URL: https://github.com/SSSD/sssd/pull/616 Author: asheplyakov Title: #616: become_user: add supplementary groups so ad provider can access keytab Action: opened
PR body: """
For security reasons one might want to run providers as a non-privileged user (say, _sssd). However, some providers (in particular ad) might need access to restricted (non world-readable) files (for instance, /etc/krb5.keytab). One of the possible ways to solve the problem is to
- add a special group (for instance, _keytab)
- set the owner:group of the file in question to root:_keytab
- set the permissions of the file in question to 640
- make the _sssd user a member of the _keytab group
For this to work become_user should assign supplementary groups, which is what this patch does.
"""

To pull the PR as a Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/616/head:pr616
git checkout pr616
From b27b33d4521e5b9b8c90b0abbbee753a8989b493 Mon Sep 17 00:00:00 2001 From: Alexey Sheplyakov <asheplya...@altlinux.org> Date: Tue, 10 Jul 2018 15:42:31 +0000 Subject: [PATCH] become_user: add supplementary groups so ad provider can access keytab For security reasons one might want to run providers as a non-privileged user (say, _sssd). However some providers (in particular ad) might need an access to restricted (non world-readable) files (for instance, /etc/krb5.keytab). One of the possible ways to solve the problem is to - add a special group (for instance, _keytab) - set the owner:group of the file in question to root:_keytab - set the permissions of the file in question to 640 - make the _sssd user a member of the _keytab group For this to work become_user should assign supplementary groups, which is what this patch does. --- src/tests/cwrap/test_become_user.c | 6 +++++- src/util/become_user.c | 16 +++++++++++++--- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/src/tests/cwrap/test_become_user.c b/src/tests/cwrap/test_become_user.c index e63cde9d7..88bffbd6b 100644 --- a/src/tests/cwrap/test_become_user.c +++ b/src/tests/cwrap/test_become_user.c @@ -30,9 +30,11 @@ void test_become_user(void **state) { struct passwd *sssd; + gid_t gid; errno_t ret; pid_t pid, wpid; int status; + int group_count; /* Must root as root, real or fake */ assert_int_equal(geteuid(), 0); @@ -58,7 +60,9 @@ void test_become_user(void **state) ret = become_user(sssd->pw_uid, sssd->pw_gid); assert_int_equal(ret, EOK); - assert_int_equal(getgroups(0, NULL), 0); + group_count = getgroups(1, &gid); + assert_int_equal(1, group_count); + assert_int_equal(gid, sssd->pw_gid); exit(0); } diff --git a/src/util/become_user.c b/src/util/become_user.c index c3f726d18..cc43ef588 100644 --- a/src/util/become_user.c +++ b/src/util/become_user.c 
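Review bot: in the test_become_user hunk, `group_count = getgroups(1, &gid);` is fragile and does not exercise the new behaviour. getgroups(2) returns -1 with EINVAL when the caller's list is longer than the size passed, so `assert_int_equal(1, group_count)` fails as soon as the cwrap `sssd` user is given a second group, and as written the only thing asserted is that `pw_gid` is present, which initgroups(3) guarantees regardless of the group database. Suggest sizing the buffer from `getgroups(0, NULL)`, comparing the returned list against the groups the cwrap group file defines for `sssd`, and adding `sssd` to one extra group in that file so the test distinguishes the new `initgroups()` path from the old `setgroups(0, NULL)` one.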
@@ -24,11 +24,13 @@ #include "util/util.h" #include <grp.h> +#include <pwd.h> errno_t become_user(uid_t uid, gid_t gid) { uid_t cuid; int ret; + struct passwd *pwd; DEBUG(SSSDBG_FUNC_DATA, "Trying to become user [%"SPRIuid"][%"SPRIgid"].\n", uid, gid); @@ -40,12 +42,20 @@ errno_t become_user(uid_t uid, gid_t gid) return EOK; } - /* drop supplementary groups first */ - ret = setgroups(0, NULL); + /* init supplmentary groups */ + errno = 0; + pwd = getpwuid(uid); + if (pwd == NULL || pwd->pw_name == NULL) { + ret = errno ?: ENOENT; + DEBUG(SSSDBG_CRIT_FAILURE, + "getpwuid failed [%d][%s].\n", ret, strerror(ret)); + return ret; + } + ret = initgroups(pwd->pw_name, gid); if (ret == -1) { ret = errno; DEBUG(SSSDBG_CRIT_FAILURE, - "setgroups failed [%d][%s].\n", ret, strerror(ret)); + "initgroups failed [%d][%s].\n", ret, strerror(ret)); return ret; }
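Review bot: in the initgroups hunk, `ret = errno ?: ENOENT;` relies on the GNU `?:` extension; spell it out as `ret = (errno != 0) ? errno : ENOENT;` to match the rest of the file and keep it portable. Two smaller points: `getpwuid()` returns a pointer to static storage and is not reentrant, so `getpwuid_r()` with a caller-supplied buffer is the safer choice, and if callers already resolved the user by name before computing `uid`, passing that name into become_user() would avoid doing a second NSS lookup here at all. The comment also misspells "supplementary" (`/* init supplmentary groups */`). Keeping the call where `setgroups(0, NULL)` was is right, since initgroups(3) needs the privilege the function is about to give up.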
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/QA6FGDGJT7CFYYCEIVENMNZTCQNZOWJR/
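The four-step setup from the PR description, carried through as an added shell example with the post-deployment checks an operator would run; this is not code from the PR or from the SSSD project. It assumes a Linux host with shadow-utils (`groupadd`, `usermod`), a `stat` that accepts `-c`, util-linux `runuser`, and an existing `_sssd` service user; the `_keytab` group name and the keytab path are the illustrative ones from the PR and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the SSSD PR: grant a non-privileged service user
# read access to the Kerberos keytab via a dedicated group, then verify it.
# Assumptions: Linux, shadow-utils, stat -c, runuser, and an existing
# service user. Names below are illustrative and overridable.

KEYTAB=${KEYTAB:-/etc/krb5.keytab}
KT_GROUP=${KT_GROUP:-_keytab}
SVC_USER=${SVC_USER:-_sssd}

# Steps 1-4 of the PR description. Must run as root.
setup_keytab_group() {
    getent group "$KT_GROUP" >/dev/null || groupadd --system "$KT_GROUP"
    chown "root:$KT_GROUP" "$KEYTAB"
    chmod 0640 "$KEYTAB"
    # -a appends: the service user keeps whatever groups it already had.
    usermod -aG "$KT_GROUP" "$SVC_USER"
}

# Return 0 if PATH is owned by OWNER:GROUP with exactly octal MODE.
# Catches the common mistakes: group not applied, or a 644 left behind.
check_file_perms() {
    path=$1; owner=$2; group=$3; mode=$4
    actual=$(stat -c '%U %G %a' "$path" 2>/dev/null) || return 1
    [ "$actual" = "$owner $group $mode" ]
}

# Return 0 if USER's group list (primary plus supplementary, as the group
# database defines it) contains GROUP. This is what initgroups(3) consults.
user_in_group() {
    user=$1; group=$2
    for g in $(id -Gn "$user" 2>/dev/null); do
        [ "$g" = "$group" ] && return 0
    done
    return 1
}

# End-to-end check: runuser calls initgroups(3) before exec, so this succeeds
# only because the supplementary group carries over. A daemon that instead
# called setgroups(0, NULL) after switching uid would still get EACCES here.
verify_access() {
    runuser -u "$SVC_USER" -- cat "$KEYTAB" >/dev/null
}

# Typical operator run (needs root):
#   setup_keytab_group
#   check_file_perms "$KEYTAB" root "$KT_GROUP" 640 || echo "keytab perms wrong"
#   user_in_group "$SVC_USER" "$KT_GROUP"         || echo "user not in group"
#   verify_access                                 || echo "service user cannot read keytab"
```

`check_file_perms` and `user_in_group` need no privilege and can be dropped into a config-management test; `setup_keytab_group` and `verify_access` must run as root. Note that `usermod -aG` only changes the group database: the running daemon only picks the group up when it next calls initgroups(), which is exactly the gap the patch closes.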