From 3be9e26dcd169d44ae105f1b8a0674464c700b77 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Fri, 30 Oct 2015 16:29:31 +0100
Subject: p11: allow p11_child to run completely unprivileged

To only operation of p11_child which requires special privileges is the communication to pcscd which handles the Smartcard access. pcscd uses policy-kit for access control so access can easily be configured by dropping config snippets into the right directory. If SSSD is configured to run as un-privileged user this patch creates the needed config snippet for policy-kit and installs it in a suitable directory. As a result p11_child does not have to be installed with SETUID or SETGID bits set.

Resolves https://fedorahosted.org/sssd/ticket/2755 by making it obsolete

Reviewed-by: Jakub Hrozek
---
 src/p11_child/p11_child_nss.c | 27 ++++++---------------------
 1 file changed, 6 insertions(+), 21 deletions(-)

(limited to 'src/p11_child')

diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 8a383a044..41d9fd11f 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -482,10 +482,13 @@ int main(int argc, const char *argv[])
     debug_level = SSSDBG_INVALID;
     /*
-     * This child runs as root (setuid(0)), so we need clear environment and
-     * set permissions for security reasons.
+     * This child can run as root or as sssd user relying on policy kit to
+     * grant access to pcscd. This means that no setuid or setgid bit must be
+     * set on the binary. We still should make sure to run with a restrictive
+     * umask but do not have to make additional precautions like clearing the
+     * environment. This would allow to use e.g. pkcs11-spy.so for further
+     * debugging.
      */
-    clearenv();
     umask(SSS_DFL_UMASK);
     pc = poptGetContext(argv[0], argc, argv, long_options, 0);
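Review bot: The new comment in this hunk states that no setuid or setgid bit must be set on the binary, but nothing in the code enforces that while the `clearenv()` call is removed at the same time, so a p11_child that is ever installed setuid again (older packaging, or an admin restoring the bit to reach pcscd) will run with whatever environment its caller hands it. The dynamic loader presumably drops LD_PRELOAD-style variables in that case, but application-level variables such as the ones the suggested pkcs11-spy.so module itself reads are not scrubbed, so a caller could steer a privileged child. A small guard keeps the old behaviour only when the stated invariant is broken: `if (getuid() != geteuid() || getgid() != getegid()) {` / `    clearenv(); /* running setuid/setgid, contrary to the comment above */` / `}` placed before the `umask(SSS_DFL_UMASK);` line. main() starts and ends outside this hunk.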
@@ -582,24 +585,6 @@ int main(int argc, const char *argv[])
           "Running with effective IDs: [%"SPRIuid"][%"SPRIgid"].\n",
           geteuid(), getegid());
-    if (getuid() != 0) {
-        ret = setuid(0);
-        if (ret == -1) {
-            ret = errno;
-            DEBUG(SSSDBG_CRIT_FAILURE,
-                  "setuid failed: %d, p11_child might not work!\n", ret);
-        }
-    }
-
-    if (getgid() != 0) {
-        ret = setgid(0);
-        if (ret == -1) {
-            ret = errno;
-            DEBUG(SSSDBG_CRIT_FAILURE,
-                  "setgid failed: %d, p11_child might not work!\n", ret);
-        }
-    }
-
     DEBUG(SSSDBG_TRACE_INTERNAL,
           "Running with real IDs [%"SPRIuid"][%"SPRIgid"].\n",
           getuid(), getgid());
-- cgit