The same as #7042 but with "--sssd-user=sssd" and forced 'sssd.conf::user=sssd' by default for 'system' tests

contrib/sssd.spec.in

@@ -1,7 +1,7 @@
 # SSSD SPEC file for Fedora 34+ and RHEL-9+
 
 # define SSSD user
-%if 0%{?rhel}
+%if 0%{?fedora} >= 38 || 0%{?rhel}
 %global sssd_user sssd
 %else
 %global sssd_user root
@@ -203,7 +203,7 @@ Requires: (libsss_autofs%{?_isa} = %{version}-%{release} if autofs)
 Requires: (sssd-nfs-idmap = %{version}-%{release} if libnfsidmap)
 Requires: libsss_idmap = %{version}-%{release}
 Requires: libsss_certmap = %{version}-%{release}
-%if 0%{?rhel}
+%if 0%{?fedora} >= 38 || 0%{?rhel}
 Requires(pre): shadow-utils
 %endif
 %{?systemd_requires}
@@ -452,7 +452,7 @@ Requires: sssd-common = %{version}-%{release}
 Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows
 the information from the SSSD to be transmitted over the system bus.
 
-%if 0%{?rhel}
+%if 0%{?fedora} >= 38 || 0%{?rhel}
 %package polkit-rules
 Summary: Rules for polkit integration for SSSD
 Group: Applications/System
@@ -568,7 +568,7 @@ autoreconf -ivf
 %if %{build_subid}
     --with-subid \
 %endif
-%if 0%{?fedora}
+%if 0%{?fedora} && 0%{?fedora} < 38
     --disable-polkit-rules-path \
 %endif
 %if %{build_passkey}
@@ -829,7 +829,7 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
 %endif
 
 
-%if 0%{?rhel}
+%if 0%{?fedora} >= 38 || 0%{?rhel}
 %files polkit-rules
 %{_datadir}/polkit-1/rules.d/*
 %endif
@@ -1025,7 +1025,7 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
 %config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey
 %endif
 
-%if 0%{?rhel}
+%if 0%{?fedora} >= 38 || 0%{?rhel}
 %pre common
 %if %{use_sysusers}
 %sysusers_create_compat %{SOURCE1}

src/providers/krb5/krb5_child.c

@@ -3969,6 +3969,9 @@ static krb5_error_code privileged_krb5_setup(struct krb5_req *kr,
     }
 
     if (kr->send_pac) {
+        /* This is to establish connection with 'sssd_pac' while process
+         * still runs under privileged user.
+         */
         ret = sss_pac_check_and_open();
         if (ret != EOK) {
             DEBUG(SSSDBG_MINOR_FAILURE, "Cannot open the PAC responder socket\n");

src/responder/autofs/autofssrv.c

@@ -107,7 +107,7 @@ autofs_process_init(TALLOC_CTX *mem_ctx,
     autofs_cmds = get_autofs_cmds();
     ret = sss_process_init(mem_ctx, ev, cdb,
                            autofs_cmds,
-                           SSS_AUTOFS_SOCKET_NAME, -1,
+                           SSS_AUTOFS_SOCKET_NAME, SCKT_RSP_UMASK,
                            CONFDB_AUTOFS_CONF_ENTRY,
                            SSS_BUS_AUTOFS, SSS_AUTOFS_SBUS_SERVICE_NAME,
                            autofs_connection_setup,

src/responder/common/responder.h

@@ -74,6 +74,7 @@ struct resp_ctx {
     struct tevent_context *ev;
     struct tevent_fd *lfde;
     int lfd;
+    mode_t lfd_umask;
     struct confdb_ctx *cdb;
     const char *sock_name;
 
@@ -174,7 +175,7 @@ int sss_process_init(TALLOC_CTX *mem_ctx,
                      struct confdb_ctx *cdb,
                      struct sss_cmd_table sss_cmds[],
                      const char *sss_pipe_name,
-                     int pipe_fd,
+                     mode_t pipe_umask,
                      const char *confdb_service_path,
                      const char *conn_name,
                      const char *svc_name,

src/responder/common/responder_common.c

@@ -769,10 +769,8 @@ static int set_unix_socket(struct resp_ctx *rctx,
     struct accept_fd_ctx *accept_ctx = NULL;
 
     if (rctx->sock_name != NULL ) {
-        /* Set the umask so that permissions are set right on the socket.
-         * It must be readable and writable by anybody on the system. */
         if (rctx->lfd == -1) {
-            ret = create_pipe_fd(rctx->sock_name, &rctx->lfd, SCKT_RSP_UMASK);
+            ret = create_pipe_fd(rctx->sock_name, &rctx->lfd, rctx->lfd_umask);
             if (ret != EOK) {
                 return ret;
             }
@@ -1054,7 +1052,7 @@ int sss_process_init(TALLOC_CTX *mem_ctx,
                      struct confdb_ctx *cdb,
                      struct sss_cmd_table sss_cmds[],
                      const char *sss_pipe_name,
-                     int pipe_fd,
+                     mode_t pipe_umask,
                      const char *confdb_service_path,
                      const char *conn_name,
                      const char *svc_name,
@@ -1075,7 +1073,8 @@ int sss_process_init(TALLOC_CTX *mem_ctx,
     rctx->cdb = cdb;
     rctx->sss_cmds = sss_cmds;
     rctx->sock_name = sss_pipe_name;
-    rctx->lfd = pipe_fd;
+    rctx->lfd = -1;
+    rctx->lfd_umask = pipe_umask;
     rctx->confdb_service_path = confdb_service_path;
     rctx->shutting_down = false;
     rctx->socket_activated = is_socket_activated();

