URL: https://github.com/SSSD/sssd/pull/859
Author: sumit-bose
Title: #859: Make sure child log files have the right permissions
Action: opened

PR body:
"""
If SSSD runs as an unprivileged user we should make sure the log files for
child processes have the right permission so that the child process can
write to them.

Related to https://pagure.io/SSSD/sssd/issue/4056
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/859/head:pr859
git checkout pr859
From 8f77144df1f129d8a2beebf77e286c4dd26294e9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Fri, 2 Aug 2019 13:44:18 +0200
Subject: [PATCH 1/3] pam: make sure p11_child.log has the right permissions

If SSSD runs as an unprivileged user we should make sure the log files for
child processes have the right permission so that the child process can
write to them.

Related to https://pagure.io/SSSD/sssd/issue/4056
---
 src/responder/pam/pamsrv.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 38db6fc9b0..4f5b9b6647 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -399,6 +399,15 @@ int main(int argc, const char *argv[])
         }
     }
 
+    /* server_setup() might switch to an unprivileged user, so the permissions
+     * for p11_child.log have to be fixed first. */
+    ret = chown_debug_file("p11_child", uid, gid);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_MINOR_FAILURE,
+              "Cannot chown the p11_child debug file, "
+              "debugging might not work!\n");
+    }
+
     ret = server_setup("sssd[pam]", 0, uid, gid, CONFDB_PAM_CONF_ENTRY, &main_ctx);
     if (ret != EOK) return 2;
 
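Review bot: the failure branch after chown_debug_file("p11_child", uid, gid) drops ret, so the log line cannot tell a p11_child.log that does not exist yet from a real ownership or permission error. Please include ret in the DEBUG message (for example a trailing "[%d]" with ret), and confirm whether chown_debug_file() returns EOK when the file is absent; if it does not, this message will be logged on every start where p11_child has never run.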

From 95bd98ae7afc63fa6370c2a757d2f797fdc4a73b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Mon, 5 Aug 2019 17:04:14 +0200
Subject: [PATCH 2/3] ssh: make sure p11_child.log has the right permissions

If SSSD runs as an unprivileged user we should make sure the log files for
child processes have the right permission so that the child process can
write to them.

Related to https://pagure.io/SSSD/sssd/issue/4056
---
 src/responder/ssh/sshsrv.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c
index ef2c9d01bc..07397834c7 100644
--- a/src/responder/ssh/sshsrv.c
+++ b/src/responder/ssh/sshsrv.c
@@ -187,6 +187,16 @@ int main(int argc, const char *argv[])
 
     sss_set_logger(opt_logger);
 
+    /* server_setup() might switch to an unprivileged user, so the permissions
+     * for p11_child.log have to be fixed first. We might call p11_child to
+     * validate certificates. */
+    ret = chown_debug_file("p11_child", uid, gid);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_MINOR_FAILURE,
+              "Cannot chown the p11_child debug file, "
+              "debugging might not work!\n");
+    }
+
     ret = server_setup("sssd[ssh]", 0, uid, gid,
                        CONFDB_SSH_CONF_ENTRY, &main_ctx);
     if (ret != EOK) {
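
Review bot: the block added before server_setup("sssd[ssh]", ...) is a copy of the one added to pamsrv.c in patch 1/3, down to the DEBUG text, and patch 3/3 adds a third variant as a static loop. A single shared helper that takes the child name (or a NULL-terminated list of names) plus uid and gid would keep the three call sites from drifting apart. The extra comment sentence "We might call p11_child to validate certificates" is useful and could stay at the call site.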

From 2dcc20d06c219d658090e7b809dd5991894c5af1 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Mon, 5 Aug 2019 17:05:00 +0200
Subject: [PATCH 3/3] BE: make sure child log files have the right permissions

If SSSD runs as an unprivileged user we should make sure the log files for
child processes have the right permission so that the child process can
write to them.

Related to https://pagure.io/SSSD/sssd/issue/4056
---
 src/providers/data_provider_be.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 6dce8286dd..ce00231ff5 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -554,6 +554,27 @@ errno_t be_process_init(TALLOC_CTX *mem_ctx,
     return ret;
 }
 
+static void fix_child_log_permissions(uid_t uid, gid_t gid)
+{
+    int ret;
+    const char *child_names[] = { "krb5_child",
+                                  "ldap_child",
+                                  "selinux_child",
+                                  "ad_gpo_child",
+                                  "proxy_child",
+                                  NULL };
+    size_t c;
+
+    for (c = 0; child_names[c] != NULL; c++) {
+        ret = chown_debug_file(child_names[c], uid, gid);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "Cannot chown the [%s] debug file, "
+                  "debugging might not work!\n", child_names[c]);
+        }
+    }
+}
+
 static void dp_initialized(struct tevent_req *req)
 {
     struct tevent_signal *tes;
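
Review bot: the child_names array in fix_child_log_permissions() is a hard-coded list with no comment saying where it comes from, so a child process added later will silently be left out and hit the same unwritable-log problem. Please add a short comment stating that every backend child with its own log file must be listed here, and declare the array as static const char * const since it never changes. The loop also runs for all five names on every backend regardless of which providers are configured; if chown_debug_file() reports an error for a missing file, each unused child produces a SSSDBG_MINOR_FAILURE line at startup, and as in the other patches ret is not included in the message.
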
@@ -609,6 +630,8 @@ static void dp_initialized(struct tevent_req *req)
               "Cannot chown the debug files, debugging might not work!\n");
     }
 
+    fix_child_log_permissions(be_ctx->uid, be_ctx->gid);
+
     ret = become_user(be_ctx->uid, be_ctx->gid);
     if (ret != EOK) {
         DEBUG(SSSDBG_FUNC_DATA,
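
Review bot: the call to fix_child_log_permissions(be_ctx->uid, be_ctx->gid) only works because it sits before become_user(), but unlike the pam and ssh hunks it has no comment saying so. A one-line comment here, along the lines of the "server_setup() might switch to an unprivileged user" note used in the responders, would keep a later refactor from moving it below the privilege drop.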