authorSumit Bose <sbose@redhat.com>2015-10-30 16:29:31 +0100
committerJakub Hrozek <jhrozek@redhat.com>2015-11-20 14:56:34 +0100
commit3be9e26dcd169d44ae105f1b8a0674464c700b77 (patch)
tree5b7a6c35bd3a9b2b1e2dbf104fb6e60e69fafd50 /src/p11_child
parentaedc71fe8360a51785933523f14bb5c4e7e2c38b (diff)
p11: allow p11_child to run completely unprivileged
The only operation of p11_child which requires special privileges is the communication with pcscd, which handles the Smartcard access. pcscd uses policy-kit for access control, so access can easily be configured by dropping config snippets into the right directory. If SSSD is configured to run as an un-privileged user, this patch creates the needed config snippet for policy-kit and installs it in a suitable directory. As a result p11_child does not have to be installed with SETUID or SETGID bits set. Resolves https://fedorahosted.org/sssd/ticket/2755 by making it obsolete Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/p11_child')
-rw-r--r--src/p11_child/p11_child_nss.c27
1 files changed, 6 insertions, 21 deletions
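--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -482,10 +482,13 @@ int main(int argc, const char *argv[])
 debug_level = SSSDBG_INVALID;
 /*
- * This child runs as root (setuid(0)), so we need clear environment and
- * set permissions for security reasons.
+ * This child can run as root or as sssd user relying on policy kit to
+ * grant access to pcscd. This means that no setuid or setgid bit must be
+ * set on the binary. We still should make sure to run with a restrictive
+ * umask but do not have to make additional precautions like clearing the
+ * environment. This would allow to use e.g. pkcs11-spy.so for further
+ * debugging.
 */
-clearenv();
 umask(SSS_DFL_UMASK);
 pc = poptGetContext(argv[0], argc, argv, long_options, 0);
@@ -582,24 +585,6 @@ int main(int argc, const char *argv[])
 "Running with effective IDs: [%"SPRIuid"][%"SPRIgid"].\n",
 geteuid(), getegid());
-if (getuid() != 0) {
-ret = setuid(0);
-if (ret == -1) {
-ret = errno;
-DEBUG(SSSDBG_CRIT_FAILURE,
-"setuid failed: %d, p11_child might not work!\n", ret);
-}
-}
-
-if (getgid() != 0) {
-ret = setgid(0);
-if (ret == -1) {
-ret = errno;
-DEBUG(SSSDBG_CRIT_FAILURE,
-"setgid failed: %d, p11_child might not work!\n", ret);
-}
-}
-
 DEBUG(SSSDBG_TRACE_INTERNAL,
 "Running with real IDs [%"SPRIuid"][%"SPRIgid"].\n",
 getuid(), getgid());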
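Review bot: The first hunk drops clearenv() on the strength of the new comment's statement that the binary must not carry a setuid/setgid bit, but nothing in main checks that precondition; a build or package that still installs the bit would now run privileged with the caller's full environment, which the comment itself notes influences which PKCS#11 module gets loaded. A runtime guard next to the umask call would make the comment's assumption enforceable, e.g. `if (getuid() != geteuid() || getgid() != getegid()) { DEBUG(SSSDBG_CRIT_FAILURE, "p11_child must not run setuid/setgid\n"); ... }` followed by the function's normal failure exit, which is outside the hunk. The comment's last sentence would also read better as `* environment; this allows e.g. pkcs11-spy.so to be used for further debugging.`. main begins before the first hunk and ends after the second.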