Fixes #5536 #7285

Closed
wants to merge 2 commits into from
2 changes: 1 addition & 1 deletion src/monitor/monitor_bootstrap.c
Expand Up @@ -95,7 +95,7 @@ int bootstrap_monitor_process(void)
*/
sss_log(SSS_LOG_WARNING, "'sssd.conf::"CONFDB_MONITOR_USER_RUNAS"' "
"option is deprecated. Run under '"SSSD_USER"' initially instead.");
ret = become_user(target_uid, target_gid); /* drops all caps */
ret = become_user(target_uid, target_gid, false); /* drops all caps */
if (ret != 0) {
sss_log(SSS_LOG_ALERT, "Failed to change uid:gid");
return 1;
2 changes: 1 addition & 1 deletion src/providers/krb5/krb5_child.c
Expand Up @@ -152,7 +152,7 @@ static errno_t k5c_become_user(uid_t uid, gid_t gid, bool is_posix)
"Will not drop privileges for a non-POSIX user\n");
return EOK;
}
return become_user(uid, gid);
return become_user(uid, gid, true);
}

static krb5_error_code set_lifetime_options(struct cli_opts *cli_opts,
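Review bot: Passing `true` here makes this privilege drop reversible: become_user() then leaves the saved set-user-ID untouched, so the child can later switch its effective UID back to the one it was started with (root, if the helper is started as root), and only the capabilities are gone. That is a deliberate difference from every other caller in this PR, which passes `false`, and the reason is not recorded at the call site; I would add `/* keep_set_uid: the saved UID is preserved so the child can switch back later */` (or whatever the actual motivation is, which is not visible from this hunk). k5c_become_user() starts outside the hunk, and the non-POSIX early return just above the call is unchanged.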
16 changes: 1 addition & 15 deletions src/providers/ldap/ldap_child.c
Expand Up @@ -59,8 +59,6 @@ struct input_buffer {
char *keytab_name;
krb5_deltat lifetime;
krb5_context context;
uid_t uid;
gid_t gid;
};

static inline const char *command_to_str(enum ldap_child_command cmd)
Expand Down Expand Up @@ -133,14 +131,6 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
ibuf->lifetime = (krb5_deltat)value;
DEBUG(SSSDBG_TRACE_LIBS, "lifetime: %u\n", ibuf->lifetime);

/* UID and GID to run as */
SAFEALIGN_COPY_UINT32_CHECK(&value, buf + p, size, &p);
ibuf->uid = (uid_t)value;
SAFEALIGN_COPY_UINT32_CHECK(&value, buf + p, size, &p);
ibuf->gid = (gid_t)value;
DEBUG(SSSDBG_FUNC_DATA,
"Will run as [%"SPRIuid"][%"SPRIgid"].\n", ibuf->uid, ibuf->gid);

return EOK;
}

Expand Down Expand Up @@ -956,11 +946,7 @@ static errno_t handle_get_tgt(TALLOC_CTX *mem_ctx,

DEBUG(SSSDBG_TRACE_INTERNAL, "Kerberos context initialized\n");

kerr = become_user(ibuf->uid, ibuf->gid);
if (kerr != 0) {
DEBUG(SSSDBG_CRIT_FAILURE, "become_user() failed.\n");
return kerr;
}
sss_drop_all_caps();

DEBUG(SSSDBG_TRACE_INTERNAL,
"Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid());
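Review bot: With become_user() removed from handle_get_tgt(), ldap_child no longer switches UID/GID or clears its supplementary groups; it keeps whatever identity it was spawned with and only calls sss_drop_all_caps(). That is fine if the helper is always started as the unprivileged sssd user, but the comment deleted from sdap_child_helpers.c described a setuid deployment, and in that case the child would now stay at euid 0 with empty capability sets, which is weaker than the old drop to the backend's uid/gid. I would state the assumption next to the call, `/* No uid switch: ldap_child must already run as the unprivileged user; only capabilities are dropped here */`, and consider a CRIT-level log line if geteuid() is still 0 after the drop. Whether the keytab is opened before or after this point is not visible, as handle_get_tgt() continues outside the hunk.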
6 changes: 0 additions & 6 deletions src/providers/ldap/sdap_child_helpers.c
Expand Up @@ -211,12 +211,6 @@ static errno_t create_child_req_send_buffer(TALLOC_CTX *mem_ctx,
/* lifetime */
SAFEALIGN_SET_UINT32(&buf->data[rp], lifetime, &rp);

/* UID and GID to drop privileges to, if needed. The ldap_child process runs as
* setuid if the back end runs unprivileged as it needs to access the keytab
*/
SAFEALIGN_SET_UINT32(&buf->data[rp], geteuid(), &rp);
SAFEALIGN_SET_UINT32(&buf->data[rp], getegid(), &rp);

*io_buf = buf;
return EOK;
}
4 changes: 2 additions & 2 deletions src/tests/cwrap/test_become_user.c
Expand Up @@ -43,7 +43,7 @@ void test_become_user(void **state)
pid = fork();
if (pid == 0) {
/* Change the UID in a child */
ret = become_user(sssd->pw_uid, sssd->pw_gid);
ret = become_user(sssd->pw_uid, sssd->pw_gid, false);
assert_int_equal(ret, EOK);

/* Make sure we have the requested UID and GID now and there
Expand All @@ -55,7 +55,7 @@ void test_become_user(void **state)
assert_int_equal(getgid(), sssd->pw_gid);

/* Another become_user is a no-op */
ret = become_user(sssd->pw_uid, sssd->pw_gid);
ret = become_user(sssd->pw_uid, sssd->pw_gid, false);
assert_int_equal(ret, EOK);

assert_int_equal(getgroups(0, NULL), 0);
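Review bot: The test still exercises only `keep_set_uid == false`; the new reversible path, where the saved set-user-ID is left unchanged when `true` is passed, has no coverage, and the comment on the second call, `Another become_user is a no-op`, is no longer accurate because become_user() now reaches `done:` and calls sss_drop_all_caps() even when the UID already matches. I would reword that comment to `/* Another become_user only re-drops capabilities */` and add a forked case that calls become_user(uid, gid, true), reads the three UIDs back with getresuid(), and asserts that the real and effective UID changed while the saved UID kept its pre-call value. The expected saved value depends on what uid_wrapper reports before the call, so capture it before the call rather than hard-coding it. test_become_user() starts before the hunk.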
19 changes: 11 additions & 8 deletions src/util/become_user.c
Expand Up @@ -25,10 +25,10 @@
#include "util/util.h"
#include <grp.h>

errno_t become_user(uid_t uid, gid_t gid)
errno_t become_user(uid_t uid, gid_t gid, bool keep_set_uid)
{
uid_t cuid;
int ret;
int ret = EOK;

DEBUG(SSSDBG_FUNC_DATA,
"Trying to become user [%"SPRIuid"][%"SPRIgid"].\n", uid, gid);
Expand All @@ -37,7 +37,7 @@ errno_t become_user(uid_t uid, gid_t gid)
cuid = geteuid();
if (uid == cuid) {
DEBUG(SSSDBG_FUNC_DATA, "Already user [%"SPRIuid"].\n", uid);
return EOK;
goto done;
}

/* drop supplementary groups first */
Expand All @@ -46,7 +46,7 @@ errno_t become_user(uid_t uid, gid_t gid)
ret = errno;
DEBUG(SSSDBG_CRIT_FAILURE,
"setgroups failed [%d][%s].\n", ret, strerror(ret));
return ret;
goto done;
}

/* change GID so that root cannot be regained (changes saved GID too) */
Expand All @@ -55,20 +55,23 @@ errno_t become_user(uid_t uid, gid_t gid)
ret = errno;
DEBUG(SSSDBG_CRIT_FAILURE,
"setresgid failed [%d][%s].\n", ret, strerror(ret));
return ret;
goto done;
}

/* change UID so that root cannot be regained (changes saved UID too) */
/* this call also takes care of dropping CAP_SETUID, so this is a PNR */
ret = setresuid(uid, uid, uid);
ret = setresuid(uid, uid, (keep_set_uid ? -1 : uid));
if (ret == -1) {
ret = errno;
DEBUG(SSSDBG_CRIT_FAILURE,
"setresuid failed [%d][%s].\n", ret, strerror(ret));
return ret;
goto done;
}

return EOK;
done:
sss_drop_all_caps();

return ret;
}

struct sss_creds {
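Review bot: The comments kept above the setresuid() call, `change UID so that root cannot be regained (changes saved UID too)` and `this call also takes care of dropping CAP_SETUID, so this is a PNR`, are no longer true when keep_set_uid is set: the saved set-user-ID is passed as -1 and left unchanged, so the process can later return to that UID with setresuid(-1, saved, -1) without any capability, and the kernel does not clear the capability sets on a setresuid() that leaves one of the three UIDs at 0 — presumably the reason sss_drop_all_caps() was added at `done:`. I would replace those two comment lines with one that says the switch is reversible and does not clear capabilities when keep_set_uid is true, and that sss_drop_all_caps() below is what removes them on every exit path, including the early `Already user` return and the error returns. Spelling the sentinel as `(uid_t)-1` in the ternary, whose result type is uid_t, would also make the intent explicit. The setgroups() and setresgid() calls between the hunks are not visible here.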
2 changes: 1 addition & 1 deletion src/util/util.h
Expand Up @@ -744,7 +744,7 @@ errno_t mod_defaults_list(TALLOC_CTX *mem_ctx, const char **defaults_list,
char **mod_list, char ***_list);

/* from become_user.c */
errno_t become_user(uid_t uid, gid_t gid);
errno_t become_user(uid_t uid, gid_t gid, bool keep_set_uid);
struct sss_creds;
errno_t switch_creds(TALLOC_CTX *mem_ctx,
uid_t uid, gid_t gid,
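Review bot: The new `keep_set_uid` parameter is undocumented at the prototype, and it flips a security property of the call: when true, the saved set-user-ID is left unchanged by setresuid(), so the caller can later switch its effective UID back, whereas false makes the change irreversible. I would replace the `/* from become_user.c */` line with `/* Switch to uid:gid and drop all capabilities. keep_set_uid leaves the saved set-user-ID untouched (the drop can be reverted by the caller); pass false for a permanent drop. */`. The function also now drops capabilities on every return, including when the process already runs as uid, which callers that relied on the previous no-op may want stated here.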