diff --git a/configure.ac b/configure.ac index ed7a12d6afc..94fb1a93ca7 100644 --- a/configure.ac +++ b/configure.ac @@ -181,6 +181,7 @@ WITH_SUDO_LIB_PATH WITH_AUTOFS WITH_FILES_PROVIDER WITH_EXTENDED_ENUMERATION_SUPPORT +WITH_CONF_SERVICE_USER_SUPPORT WITH_SUBID WITH_SUBID_LIB_PATH WITH_PASSKEY diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 0296d9f0910..5f286b07eb4 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -596,6 +596,7 @@ autoreconf -ivf --with-test-dir=/dev/shm \ %if 0%{?rhel} == 9 --with-libsifp \ + --with-conf-service-user-support \ %endif %if %{build_subid} --with-subid \ diff --git a/src/conf_macros.m4 b/src/conf_macros.m4 index a8f76dfe453..031dbe038ed 100644 --- a/src/conf_macros.m4 +++ b/src/conf_macros.m4 @@ -839,6 +839,25 @@ AC_DEFUN([WITH_SSSD_USER], fi ]) +AC_DEFUN([WITH_CONF_SERVICE_USER_SUPPORT], + [ AC_ARG_WITH([conf-service-user-support], + [AC_HELP_STRING([--with-conf-service-user-support], + [Whether to build support for sssd.conf::user option [no]. + Requires "--with-sssd-user=..." to be used. + Please take a note that this feature is deprecated and + might be removed in further releases.] + ) + ], + [with_conf_service_user_support=$withval], + with_conf_service_user_support=no + ) + + if test x"$with_conf_service_user_support" = xyes; then + AC_DEFINE(BUILD_CONF_SERVICE_USER_SUPPORT, 1, [Whether to build support for sssd.conf::user option]) + fi + AM_CONDITIONAL([BUILD_CONF_SERVICE_USER_SUPPORT], [test x"$with_conf_service_user_support" = xyes]) + ]) + AC_DEFUN([WITH_AD_GPO_DEFAULT], [ AC_ARG_WITH([ad-gpo-default], [AS_HELP_STRING([--with-ad-gpo-default=[enforcing|permissive]], diff --git a/src/man/Makefile.am b/src/man/Makefile.am index 6e61aed68f0..13a1d286641 100644 --- a/src/man/Makefile.am +++ b/src/man/Makefile.am 
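Review bot: The new WITH_CONF_SERVICE_USER_SUPPORT macro documents that it requires --with-sssd-user but never checks it: with the option enabled and no non-root user configured, BUILD_CONF_SERVICE_USER_SUPPORT is defined while the code it enables in monitor.c (hunk @@ -861) and monitor_bootstrap.c (hunk @@ -77) stays wrapped in `#ifdef SSSD_NON_ROOT_USER`, so the build succeeds, `target_uid`/`target_gid` become unused parameters and the sssd.conf user option is silently ignored. Make configure fail instead, e.g. `AC_MSG_ERROR([--with-conf-service-user-support requires --with-sssd-user])` inside the `xyes` branch, keyed on whatever WITH_SSSD_USER sets (its body is not visible here). The neighbouring WITH_AD_GPO_DEFAULT macro uses AS_HELP_STRING; AC_HELP_STRING is the obsolete spelling, so use AS_HELP_STRING here as well.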
@@ -65,12 +65,15 @@ ENUM_CONDS = ;without_ext_enumeration endif if SSSD_NON_ROOT_USER SSSD_NON_ROOT_USER_CONDS = ;with_non_root_user_support +if BUILD_CONF_SERVICE_USER_SUPPORT +SSSD_CONF_SERVICE_USER_CONDS = ;with_conf_service_user_support +endif else SSSD_NON_ROOT_USER_CONDS = ;without_non_root_user_support endif -CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(SSH_KNOWN_HOSTS_PROXY_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(ENUM_CONDS) +CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(SSH_KNOWN_HOSTS_PROXY_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(SSSD_CONF_SERVICE_USER_CONDS)$(ENUM_CONDS) #Special Rules: diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 5bec05bdd24..b97038d740b 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -399,7 +399,7 @@ - + user (string) diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c index 78c3d0ae00f..376b21932f7 100644 --- a/src/monitor/monitor.c +++ b/src/monitor/monitor.c @@ -120,9 +120,11 @@ struct mt_ctx { struct sbus_server *sbus_server; struct sbus_connection *sbus_conn; - /* For running unprivileged services */ +#ifdef BUILD_CONF_SERVICE_USER_SUPPORT + /* User to switch to in run time */ uid_t uid; gid_t gid; +#endif }; static int start_service(struct mt_svc *mt_svc); @@ -811,6 +813,7 @@ static char *check_services(char **services) return NULL; } +#ifdef BUILD_CONF_SERVICE_USER_SUPPORT static int get_service_user(struct sss_ini *config, struct mt_ctx *ctx) { errno_t ret = EOK; 
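Review bot: SSSD_CONF_SERVICE_USER_CONDS has no `without_` counterpart, unlike SSSD_NON_ROOT_USER_CONDS right next to it, so a man-page `<condition>` can only test the enabled case and the variable is simply undefined in the other branches. For consistency with the surrounding conditionals add `else` / `SSSD_CONF_SERVICE_USER_CONDS = ;without_conf_service_user_support` / `endif` to the new block, and set the same default in the outer `else` branch too, since the nested `if` leaves the variable empty whenever the build has no non-root user support at all.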
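Review bot: The replacement comment `/* User to switch to in run time */` on the `uid`/`gid` fields of struct mt_ctx says less than the one it replaces and does not say where the values come from or when they are used. get_service_user() in the next hunk appears to fill them from the parsed configuration and bootstrap_monitor_process() acts on them only when the monitor starts as root, so a comment such as `/* uid:gid from the deprecated sssd.conf 'user' option; applied by bootstrap_monitor_process() when the monitor is started as root */` would carry that. Any reader of these fields outside the hunks shown here now also needs the BUILD_CONF_SERVICE_USER_SUPPORT guard, since the fields no longer exist without it.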
@@ -861,10 +864,11 @@ static int get_service_user(struct sss_ini *config, struct mt_ctx *ctx) } free(user_str); -#endif +#endif /* SSSD_NON_ROOT_USER */ return ret; } +#endif /* BUILD_CONF_SERVICE_USER_SUPPORT */ static void get_debug_level(struct sss_ini *config) { @@ -1953,7 +1957,12 @@ static void check_nscd(void) } } +#ifdef BUILD_CONF_SERVICE_USER_SUPPORT int bootstrap_monitor_process(uid_t target_uid, gid_t target_gid); +#else +int bootstrap_monitor_process(void); +#endif + void setup_keyring(void); int main(int argc, const char *argv[]) @@ -2109,6 +2118,7 @@ int main(int argc, const char *argv[]) goto out; } +#ifdef BUILD_CONF_SERVICE_USER_SUPPORT ret = get_service_user(config, monitor); if (ret != EOK) { ret = 4; /* Error message already logged */ @@ -2116,6 +2126,9 @@ int main(int argc, const char *argv[]) } ret = bootstrap_monitor_process(monitor->uid, monitor->gid); +#else + ret = bootstrap_monitor_process(); +#endif if (ret != 0) { ERROR("Failed to boostrap SSSD 'monitor' process: %s", sss_strerror(ret)); sss_log(SSS_LOG_ALERT, "Failed to boostrap SSSD 'monitor' process."); diff --git a/src/monitor/monitor_bootstrap.c b/src/monitor/monitor_bootstrap.c index 6bbee881e9c..e8b6d63c676 100644 --- a/src/monitor/monitor_bootstrap.c +++ b/src/monitor/monitor_bootstrap.c @@ -77,13 +77,18 @@ static int check_supplementary_group(gid_t gid) } #endif /* SSSD_NON_ROOT_USER */ +#ifdef BUILD_CONF_SERVICE_USER_SUPPORT int bootstrap_monitor_process(uid_t target_uid, gid_t target_gid) +#else +int bootstrap_monitor_process(void) +#endif { #ifdef SSSD_NON_ROOT_USER int ret; gid_t sssd_gid = 0; if (geteuid() == 0) { +#ifdef BUILD_CONF_SERVICE_USER_SUPPORT if (target_uid != 0) { /* Started under root but non-root 'sssd.conf::user' configured - * deprecated method. 
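Review bot: The prototype of bootstrap_monitor_process() is written by hand in monitor.c and its definition lives in monitor_bootstrap.c, and this commit now keeps two copies of the `#ifdef`/`#else` signature pair in sync manually. If the copies ever drift the call still compiles and links, because C performs no type checking across translation units, and the callee then reads uid/gid arguments that were never passed — undefined behaviour in the one function that decides which identity the process runs under. Declare the prototype once in a header included by both files (the monitor headers are not visible here) so the compiler enforces the match.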
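Review bot: In the `#else` branch of main() the configured sssd.conf user value is never read, so a deployment that relied on a `user` setting to drop the monitor's privileges silently keeps running as root after moving to a build without this option; the same applies to get_service_user() in hunk @@ -811, whose body is additionally gated on SSSD_NON_ROOT_USER. Before the `ret = bootstrap_monitor_process();` call, check whether the option is present in `config` (using the same sss_ini accessor get_service_user() uses today) and report through `sss_log()`/`ERROR()` that it is ignored, so the change in effective privileges shows up in the logs rather than only in the man page. main() starts and continues outside this hunk.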
@@ -95,7 +100,9 @@ int bootstrap_monitor_process(uid_t target_uid, gid_t target_gid) sss_log(SSS_LOG_ALERT, "Failed to change uid:gid"); return 1; } - } else { + } else +#endif + { /* In case SSSD is built with non-root user support, but * runs under 'root', a number of files are still sssd:sssd owned. * Make sure all processes are added to 'sssd' supplementary
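Review bot: Splitting `} else` from its `{` with `#endif` makes the brace structure of bootstrap_monitor_process() depend on the preprocessor: in a build without BUILD_CONF_SERVICE_USER_SUPPORT the reader sees `if (geteuid() == 0) {` followed by a bare `{` block, and formatters or static checkers that track braces per preprocessor branch stumble over it. A less fragile shape gives the disabled build zero-valued local `target_uid`/`target_gid` constants at the top of the function (in the preceding hunk) and leaves `if (target_uid != 0) { … } else {` unconditional; the compiler drops the dead branch. If the intent is to keep the identity-switching code out of the binary altogether, keep the guard but wrap the whole `if`/`else` statement rather than the `else` keyword alone. The function body continues outside this hunk.
```c
#ifdef SSSD_NON_ROOT_USER
    int ret;
    gid_t sssd_gid = 0;
#ifndef BUILD_CONF_SERVICE_USER_SUPPORT
    /* No sssd.conf 'user' support built in: behave as if uid:gid 0 was requested. */
    const uid_t target_uid = 0;
    const gid_t target_gid = 0;
#endif

    if (geteuid() == 0) {
        if (target_uid != 0) {
            /* … unchanged: deprecated uid:gid switch … */
        } else {
            /* … unchanged: supplementary 'sssd' group handling … */
```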