BUILD: make support of 'sssd.conf::user' option configurable

:relnote:TODO

configure.ac

@@ -181,6 +181,7 @@ WITH_SUDO_LIB_PATH
 WITH_AUTOFS
 WITH_FILES_PROVIDER
 WITH_EXTENDED_ENUMERATION_SUPPORT
+WITH_CONF_SERVICE_USER_SUPPORT
 WITH_SUBID
 WITH_SUBID_LIB_PATH
 WITH_PASSKEY

contrib/sssd.spec.in

@@ -596,6 +596,7 @@ autoreconf -ivf
     --with-test-dir=/dev/shm \
 %if 0%{?rhel} == 9
     --with-libsifp \
+    --with-conf-service-user-support \
 %endif
 %if %{build_subid}
     --with-subid \

src/conf_macros.m4

@@ -839,6 +839,25 @@ AC_DEFUN([WITH_SSSD_USER],
     fi
   ])
 
+AC_DEFUN([WITH_CONF_SERVICE_USER_SUPPORT],
+  [ AC_ARG_WITH([conf-service-user-support],
+                [AC_HELP_STRING([--with-conf-service-user-support],
+                                [Whether to build support for sssd.conf::user option [no].
+                                 Requires "--with-sssd-user=..." to be used.
+                                 Please take a note that this feature is deprecated and
+                                 might be removed in further releases.]
+                               )
+                ],
+                [with_conf_service_user_support=$withval],
+                with_conf_service_user_support=no
+               )
+
+    if test x"$with_conf_service_user_support" = xyes; then
+        AC_DEFINE(BUILD_CONF_SERVICE_USER_SUPPORT, 1, [Whether to build support for sssd.conf::user option])
+    fi
+    AM_CONDITIONAL([BUILD_CONF_SERVICE_USER_SUPPORT], [test x"$with_conf_service_user_support" = xyes])
+  ])
+
   AC_DEFUN([WITH_AD_GPO_DEFAULT],
     [ AC_ARG_WITH([ad-gpo-default],
                   [AS_HELP_STRING([--with-ad-gpo-default=[enforcing|permissive]],

src/man/Makefile.am

@@ -65,12 +65,15 @@ ENUM_CONDS = ;without_ext_enumeration
 endif
 if SSSD_NON_ROOT_USER
 SSSD_NON_ROOT_USER_CONDS = ;with_non_root_user_support
+if BUILD_CONF_SERVICE_USER_SUPPORT
+SSSD_CONF_SERVICE_USER_CONDS = ;with_conf_service_user_support
+endif
 else
 SSSD_NON_ROOT_USER_CONDS = ;without_non_root_user_support
 endif
 
 
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(SSH_KNOWN_HOSTS_PROXY_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(ENUM_CONDS)
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(SSH_KNOWN_HOSTS_PROXY_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(SSSD_CONF_SERVICE_USER_CONDS)$(ENUM_CONDS)
 
 
 #Special Rules:

src/man/sssd.conf.5.xml

@@ -399,7 +399,7 @@
                             </para>
                         </listitem>
                     </varlistentry>
-                    <varlistentry condition="with_non_root_user_support">
+                    <varlistentry condition="with_conf_service_user_support">
                         <term>user (string)</term>
                         <listitem>
                             <para>

src/monitor/monitor.c

@@ -120,9 +120,11 @@ struct mt_ctx {
     struct sbus_server *sbus_server;
     struct sbus_connection *sbus_conn;
 
-    /* For running unprivileged services */
+#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
+    /* User to switch to in run time */
     uid_t uid;
     gid_t gid;
+#endif
 };
 
 static int start_service(struct mt_svc *mt_svc);
@@ -811,6 +813,7 @@ static char *check_services(char **services)
     return NULL;
 }
 
+#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
 static int get_service_user(struct sss_ini *config, struct mt_ctx *ctx)
 {
     errno_t ret = EOK;
@@ -861,10 +864,11 @@ static int get_service_user(struct sss_ini *config, struct mt_ctx *ctx)
     }
 
     free(user_str);
-#endif
+#endif /* SSSD_NON_ROOT_USER */
 
     return ret;
 }
+#endif /* BUILD_CONF_SERVICE_USER_SUPPORT */
 
 static void get_debug_level(struct sss_ini *config)
 {
@@ -1953,7 +1957,12 @@ static void check_nscd(void)
     }
 }
 
+#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
 int bootstrap_monitor_process(uid_t target_uid, gid_t target_gid);
+#else
+int bootstrap_monitor_process(void);
+#endif
+
 void setup_keyring(void);
 
 int main(int argc, const char *argv[])
@@ -2109,13 +2118,17 @@ int main(int argc, const char *argv[])
         goto out;
     }
 
+#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
     ret = get_service_user(config, monitor);
     if (ret != EOK) {
         ret = 4; /* Error message already logged */
         goto out;
     }
 
     ret = bootstrap_monitor_process(monitor->uid, monitor->gid);
+#else
+    ret = bootstrap_monitor_process();
+#endif
     if (ret != 0) {
         ERROR("Failed to boostrap SSSD 'monitor' process: %s", sss_strerror(ret));
         sss_log(SSS_LOG_ALERT, "Failed to boostrap SSSD 'monitor' process.");

src/monitor/monitor_bootstrap.c

@@ -77,13 +77,18 @@ static int check_supplementary_group(gid_t gid)
 }
 #endif /* SSSD_NON_ROOT_USER */
 
+#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
 int bootstrap_monitor_process(uid_t target_uid, gid_t target_gid)
+#else
+int bootstrap_monitor_process(void)
+#endif
 {
 #ifdef SSSD_NON_ROOT_USER
     int ret;
     gid_t sssd_gid = 0;
 
     if (geteuid() == 0) {
+#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
         if (target_uid != 0) {
             /* Started under root but non-root 'sssd.conf::user' configured -
              * deprecated method.
@@ -95,7 +100,9 @@ int bootstrap_monitor_process(uid_t target_uid, gid_t target_gid)
                 sss_log(SSS_LOG_ALERT, "Failed to change uid:gid");
                 return 1;
             }
-        } else {
+        } else
+#endif
+        {
             /* In case SSSD is built with non-root user support, but
              * runs under 'root', a number of files are still sssd:sssd owned.
              * Make sure all processes are added to 'sssd' supplementary