From 5323dc26df09e7c9cf210b7b725f6514b932784d Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Wed, 2 Aug 2023 19:47:35 +0200 Subject: [PATCH] IFP: allow running under non-root user --- Makefile.am | 8 ++++---- src/monitor/monitor.c | 20 +------------------ src/responder/ifp/ifpsrv.c | 2 +- ... => org.freedesktop.sssd.infopipe.conf.in} | 5 ++--- .../org.freedesktop.sssd.infopipe.service.in | 2 +- src/sysv/systemd/sssd-ifp.service.in | 2 +- 6 files changed, 10 insertions(+), 29 deletions(-) rename src/responder/ifp/{org.freedesktop.sssd.infopipe.conf => org.freedesktop.sssd.infopipe.conf.in} (94%) diff --git a/Makefile.am b/Makefile.am index 11c9a0df2ad..99eb65bf141 100644 --- a/Makefile.am +++ b/Makefile.am @@ -92,7 +92,6 @@ deskprofilepath = $(sss_statedir)/deskprofile if HAVE_SYSTEMD_UNIT ifp_exec_cmd = $(sssdlibexecdir)/sssd_ifp --uid 0 --gid 0 --dbus-activated ifp_systemdservice = SystemdService=sssd-ifp.service -ifp_restart = Restart=on-failure # SSSD requires a configuration file (either /etc/sssd/sssd.conf, # or some snippet under /etc/sssd/sssd.conf.d/) to be present. condconfigexists = ConditionPathExists=\|/etc/sssd/sssd.conf\nConditionDirectoryNotEmpty=\|/etc/sssd/conf.d/ @@ -107,7 +106,6 @@ endif else ifp_exec_cmd = $(sssdlibexecdir)/sss_signal ifp_systemdservice = -ifp_restart = endif secdbpath = @secdbpath@ @@ -1746,8 +1744,7 @@ EXTRA_DIST += \ ifp_edit_cmd = $(edit_cmd) \ -e 's|@ifp_exec_cmd[@]|$(ifp_exec_cmd)|g' \ - -e 's|@ifp_systemdservice[@]|$(ifp_systemdservice)|g' \ - -e 's|@ifp_restart[@]|$(ifp_restart)|g' + -e 's|@ifp_systemdservice[@]|$(ifp_systemdservice)|g' ifp_replace_script = \ @rm -f $@ $@.tmp; \ @@ -1759,6 +1756,9 @@ ifp_replace_script = \ src/responder/ifp/org.freedesktop.sssd.infopipe.service: src/responder/ifp/org.freedesktop.sssd.infopipe.service.in Makefile $(ifp_replace_script) +src/responder/ifp/org.freedesktop.sssd.infopipe.conf: src/responder/ifp/org.freedesktop.sssd.infopipe.conf.in Makefile + $(replace_script) + endif if BUILD_KCM diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c index 0d8500afa12..b8834a13148 100644 --- a/src/monitor/monitor.c +++ b/src/monitor/monitor.c @@ -934,17 +934,6 @@ static int get_monitor_config(struct mt_ctx *ctx) return EOK; } -/* This is a temporary function that returns false if the service - * being started was only tested when running as root. - */ -static bool svc_supported_as_nonroot(const char *svc_name) -{ - if (strcmp(svc_name, "ifp") == 0) { - return false; - } - return true; -} - static int get_service_config(struct mt_ctx *ctx, const char *name, struct mt_svc **svc_cfg) { @@ -952,8 +941,6 @@ static int get_service_config(struct mt_ctx *ctx, const char *name, char *path; struct mt_svc *svc; time_t now = time(NULL); - uid_t uid = 0; - gid_t gid = 0; *svc_cfg = NULL; @@ -993,11 +980,6 @@ static int get_service_config(struct mt_ctx *ctx, const char *name, return ret; } - if (svc_supported_as_nonroot(svc->name)) { - uid = ctx->uid; - gid = ctx->gid; - } - if (!svc->command) { svc->command = talloc_asprintf( svc, "%s/sssd_%s", SSSD_LIBEXEC_PATH, svc->name @@ -1009,7 +991,7 @@ static int get_service_config(struct mt_ctx *ctx, const char *name, svc->command = talloc_asprintf_append(svc->command, " --uid %"SPRIuid" --gid %"SPRIgid, - uid, gid); + ctx->uid, ctx->gid); if (!svc->command) { talloc_free(svc); return ENOMEM; diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c index aaf83251eac..c147cbca10a 100644 --- a/src/responder/ifp/ifpsrv.c +++ b/src/responder/ifp/ifpsrv.c @@ -341,7 +341,7 @@ int main(int argc, const char *argv[]) debug_log_file = "sssd_ifp"; DEBUG_INIT(debug_level, opt_logger); - ret = server_setup("ifp", true, 0, 0, 0, + ret = server_setup("ifp", true, 0, uid, gid, CONFDB_IFP_CONF_ENTRY, &main_ctx, true); if (ret != EOK) return 2; diff --git a/src/responder/ifp/org.freedesktop.sssd.infopipe.conf b/src/responder/ifp/org.freedesktop.sssd.infopipe.conf.in similarity index 94% rename from src/responder/ifp/org.freedesktop.sssd.infopipe.conf rename to src/responder/ifp/org.freedesktop.sssd.infopipe.conf.in index 4437fb3ba54..b5d31883a4a 100644 --- a/src/responder/ifp/org.freedesktop.sssd.infopipe.conf +++ b/src/responder/ifp/org.freedesktop.sssd.infopipe.conf.in @@ -7,8 +7,7 @@ - - + @@ -40,7 +39,7 @@ - + diff --git a/src/responder/ifp/org.freedesktop.sssd.infopipe.service.in b/src/responder/ifp/org.freedesktop.sssd.infopipe.service.in index ee77f41bd56..d22bcb7b424 100644 --- a/src/responder/ifp/org.freedesktop.sssd.infopipe.service.in +++ b/src/responder/ifp/org.freedesktop.sssd.infopipe.service.in @@ -1,5 +1,5 @@ [D-BUS Service] Name=org.freedesktop.sssd.infopipe Exec=@ifp_exec_cmd@ -User=root +User=@SSSD_USER@ @ifp_systemdservice@ diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in index 9095da35344..cc53fe41953 100644 --- a/src/sysv/systemd/sssd-ifp.service.in +++ b/src/sysv/systemd/sssd-ifp.service.in @@ -11,4 +11,4 @@ Type=dbus BusName=org.freedesktop.sssd.infopipe ExecStart=@ifp_exec_cmd@ ${DEBUG_LOGGER} CapabilityBoundingSet= @additional_caps@ CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETGID CAP_SETUID -@ifp_restart@ +Restart=on-failure