From 9a1ca5b607d28d2564f8e4425d15648bb34dab4a Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Wed, 15 Nov 2023 14:10:24 +0100 Subject: [PATCH 01/16] CLIENT: move all socket paths checks to a single function --- src/sss_client/common.c | 44 ++++++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 20 deletions(-) diff --git a/src/sss_client/common.c b/src/sss_client/common.c index cc6619da249..fb76ed91a7f 100644 --- a/src/sss_client/common.c +++ b/src/sss_client/common.c @@ -979,14 +979,31 @@ int sss_pac_make_request_with_lock(enum sss_cli_command cmd, return ret; } -inline static errno_t check_socket_cred(const struct stat *stat_buf) +inline static errno_t check_socket_cred(const char *socket_name) { - if ((stat_buf->st_uid == 0) && (stat_buf->st_gid == 0)) { + struct stat stat_buf; + int statret; + + errno = 0; + statret = stat(socket_name, &stat_buf); + if (statret != 0) { + if (errno == ENOENT) { + return ESSS_NO_SOCKET; + } + return ESSS_SOCKET_STAT_ERROR; + } + + if ( !S_ISSOCK(stat_buf.st_mode) || + ((stat_buf.st_mode & ~S_IFMT) != 0666) ) { + return ESSS_BAD_SOCKET; + } + + if ((stat_buf.st_uid == 0) && (stat_buf.st_gid == 0)) { return 0; } #ifdef SSSD_NON_ROOT_USER - if ((stat_buf->st_uid == sss_sssd_uid) && (stat_buf->st_uid == sss_sssd_gid)) { + if ((stat_buf.st_uid == sss_sssd_uid) && (stat_buf.st_uid == sss_sssd_gid)) { return 0; } #endif /* SSSD_NON_ROOT_USER */ @@ -1028,11 +1045,10 @@ int sss_pam_make_request(enum sss_cli_command cmd, uint8_t **repbuf, size_t *replen, int *errnop) { - int ret, statret; + int ret; errno_t error; enum sss_status status; char *envval; - struct stat stat_buf; const char *socket_name = SSS_PAM_SOCKET_NAME; int timeout = SSS_CLI_SOCKET_TIMEOUT; @@ -1051,21 +1067,9 @@ int sss_pam_make_request(enum sss_cli_command cmd, #endif #endif /* SSSD_NON_ROOT_USER */ - errno = 0; - statret = stat(socket_name, &stat_buf); - if (statret != 0) { - if (errno == ENOENT) { - *errnop = ESSS_NO_SOCKET; - } else { - *errnop = ESSS_SOCKET_STAT_ERROR; - } - ret = PAM_SERVICE_ERR; - goto out; - } - if ( ! ((check_socket_cred(&stat_buf) == 0) && - S_ISSOCK(stat_buf.st_mode) && - (stat_buf.st_mode & ~S_IFMT) == 0666 )) { - *errnop = ESSS_BAD_SOCKET; + ret = check_socket_cred(socket_name); + if (ret != 0) { + *errnop = ret; ret = PAM_SERVICE_ERR; goto out; } From 3675a11b8dbefc941327667822fbc89896033e23 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Wed, 15 Nov 2023 14:18:21 +0100 Subject: [PATCH 02/16] CLIENT: remove check for rw-rw-rw- as it doesn't make much sense anyway. --- src/sss_client/common.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/sss_client/common.c b/src/sss_client/common.c index fb76ed91a7f..57175f683e8 100644 --- a/src/sss_client/common.c +++ b/src/sss_client/common.c @@ -993,8 +993,7 @@ inline static errno_t check_socket_cred(const char *socket_name) return ESSS_SOCKET_STAT_ERROR; } - if ( !S_ISSOCK(stat_buf.st_mode) || - ((stat_buf.st_mode & ~S_IFMT) != 0666) ) { + if (!S_ISSOCK(stat_buf.st_mode)) { return ESSS_BAD_SOCKET; } From 648b1e66a0b06d9dd8fa5115e2a697c26d67423f Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Thu, 16 Nov 2023 20:11:44 +0100 Subject: [PATCH 03/16] KRB5: a comment to explain the need for explicit `sss_pac_check_and_open()` --- src/providers/krb5/krb5_child.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 704f6508224..ad554ad01b6 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -3969,6 +3969,9 @@ static krb5_error_code privileged_krb5_setup(struct krb5_req *kr, } if (kr->send_pac) { + /* This is to establish connection with 'sssd_pac' while process + * still runs under privileged user. + */ ret = sss_pac_check_and_open(); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, "Cannot open the PAC responder socket\n"); From b9d27a4c9d7304d60ef60babe91ae8d970b50bc0 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Thu, 16 Nov 2023 20:46:43 +0100 Subject: [PATCH 04/16] CLIENT: reduce code duplication --- src/sss_client/common.c | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) diff --git a/src/sss_client/common.c b/src/sss_client/common.c index 57175f683e8..042a37844b5 100644 --- a/src/sss_client/common.c +++ b/src/sss_client/common.c @@ -919,6 +919,7 @@ int sss_pac_check_and_open(void) return EOK; } +/* Non-locking version is used by single threaded 'krb5_child' */ int sss_pac_make_request(enum sss_cli_command cmd, struct sss_cli_req_data *rd, uint8_t **repbuf, size_t *replen, @@ -926,7 +927,6 @@ int sss_pac_make_request(enum sss_cli_command cmd, { enum sss_status ret; char *envval; - int timeout = SSS_CLI_SOCKET_TIMEOUT; /* avoid looping in the nss daemon */ envval = getenv("_SSS_LOOPS"); @@ -934,24 +934,10 @@ int sss_pac_make_request(enum sss_cli_command cmd, return NSS_STATUS_NOTFOUND; } - ret = sss_cli_check_socket(errnop, SSS_PAC_SOCKET_NAME, timeout); - if (ret != SSS_STATUS_SUCCESS) { - return NSS_STATUS_UNAVAIL; - } - - ret = sss_cli_make_request_nochecks(cmd, rd, timeout, repbuf, replen, - errnop); - if (ret == SSS_STATUS_UNAVAIL && *errnop == EPIPE) { - /* try reopen socket */ - ret = sss_cli_check_socket(errnop, SSS_PAC_SOCKET_NAME, timeout); - if (ret != SSS_STATUS_SUCCESS) { - return NSS_STATUS_UNAVAIL; - } + ret = sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT, + repbuf, replen, errnop, + SSS_PAC_SOCKET_NAME); - /* and make request one more time */ - ret = sss_cli_make_request_nochecks(cmd, rd, timeout, repbuf, replen, - errnop); - } switch (ret) { case SSS_STATUS_TRYAGAIN: return NSS_STATUS_TRYAGAIN; From b4df367e2fa028513a5f545116f25c3b3376b43b Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Thu, 16 Nov 2023 21:14:50 +0100 Subject: [PATCH 05/16] CLIENT: add an optional check of server credentials to `sss_cli_make_request_with_checks()` This requires to make sure 'sss_sssd_*id' are initialized in `check_server_cred()` --- src/sss_client/common.c | 30 +++++++++++++++++++++++++----- src/sss_client/sss_cli.h | 5 ++++- src/sss_client/subid/sss_subid.c | 3 ++- 3 files changed, 31 insertions(+), 7 deletions(-) diff --git a/src/sss_client/common.c b/src/sss_client/common.c index 042a37844b5..fd7b87c739f 100644 --- a/src/sss_client/common.c +++ b/src/sss_client/common.c @@ -936,7 +936,7 @@ int sss_pac_make_request(enum sss_cli_command cmd, ret = sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT, repbuf, replen, errnop, - SSS_PAC_SOCKET_NAME); + SSS_PAC_SOCKET_NAME, false, false); switch (ret) { case SSS_STATUS_TRYAGAIN: @@ -1017,9 +1017,13 @@ static errno_t check_server_cred(int sockfd) } #ifdef SSSD_NON_ROOT_USER +#ifdef HAVE_PTHREAD_EXT + pthread_once(&sss_sssd_ids_init, init_sssd_ids); /* once for all threads */ + if ((server_cred.uid == sss_sssd_uid) && (server_cred.gid == sss_sssd_gid)) { return 0; } +#endif #endif /* SSSD_NON_ROOT_USER */ return ESSS_SERVER_NOT_TRUSTED; @@ -1105,15 +1109,31 @@ sss_cli_make_request_with_checks(enum sss_cli_command cmd, int timeout, uint8_t **repbuf, size_t *replen, int *errnop, - const char *socket_name) + const char *socket_name, + bool check_server_creds, + bool allow_custom_errors) { enum sss_status ret = SSS_STATUS_UNAVAIL; + errno_t error; ret = sss_cli_check_socket(errnop, socket_name, timeout); if (ret != SSS_STATUS_SUCCESS) { return SSS_STATUS_UNAVAIL; } + if (check_server_creds) { + error = check_server_cred(sss_cli_sd_get()); + if (error != 0) { + sss_cli_close_socket(); + if (allow_custom_errors) { + *errnop = error; + } else { + *errnop = EFAULT; + } + return SSS_STATUS_UNAVAIL; + } + } + ret = sss_cli_make_request_nochecks(cmd, rd, timeout, repbuf, replen, errnop); if (ret == SSS_STATUS_UNAVAIL && *errnop == EPIPE) { @@ -1138,7 +1158,7 @@ int sss_sudo_make_request(enum sss_cli_command cmd, { return sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT, repbuf, replen, errnop, - SSS_SUDO_SOCKET_NAME); + SSS_SUDO_SOCKET_NAME, false, false); } int sss_autofs_make_request(enum sss_cli_command cmd, @@ -1150,7 +1170,7 @@ int sss_autofs_make_request(enum sss_cli_command cmd, status = sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT, repbuf, replen, errnop, - SSS_AUTOFS_SOCKET_NAME); + SSS_AUTOFS_SOCKET_NAME, false, false); if (*errnop == ERR_OFFLINE) { *errnop = EHOSTDOWN; @@ -1166,7 +1186,7 @@ int sss_ssh_make_request(enum sss_cli_command cmd, { return sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT, repbuf, replen, errnop, - SSS_SSH_SOCKET_NAME); + SSS_SSH_SOCKET_NAME, false, false); } diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h index ed2c8b23d7d..acf5ee24fa3 100644 --- a/src/sss_client/sss_cli.h +++ b/src/sss_client/sss_cli.h @@ -30,6 +30,7 @@ #include #include #include +#include #include #include "shared/safealign.h" @@ -711,7 +712,9 @@ enum sss_status sss_cli_make_request_with_checks(enum sss_cli_command cmd, int timeout, uint8_t **repbuf, size_t *replen, int *errnop, - const char *socket_name); + const char *socket_name, + bool check_server_creds, + bool allow_custom_errors); enum nss_status sss_nss_make_request(enum sss_cli_command cmd, struct sss_cli_req_data *rd, diff --git a/src/sss_client/subid/sss_subid.c b/src/sss_client/subid/sss_subid.c index f1fbe34ee33..c3479e182b2 100644 --- a/src/sss_client/subid/sss_subid.c +++ b/src/sss_client/subid/sss_subid.c @@ -75,7 +75,8 @@ enum subid_status shadow_subid_list_owner_ranges(const char *user, ret = sss_cli_make_request_with_checks(SSS_NSS_GET_SUBID_RANGES, &rd, SSS_CLI_SOCKET_TIMEOUT, &repbuf, &replen, &errnop, - SSS_NSS_SOCKET_NAME); + SSS_NSS_SOCKET_NAME, + false, false); sss_nss_unlock(); if ( (ret != SSS_STATUS_SUCCESS) || (errnop != EOK) From 65162f518459e443a39c69131b380afe6d27bcf0 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Thu, 16 Nov 2023 21:22:43 +0100 Subject: [PATCH 06/16] CLIENT: reduce code duplication --- src/sss_client/common.c | 39 ++++++--------------------------------- 1 file changed, 6 insertions(+), 33 deletions(-) diff --git a/src/sss_client/common.c b/src/sss_client/common.c index fd7b87c739f..8e92119a158 100644 --- a/src/sss_client/common.c +++ b/src/sss_client/common.c @@ -1035,11 +1035,8 @@ int sss_pam_make_request(enum sss_cli_command cmd, int *errnop) { int ret; - errno_t error; enum sss_status status; - char *envval; - const char *socket_name = SSS_PAM_SOCKET_NAME; - int timeout = SSS_CLI_SOCKET_TIMEOUT; + const char *envval; sss_pam_lock(); @@ -1056,41 +1053,17 @@ int sss_pam_make_request(enum sss_cli_command cmd, #endif #endif /* SSSD_NON_ROOT_USER */ - ret = check_socket_cred(socket_name); + ret = check_socket_cred(SSS_PAM_SOCKET_NAME); if (ret != 0) { *errnop = ret; ret = PAM_SERVICE_ERR; goto out; } - status = sss_cli_check_socket(errnop, socket_name, timeout); - if (status != SSS_STATUS_SUCCESS) { - ret = PAM_SERVICE_ERR; - goto out; - } - - error = check_server_cred(sss_cli_sd_get()); - if (error != 0) { - sss_cli_close_socket(); - *errnop = error; - ret = PAM_SERVICE_ERR; - goto out; - } - - status = sss_cli_make_request_nochecks(cmd, rd, timeout, repbuf, replen, - errnop); - if (status == SSS_STATUS_UNAVAIL && *errnop == EPIPE) { - /* try reopen socket */ - status = sss_cli_check_socket(errnop, socket_name, timeout); - if (status != SSS_STATUS_SUCCESS) { - ret = PAM_SERVICE_ERR; - goto out; - } - - /* and make request one more time */ - status = sss_cli_make_request_nochecks(cmd, rd, timeout, repbuf, replen, - errnop); - } + status = sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT, + repbuf, replen, errnop, + SSS_PAM_SOCKET_NAME, + true, true); if (status == SSS_STATUS_SUCCESS) { ret = PAM_SUCCESS; From 5e7f12bad64184ad58f86319cc26bc8067fa6046 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Thu, 16 Nov 2023 21:25:53 +0100 Subject: [PATCH 07/16] CLIENT: SUDO: force check of server credentials as a general hardening --- src/sss_client/common.c | 2 +- src/tests/intg/getsockopt_wrapper.c | 17 ++++++++++++----- 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/src/sss_client/common.c b/src/sss_client/common.c index 8e92119a158..c50aa3ad17e 100644 --- a/src/sss_client/common.c +++ b/src/sss_client/common.c @@ -1131,7 +1131,7 @@ int sss_sudo_make_request(enum sss_cli_command cmd, { return sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT, repbuf, replen, errnop, - SSS_SUDO_SOCKET_NAME, false, false); + SSS_SUDO_SOCKET_NAME, true, false); } int sss_autofs_make_request(enum sss_cli_command cmd, diff --git a/src/tests/intg/getsockopt_wrapper.c b/src/tests/intg/getsockopt_wrapper.c index 4fd1e170721..baa608ef07c 100644 --- a/src/tests/intg/getsockopt_wrapper.c +++ b/src/tests/intg/getsockopt_wrapper.c @@ -31,7 +31,7 @@ static bool is_dbus_socket(int fd) return NULL != strstr(unix_socket->sun_path, "system_bus_socket"); } -static bool peer_is_pam(int fd) +static bool peer_path_has(int fd, const char *str) { int ret; struct sockaddr_storage addr = { 0 }; @@ -45,10 +45,10 @@ static bool peer_is_pam(int fd) unix_socket = (struct sockaddr_un *)&addr; - return NULL != strstr(unix_socket->sun_path, "pipes/pam"); + return NULL != strstr(unix_socket->sun_path, str); } -static bool peer_is_sssctl(const struct ucred *cr) +static bool peer_is(const struct ucred *cr, const char *str) { char proc_path[32]; char cmd_line[255] = { 0 }; @@ -71,7 +71,7 @@ static bool peer_is_sssctl(const struct ucred *cr) close(proc_fd); if (ret > 0) { cmd_line[ret] = 0; - if (strncmp(cmd_line, "sssctl", 6) == 0) { + if (strstr(cmd_line, str) != NULL) { return true; } } @@ -87,11 +87,15 @@ static void fake_peer_uid_gid(uid_t *uid, gid_t *gid) val = getenv("SSSD_INTG_PEER_UID"); if (val != NULL) { *uid = atoi(val); + } else { + *uid = 0; } val = getenv("SSSD_INTG_PEER_GID"); if (val != NULL) { *gid = atoi(val); + } else { + *gid = 0; } } @@ -120,7 +124,10 @@ int getsockopt(int sockfd, int level, int optname, cr = optval; if (cr->uid != 0 && is_dbus_socket(sockfd)) { cr->uid = 0; - } else if (peer_is_pam(sockfd) || peer_is_sssctl(cr)) { + } else if (peer_path_has(sockfd, "pipes/pam") || + peer_path_has(sockfd, "pipes/sudo") || + peer_is(cr, "sssctl") || + peer_is(cr, "sss_sudo_cli")) { fake_peer_uid_gid(&cr->uid, &cr->gid); } } From 61ee3c877ff099b14062fdf3d73644e0adc2f1b0 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Thu, 16 Nov 2023 21:44:17 +0100 Subject: [PATCH 08/16] CLIENT: move sudo/autofs/ssh related code out of common module --- src/sss_client/autofs/sss_autofs.c | 18 +++++++++++++ src/sss_client/common.c | 39 ----------------------------- src/sss_client/ssh/sss_ssh_client.c | 10 ++++++++ src/sss_client/sss_cli.h | 15 ----------- src/sss_client/sudo/sss_sudo.c | 10 ++++++++ 5 files changed, 38 insertions(+), 54 deletions(-) diff --git a/src/sss_client/autofs/sss_autofs.c b/src/sss_client/autofs/sss_autofs.c index ef27cf8956d..214ad621945 100644 --- a/src/sss_client/autofs/sss_autofs.c +++ b/src/sss_client/autofs/sss_autofs.c @@ -80,6 +80,24 @@ sss_getautomntent_data_clean(void) memset(&sss_getautomntent_data, 0, sizeof(struct sss_getautomntent_data)); } +static int sss_autofs_make_request(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + uint8_t **repbuf, size_t *replen, + int *errnop) +{ + enum sss_status