sssd-pac.socket.in
+++ b/src/sysv/systemd/sssd-pac.socket.in
@@ -7,6 +7,7 @@ DefaultDependencies=no
 Conflicts=shutdown.target
 
 [Socket]
+ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r pac
 ListenStream=@pipepath@/pac
 SocketUser=@SSSD_USER@
 SocketGroup=@SSSD_USER@
diff --git a/src/sysv/systemd/sssd-pam-priv.socket.in b/src/sysv/systemd/sssd-pam-priv.socket.in
index 490fd0dd1..27f2cf73a 100644
--- a/src/sysv/systemd/sssd-pam-priv.socket.in
+++ b/src/sysv/systemd/sssd-pam-priv.socket.in
@@ -8,6 +8,7 @@ DefaultDependencies=no
 Conflicts=shutdown.target
 
 [Socket]
+ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r pam
 Service=sssd-pam.service
 ListenStream=@pipepath@/private/pam
 SocketUser=root
diff --git a/src/sysv/systemd/sssd-pam.socket.in b/src/sysv/systemd/sssd-pam.socket.in
index d278bcc2f..cbbb7623b 100644
--- a/src/sysv/systemd/sssd-pam.socket.in
+++ b/src/sysv/systemd/sssd-pam.socket.in
@@ -8,6 +8,7 @@ DefaultDependencies=no
 Conflicts=shutdown.target
 
 [Socket]
+ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r pam
 ListenStream=@pipepath@/pam
 SocketUser=root
 SocketGroup=root
diff --git a/src/sysv/systemd/sssd-ssh.socket.in b/src/sysv/systemd/sssd-ssh.socket.in
index 727b6c478..4772ef3c0 100644
--- a/src/sysv/systemd/sssd-ssh.socket.in
+++ b/src/sysv/systemd/sssd-ssh.socket.in
@@ -7,6 +7,7 @@ DefaultDependencies=no
 Conflicts=shutdown.target
 
 [Socket]
+ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r ssh
 ListenStream=@pipepath@/ssh
 SocketUser=@SSSD_USER@
 SocketGroup=@SSSD_USER@
diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
index 359f6f2cc..c9abb875f 100644
--- a/src/sysv/systemd/sssd-sudo.socket.in
+++ b/src/sysv/systemd/sssd-sudo.socket.in
@@ -7,6 +7,7 @@ DefaultDependencies=no
 Conflicts=shutdown.target
 
 [Socket]
+ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
 ListenStream=@pipepath@/sudo
 SocketUser=@SSSD_USER@
 SocketGroup=@SSSD_USER@
diff --git a/src/tools/sssd_check_socket_activated_responders.c b/src/tools/sssd_check_socket_activated_responders.c
new file mode 100644
index 000000000..fb9df3909
--- /dev/null
+++ b/src/tools/sssd_check_socket_activated_responders.c
@@ -0,0 +1,197 @@
+/*
+   Authors:
+       Fabiano FidĂȘncio <fidencio@redhat.com>
+
+   Copyright (C) 2017 Red Hat
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "config.h"
+
+#include <popt.h>
+#include <stdio.h>
+#include <ini_configobj.h>
+
+#include "util/util.h"
+#include "confdb/confdb.h"
+
+static errno_t check_socket_activated_responder(const char *responder)
+{
+    errno_t ret;
+    struct ini_cfgfile *file_ctx = NULL;
+    struct ini_cfgobj *ini_config = NULL;
+    struct ini_cfgobj *modified_ini_config = NULL;
+    struct value_obj *vobj = NULL;
+    struct access_check snip_check;
+    const char *services;
+    const char *patterns[] = { "^[^\\.].*\\.conf$", NULL };
+    const char *sections[] = { "sssd", NULL };
+    const char *str;
+    TALLOC_CTX *tmp_ctx;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        return ENOMEM;
+    }
+
+    ret = ini_config_create(&ini_config);
+    if (ret != 0) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "ini_config_create() failed [%d][%s]\n",
+              ret, sss_strerror(ret));
+        goto done;
+    }
+
+    ret = ini_config_file_open(SSSD_CONFIG_FILE, 0, &file_ctx);
+    if (ret != 0) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "ini_config_file_open() failed [%d][%s]\n",
+              ret, sss_strerror(ret));
+        goto done;
+    }
+
+    /* Using the same flags used by sss_ini_get_config(), which is used to
+     * load the config file ... */
+    ret = ini_config_parse(file_ctx,
+                           INI_STOP_ON_ANY,
+                           INI_MV1S_OVERWRITE,
+                           INI_PARSE_NOWRAP,
+                           ini_config);
+    if (ret != 0) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "ini_config_parse() failed [%d][%s]\n",
+              ret, sss_strerror(ret));
+        goto done;
+    }
+
+    /* And also check the snippets ... */
+    snip_check.flags = INI_ACCESS_CHECK_MODE |
+                       INI_ACCESS_CHECK_UID |
+                       INI_ACCESS_CHECK_GID;
+    snip_check.uid = 0; /* owned by root */
+    snip_check.gid = 0; /* owned by root */
+    snip_check.mode = S_IRUSR; /* r**------ */
+    snip_check.mask = ALLPERMS & ~(S_IWUSR | S_IXUSR);
+
+    ret = ini_config_augment(ini_config,
+                             CONFDB_DEFAULT_CONFIG_DIR,
+                             patterns,
+                             sections,
+                             &snip_check,
+                             INI_STOP_ON_ANY,
+                             INI_MV1S_OVERWRITE,
+                             INI_PARSE_NOWRAP,
+                             INI_MV2S_OVERWRITE,
+                             &modified_ini_config,
+                             NULL,
+                             NULL);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "ini_config_augment failed [%d][%s]\n",
+              ret, sss_strerror(ret));
+        goto done;
+    }
+
+    if (modified_ini_config != NULL) {
+        ini_config_destroy(ini_config);
+        ini_config = modified_ini_config;
+    }
+
+    ret = ini_get_config_valueobj("sssd", "services", ini_config,
+                                  INI_GET_FIRST_VALUE, &vobj);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "ini_get_config_valueobj() failed [%d][%s]\n",
+              ret, sss_strerror(ret));
+        goto done;
+    }
+
+    /* In case there's no services' line at all, just return EOK. */
+    if (vobj == NULL) {
+        ret = EOK;
+        goto done;
+    }
+
+    services = ini_get_string_config_value(vobj, &ret);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "ini_get_string_config_value() failed [%d][%s]\n",
+              ret, sss_strerror(ret));
+        goto done;
+    }
+
+    str = strstr(services, responder);
+    if (str != NULL) {
+        ret = EEXIST;
+        goto done;
+    }
+
+    ret = EOK;
+
+done:
+    ini_config_file_destroy(file_ctx);
+    ini_config_destroy(ini_config);
+    talloc_free(tmp_ctx);
+
+    return ret;
+}
+
+int main(int argc, const char *argv[])
+{
+    int ret;
+    int opt;
+    poptContext pc;
+    char *responder = NULL;
+
+    struct poptOption long_options[] = {
+        POPT_AUTOHELP
+        {"responders", 'r', POPT_ARG_STRING, &responder, 0,
+         _("The name of the responder to be checked"), NULL},
+        POPT_TABLEEND
+    };
+
+    pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+    while ((opt = poptGetNextOpt(pc)) != -1) {
+        switch (opt) {
+        default:
+            fprintf(stderr, "\nInvalid option %s: %s\n\n",
+                    poptBadOption(pc, 0), poptStrerror(opt));
+            poptPrintUsage(pc, stderr, 0);
+            ret = 1;
+            goto done;
+        }
+    }
+
+    if (responder == NULL) {
+        poptPrintUsage(pc, stderr, 0);
+        ret = 1;
+        goto done;
+    }
+
+    ret = check_socket_activated_responder(responder);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_DEFAULT,
+              "Misconfiguration found for the %s responder.\n"
+              "The %s responder has been configured to be socket-activated "
+              "but it's still mentioned in the services' line in %s.\n"
+              "Please, consider either adjusting your services' line in %s "
+              "or disabling the %s's socket by calling:\n"
+              "\"systemctl disable sssd-%s.socket\"",
+              responder, responder, SSSD_CONFIG_FILE, SSSD_CONFIG_FILE,
+              responder, responder);
+        goto done;
+    }
+
+    ret = EOK;
+done:
+    poptFreeContext(pc);
+    return ret;
+} |
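Review bot: The lookup `str = strstr(services, responder);` in check_socket_activated_responder() is a substring match on the raw `services` value, so any entry that merely contains the responder's name (or a comment-free run of characters around one) counts as "mentioned", while main() then treats every non-EOK result — including ENOENT from ini_config_file_open(), ENOMEM, or a parse error from ini_config_parse()/ini_config_augment() — as "Misconfiguration found for the %s responder", which sends the operator chasing the services line when the real problem is that the file could not be read. The services line is a comma-separated list, so it should be split and compared token by token, and main() should reserve the misconfiguration message for `ret == EEXIST` and report other errors as what they are (the non-zero exit still makes the socket's ExecStartPre fail either way). split_on_separator() from the already-included util/util.h looks like the right helper — its signature below is from memory, please confirm — and using it would also give the otherwise unused `tmp_ctx` a purpose. Whether the comparison should be case-insensitive depends on how sssd itself parses `services`, which I cannot tell from this hunk.

```c
    /* … unchanged: declarations … */
    char **list = NULL;
    int count = 0;
    int i;
    /* … unchanged: config loading and the "services" lookup … */

    /* The services line is a comma-separated list: compare whole tokens so
     * that an entry merely containing the responder's name is not a hit. */
    ret = split_on_separator(tmp_ctx, services, ',', true, true,
                             &list, &count);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "split_on_separator() failed [%d][%s]\n",
              ret, sss_strerror(ret));
        goto done;
    }

    ret = EOK;
    for (i = 0; i < count; i++) {
        if (strcmp(list[i], responder) == 0) {
            ret = EEXIST;
            break;
        }
    }
    /* … unchanged: done: cleanup and return … */

    /* … in main(), unchanged: option parsing … */
    ret = check_socket_activated_responder(responder);
    if (ret == EEXIST) {
        /* … unchanged: the "Misconfiguration found" message … */
        goto done;
    } else if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Unable to check the services line in %s [%d][%s]\n",
              SSSD_CONFIG_FILE, ret, sss_strerror(ret));
        goto done;
    }
```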