src/responder/ifp/ifpsrv.c

@@ -173,7 +173,7 @@ int ifp_process_init(TALLOC_CTX *mem_ctx,
     ifp_cmds = get_ifp_cmds();
     ret = sss_process_init(mem_ctx, ev, cdb,
                            ifp_cmds,
-                           NULL, -1,
+                           NULL, 0,
                            CONFDB_IFP_CONF_ENTRY,
                            SSS_BUS_IFP, SSS_IFP_SBUS_SERVICE_NAME,
                            sss_connection_setup,

src/responder/nss/nsssrv.c

@@ -529,7 +529,7 @@ int sss_nss_process_init(TALLOC_CTX *mem_ctx,
 
     ret = sss_process_init(mem_ctx, ev, cdb,
                            nss_cmds,
-                           SSS_NSS_SOCKET_NAME, -1,
+                           SSS_NSS_SOCKET_NAME, SCKT_RSP_UMASK,
                            CONFDB_NSS_CONF_ENTRY,
                            SSS_BUS_NSS, NSS_SBUS_SERVICE_NAME,
                            sss_nss_connection_setup,

src/responder/pac/pacsrv.c

@@ -62,7 +62,7 @@ int pac_process_init(TALLOC_CTX *mem_ctx,
 
     ret = sss_process_init(mem_ctx, ev, cdb,
                            pac_cmds,
-                           SSS_PAC_SOCKET_NAME, -1,
+                           SSS_PAC_SOCKET_NAME, SCKT_RSP_UMASK,
                            CONFDB_PAC_CONF_ENTRY,
                            SSS_BUS_PAC, PAC_SBUS_SERVICE_NAME,
                            sss_connection_setup,

src/responder/pam/pamsrv.c

@@ -169,8 +169,7 @@ static void pam_get_domains_callback(void *pvt)
 
 static int pam_process_init(TALLOC_CTX *mem_ctx,
                             struct tevent_context *ev,
-                            struct confdb_ctx *cdb,
-                            int pipe_fd)
+                            struct confdb_ctx *cdb)
 {
     struct resp_ctx *rctx;
     struct sss_cmd_table *pam_cmds;
@@ -183,7 +182,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
     pam_cmds = get_pam_cmds();
     ret = sss_process_init(mem_ctx, ev, cdb,
                            pam_cmds,
-                           SSS_PAM_SOCKET_NAME, pipe_fd,
+                           SSS_PAM_SOCKET_NAME, SCKT_RSP_UMASK,
                            CONFDB_PAM_CONF_ENTRY,
                            SSS_BUS_PAM, SSS_PAM_SBUS_SERVICE_NAME,
                            sss_connection_setup,
@@ -439,7 +438,6 @@ int main(int argc, const char *argv[])
     int ret;
     uid_t uid = 0;
     gid_t gid = 0;
-    int pipe_fd = -1;
 
     struct poptOption long_options[] = {
         POPT_AUTOHELP
@@ -472,18 +470,6 @@ int main(int argc, const char *argv[])
     debug_log_file = "sssd_pam";
     DEBUG_INIT(debug_level, opt_logger);
 
-    if (!is_socket_activated()) {
-        /* Create pipe file descriptor here before privileges are dropped
-         * in server_setup() */
-        ret = create_pipe_fd(SSS_PAM_SOCKET_NAME, &pipe_fd, SCKT_RSP_UMASK);
-        if (ret != EOK) {
-            DEBUG(SSSDBG_FATAL_FAILURE,
-                  "create_pipe_fd failed [%d]: %s.\n",
-                  ret, sss_strerror(ret));
-            return 2;
-        }
-    }
-
     /* server_setup() might switch to an unprivileged user, so the permissions
      * for p11_child.log have to be fixed first. */
     ret = chown_debug_file("p11_child", uid, gid);
@@ -506,8 +492,7 @@ int main(int argc, const char *argv[])
 
     ret = pam_process_init(main_ctx,
                            main_ctx->event_ctx,
-                           main_ctx->confdb_ctx,
-                           pipe_fd);
+                           main_ctx->confdb_ctx);
     if (ret != EOK) return 3;
 