status; + + status = sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT, + repbuf, replen, errnop, + SSS_AUTOFS_SOCKET_NAME, false, false); + + if (*errnop == ERR_OFFLINE) { + *errnop = EHOSTDOWN; + } + + return status; +} + errno_t _sss_setautomntent(const char *mapname, void **context) { diff --git a/src/sss_client/common.c b/src/sss_client/common.c index c50aa3ad17e..66a62690b34 100644 --- a/src/sss_client/common.c +++ b/src/sss_client/common.c @@ -1124,45 +1124,6 @@ sss_cli_make_request_with_checks(enum sss_cli_command cmd, return ret; } -int sss_sudo_make_request(enum sss_cli_command cmd, - struct sss_cli_req_data *rd, - uint8_t **repbuf, size_t *replen, - int *errnop) -{ - return sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT, - repbuf, replen, errnop, - SSS_SUDO_SOCKET_NAME, true, false); -} - -int sss_autofs_make_request(enum sss_cli_command cmd, - struct sss_cli_req_data *rd, - uint8_t **repbuf, size_t *replen, - int *errnop) -{ - enum sss_status status; - - status = sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT, - repbuf, replen, errnop, - SSS_AUTOFS_SOCKET_NAME, false, false); - - if (*errnop == ERR_OFFLINE) { - *errnop = EHOSTDOWN; - } - - return status; -} - -int sss_ssh_make_request(enum sss_cli_command cmd, - struct sss_cli_req_data *rd, - uint8_t **repbuf, size_t *replen, - int *errnop) -{ - return sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT, - repbuf, replen, errnop, - SSS_SSH_SOCKET_NAME, false, false); -} - - const char *ssscli_err2string(int err) { const char *m; diff --git a/src/sss_client/ssh/sss_ssh_client.c b/src/sss_client/ssh/sss_ssh_client.c index a198039ec4e..02e0ac76207 100644 --- a/src/sss_client/ssh/sss_ssh_client.c +++ b/src/sss_client/ssh/sss_ssh_client.c @@ -70,6 +70,16 @@ int set_locale(void) return EOK; } +static int sss_ssh_make_request(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + uint8_t **repbuf, size_t *replen, + int *errnop) +{ + return sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT, + repbuf, replen, errnop, + SSS_SSH_SOCKET_NAME, false, false); +} + /* SSH public key request: * * header: diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h index acf5ee24fa3..ee45e1d576c 100644 --- a/src/sss_client/sss_cli.h +++ b/src/sss_client/sss_cli.h @@ -750,21 +750,6 @@ int sss_pac_make_request_with_lock(enum sss_cli_command cmd, uint8_t **repbuf, size_t *replen, int *errnop); -int sss_sudo_make_request(enum sss_cli_command cmd, - struct sss_cli_req_data *rd, - uint8_t **repbuf, size_t *replen, - int *errnop); - -int sss_autofs_make_request(enum sss_cli_command cmd, - struct sss_cli_req_data *rd, - uint8_t **repbuf, size_t *replen, - int *errnop); - -int sss_ssh_make_request(enum sss_cli_command cmd, - struct sss_cli_req_data *rd, - uint8_t **repbuf, size_t *replen, - int *errnop); - #if 0 /* GETSPNAM Request: diff --git a/src/sss_client/sudo/sss_sudo.c b/src/sss_client/sudo/sss_sudo.c index 6c86b8fa3d0..8d6f717fd16 100644 --- a/src/sss_client/sudo/sss_sudo.c +++ b/src/sss_client/sudo/sss_sudo.c @@ -30,6 +30,16 @@ #include "sss_client/sudo/sss_sudo.h" #include "sss_client/sudo/sss_sudo_private.h" +static int sss_sudo_make_request(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + uint8_t **repbuf, size_t *replen, + int *errnop) +{ + return sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT, + repbuf, replen, errnop, + SSS_SUDO_SOCKET_NAME, true, false); +} + static int sss_sudo_create_query(uid_t uid, const char *username, uint8_t **_query, From 9c038c4fd133017381f5d029365d6df7659757d7 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Sun, 19 Nov 2023 20:19:31 +0100 Subject: [PATCH 09/16] SUDO: refuse to serve clients running under non-root --- src/responder/sudo/sudosrv_cmd.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/responder/sudo/sudosrv_cmd.c b/src/responder/sudo/sudosrv_cmd.c index 63b548fe8d5..4b95c2a6d57 100644 --- a/src/responder/sudo/sudosrv_cmd.c +++ b/src/responder/sudo/sudosrv_cmd.c @@ -18,11 +18,14 @@ along with this program. If not, see . */ +#include "config.h" + #include #include #include #include "util/util.h" +#include "util/util_creds.h" #include "responder/common/responder.h" #include "responder/common/responder_packet.h" #include "responder/sudo/sudosrv_private.h" @@ -199,6 +202,15 @@ static int sudosrv_cmd(enum sss_sudo_type type, struct cli_ctx *cli_ctx) pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol); protocol = pctx->cli_protocol_version->version; + /* the only intended client - suid binary 'sudo' */ + if (cli_ctx->priv != 1) { + DEBUG(SSSDBG_IMPORTANT_INFO, "Refusing to serve unprivileged client " + "'%s' running under uid = %"SPRIuid"\n", + cli_ctx->cmd_line, client_euid(cli_ctx->creds)); + ret = EFAULT; + goto done; + } + /* if protocol is invalid return */ switch (protocol) { case 0: From 9e244f3593dfcdf4182d95f36a9afec6fc617197 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Sun, 19 Nov 2023 20:41:59 +0100 Subject: [PATCH 10/16] SUDO: make 'sssd_sudo' socket sssd:sssd owned The only intended