authorFabiano Fidêncio <fidencio@redhat.com>2016-11-17 01:03:13 +0100
committerLukas Slebodnik <lslebodn@redhat.com>2017-01-23 18:46:37 +0100
commitf37e795cd16310759dc9741c1ab1323b287a9101 (patch)
treeac767be2413917d0a8bcd4514527660650a80149
parentb33c275ebac86695f7a2fa866e5766d469e2c578 (diff)
SUDO: Make Sudo responder socket-activatable
As part of the effort of making all responders socket-activatable, let's make the Sudo responder ready for this by providing its systemd units. In case administrators want to use the Sudo responder taking advantage of socket activation, they will need to enable sssd-sudo.socket; after a restart of the sssd service, the Sudo socket will be ready, waiting for any activity in order to start the Sudo responder. Also, the Sudo responder must be removed from the services line in sssd.conf. The Sudo responder service is bound to the SSSD service, which means that the responder will be restarted in case SSSD is restarted and shut down in case SSSD is shut down or crashes. Related: https://fedorahosted.org/sssd/ticket/2243 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-rw-r--r--Makefile.am24
-rw-r--r--contrib/sssd.spec.in6
-rw-r--r--src/responder/sudo/sudosrv.c1
-rw-r--r--src/sysv/systemd/sssd-sudo.service.in16
-rw-r--r--src/sysv/systemd/sssd-sudo.socket.in12
5 files changed, 59 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index 3d38f3de3..9b97c881d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3962,6 +3962,12 @@ if BUILD_SSH
src/sysv/systemd/sssd-ssh.service \
$(NULL)
endif
+if BUILD_SUDO
+ systemdunit_DATA += \
+ src/sysv/systemd/sssd-sudo.socket \
+ src/sysv/systemd/sssd-sudo.service \
+ $(NULL)
+endif
if WITH_JOURNALD
systemdconf_DATA += \
src/sysv/systemd/journal.conf
@@ -4042,6 +4048,12 @@ EXTRA_DIST += \
src/sysv/systemd/sssd-ssh.service.in \
$(NULL)
endif
+if BUILD_SUDO
+EXTRA_DIST += \
+ src/sysv/systemd/sssd-sudo.socket.in \
+ src/sysv/systemd/sssd-sudo.service.in \
+ $(NULL)
+endif
src/sysv/systemd/sssd.service: src/sysv/systemd/sssd.service.in Makefile
@$(MKDIR_P) src/sysv/systemd/
@@ -4109,6 +4121,16 @@ src/sysv/systemd/sssd-ssh.service: src/sysv/systemd/sssd-ssh.service.in Makefile
$(replace_script)
endif
+if BUILD_SUDO
+src/sysv/systemd/sssd-sudo.socket: src/sysv/systemd/sssd-sudo.socket.in Makefile
+ @$(MKDIR_P) src/sysv/systemd/
+ $(replace_script)
+
+src/sysv/systemd/sssd-sudo.service: src/sysv/systemd/sssd-sudo.service.in Makefile
+ @$(MKDIR_P) src/sysv/systemd/
+ $(replace_script)
+endif
+
SSSD_USER_DIRS = \
$(DESTDIR)$(dbpath) \
$(DESTDIR)$(keytabdir) \
@@ -4339,6 +4361,8 @@ endif
rm -f $(builddir)/src/sysv/systemd/sssd-pam.service
rm -f $(builddir)/src/sysv/systemd/sssd-ssh.socket
rm -f $(builddir)/src/sysv/systemd/sssd-ssh.service
+ rm -f $(builddir)/src/sysv/systemd/sssd-sudo.socket
+ rm -f $(builddir)/src/sysv/systemd/sssd-sudo.service
rm -f $(builddir)/src/sysv/systemd/sssd-secrets.socket
rm -f $(builddir)/src/sysv/systemd/sssd-secrets.service
rm -f $(builddir)/src/sysv/systemd/journal.conf
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 786141aa4..0430f425a 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -810,6 +810,8 @@ done
%{_unitdir}/sssd-pam.service
%{_unitdir}/sssd-ssh.socket
%{_unitdir}/sssd-ssh.service
+%{_unitdir}/sssd-sudo.socket
+%{_unitdir}/sssd-sudo.service
%{_unitdir}/sssd-secrets.socket
%{_unitdir}/sssd-secrets.service
%else
@@ -1151,6 +1153,7 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
%systemd_post sssd-pam-priv.socket
%systemd_post sssd-secrets.socket
%systemd_post sssd-ssh.socket
+%systemd_post sssd-sudo.socket
%preun common
%systemd_preun sssd.service
@@ -1161,6 +1164,7 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
%systemd_preun sssd-pam-priv.socket
%systemd_preun sssd-secrets.socket
%systemd_preun sssd-ssh.socket
+%systemd_preun sssd-sudo.socket
%postun common
%systemd_postun_with_restart sssd.service
@@ -1177,6 +1181,8 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
%systemd_postun_with_restart sssd-secrets.service
%systemd_postun_with_restart sssd-ssh.socket
%systemd_postun_with_restart sssd-ssh.service
+%systemd_postun_with_restart sssd-sudo.socket
+%systemd_postun_with_restart sssd-sudo.service
%else
# sysv
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
index 2a82cee3d..b427878d4 100644
--- a/src/responder/sudo/sudosrv.c
+++ b/src/responder/sudo/sudosrv.c
@@ -176,6 +176,7 @@ int main(int argc, const char *argv[])
POPT_AUTOHELP
SSSD_MAIN_OPTS
SSSD_SERVER_OPTS(uid, gid)
+ SSSD_RESPONDER_OPTS
POPT_TABLEEND
};
diff --git a/src/sysv/systemd/sssd-sudo.service.in b/src/sysv/systemd/sssd-sudo.service.in
new file mode 100644
index 000000000..5b736e8b5
--- /dev/null
+++ b/src/sysv/systemd/sssd-sudo.service.in
@@ -0,0 +1,16 @@
+[Unit]
+Description=SSSD Sudo Service responder
+Documentation=man:sssd.conf(5) man:sssd-sudo(5)
+After=sssd.service
+BindsTo=sssd.service
+
+[Install]
+Also=sssd-sudo.socket
+
+[Service]
+ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_sudo.log
+ExecStart=@libexecdir@/sssd/sssd_sudo --debug-to-files --socket-activated
+Restart=on-failure
+User=@SSSD_USER@
+Group=@SSSD_USER@
+PermissionsStartOnly=true
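Review bot: The `ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_sudo.log` line runs as root (because of `PermissionsStartOnly=true`) and coreutils chown dereferences symlinks by default, so if @logpath@ is writable by @SSSD_USER@ — which this diff does not show either way — a compromised responder could replace sssd_sudo.log with a symlink and have an arbitrary root-owned file chown'd to the service account on the next activation. Changing the line to `ExecStartPre=-/bin/chown -h @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_sudo.log` limits the effect to the link itself, and a regular log file behaves the same with `-h`. If the sibling responder units (sssd-ssh.service and the others referenced in the Makefile hunks) carry the same ExecStartPre, they would want the same treatment, but they are outside this diff. A comment above the line such as `# runs as root (PermissionsStartOnly); -h stops a symlinked log file from redirecting the chown` would record the intent for the next maintainer.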
diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
new file mode 100644
index 000000000..0b6c0d9c1
--- /dev/null
+++ b/src/sysv/systemd/sssd-sudo.socket.in
@@ -0,0 +1,12 @@
+[Unit]
+Description=SSSD Sudo Service responder socket
+Documentation=man:sssd.conf(5)
+BindsTo=sssd.service
+
+[Socket]
+ListenStream=@pipepath@/sudo
+SocketUser=@SSSD_USER@
+SocketGroup=@SSSD_USER@
+
+[Install]
+WantedBy=sssd.service
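Review bot: The [Socket] section sets `SocketUser`/`SocketGroup` but no `SocketMode`, so when socket-activated systemd creates @pipepath@/sudo with its default mode (0666) regardless of whatever mode the responder applies when it creates the socket itself on the non-activated path; that code is not in this diff, so I cannot confirm whether the two agree. Pinning it explicitly, `SocketMode=0666` if that is indeed what sssd_sudo uses, or the tighter value if it does not, makes the exposure of the sudo responder socket a deliberate and reviewable choice rather than an inherited default. A one-line comment next to it, `# must match the mode sssd_sudo applies when it binds the socket itself`, would keep the two paths from drifting apart.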