From f5aec6a0e341951ecc9b18250dfc54b96fe02ce1 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Wed, 2 Aug 2023 19:47:35 +0200 Subject: [PATCH] IFP: allow running under non-root user :relnote: Infopipe responder (ifp) can now be run under non-privileged 'sssd' user if SSSD is configured and built `--with-sssd-user=sssd` option. As with other components, for 'monitor' activated 'ifp' service feature is enabled by setting `user=sssd` sssd.conf option. For dbus-socket activated 'ifp' service it's a matter of User=/Group= in 'sssd-ifp.service' (configured to 'sssd' by default). --- Makefile.am | 24 +++++++++++++------ src/monitor/monitor.c | 20 +--------------- src/responder/ifp/ifpsrv.c | 2 +- ... => org.freedesktop.sssd.infopipe.conf.in} | 7 +++--- .../org.freedesktop.sssd.infopipe.service.in | 2 +- src/sysv/systemd/sssd-ifp.service.in | 7 ++++-- src/util/server.c | 2 +- 7 files changed, 29 insertions(+), 35 deletions(-) rename src/responder/ifp/{org.freedesktop.sssd.infopipe.conf => org.freedesktop.sssd.infopipe.conf.in} (91%) diff --git a/Makefile.am b/Makefile.am index a3952ce78d2..c33ff226708 100644 --- a/Makefile.am +++ b/Makefile.am @@ -91,9 +91,8 @@ deskprofilepath = $(sss_statedir)/deskprofile if HAVE_SYSTEMD_UNIT ifp_dbus_exec_comment = \# If system is configured to use systemd ifp service ("SystemdService=") then "Exec=" and "User=" options are not used -ifp_exec_cmd = $(sssdlibexecdir)/sssd_ifp --uid 0 --gid 0 --dbus-activated +ifp_dbus_exec_cmd = $(sssdlibexecdir)/sssd_ifp --dbus-activated ifp_systemdservice = SystemdService=sssd-ifp.service -ifp_restart = Restart=on-failure # SSSD requires a configuration file (either /etc/sssd/sssd.conf, # or some snippet under /etc/sssd/sssd.conf.d/) to be present. condconfigexists = ConditionPathExists=\|/etc/sssd/sssd.conf\nConditionDirectoryNotEmpty=\|/etc/sssd/conf.d/ 
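Review bot: With `--uid 0 --gid 0` dropped from `ifp_dbus_exec_cmd` in the `HAVE_SYSTEMD_UNIT` branch, nothing on this command line states which identity a D-Bus-activated `sssd_ifp` runs with. Per the commit message it now follows `User=`/`Group=` in `sssd-ifp.service`, and otherwise whatever `sssd_ifp` defaults to when the options are absent; neither is visible in this hunk. A comment above the assignment would record that, e.g. `# no --uid/--gid here: identity comes from User=/Group= in sssd-ifp.service`. The hunk also removes `ifp_restart`, and the matching sed expression is removed further down, so it is worth confirming that no `.in` template still carries `@ifp_restart@`, which would otherwise be installed as a literal string.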
@@ -107,9 +106,8 @@ additional_caps = CAP_DAC_OVERRIDE endif else ifp_dbus_exec_comment = \# "sss_signal" is used to force SSSD monitor to trigger "sssd_ifp" reconnection to dbus -ifp_exec_cmd = $(sssdlibexecdir)/sss_signal +ifp_dbus_exec_cmd = $(sssdlibexecdir)/sss_signal ifp_systemdservice = -ifp_restart = endif secdbpath = @secdbpath@ @@ -121,6 +119,12 @@ INSTALL = @INSTALL@ SSSD_USER = @SSSD_USER@ +if SSSD_NON_ROOT_USER +ifp_non_root_owner_policy = +else +ifp_non_root_owner_policy = +endif + AM_CFLAGS = if WANT_AUX_INFO @@ -1744,13 +1748,14 @@ dist_dbusservice_DATA = \ EXTRA_DIST += \ src/responder/ifp/org.freedesktop.sssd.infopipe.service.in \ + src/responder/ifp/org.freedesktop.sssd.infopipe.conf.in \ $(NULL) ifp_edit_cmd = $(edit_cmd) \ - -e 's|@ifp_exec_cmd[@]|$(ifp_exec_cmd)|g' \ + -e 's|@ifp_non_root_owner_policy[@]|$(ifp_non_root_owner_policy)|g' \ + -e 's|@ifp_dbus_exec_cmd[@]|$(ifp_dbus_exec_cmd)|g' \ -e 's|@ifp_dbus_exec_comment[@]|$(ifp_dbus_exec_comment)|g' \ - -e 's|@ifp_systemdservice[@]|$(ifp_systemdservice)|g' \ - -e 's|@ifp_restart[@]|$(ifp_restart)|g' + -e 's|@ifp_systemdservice[@]|$(ifp_systemdservice)|g' ifp_replace_script = \ @rm -f $@ $@.tmp; \ @@ -1762,6 +1767,10 @@ ifp_replace_script = \ src/responder/ifp/org.freedesktop.sssd.infopipe.service: src/responder/ifp/org.freedesktop.sssd.infopipe.service.in Makefile $(ifp_replace_script) +src/responder/ifp/org.freedesktop.sssd.infopipe.conf: src/responder/ifp/org.freedesktop.sssd.infopipe.conf.in Makefile + $(ifp_replace_script) + + endif if BUILD_KCM @@ -5592,6 +5601,7 @@ endif done; rm -Rf ldb_mod_test_dir rm -f $(builddir)/src/responder/ifp/org.freedesktop.sssd.infopipe.service + rm -f $(builddir)/src/responder/ifp/org.freedesktop.sssd.infopipe.conf rm -f $(builddir)/src/sysv/systemd/sssd.service rm -f $(builddir)/src/sysv/systemd/sssd-autofs.socket rm -f $(builddir)/src/sysv/systemd/sssd-autofs.service 
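Review bot: In the new `if SSSD_NON_ROOT_USER` block (hunk `@@ -121,6 +119,12 @@`) both branches read `ifp_non_root_owner_policy =` with nothing after it on this page, so the fragment injected into `org.freedesktop.sssd.infopipe.conf` for non-root builds cannot be checked here; the value may simply have been lost in rendering. Judging by its name, the fragment decides which account may own the infopipe bus name, so it should be derived from `$(SSSD_USER)` rather than a literal account and should grant nothing beyond that ownership. It is pasted through `s|...|...|g` in `ifp_edit_cmd`, so it must not contain `|` or an unescaped `&`. A comment above the conditional would help, e.g. `# extra D-Bus policy for the service user; stays empty when SSSD runs as root`.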
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c index 0d8500afa12..b8834a13148 100644 --- a/src/monitor/monitor.c +++ b/src/monitor/monitor.c @@ -934,17 +934,6 @@ static int get_monitor_config(struct mt_ctx *ctx) return EOK; } -/* This is a temporary function that returns false if the service - * being started was only tested when running as root. - */ -static bool svc_supported_as_nonroot(const char *svc_name) -{ - if (strcmp(svc_name, "ifp") == 0) { - return false; - } - return true; -} - static int get_service_config(struct mt_ctx *ctx, const char *name, struct mt_svc **svc_cfg) { @@ -952,8 +941,6 @@ static int get_service_config(struct mt_ctx *ctx, const char *name, char *path; struct mt_svc *svc; time_t now = time(NULL); - uid_t uid = 0; - gid_t gid = 0; *svc_cfg = NULL; @@ -993,11 +980,6 @@ static int get_service_config(struct mt_ctx *ctx, const char *name, return ret; } - if (svc_supported_as_nonroot(svc->name)) { - uid = ctx->uid; - gid = ctx->gid; - } - if (!svc->command) { svc->command = talloc_asprintf( svc, "%s/sssd_%s", SSSD_LIBEXEC_PATH, svc->name @@ -1009,7 +991,7 @@ static int get_service_config(struct mt_ctx *ctx, const char *name, svc->command = talloc_asprintf_append(svc->command, " --uid %"SPRIuid" --gid %"SPRIgid, - uid, gid); + ctx->uid, ctx->gid); if (!svc->command) { talloc_free(svc); return ENOMEM; diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c index aaf83251eac..c147cbca10a 100644 --- a/src/responder/ifp/ifpsrv.c +++ b/src/responder/ifp/ifpsrv.c @@ -341,7 +341,7 @@ int main(int argc, const char *argv[]) debug_log_file = "sssd_ifp"; DEBUG_INIT(debug_level, opt_logger); - ret = server_setup("ifp", true, 0, 0, 0, + ret = server_setup("ifp", true, 0, uid, gid, CONFDB_IFP_CONF_ENTRY, &main_ctx, true); if (ret != EOK) return 2; 
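Review bot: In `src/responder/ifp/ifpsrv.c`, the `uid` and `gid` now passed to `server_setup()` are presumably the values parsed from `--uid`/`--gid` earlier in `main()` (outside this hunk), not the process's effective IDs. The Makefile.am change stops passing those options on the D-Bus-activated command line. If they default to 0, a process that systemd already started as the service user would call `server_setup()` with 0/0; whether that is handled depends on the `src/util/server.c` change listed in the diffstat but not shown on this page. Once confirmed, a one-line comment above the call would record the intent, e.g. `/* uid/gid may be 0 when activated by D-Bus/systemd: identity is set by the unit's User=/Group= */`.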
diff --git a/src/responder/ifp/org.freedesktop.sssd.infopipe.conf b/src/responder/ifp/org.freedesktop.sssd.infopipe.conf.in similarity index 91% rename from src/responder/ifp/org.freedesktop.sssd.infopipe.conf rename to src/responder/ifp/org.freedesktop.sssd.infopipe.conf.in index 4437fb3ba54..759c8d512a3 100644 --- a/src/responder/ifp/org.freedesktop.sssd.infopipe.conf +++ b/src/responder/ifp/org.freedesktop.sssd.infopipe.conf.in @@ -7,10 +7,9 @@ - - - - + + + @ifp_non_root_owner_policy@