client of 'sssd_sudo' is 'sudo' that is suid binary and thus still can access socket. But if for whatever reason it's undesirable to make 'sudo' use its CAP_DAC_OVERRIDE capability then socket mode can be changed to rw-rw-rw -- previous patch will restrict access to the socket for root only. The reason for this change is to avoid the need for CAP_CHOWN for SSSD itself. --- src/responder/autofs/autofssrv.c | 2 +- src/responder/common/responder.h | 2 ++ src/responder/common/responder_common.c | 6 ++--- src/responder/ifp/ifpsrv.c | 2 +- src/responder/nss/nsssrv.c | 2 +- src/responder/pac/pacsrv.c | 2 +- src/responder/pam/pamsrv.c | 2 +- src/responder/ssh/sshsrv.c | 2 +- src/responder/sudo/sudosrv.c | 29 +++---------------------- src/sysv/systemd/sssd-sudo.socket.in | 1 + 10 files changed, 15 insertions(+), 35 deletions(-) diff --git a/src/responder/autofs/autofssrv.c b/src/responder/autofs/autofssrv.c index 140d3032149..3900bb0ebb4 100644 --- a/src/responder/autofs/autofssrv.c +++ b/src/responder/autofs/autofssrv.c @@ -107,7 +107,7 @@ autofs_process_init(TALLOC_CTX *mem_ctx, autofs_cmds = get_autofs_cmds(); ret = sss_process_init(mem_ctx, ev, cdb, autofs_cmds, - SSS_AUTOFS_SOCKET_NAME, -1, + SSS_AUTOFS_SOCKET_NAME, -1, SCKT_RSP_UMASK, CONFDB_AUTOFS_CONF_ENTRY, SSS_BUS_AUTOFS, SSS_AUTOFS_SBUS_SERVICE_NAME, autofs_connection_setup, diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h index eb987bc9680..64d526925ac 100644 --- a/src/responder/common/responder.h +++ b/src/responder/common/responder.h @@ -74,6 +74,7 @@ struct resp_ctx { struct tevent_context *ev; struct tevent_fd *lfde; int lfd; + mode_t lfd_umask; struct confdb_ctx *cdb; const char *sock_name; @@ -175,6 +176,7 @@ int sss_process_init(TALLOC_CTX *mem_ctx, struct sss_cmd_table sss_cmds[], const char *sss_pipe_name, int pipe_fd, + mode_t pipe_umask, const char *confdb_service_path, const char *conn_name, const char *svc_name, diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c index 9e4ee05a7d7..216c6eb3906 100644 --- a/src/responder/common/responder_common.c +++ b/src/responder/common/responder_common.c @@ -769,10 +769,8 @@ static int set_unix_socket(struct resp_ctx *rctx, struct accept_fd_ctx *accept_ctx = NULL; if (rctx->sock_name != NULL ) { - /* Set the umask so that permissions are set right on the socket. - * It must be readable and writable by anybody on the system. */ if (rctx->lfd == -1) { - ret = create_pipe_fd(rctx->sock_name, &rctx->lfd, SCKT_RSP_UMASK); + ret = create_pipe_fd(rctx->sock_name, &rctx->lfd, rctx->lfd_umask); if (ret != EOK) { return ret; } @@ -1055,6 +1053,7 @@ int sss_process_init(TALLOC_CTX *mem_ctx, struct sss_cmd_table sss_cmds[], const char *sss_pipe_name, int pipe_fd, + mode_t pipe_umask, const char *confdb_service_path, const char *conn_name, const char *svc_name, @@ -1076,6 +1075,7 @@ int sss_process_init(TALLOC_CTX *mem_ctx, rctx->sss_cmds = sss_cmds; rctx->sock_name = sss_pipe_name; rctx->lfd = pipe_fd; + rctx->lfd_umask = pipe_umask; rctx->confdb_service_path = confdb_service_path; rctx->shutting_down = false; rctx->socket_activated = is_socket_activated(); diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c index d3d0fd8f818..6892fef232d 100644 --- a/src/responder/ifp/ifpsrv.c +++ b/src/responder/ifp/ifpsrv.c @@ -173,7 +173,7 @@ int ifp_process_init(TALLOC_CTX *mem_ctx, ifp_cmds = get_ifp_cmds(); ret = sss_process_init(mem_ctx, ev, cdb, ifp_cmds, - NULL, -1, + NULL, -1, 0, CONFDB_IFP_CONF_ENTRY, SSS_BUS_IFP, SSS_IFP_SBUS_SERVICE_NAME, sss_connection_setup, diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c index 3eccbf46beb..6d1b0c24394 100644 --- a/src/responder/nss/nsssrv.c +++ b/src/responder/nss/nsssrv.c @@ -529,7 +529,7 @@ int sss_nss_process_init(TALLOC_CTX *mem_ctx, ret = sss_process_init(mem_ctx, ev, cdb, nss_cmds, - SSS_NSS_SOCKET_NAME, -1, + SSS_NSS_SOCKET_NAME, -1, SCKT_RSP_UMASK, CONFDB_NSS_CONF_ENTRY, SSS_BUS_NSS, NSS_SBUS_SERVICE_NAME, sss_nss_connection_setup, diff --git a/src/responder/pac/pacsrv.c b/src/responder/pac/pacsrv.c index deefb701911..803634d8cee 100644 --- a/src/responder/pac/pacsrv.c +++ b/src/responder/pac/pacsrv.c @@ -62,7 +62,7 @@ int pac_process_init(TALLOC_CTX *mem_ctx, ret = sss_process_init(mem_ctx, ev, cdb, pac_cmds, - SSS_PAC_SOCKET_NAME, -1, + SSS_PAC_SOCKET_NAME, -1, SCKT_RSP_UMASK, CONFDB_PAC_CONF_ENTRY, SSS_BUS_PAC, PAC_SBUS_SERVICE_NAME, sss_connection_setup, diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c index 3fa29007677..572d53335f4 100644 --- a/src/responder/pam/pamsrv.c +++ b/src/responder/pam/pamsrv.c @@ -183,7 +183,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx, pam_cmds = get_pam_cmds(); ret = sss_process_init(mem_ctx, ev, cdb, pam_cmds, - SSS_PAM_SOCKET_NAME, pipe_fd, + SSS_PAM_SOCKET_NAME, pipe_fd, SCKT_RSP_UMASK, CONFDB_PAM_CONF_ENTRY, SSS_BUS_PAM, SSS_PAM_SBUS_SERVICE_NAME, sss_connection_setup, diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c index 7649a21347b..1134265c0ae 100644 --- a/src/responder/ssh/sshsrv.c +++ b/src/responder/ssh/sshsrv.c @@ -40,7 +40,7 @@ int ssh_process_init(TALLOC_CTX *mem_ctx, ssh_cmds = get_ssh_cmds(); ret = sss_process_init(mem_ctx, ev, cdb, ssh_cmds, - SSS_SSH_SOCKET_NAME, -1, + SSS_SSH_SOCKET_NAME, -1, SCKT_RSP_UMASK, CONFDB_SSH_CONF_ENTRY, SSS_BUS_SSH, SSS_SSH_SBUS_SERVICE_NAME, sss_connection_setup, diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c index 881089c4de9..d6c3e934997 100644 --- a/src/responder/sudo/sudosrv.c +++ b/src/responder/sudo/sudosrv.c @@ -30,8 +30,7 @@ int sudo_process_init(TALLOC_CTX *mem_ctx, struct tevent_context *ev, - struct confdb_ctx *cdb, - int pipe_fd) + struct confdb_ctx *cdb) { struct resp_ctx *rctx; struct sss_cmd_table *sudo_cmds; @@ -41,7 +40,7 @@ int sudo_process_init(TALLOC_CTX *mem_ctx, sudo_cmds = get_sudo_cmds(); ret = sss_process_init(mem_ctx, ev, cdb, sudo_cmds, - SSS_SUDO_SOCKET_NAME, pipe_fd, /* custom permissions on socket */ + SSS_SUDO_SOCKET_NAME, -1, SSS_DFL_UMASK, CONFDB_SUDO_CONF_ENTRY, SSS_BUS_SUDO, SSS_SUDO_SBUS_SERVICE_NAME, sss_connection_setup, @@ -139,7 +138,6 @@ int main(int argc, const char *argv[]) char *opt_logger = NULL; struct main_context *main_ctx; int ret; - int pipe_fd = -1; uid_t uid = 0; gid_t gid = 0; @@ -174,27 +172,6 @@ int main(int argc, const char *argv[]) debug_log_file = "sssd_sudo"; DEBUG_INIT(debug_level, opt_logger); - if (!is_socket_activated()) { - /* Create pipe file descriptors here with right ownerschip */ - ret = create_pipe_fd(SSS_SUDO_SOCKET_NAME, &pipe_fd, SSS_DFL_UMASK); - if (ret != EOK) { - DEBUG(SSSDBG_FATAL_FAILURE, - "create_pipe_fd failed [%d]: %s.\n", - ret, sss_strerror(ret)); - return 4; - } - - ret = chown(SSS_SUDO_SOCKET_NAME, uid, 0); - if (ret != 0) { - ret = errno; - close(pipe_fd); - DEBUG(SSSDBG_FATAL_FAILURE, - "create_pipe_fd failed [%d]: %s.\n", - ret, sss_strerror(ret)); - return 5; - } - } - ret = server_setup("sudo", true, 0, uid, gid, CONFDB_FILE, CONFDB_SUDO_CONF_ENTRY, &main_ctx, true); if (ret != EOK) { @@ -210,7 +187,7 @@ int main(int argc, const char *argv[]) ret = sudo_process_init(main_ctx, main_ctx->event_ctx, - main_ctx->confdb_ctx, pipe_fd); + main_ctx->confdb_ctx); if (ret != EOK) { return 3; } diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in index e94a2f6151e..b0191a261e6 100644 --- a/src/sysv/systemd/sssd-sudo.socket.in +++ b/src/sysv/systemd/sssd-sudo.socket.in @@ -10,6 +10,7 @@ Conflicts=shutdown.target ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo ListenStream=@pipepath@/sudo SocketUser=@SSSD_USER@ +SocketGroup=@SSSD_USER@ SocketMode=0660 [Install] From 67a04fd51f15ba5d3bfc47c9a9565bc0a5ddd86b Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Sun, 19 Nov 2023 21:44:49 +0100 Subject: [PATCH 11/16] PAM: no need in root:root owned socket since 1451c6e034d20cd1d8947d53bd2da3aa75527ba8 --- src/responder/pam/pamsrv.c | 21 +++------------------ src/sysv/systemd/sssd-pam.socket.in | 4 ++-- 2 files changed, 5 insertions(+), 20 deletions(-) diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c index 572d53335f4..6f56fa6c093 100644 --- a/src/responder/pam/pamsrv.c +++ b/src/responder/pam/pamsrv.c @@ -169,8 +169,7 @@ static void pam_get_domains_callback(void *pvt) static int pam_process_init(TALLOC_CTX *mem_ctx, struct tevent_context *ev, - struct confdb_ctx *cdb, - int pipe_fd) + struct confdb_ctx *cdb) { struct resp_ctx *rctx; struct sss_cmd_table *pam_cmds; @@ -183,7 +182,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx, pam_cmds = get_pam_cmds(); ret = sss_process_init(mem_ctx, ev, cdb, pam_cmds, - SSS_PAM_SOCKET_NAME, pipe_fd, SCKT_RSP_UMASK, + SSS_PAM_SOCKET_NAME, -1, SCKT_RSP_UMASK, CONFDB_PAM_CONF_ENTRY, SSS_BUS_PAM, SSS_PAM_SBUS_SERVICE_NAME, sss_connection_setup, @@ -439,7 +438,6 @@ int main(int argc, const char *argv[]) int ret; uid_t uid = 0; gid_t gid = 0; - int pipe_fd = -1; struct poptOption long_options[] = { POPT_AUTOHELP @@ -472,18 +470,6 @@ int main(int argc, const char *argv[]) debug_log_file = "sssd_pam"; DEBUG_INIT(debug_level, opt_logger); - if (!is_socket_activated()) { - /* Create pipe file descriptor here before privileges are dropped - * in server_setup() */ - ret = create_pipe_fd(SSS_PAM_SOCKET_NAME, &pipe_fd, SCKT_RSP_UMASK); - if (ret != EOK) { - DEBUG(SSSDBG_FATAL_FAILURE, - "create_pipe_fd failed [%d]: %s.\n", - ret, sss_strerror(ret)); - return 2; - } - } - /* server_setup() might switch to an unprivileged user, so the permissions * for p11_child.log have to be fixed first. */ ret = chown_debug_file("p11_child", uid, gid); @@ -506,8 +492,7 @@ int main(int argc, const char *argv[]) ret = pam_process_init(main_ctx, main_ctx->event_ctx, - main_ctx->confdb_ctx, - pipe_fd); + main_ctx->confdb_ctx); if (ret != EOK) return 3; /* loop on main */ diff --git a/src/sysv/systemd/sssd-pam.socket.in b/src/sysv/systemd/sssd-pam.socket.in index b0a8a09546a..e4916cac4ef 100644 --- a/src/sysv/systemd/sssd-pam.socket.in +++ b/src/sysv/systemd/sssd-pam.socket.in @@ -9,8 +9,8 @@ Conflicts=shutdown.target [Socket] ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r pam