IFP: allow running under non-root user

:relnote: Infopipe responder (ifp) can now be run under non-privileged 'sssd' user if SSSD is configured and built `--with-sssd-user=sssd` option. To enable this feature: - for 'monitor' activated 'ifp' service: set `user=sssd` sssd.conf option - for dbus-socket activated 'ifp' service: edit User=/Group= in 'sssd-ifp.service' Additionally, it's also required to edit <policy user> in 'org.freedesktop.sssd.infopipe.conf' to allow 'sssd' user to own 'org.freedesktop.sssd.infopipe' name (for all types of activation).
SSSD · Aug 9, 2023 · aaba9ba · aaba9ba
1 parent fcfffb5
commit aaba9ba
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 31 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -90,9 +90,8 @@ sssdkcmdatadir = $(datadir)/sssd-kcm
 deskprofilepath = $(sss_statedir)/deskprofile
 
 if HAVE_SYSTEMD_UNIT
-ifp_exec_cmd = $(sssdlibexecdir)/sssd_ifp --uid 0 --gid 0 --dbus-activated
+ifp_dbus_exec_cmd = $(sssdlibexecdir)/sssd_ifp --dbus-activated
 ifp_systemdservice = SystemdService=sssd-ifp.service
-ifp_restart = Restart=on-failure
 # SSSD requires a configuration file (either /etc/sssd/sssd.conf,
 # or some snippet under /etc/sssd/sssd.conf.d/) to be present.
 condconfigexists = ConditionPathExists=\|/etc/sssd/sssd.conf\nConditionDirectoryNotEmpty=\|/etc/sssd/conf.d/
@@ -105,9 +104,8 @@ if SSSD_NON_ROOT_USER
 additional_caps = CAP_DAC_OVERRIDE
 endif
 else
-ifp_exec_cmd = $(sssdlibexecdir)/sss_signal
+ifp_dbus_exec_cmd = $(sssdlibexecdir)/sss_signal
 ifp_systemdservice =
-ifp_restart =
 endif
 
 secdbpath = @secdbpath@
@@ -1745,9 +1743,8 @@ EXTRA_DIST += \
     $(NULL)
 
 ifp_edit_cmd = $(edit_cmd) \
-        -e 's|@ifp_exec_cmd[@]|$(ifp_exec_cmd)|g' \
-        -e 's|@ifp_systemdservice[@]|$(ifp_systemdservice)|g' \
-        -e 's|@ifp_restart[@]|$(ifp_restart)|g'
+        -e 's|@ifp_dbus_exec_cmd[@]|$(ifp_dbus_exec_cmd)|g' \
+        -e 's|@ifp_systemdservice[@]|$(ifp_systemdservice)|g'
 
 ifp_replace_script = \
     @rm -f $@ $@.tmp; \

diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
@@ -934,26 +934,13 @@ static int get_monitor_config(struct mt_ctx *ctx)
     return EOK;
 }
 
-/* This is a temporary function that returns false if the service
- * being started was only tested when running as root.
- */
-static bool svc_supported_as_nonroot(const char *svc_name)
-{
-    if (strcmp(svc_name, "ifp") == 0) {
-        return false;
-    }
-    return true;
-}
-
 static int get_service_config(struct mt_ctx *ctx, const char *name,
                               struct mt_svc **svc_cfg)
 {
     int ret;
     char *path;
     struct mt_svc *svc;
     time_t now = time(NULL);
-    uid_t uid = 0;
-    gid_t gid = 0;
 
     *svc_cfg = NULL;
 
@@ -993,11 +980,6 @@ static int get_service_config(struct mt_ctx *ctx, const char *name,
         return ret;
     }
 
-    if (svc_supported_as_nonroot(svc->name)) {
-        uid = ctx->uid;
-        gid = ctx->gid;
-    }
-
     if (!svc->command) {
         svc->command = talloc_asprintf(
             svc, "%s/sssd_%s", SSSD_LIBEXEC_PATH, svc->name
@@ -1009,7 +991,7 @@ static int get_service_config(struct mt_ctx *ctx, const char *name,
 
         svc->command = talloc_asprintf_append(svc->command,
                 " --uid %"SPRIuid" --gid %"SPRIgid,
-                uid, gid);
+                ctx->uid, ctx->gid);
         if (!svc->command) {
             talloc_free(svc);
             return ENOMEM;

diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c
@@ -341,7 +341,7 @@ int main(int argc, const char *argv[])
     debug_log_file = "sssd_ifp";
     DEBUG_INIT(debug_level, opt_logger);
 
-    ret = server_setup("ifp", true, 0, 0, 0,
+    ret = server_setup("ifp", true, 0, uid, gid,
                        CONFDB_IFP_CONF_ENTRY, &main_ctx, true);
     if (ret != EOK) return 2;
 

diff --git a/src/responder/ifp/org.freedesktop.sssd.infopipe.service.in b/src/responder/ifp/org.freedesktop.sssd.infopipe.service.in
@@ -1,5 +1,5 @@
 [D-BUS Service]
 Name=org.freedesktop.sssd.infopipe
-Exec=@ifp_exec_cmd@
+Exec=@ifp_dbus_exec_cmd@
 User=root
 @ifp_systemdservice@
diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in
@@ -9,6 +9,9 @@ Environment=DEBUG_LOGGER=--logger=files
 EnvironmentFile=-@environment_file@
 Type=dbus
 BusName=org.freedesktop.sssd.infopipe
-ExecStart=@ifp_exec_cmd@ ${DEBUG_LOGGER}
+ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_ifp.log
+ExecStart=@libexecdir@/sssd/sssd_ifp ${DEBUG_LOGGER} --dbus-activated
 CapabilityBoundingSet= @additional_caps@ CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETGID CAP_SETUID
-@ifp_restart@
+Restart=on-failure
+User=root
+Group=root
diff --git a/src/util/server.c b/src/util/server.c
@@ -524,7 +524,7 @@ int server_setup(const char *name, bool is_responder,
               sss_strerror(ret), ret);
     }
 
-    if (!is_socket_activated()) {
+    if (!is_socket_activated() && !is_dbus_activated()) {
         ret = chown_debug_file(NULL, uid, gid);
         if (ret != EOK) {
             DEBUG(SSSDBG_MINOR_FAILURE,