URL: https://github.com/SSSD/sssd/pull/616
Author: asheplyakov
Title: #616: become_user: add supplementary groups so ad provider can access keytab
Action: opened

PR body:
"""
For security reasons one might want to run providers as a non-privileged
user (say, _sssd). However, some providers (in particular ad) might need
access to restricted (non world-readable) files (for instance,
/etc/krb5.keytab). One of the possible ways to solve the problem is to
 - add a special group (for instance, _keytab)
 - set the owner:group of the file in question to root:_keytab
 - set the permissions of the file in question to 640
 - make the _sssd user a member of the _keytab group

For this to work become_user should assign supplementary groups, which
is what this patch does.
"""

To pull the PR as a Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/616/head:pr616
git checkout pr616
From b27b33d4521e5b9b8c90b0abbbee753a8989b493 Mon Sep 17 00:00:00 2001
From: Alexey Sheplyakov <asheplya...@altlinux.org>
Date: Tue, 10 Jul 2018 15:42:31 +0000
Subject: [PATCH] become_user: add supplementary groups so ad provider can
 access keytab

For security reasons one might want to run providers as a non-privileged
user (say, _sssd). However, some providers (in particular ad) might need
access to restricted (non world-readable) files (for instance,
/etc/krb5.keytab). One of the possible ways to solve the problem is to
 - add a special group (for instance, _keytab)
 - set the owner:group of the file in question to root:_keytab
 - set the permissions of the file in question to 640
 - make the _sssd user a member of the _keytab group

For this to work become_user should assign supplementary groups, which
is what this patch does.
---
 src/tests/cwrap/test_become_user.c |  6 +++++-
 src/util/become_user.c             | 16 +++++++++++++---
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/src/tests/cwrap/test_become_user.c b/src/tests/cwrap/test_become_user.c
index e63cde9d7..88bffbd6b 100644
--- a/src/tests/cwrap/test_become_user.c
+++ b/src/tests/cwrap/test_become_user.c
@@ -30,9 +30,11 @@
 void test_become_user(void **state)
 {
     struct passwd *sssd;
+    gid_t gid;
     errno_t ret;
     pid_t pid, wpid;
     int status;
+    int group_count;
 
     /* Must root as root, real or fake */
     assert_int_equal(geteuid(), 0);
@@ -58,7 +60,9 @@ void test_become_user(void **state)
         ret = become_user(sssd->pw_uid, sssd->pw_gid);
         assert_int_equal(ret, EOK);
 
-        assert_int_equal(getgroups(0, NULL), 0);
+        group_count = getgroups(1, &gid);
+        assert_int_equal(1, group_count);
+        assert_int_equal(gid, sssd->pw_gid);
         exit(0);
     }
 
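Review bot: `getgroups(1, &gid)` in the fork child only has room for one entry, so if the fake `sssd` user ever gains a supplementary group in the cwrap fixtures the call returns -1 with EINVAL and the `assert_int_equal(1, group_count)` failure will not say why. Suggest calling `getgroups(0, NULL)` first to size the list, then asserting that the list contains `sssd->pw_gid` rather than that it is exactly one entry long. Since the test now depends on initgroups() consulting the nss_wrapper group file, a short comment stating that assumption would help the next person who touches the fixtures.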
diff --git a/src/util/become_user.c b/src/util/become_user.c
index c3f726d18..cc43ef588 100644
--- a/src/util/become_user.c
+++ b/src/util/become_user.c
@@ -24,11 +24,13 @@
 
 #include "util/util.h"
 #include <grp.h>
+#include <pwd.h>
 
 errno_t become_user(uid_t uid, gid_t gid)
 {
     uid_t cuid;
     int ret;
+    struct passwd *pwd;
 
     DEBUG(SSSDBG_FUNC_DATA,
           "Trying to become user [%"SPRIuid"][%"SPRIgid"].\n", uid, gid);
@@ -40,12 +42,20 @@ errno_t become_user(uid_t uid, gid_t gid)
         return EOK;
     }
 
-    /* drop supplementary groups first */
-    ret = setgroups(0, NULL);
+    /* init supplmentary groups */
+    errno = 0;
+    pwd = getpwuid(uid);
+    if (pwd == NULL || pwd->pw_name == NULL) {
+        ret = errno ?: ENOENT;
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "getpwuid failed [%d][%s].\n", ret, strerror(ret));
+        return ret;
+    }
+    ret = initgroups(pwd->pw_name, gid);
     if (ret == -1) {
         ret = errno;
         DEBUG(SSSDBG_CRIT_FAILURE,
-              "setgroups failed [%d][%s].\n", ret, strerror(ret));
+              "initgroups failed [%d][%s].\n", ret, strerror(ret));
         return ret;
     }
 
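Review bot: this changes the failure mode for uids that have no passwd entry: the old `setgroups(0, NULL)` path worked for any numeric uid, while the new code returns ENOENT from `getpwuid()` in that case, so callers that pass a raw uid with no NSS entry now fail; that should be stated in the commit message or the function's doc comment. Smaller points: `getpwuid()` returns a pointer to static storage and is not thread-safe, so `getpwuid_r()` with a caller-supplied buffer is the safer choice in library code; `errno ?: ENOENT` is a GNU extension and `errno != 0 ? errno : ENOENT` is plain C; and "supplmentary" in the new comment is misspelled. Also worth a comment: initgroups() resolves the group list through NSS, so the result depends on which NSS source answers for the local sssd user.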
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/QA6FGDGJT7CFYYCEIVENMNZTCQNZOWJR/
