author | Fabiano Fidêncio <fidencio@redhat.com> | 2016-11-17 01:03:13 +0100 |
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2017-01-23 18:46:37 +0100 |
commit | f37e795cd16310759dc9741c1ab1323b287a9101 (patch) | |
tree | ac767be2413917d0a8bcd4514527660650a80149 | |
parent | b33c275ebac86695f7a2fa866e5766d469e2c578 (diff) | |
SUDO: Make Sudo responder socket-activatable
As part of the effort of making all responders socket-activatable, let's
make the Sudo responder ready for this by providing its systemd units.
In case administrators want to use the Sudo responder taking advantage
of socket activation, they will need to enable sssd-sudo.socket and,
after a restart of the sssd service, the Sudo socket will be ready,
waiting for any activity in order to start the Sudo responder. Also,
the Sudo responder must be removed from the services line in sssd.conf.
The Sudo responder service is bound to the SSSD service, which means
that the responder will be restarted in case SSSD is restarted and
shut down in case SSSD is shut down or crashes.
Related:
https://fedorahosted.org/sssd/ticket/2243
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-rw-r--r-- | Makefile.am | 24 | ||||
-rw-r--r-- | contrib/sssd.spec.in | 6 | ||||
-rw-r--r-- | src/responder/sudo/sudosrv.c | 1 | ||||
-rw-r--r-- | src/sysv/systemd/sssd-sudo.service.in | 16 | ||||
-rw-r--r-- | src/sysv/systemd/sssd-sudo.socket.in | 12 |
5 files changed, 59 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index 3d38f3de3..9b97c881d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3962,6 +3962,12 @@ if BUILD_SSH
 src/sysv/systemd/sssd-ssh.service \
 $(NULL)
 endif
+if BUILD_SUDO
+ systemdunit_DATA += \
+ src/sysv/systemd/sssd-sudo.socket \
+ src/sysv/systemd/sssd-sudo.service \
+ $(NULL)
+endif
 if WITH_JOURNALD
 systemdconf_DATA += \
 src/sysv/systemd/journal.conf
@@ -4042,6 +4048,12 @@ EXTRA_DIST += \
 src/sysv/systemd/sssd-ssh.service.in \
 $(NULL)
 endif
+if BUILD_SUDO
+EXTRA_DIST += \
+ src/sysv/systemd/sssd-sudo.socket.in \
+ src/sysv/systemd/sssd-sudo.service.in \
+ $(NULL)
+endif
 
 src/sysv/systemd/sssd.service: src/sysv/systemd/sssd.service.in Makefile
 @$(MKDIR_P) src/sysv/systemd/
@@ -4109,6 +4121,16 @@ src/sysv/systemd/sssd-ssh.service: src/sysv/systemd/sssd-ssh.service.in Makefile
 $(replace_script)
 endif
 
+if BUILD_SUDO
+src/sysv/systemd/sssd-sudo.socket: src/sysv/systemd/sssd-sudo.socket.in Makefile
+ @$(MKDIR_P) src/sysv/systemd/
+ $(replace_script)
+
+src/sysv/systemd/sssd-sudo.service: src/sysv/systemd/sssd-sudo.service.in Makefile
+ @$(MKDIR_P) src/sysv/systemd/
+ $(replace_script)
+endif
+
 SSSD_USER_DIRS = \
 $(DESTDIR)$(dbpath) \
 $(DESTDIR)$(keytabdir) \
@@ -4339,6 +4361,8 @@ endif
 rm -f $(builddir)/src/sysv/systemd/sssd-pam.service
 rm -f $(builddir)/src/sysv/systemd/sssd-ssh.socket
 rm -f $(builddir)/src/sysv/systemd/sssd-ssh.service
+ rm -f $(builddir)/src/sysv/systemd/sssd-sudo.socket
+ rm -f $(builddir)/src/sysv/systemd/sssd-sudo.service
 rm -f $(builddir)/src/sysv/systemd/sssd-secrets.socket
 rm -f $(builddir)/src/sysv/systemd/sssd-secrets.service
 rm -f $(builddir)/src/sysv/systemd/journal.conf
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 786141aa4..0430f425a 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -810,6 +810,8 @@ done
 %{_unitdir}/sssd-pam.service
 %{_unitdir}/sssd-ssh.socket
 %{_unitdir}/sssd-ssh.service
+%{_unitdir}/sssd-sudo.socket
+%{_unitdir}/sssd-sudo.service
 %{_unitdir}/sssd-secrets.socket
 %{_unitdir}/sssd-secrets.service
 %else
@@ -1151,6 +1153,7 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
 %systemd_post sssd-pam-priv.socket
 %systemd_post sssd-secrets.socket
 %systemd_post sssd-ssh.socket
+%systemd_post sssd-sudo.socket
 
 %preun common
 %systemd_preun sssd.service
@@ -1161,6 +1164,7 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
 %systemd_preun sssd-pam-priv.socket
 %systemd_preun sssd-secrets.socket
 %systemd_preun sssd-ssh.socket
+%systemd_preun sssd-sudo.socket
 
 %postun common
 %systemd_postun_with_restart sssd.service
@@ -1177,6 +1181,8 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
 %systemd_postun_with_restart sssd-secrets.service
 %systemd_postun_with_restart sssd-ssh.socket
 %systemd_postun_with_restart sssd-ssh.service
+%systemd_postun_with_restart sssd-sudo.socket
+%systemd_postun_with_restart sssd-sudo.service
 %else
 # sysv
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
index 2a82cee3d..b427878d4 100644
--- a/src/responder/sudo/sudosrv.c
+++ b/src/responder/sudo/sudosrv.c
@@ -176,6 +176,7 @@ int main(int argc, const char *argv[])
 POPT_AUTOHELP
 SSSD_MAIN_OPTS
 SSSD_SERVER_OPTS(uid, gid)
+ SSSD_RESPONDER_OPTS
 POPT_TABLEEND
 };
 
diff --git a/src/sysv/systemd/sssd-sudo.service.in b/src/sysv/systemd/sssd-sudo.service.in
new file mode 100644
index 000000000..5b736e8b5
--- /dev/null
+++ b/src/sysv/systemd/sssd-sudo.service.in
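Review bot: Adding `SSSD_RESPONDER_OPTS` to the option table is the only code change in this commit, so nothing visible here detects the misconfiguration the commit message warns about: if `sudo` is left in the `services=` line while `sssd-sudo.socket` is enabled, a monitor-started `sssd_sudo` and a socket-activated one would presumably both try to own `@pipepath@/sudo`. The macro presumably supplies the `--socket-activated` flag the new unit passes, and the shared responder code that consumes it is where a clear error for that conflicting configuration belongs; please confirm it logs one rather than failing with a generic bind error. A one-line comment above the macro, `/* --socket-activated: accept the listening fd handed over by systemd */`, would also help a reader of this table. `main()` starts and ends outside the hunk.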
@@ -0,0 +1,16 @@
+[Unit]
+Description=SSSD Sudo Service responder
+Documentation=man:sssd.conf(5) man:sssd-sudo(5)
+After=sssd.service
+BindsTo=sssd.service
+
+[Install]
+Also=sssd-sudo.socket
+
+[Service]
+ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_sudo.log
+ExecStart=@libexecdir@/sssd/sssd_sudo --debug-to-files --socket-activated
+Restart=on-failure
+User=@SSSD_USER@
+Group=@SSSD_USER@
+PermissionsStartOnly=true
diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
new file mode 100644
index 000000000..0b6c0d9c1
--- /dev/null
+++ b/src/sysv/systemd/sssd-sudo.socket.in
@@ -0,0 +1,12 @@
+[Unit]
+Description=SSSD Sudo Service responder socket
+Documentation=man:sssd.conf(5)
+BindsTo=sssd.service
+
+[Socket]
+ListenStream=@pipepath@/sudo
+SocketUser=@SSSD_USER@
+SocketGroup=@SSSD_USER@
+
+[Install]
+WantedBy=sssd.service
|
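Review bot: `ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_sudo.log` runs as root because of `PermissionsStartOnly=true`, and `chown` follows symlinks, so if `@logpath@` is ever writable by `@SSSD_USER@` a symlink planted at that name would hand ownership of an arbitrary file to the service account; whether that directory is root-owned is not visible in this commit. Passing `-h` (`ExecStartPre=-/bin/chown -h @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_sudo.log`) closes that window at no cost, since on a regular log file it behaves identically. The unit also carries no sandboxing directives (`ProtectSystem=`, `PrivateTmp=`, `NoNewPrivileges=`); that presumably matches the sibling responder units, but a responder that drops to `@SSSD_USER@` anyway is a good candidate to add them to, ideally across all responder units in one change.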
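Review bot: The socket unit sets `SocketUser=`/`SocketGroup=` but no `SocketMode=`, so systemd creates `@pipepath@/sudo` with its default mode 0666 and any local user can connect; that may well be intended for a socket the sudo client queries, but the mode the responder applies when it creates the socket itself (the non-activated path) is not visible here and the two must agree, so state it explicitly with `SocketMode=0666` or whatever tighter mode that path uses. `BindsTo=sssd.service` without `After=sssd.service` is also weaker than the pairing the service unit uses: systemd's documentation recommends combining the two, and without `After=` the socket can be active while sssd.service never came up. Adding `After=sssd.service` under `[Unit]` makes the socket follow sssd.service the way the commit message describes.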