authorSumit Bose <sbose@redhat.com>2015-10-30 16:29:31 +0100
committerJakub Hrozek <jhrozek@redhat.com>2015-11-20 14:56:34 +0100
commit3be9e26dcd169d44ae105f1b8a0674464c700b77 (patch)
tree5b7a6c35bd3a9b2b1e2dbf104fb6e60e69fafd50 /contrib
parentaedc71fe8360a51785933523f14bb5c4e7e2c38b (diff)
p11: allow p11_child to run completely unprivileged
The only operation of p11_child which requires special privileges is the communication with pcscd, which handles the Smartcard access. pcscd uses policy-kit for access control, so access can easily be configured by dropping config snippets into the right directory. If SSSD is configured to run as an unprivileged user, this patch creates the needed config snippet for policy-kit and installs it in a suitable directory. As a result p11_child does not have to be installed with SETUID or SETGID bits set. Resolves https://fedorahosted.org/sssd/ticket/2755 by making it obsolete Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'contrib')
-rw-r--r--contrib/sssd-pcsc.rules.in15
-rw-r--r--contrib/sssd.spec.in13
2 files changed, 27 insertions, 1 deletions
diff --git a/contrib/sssd-pcsc.rules.in b/contrib/sssd-pcsc.rules.in
new file mode 100644
index 000000000..31d2dbe4f
--- /dev/null
+++ b/contrib/sssd-pcsc.rules.in
@@ -0,0 +1,15 @@
+// Please put this file in /usr/share/polkit-1/rules.d/ if SSSD is running as
+// unprivileged user '@SSSD_USER@' to allow access to the Smartcard via pcscd.
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.debian.pcsc-lite.access_card" &&
+ subject.user == "@SSSD_USER@") {
+ return polkit.Result.YES;
+ }
+});
+
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
+ subject.user == "@SSSD_USER@") {
+ return polkit.Result.YES;
+ }
+});
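Review bot: Both rules match on `subject.user` alone, so the unconditional `polkit.Result.YES` applies to every process running as '@SSSD_USER@', not only to p11_child, and the header comment does not say that. I would add a line such as `// Note: this grants pcscd access to every process running as '@SSSD_USER@', not just p11_child.` so an administrator installing the file knows the scope of the grant. As a style point, the two `addRule` calls differ only in the action id and could be a single rule testing `action.id === "org.debian.pcsc-lite.access_card" || action.id === "org.debian.pcsc-lite.access_pcsc"`, with strict `===` in place of `==`.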
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index e0367e460..cff77b29e 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -19,6 +19,12 @@
%global use_systemd 1
%endif
+# on Fedora and RHEL7 p11_child needs a polkit config snippet to be allowed to
+# talk to pcscd if SSSD runs as unpriviledged user
+%if (0%{?fedora} || 0%{?rhel} >= 7)
+ %global install_pcscd_polkit_rule 1
+%endif
+
%if (0%{?use_systemd} == 1)
%global with_initscript --with-initscript=systemd --with-systemdunitdir=%{_unitdir}
%global with_syslog --with-syslog=journald
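Review bot: The new comment misspells "unprivileged" as `unpriviledged`, and it describes a runtime condition (SSSD running as an unprivileged user) that the `%if` does not test, since the macro is keyed on the distribution version only. I would reword it to `# on Fedora and RHEL7 install the polkit snippet that lets p11_child talk to pcscd when SSSD runs as an unprivileged user`, which makes clear that the rule is always shipped on those releases.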
@@ -559,6 +565,7 @@ autoreconf -ivf
--enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
--disable-static \
--disable-rpath \
+ --with-sssd-user=sssd \
%{with_initscript} \
%{?with_syslog} \
%{?with_cifs_utils_plugin_option} \
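Review bot: The account name `sssd` is hard-coded in the added `--with-sssd-user=sssd` line, and the generated polkit rule is presumably filled from this value through `@SSSD_USER@`. If the account created by the package scriptlets (not visible in this hunk) ever differs, the rule matches no user and smartcard access fails silently now that the setuid bit is gone. Defining the name once, e.g. `%global sssd_user sssd` and passing `--with-sssd-user=%{sssd_user}`, would keep the two in step. The configure invocation starts and ends outside this hunk.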
@@ -684,7 +691,11 @@ rm -rf $RPM_BUILD_ROOT
%{_libexecdir}/%{servicename}/sssd_autofs
%{_libexecdir}/%{servicename}/sssd_ssh
%{_libexecdir}/%{servicename}/sssd_sudo
-%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/p11_child
+%{_libexecdir}/%{servicename}/p11_child
+
+%if (0%{?install_pcscd_polkit_rule} == 1)
+%{_datadir}/polkit-1/rules.d/*
+%endif
%dir %{_libdir}/%{name}
%{_libdir}/%{name}/libsss_simple.so
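Review bot: The added `%{_datadir}/polkit-1/rules.d/*` glob makes the package own whatever ends up in that directory in the build root, so an unintended authorization rule would be shipped without anyone noticing. Naming the file explicitly, `%{_datadir}/polkit-1/rules.d/<installed-rule-file>.rules` (placeholder, the installed name is not shown on this page), keeps the set of shipped polkit rules reviewable. Also note that the `%attr(4750,root,sssd)` line is dropped unconditionally, while the rule is only packaged when `install_pcscd_polkit_rule` is 1. On a build where that macro is unset, p11_child appears to have neither the setuid bit nor a polkit grant, so it is worth confirming that this combination is intended.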