author | Sumit Bose <sbose@redhat.com> | 2015-10-30 16:29:31 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-11-20 14:56:34 +0100 |
commit | 3be9e26dcd169d44ae105f1b8a0674464c700b77 (patch) | |
tree | 5b7a6c35bd3a9b2b1e2dbf104fb6e60e69fafd50 /contrib | |
parent | aedc71fe8360a51785933523f14bb5c4e7e2c38b (diff) | |
p11: allow p11_child to run completely unprivileged
The only operation of p11_child which requires special privileges is the
communication to pcscd which handles the Smartcard access. pcscd uses
policy-kit for access control so access can easily be configured by
dropping config snippets into the right directory.
If SSSD is configured to run as un-privileged user this patch creates
the needed config snippet for policy-kit and installs it in a suitable
directory. As a result p11_child does not have to be installed with
SETUID or SETGID bits set.
Resolves https://fedorahosted.org/sssd/ticket/2755 by making it obsolete
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/sssd-pcsc.rules.in | 15 | ||||
-rw-r--r-- | contrib/sssd.spec.in | 13 |
2 files changed, 27 insertions, 1 deletions
diff --git a/contrib/sssd-pcsc.rules.in b/contrib/sssd-pcsc.rules.in
new file mode 100644
index 000000000..31d2dbe4f
--- /dev/null
+++ b/contrib/sssd-pcsc.rules.in
@@ -0,0 +1,15 @@
+// Please put this file in /usr/share/polkit-1/rules.d/ if SSSD is running as
+// unprivileged user '@SSSD_USER@' to allow access to the Smartcard via pcscd.
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.debian.pcsc-lite.access_card" &&
+ subject.user == "@SSSD_USER@") {
+ return polkit.Result.YES;
+ }
+});
+
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
+ subject.user == "@SSSD_USER@") {
+ return polkit.Result.YES;
+ }
+});
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index e0367e460..cff77b29e 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -19,6 +19,12 @@
 %global use_systemd 1
 %endif
 
+# on Fedora and RHEL7 p11_child needs a polkit config snippet to be allowed to
+# talk to pcscd if SSSD runs as unpriviledged user
+%if (0%{?fedora} || 0%{?rhel} >= 7)
+ %global install_pcscd_polkit_rule 1
+%endif
+
 %if (0%{?use_systemd} == 1)
 %global with_initscript --with-initscript=systemd --with-systemdunitdir=%{_unitdir}
 %global with_syslog --with-syslog=journald
@@ -559,6 +565,7 @@ autoreconf -ivf
 --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
 --disable-static \
 --disable-rpath \
+ --with-sssd-user=sssd \
 %{with_initscript} \
 %{?with_syslog} \
 %{?with_cifs_utils_plugin_option} \
@@ -684,7 +691,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_libexecdir}/%{servicename}/sssd_autofs
 %{_libexecdir}/%{servicename}/sssd_ssh
 %{_libexecdir}/%{servicename}/sssd_sudo
-%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/p11_child
+%{_libexecdir}/%{servicename}/p11_child
+
+%if (0%{?install_pcscd_polkit_rule} == 1)
+%{_datadir}/polkit-1/rules.d/*
+%endif
 
 %dir %{_libdir}/%{name}
 %{_libdir}/%{name}/libsss_simple.so |
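Review bot: Both rules in sssd-pcsc.rules.in key on `subject.user` alone, so every process running as '@SSSD_USER@' gets `polkit.Result.YES` for `org.debian.pcsc-lite.access_card` and `org.debian.pcsc-lite.access_pcsc`, not only p11_child. The trust boundary therefore moves from one helper binary to the whole service account, and the header comment should state that. A line such as `// Grants every process running as '@SSSD_USER@' access to pcscd and to all cards, without further authentication.` would make the scope explicit for administrators reviewing polkit rules. The two `addRule` bodies differ only in the action id and could be a single rule testing both ids, which leaves one place to tighten the condition later.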
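Review bot: The comment added in the first sssd.spec.in hunk says "RHEL7" while the condition `0%{?rhel} >= 7` also matches later releases, and "unpriviledged" is misspelled. Suggested wording: `# on Fedora and RHEL 7 or later p11_child needs a polkit rule to be allowed to` followed by `# talk to pcscd if SSSD runs as an unprivileged user`. The macro is defined only inside the `%if`, which the `0%{?install_pcscd_polkit_rule} == 1` test in the %files hunk tolerates.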
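Review bot: In the %files hunk, `%{_datadir}/polkit-1/rules.d/*` packages whatever lands in that buildroot directory rather than the one rule this commit ships, so a stray or later-added rules file would be owned and installed unnoticed. Naming the file, e.g. `%{_datadir}/polkit-1/rules.d/<installed-rule-file>` (placeholder; the install name is not visible in this diff), keeps the authorization surface reviewable. With `%attr(4750,root,sssd)` removed, p11_child takes its mode and owner from the section defaults or the install step, both outside the hunk; it is worth confirming they leave the binary without setuid/setgid bits and not group- or world-writable. The %files section starts and ends outside the hunk.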