SSSD: Chown the log files

We need to chown the log files before dropping root to make sure they are usable by the SSSD user. Unfortunately, we can't just rely on passing the fd opened by root, because we need to be also able to rotate the log files. Reviewed-by: Pavel Reichl <[email protected]>
SSSD · Oct 20, 2014 · 4546e28 · 4546e28
1 parent ac40d2f
commit 4546e28
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 0 deletions.
diff --git a/src/util/debug.c b/src/util/debug.c
@@ -297,6 +297,39 @@ void ldb_debug_messages(void *context, enum ldb_debug_level level,
     free(message);
 }
 
+/* In cases SSSD used to run as the root user, but runs as the SSSD user now,
+ * we need to chown the log files
+ */
+int chown_debug_file(const char *filename,
+                     uid_t uid, gid_t gid)
+{
+    char *logpath;
+    const char *log_file;
+    errno_t ret;
+
+    if (filename == NULL) {
+        log_file = debug_log_file;
+    } else {
+        log_file = filename;
+    }
+
+    ret = asprintf(&logpath, "%s/%s.log", LOG_PATH, log_file);
+    if (ret == -1) {
+        return ENOMEM;
+    }
+
+    ret = chown(logpath, uid, gid);
+    free(logpath);
+    if (ret != 0) {
+        ret = errno;
+        DEBUG(SSSDBG_FATAL_FAILURE, "chown failed for [%s]: [%d]\n",
+              log_file, ret);
+        return ret;
+    }
+
+    return EOK;
+}
+
 int open_debug_file_ex(const char *filename, FILE **filep, bool want_cloexec)
 {
     FILE *f = NULL;

diff --git a/src/util/server.c b/src/util/server.c
@@ -427,6 +427,12 @@ int server_setup(const char *name, int flags,
     struct tevent_signal *tes;
     struct logrotate_ctx *lctx;
 
+    ret = chown_debug_file(NULL, uid, gid);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_MINOR_FAILURE,
+              "Cannot chown the debug files, debugging might not work!\n");
+    }
+
     ret = become_user(uid, gid);
     if (ret != EOK) {
         DEBUG(SSSDBG_FUNC_DATA,

diff --git a/src/util/util.h b/src/util/util.h
@@ -218,6 +218,7 @@ errno_t set_debug_file_from_fd(const int fd);
 /* From debug.c */
 void ldb_debug_messages(void *context, enum ldb_debug_level level,
                         const char *fmt, va_list ap);
+int chown_debug_file(const char *filename, uid_t uid, gid_t gid);
 int open_debug_file_ex(const char *filename, FILE **filep, bool want_cloexec);
 int open_debug_file(void);
 int rotate_debug_files(void);