     /* loop on main */

src/responder/ssh/sshsrv.c

@@ -40,7 +40,7 @@ int ssh_process_init(TALLOC_CTX *mem_ctx,
     ssh_cmds = get_ssh_cmds();
     ret = sss_process_init(mem_ctx, ev, cdb,
                            ssh_cmds,
-                           SSS_SSH_SOCKET_NAME, -1,
+                           SSS_SSH_SOCKET_NAME, SCKT_RSP_UMASK,
                            CONFDB_SSH_CONF_ENTRY,
                            SSS_BUS_SSH, SSS_SSH_SBUS_SERVICE_NAME,
                            sss_connection_setup,

src/responder/sudo/sudosrv.c

@@ -30,8 +30,7 @@
 
 int sudo_process_init(TALLOC_CTX *mem_ctx,
                       struct tevent_context *ev,
-                      struct confdb_ctx *cdb,
-                      int pipe_fd)
+                      struct confdb_ctx *cdb)
 {
     struct resp_ctx *rctx;
     struct sss_cmd_table *sudo_cmds;
@@ -41,7 +40,7 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
     sudo_cmds = get_sudo_cmds();
     ret = sss_process_init(mem_ctx, ev, cdb,
                            sudo_cmds,
-                           SSS_SUDO_SOCKET_NAME, pipe_fd,   /* custom permissions on socket */
+                           SSS_SUDO_SOCKET_NAME, SSS_DFL_UMASK,
                            CONFDB_SUDO_CONF_ENTRY,
                            SSS_BUS_SUDO, SSS_SUDO_SBUS_SERVICE_NAME,
                            sss_connection_setup,
@@ -139,7 +138,6 @@ int main(int argc, const char *argv[])
     char *opt_logger = NULL;
     struct main_context *main_ctx;
     int ret;
-    int pipe_fd = -1;
     uid_t uid = 0;
     gid_t gid = 0;
 
@@ -174,27 +172,6 @@ int main(int argc, const char *argv[])
     debug_log_file = "sssd_sudo";
     DEBUG_INIT(debug_level, opt_logger);
 
-    if (!is_socket_activated()) {
-        /* Create pipe file descriptors here with right ownerschip */
-        ret = create_pipe_fd(SSS_SUDO_SOCKET_NAME, &pipe_fd, SSS_DFL_UMASK);
-        if (ret != EOK) {
-            DEBUG(SSSDBG_FATAL_FAILURE,
-                  "create_pipe_fd failed [%d]: %s.\n",
-                  ret, sss_strerror(ret));
-            return 4;
-        }
-
-        ret = chown(SSS_SUDO_SOCKET_NAME, uid, 0);
-        if (ret != 0) {
-            ret = errno;
-            close(pipe_fd);
-            DEBUG(SSSDBG_FATAL_FAILURE,
-                  "create_pipe_fd failed [%d]: %s.\n",
-                  ret, sss_strerror(ret));
-            return 5;
-        }
-    }
-
     ret = server_setup("sudo", true, 0, uid, gid, CONFDB_FILE,
                        CONFDB_SUDO_CONF_ENTRY, &main_ctx, true);
     if (ret != EOK) {
@@ -210,7 +187,7 @@ int main(int argc, const char *argv[])
 
     ret = sudo_process_init(main_ctx,
                             main_ctx->event_ctx,
-                            main_ctx->confdb_ctx, pipe_fd);
+                            main_ctx->confdb_ctx);
     if (ret != EOK) {
         return 3;
     }

src/responder/sudo/sudosrv_cmd.c

@@ -18,11 +18,14 @@
     along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
+#include "config.h"
+
 #include <stdint.h>
 #include <errno.h>
 #include <talloc.h>
 
 #include "util/util.h"
+#include "util/util_creds.h"
 #include "responder/common/responder.h"
 #include "responder/common/responder_packet.h"
 #include "responder/sudo/sudosrv_private.h"
@@ -199,6 +202,15 @@ static int sudosrv_cmd(enum sss_sudo_type type, struct cli_ctx *cli_ctx)
     pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol);
     protocol = pctx->cli_protocol_version->version;
 
+    /* the only intended client - suid binary 'sudo' */
+    if (cli_ctx->priv != 1) {
+        DEBUG(SSSDBG_IMPORTANT_INFO, "Refusing to serve unprivileged client "
+              "'%s' running under uid = %"SPRIuid"\n",
+              cli_ctx->cmd_line, client_euid(cli_ctx->creds));
+        ret = EFAULT;
+        goto done;
+    }
+
     /* if protocol is invalid return */
     switch (protocol) {
     case 0:

src/sss_client/autofs/sss_autofs.c

@@ -80,6 +80,24 @@ sss_getautomntent_data_clean(void)
     memset(&sss_getautomntent_data, 0, sizeof(struct sss_getautomntent_data));
 }
 
+static int sss_autofs_make_request(enum sss_cli_command cmd,
+                            struct sss_cli_req_data *rd,
+                            uint8_t **repbuf, size_t *replen,
+                            int *errnop)
+{
+    enum sss_status status;
+
+    status = sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT,
+                                              repbuf, replen, errnop,
+                                              SSS_AUTOFS_SOCKET_NAME, false, false);
+
+    if (*errnop == ERR_OFFLINE) {
+        *errnop = EHOSTDOWN;
+    }
+
+    return status;
+}
+
 errno_t
 _sss_setautomntent(const char *mapname, void **context)
 {