IFP: allow running under non-root user

SSSD · Aug 7, 2023 · 27a1b8c · 27a1b8c
1 parent 91d32fe
commit 27a1b8c
Show file tree

Hide file tree

Showing 6 changed files with 12 additions and 29 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -92,7 +92,6 @@ deskprofilepath = $(sss_statedir)/deskprofile
 if HAVE_SYSTEMD_UNIT
 ifp_exec_cmd = $(sssdlibexecdir)/sssd_ifp --uid 0 --gid 0 --dbus-activated
 ifp_systemdservice = SystemdService=sssd-ifp.service
-ifp_restart = Restart=on-failure
 # SSSD requires a configuration file (either /etc/sssd/sssd.conf,
 # or some snippet under /etc/sssd/sssd.conf.d/) to be present.
 condconfigexists = ConditionPathExists=\|/etc/sssd/sssd.conf\nConditionDirectoryNotEmpty=\|/etc/sssd/conf.d/
@@ -107,7 +106,6 @@ endif
 else
 ifp_exec_cmd = $(sssdlibexecdir)/sss_signal
 ifp_systemdservice =
-ifp_restart =
 endif
 
 secdbpath = @secdbpath@
@@ -1742,12 +1740,12 @@ dist_dbusservice_DATA = \
 
 EXTRA_DIST += \
     src/responder/ifp/org.freedesktop.sssd.infopipe.service.in \
+    src/responder/ifp/org.freedesktop.sssd.infopipe.conf.in \
     $(NULL)
 
 ifp_edit_cmd = $(edit_cmd) \
         -e 's|@ifp_exec_cmd[@]|$(ifp_exec_cmd)|g' \
-        -e 's|@ifp_systemdservice[@]|$(ifp_systemdservice)|g' \
-        -e 's|@ifp_restart[@]|$(ifp_restart)|g'
+        -e 's|@ifp_systemdservice[@]|$(ifp_systemdservice)|g'
 
 ifp_replace_script = \
     @rm -f $@ $@.tmp; \
@@ -1759,6 +1757,9 @@ ifp_replace_script = \
 src/responder/ifp/org.freedesktop.sssd.infopipe.service: src/responder/ifp/org.freedesktop.sssd.infopipe.service.in Makefile
 	$(ifp_replace_script)
 
+src/responder/ifp/org.freedesktop.sssd.infopipe.conf: src/responder/ifp/org.freedesktop.sssd.infopipe.conf.in Makefile
+	$(replace_script)
+
 endif
 
 if BUILD_KCM
@@ -5589,6 +5590,7 @@ endif
 	done;
 	rm -Rf ldb_mod_test_dir
 	rm -f $(builddir)/src/responder/ifp/org.freedesktop.sssd.infopipe.service
+	rm -f $(builddir)/src/responder/ifp/org.freedesktop.sssd.infopipe.conf
 	rm -f $(builddir)/src/sysv/systemd/sssd.service
 	rm -f $(builddir)/src/sysv/systemd/sssd-autofs.socket
 	rm -f $(builddir)/src/sysv/systemd/sssd-autofs.service

diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
@@ -934,26 +934,13 @@ static int get_monitor_config(struct mt_ctx *ctx)
     return EOK;
 }
 
-/* This is a temporary function that returns false if the service
- * being started was only tested when running as root.
- */
-static bool svc_supported_as_nonroot(const char *svc_name)
-{
-    if (strcmp(svc_name, "ifp") == 0) {
-        return false;
-    }
-    return true;
-}
-
 static int get_service_config(struct mt_ctx *ctx, const char *name,
                               struct mt_svc **svc_cfg)
 {
     int ret;
     char *path;
     struct mt_svc *svc;
     time_t now = time(NULL);
-    uid_t uid = 0;
-    gid_t gid = 0;
 
     *svc_cfg = NULL;
 
@@ -993,11 +980,6 @@ static int get_service_config(struct mt_ctx *ctx, const char *name,
         return ret;
     }
 
-    if (svc_supported_as_nonroot(svc->name)) {
-        uid = ctx->uid;
-        gid = ctx->gid;
-    }
-
     if (!svc->command) {
         svc->command = talloc_asprintf(
             svc, "%s/sssd_%s", SSSD_LIBEXEC_PATH, svc->name
@@ -1009,7 +991,7 @@ static int get_service_config(struct mt_ctx *ctx, const char *name,
 
         svc->command = talloc_asprintf_append(svc->command,
                 " --uid %"SPRIuid" --gid %"SPRIgid,
-                uid, gid);
+                ctx->uid, ctx->gid);
         if (!svc->command) {
             talloc_free(svc);
             return ENOMEM;

diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c
@@ -341,7 +341,7 @@ int main(int argc, const char *argv[])
     debug_log_file = "sssd_ifp";
     DEBUG_INIT(debug_level, opt_logger);
 
-    ret = server_setup("ifp", true, 0, 0, 0,
+    ret = server_setup("ifp", true, 0, uid, gid,
                        CONFDB_IFP_CONF_ENTRY, &main_ctx, true);
     if (ret != EOK) return 2;
 

diff --git a/...er/ifp/org.freedesktop.sssd.infopipe.conf → ...ifp/org.freedesktop.sssd.infopipe.conf.in b/...er/ifp/org.freedesktop.sssd.infopipe.conf → ...ifp/org.freedesktop.sssd.infopipe.conf.in
@@ -7,8 +7,7 @@
   <!-- This configuration file specifies the required security policies
        for the SSSD InfoPipe to work. -->
 
-  <!-- Only root can own (provide) the SSSD service -->
-  <policy user="root">
+  <policy user="@SSSD_USER@">
     <allow own="org.freedesktop.sssd.infopipe"/>
   </policy>
 
@@ -40,7 +39,7 @@
     <allow send_interface="org.freedesktop.sssd.infopipe.Cache.Object"/>
   </policy>
 
-  <policy user="root">
+  <policy user="@SSSD_USER@">
     <allow send_interface="org.freedesktop.sssd.infopipe.Components"/>
   </policy>
 

diff --git a/src/responder/ifp/org.freedesktop.sssd.infopipe.service.in b/src/responder/ifp/org.freedesktop.sssd.infopipe.service.in
@@ -1,5 +1,5 @@
 [D-BUS Service]
 Name=org.freedesktop.sssd.infopipe
 Exec=@ifp_exec_cmd@
-User=root
+User=@SSSD_USER@
 @ifp_systemdservice@
diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in
@@ -11,4 +11,4 @@ Type=dbus
 BusName=org.freedesktop.sssd.infopipe
 ExecStart=@ifp_exec_cmd@ ${DEBUG_LOGGER}
 CapabilityBoundingSet= @additional_caps@ CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETGID CAP_SETUID
-@ifp_restart@
+Restart=on-failure