ListenStream=@pipepath@/pam -SocketUser=root -SocketGroup=root +SocketUser=@SSSD_USER@ +SocketGroup=@SSSD_USER@ [Install] WantedBy=sssd.service From 4c13b990eb8449e89d293b10d42a41e30e999241 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Sun, 19 Nov 2023 21:52:16 +0100 Subject: [PATCH 12/16] RESPONDER: remove support for custom pipe_fd from `sss_process_init()` as it's not used anymore --- src/responder/autofs/autofssrv.c | 2 +- src/responder/common/responder.h | 1 - src/responder/common/responder_common.c | 3 +-- src/responder/ifp/ifpsrv.c | 2 +- src/responder/nss/nsssrv.c | 2 +- src/responder/pac/pacsrv.c | 2 +- src/responder/pam/pamsrv.c | 2 +- src/responder/ssh/sshsrv.c | 2 +- src/responder/sudo/sudosrv.c | 2 +- 9 files changed, 8 insertions(+), 10 deletions(-) diff --git a/src/responder/autofs/autofssrv.c b/src/responder/autofs/autofssrv.c index 3900bb0ebb4..5f0778be914 100644 --- a/src/responder/autofs/autofssrv.c +++ b/src/responder/autofs/autofssrv.c @@ -107,7 +107,7 @@ autofs_process_init(TALLOC_CTX *mem_ctx, autofs_cmds = get_autofs_cmds(); ret = sss_process_init(mem_ctx, ev, cdb, autofs_cmds, - SSS_AUTOFS_SOCKET_NAME, -1, SCKT_RSP_UMASK, + SSS_AUTOFS_SOCKET_NAME, SCKT_RSP_UMASK, CONFDB_AUTOFS_CONF_ENTRY, SSS_BUS_AUTOFS, SSS_AUTOFS_SBUS_SERVICE_NAME, autofs_connection_setup, diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h index 64d526925ac..ad61ae61fc9 100644 --- a/src/responder/common/responder.h +++ b/src/responder/common/responder.h @@ -175,7 +175,6 @@ int sss_process_init(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb, struct sss_cmd_table sss_cmds[], const char *sss_pipe_name, - int pipe_fd, mode_t pipe_umask, const char *confdb_service_path, const char *conn_name, diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c index 216c6eb3906..77449363059 100644 --- a/src/responder/common/responder_common.c +++ b/src/responder/common/responder_common.c @@ -1052,7 +1052,6 @@ int sss_process_init(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb, struct sss_cmd_table sss_cmds[], const char *sss_pipe_name, - int pipe_fd, mode_t pipe_umask, const char *confdb_service_path, const char *conn_name, @@ -1074,7 +1073,7 @@ int sss_process_init(TALLOC_CTX *mem_ctx, rctx->cdb = cdb; rctx->sss_cmds = sss_cmds; rctx->sock_name = sss_pipe_name; - rctx->lfd = pipe_fd; + rctx->lfd = -1; rctx->lfd_umask = pipe_umask; rctx->confdb_service_path = confdb_service_path; rctx->shutting_down = false; diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c index 6892fef232d..d4f7f59c6aa 100644 --- a/src/responder/ifp/ifpsrv.c +++ b/src/responder/ifp/ifpsrv.c @@ -173,7 +173,7 @@ int ifp_process_init(TALLOC_CTX *mem_ctx, ifp_cmds = get_ifp_cmds(); ret = sss_process_init(mem_ctx, ev, cdb, ifp_cmds, - NULL, -1, 0, + NULL, 0, CONFDB_IFP_CONF_ENTRY, SSS_BUS_IFP, SSS_IFP_SBUS_SERVICE_NAME, sss_connection_setup, diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c index 6d1b0c24394..6bb4867adbb 100644 --- a/src/responder/nss/nsssrv.c +++ b/src/responder/nss/nsssrv.c @@ -529,7 +529,7 @@ int sss_nss_process_init(TALLOC_CTX *mem_ctx, ret = sss_process_init(mem_ctx, ev, cdb, nss_cmds, - SSS_NSS_SOCKET_NAME, -1, SCKT_RSP_UMASK, + SSS_NSS_SOCKET_NAME, SCKT_RSP_UMASK, CONFDB_NSS_CONF_ENTRY, SSS_BUS_NSS, NSS_SBUS_SERVICE_NAME, sss_nss_connection_setup, diff --git a/src/responder/pac/pacsrv.c b/src/responder/pac/pacsrv.c index 803634d8cee..690c7b6c967 100644 --- a/src/responder/pac/pacsrv.c +++ b/src/responder/pac/pacsrv.c @@ -62,7 +62,7 @@ int pac_process_init(TALLOC_CTX *mem_ctx, ret = sss_process_init(mem_ctx, ev, cdb, pac_cmds, - SSS_PAC_SOCKET_NAME, -1, SCKT_RSP_UMASK, + SSS_PAC_SOCKET_NAME, SCKT_RSP_UMASK, CONFDB_PAC_CONF_ENTRY, SSS_BUS_PAC, PAC_SBUS_SERVICE_NAME, sss_connection_setup, diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c index 6f56fa6c093..aad7f93d22e 100644 --- a/src/responder/pam/pamsrv.c +++ b/src/responder/pam/pamsrv.c @@ -182,7 +182,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx, pam_cmds = get_pam_cmds(); ret = sss_process_init(mem_ctx, ev, cdb, pam_cmds, - SSS_PAM_SOCKET_NAME, -1, SCKT_RSP_UMASK, + SSS_PAM_SOCKET_NAME, SCKT_RSP_UMASK, CONFDB_PAM_CONF_ENTRY, SSS_BUS_PAM, SSS_PAM_SBUS_SERVICE_NAME, sss_connection_setup, diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c index 1134265c0ae..ce6c2b74ca3 100644 --- a/src/responder/ssh/sshsrv.c +++ b/src/responder/ssh/sshsrv.c @@ -40,7 +40,7 @@ int ssh_process_init(TALLOC_CTX *mem_ctx, ssh_cmds = get_ssh_cmds(); ret = sss_process_init(mem_ctx, ev, cdb, ssh_cmds, - SSS_SSH_SOCKET_NAME, -1, SCKT_RSP_UMASK, + SSS_SSH_SOCKET_NAME, SCKT_RSP_UMASK, CONFDB_SSH_CONF_ENTRY, SSS_BUS_SSH, SSS_SSH_SBUS_SERVICE_NAME, sss_connection_setup, diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c index d6c3e934997..c04fdaecd49 100644 --- a/src/responder/sudo/sudosrv.c +++ b/src/responder/sudo/sudosrv.c @@ -40,7 +40,7 @@ int sudo_process_init(TALLOC_CTX *mem_ctx, sudo_cmds = get_sudo_cmds(); ret = sss_process_init(mem_ctx, ev, cdb, sudo_cmds, - SSS_SUDO_SOCKET_NAME, -1, SSS_DFL_UMASK, + SSS_SUDO_SOCKET_NAME, SSS_DFL_UMASK, CONFDB_SUDO_CONF_ENTRY, SSS_BUS_SUDO, SSS_SUDO_SBUS_SERVICE_NAME, sss_connection_setup, From 37311f9841d259dcbc241fa215678d06e6dc723b Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Mon, 20 Nov 2023 12:27:24 +0100 Subject: [PATCH 13/16] SUDO: don't overwrite major error code with minor one The latter can be zero (example: socket closed during `sss_cli_recv_rep()`) --- src/sss_client/sudo/sss_sudo.c | 4 +++- src/sss_client/sudo_testcli/sudo_testcli.c | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/sss_client/sudo/sss_sudo.c b/src/sss_client/sudo/sss_sudo.c index 8d6f717fd16..10a02fe73be 100644 --- a/src/sss_client/sudo/sss_sudo.c +++ b/src/sss_client/sudo/sss_sudo.c @@ -82,7 +82,9 @@ static int sss_sudo_send_recv_generic(enum sss_cli_command command, ret = sss_sudo_make_request(command, &request, &reply_buf, &reply_len, &errnop); if (ret != SSS_STATUS_SUCCESS) { - ret = errnop; + if (_error != NULL) { + *_error = (uint32_t)errnop; + } goto done; } diff --git a/src/sss_client/sudo_testcli/sudo_testcli.c b/src/sss_client/sudo_testcli/sudo_testcli.c index 271c03be2fe..1ddb5e0f3e7 100644 --- a/src/sss_client/sudo_testcli/sudo_testcli.c +++ b/src/sss_client/sudo_testcli/sudo_testcli.c @@ -70,8 +70,8 @@ int main(int argc, char **argv) ret = sss_sudo_send_recv_defaults(uid, username, &error, &domainname, &result); if (ret != EOK) { - fprintf(stderr, "sss_sudo_send_recv_defaults() failed: %s\n", - strerror(ret)); + fprintf(stderr, "sss_sudo_send_recv_defaults() failed: %d, %u [%s]\n", + ret, error, strerror(error)); goto fail; } From 8bd52778b53605c36db3182955721fb7ca09f2c1 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Tue, 28 Nov 2023 19:09:51 +0100 Subject: [PATCH 14/16] CLIENT: fixed a mistype in `check_socket_cred()` --- src/sss_client/common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/sss_client/common.c b/src/sss_client/common.c index 66a62690b34..0921f262f0c 100644 --- a/src/sss_client/common.c +++ b/src/sss_client/common.c @@ -988,7 +988,7 @@ inline static errno_t check_socket_cred(const char *socket_name) } #ifdef SSSD_NON_ROOT_USER - if ((stat_buf.st_uid == sss_sssd_uid) && (stat_buf.st_uid == sss_sssd_gid)) { + if ((stat_buf.st_uid == sss_sssd_uid) && (stat_buf.st_gid == sss_sssd_gid)) { return 0; } #endif /* SSSD_NON_ROOT_USER */ From 36b10f92758b95755569fadd17f851ccc09225d7 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Fri, 1 Sep 2023 19:39:40 +0200 Subject: [PATCH 15/16] SPEC: build Fedora >= 38 package with sssd user support --- contrib/sssd.spec.in | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index f04469f2475..f69b2ecd63c 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -1,7 +1,7 @@ # SSSD SPEC file for Fedora 34+ and RHEL-9+ # define SSSD user -%if 0%{?rhel} +%if 0%{?fedora} >= 38 || 0%{?rhel} %global sssd_user sssd %else %global sssd_user root @@ -203,7 +203,7 @@ Requires: (libsss_autofs%{?_isa} = %{version}-%{release} if autofs) Requires: (sssd-nfs-idmap = %{version}-%{release} if libnfsidmap) Requires: libsss_idmap = %{version}-%{release} Requires: libsss_certmap = %{version}-%{release} -%if 0%{?rhel} +%if 0%{?fedora} >= 38 || 0%{?rhel} Requires(pre): shadow-utils %endif %{?systemd_requires} @@ -452,7 +452,7 @@ Requires: sssd-common = %{version}-%{release} Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows the information from the SSSD to be transmitted over the system bus. -%if 0%{?rhel} +%if 0%{?fedora} >= 38 || 0%{?rhel} %package polkit-rules Summary: Rules for polkit integration for SSSD Group: Applications/System @@ -568,7 +568,7 @@ autoreconf -ivf %if %{build_subid} --with-subid \ %endif -%if 0%{?fedora} +%if 0%{?fedora} && 0%{?fedora} < 38 --disable-polkit-rules-path \ %endif %if %{build_passkey} @@ -829,7 +829,7 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf %endif -%if 0%{?rhel} +%if 0%{?fedora} >= 38 || 0%{?rhel} %files polkit-rules %{_datadir}/polkit-1/rules.d/* %endif @@ -1025,7 +1025,7 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf %config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey %endif -%if 0%{?rhel} +%if 0%{?fedora} >= 38 || 0%{?rhel} %pre common %if %{use_sysusers} %sysusers_create_compat %{SOURCE1} From 8fe7e5a3ca99011585b409586116c3a4a85ff85c Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Mon, 27 Nov 2023 18:43:37 +0100 Subject: [PATCH 16/16] Run system tests with 'user = sssd' as a default --- src/tests/system/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tests/system/requirements.txt b/src/tests/system/requirements.txt index 5210bc23cb1..0358b2f85d4 100644 --- a/src/tests/system/requirements.txt +++ b/src/tests/system/requirements.txt @@ -4,4 +4,4 @@ git+https://github.com/next-actions/pytest-mh git+https://github.com/next-actions/pytest-ticket git+https://github.com/next-actions/pytest-tier git+https://github.com/next-actions/pytest-output -git+https://github.com/SSSD/sssd-test-framework +git+https://github.com/alexey-tikhonov/sssd-test-framework@force-sssd-user