diff --git a/Makefile.am b/Makefile.am index eb5d05cac51..aaf4f0773f6 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1792,6 +1792,7 @@ sssd_kcm_SOURCES = \ src/util/sss_sockets.c \ src/util/sss_krb5.c \ src/util/sss_iobuf.c \ + src/confdb/confdb_setup.c \ $(SSSD_RESPONDER_OBJ) \ $(NULL) sssd_kcm_CFLAGS = \ diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 9b11de59b85..0ade5f88ed6 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -40,6 +40,7 @@ #define CONFDB_DEFAULT_CFG_FILE_VER 2 #define CONFDB_FILE "config.ldb" +#define CONFDB_KCM_FILE "config_kcm.ldb" #define SSSD_CONFIG_FILE_NAME "sssd.conf" #define SSSD_CONFIG_FILE SSSD_CONF_DIR"/"SSSD_CONFIG_FILE_NAME #define CONFDB_DEFAULT_CONFIG_DIR_NAME "conf.d" diff --git a/src/responder/kcm/kcm.c b/src/responder/kcm/kcm.c index 12ab5ce3e56..505125dec62 100644 --- a/src/responder/kcm/kcm.c +++ b/src/responder/kcm/kcm.c @@ -23,6 +23,7 @@ #include +#include "confdb/confdb_setup.h" #include "responder/kcm/kcmsrv_ccache.h" #include "responder/kcm/kcmsrv_pvt.h" #include "responder/kcm/kcm_renew.h" @@ -38,6 +39,11 @@ #define SSS_KCM_SOCKET_NAME DEFAULT_KCM_SOCKET_PATH #endif +#define CONF_FILE_PERM_ERROR_MSG "Cannot read config file %s. Please check "\ + "that the file is accessible only by the "\ + "owner and owned by root.root.\n" + + static int kcm_responder_ctx_destructor(void *ptr) { struct resp_ctx *rctx = talloc_get_type(ptr, struct resp_ctx); @@ -311,21 +317,63 @@ static int kcm_process_init(TALLOC_CTX *mem_ctx, return ret; } +static errno_t load_configuration(const char *config_file, + const char *config_dir, + const char *only_section) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx; + struct confdb_ctx *cdb; + char *cdb_file; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to allocate the initial context\n"); + return ENOMEM; + } + + cdb_file = talloc_asprintf(tmp_ctx, "%s/%s", DB_PATH, CONFDB_KCM_FILE); + if (cdb_file == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to allocate memory for the filename\n"); + ret = ENOMEM; + goto done; + } + + ret = confdb_setup(tmp_ctx, cdb_file, config_file, config_dir, only_section, + &cdb); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to setup ConfDB [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + int main(int argc, const char *argv[]) { + TALLOC_CTX *tmp_ctx; int opt; poptContext pc; char *opt_logger = NULL; + char *opt_config_file = NULL; + const char *config_file = NULL; struct main_context *main_ctx; int ret; uid_t uid = 0; gid_t gid = 0; + int flags = 0; struct poptOption long_options[] = { POPT_AUTOHELP SSSD_MAIN_OPTS SSSD_LOGGER_OPTS SSSD_SERVER_OPTS(uid, gid) + SSSD_CONFIG_OPTS(opt_config_file) POPT_TABLEEND }; @@ -347,14 +395,49 @@ int main(int argc, const char *argv[]) poptFreeContext(pc); + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return 3; + } + /* set up things like debug, signals, daemonization, etc. */ debug_log_file = "sssd_kcm"; DEBUG_INIT(debug_level, opt_logger); - ret = server_setup("kcm", true, 0, uid, gid, CONFDB_FILE, + if (opt_config_file == NULL) { + config_file = SSSD_CONFIG_FILE; + } else { + config_file = opt_config_file; + } + + /* Parse config file, fail if cannot be done */ + ret = load_configuration(config_file, CONFDB_DEFAULT_CONFIG_DIR, "kcm"); + if (ret != EOK) { + switch (ret) { + case EPERM: + case EACCES: + DEBUG(SSSDBG_FATAL_FAILURE, + CONF_FILE_PERM_ERROR_MSG, config_file); + sss_log(SSS_LOG_CRIT, CONF_FILE_PERM_ERROR_MSG, config_file); + break; + default: + DEBUG(SSSDBG_FATAL_FAILURE, + "KCM couldn't load the configuration database [%d]: %s\n", + ret, sss_strerror(ret)); + sss_log(SSS_LOG_CRIT, + "KCM couldn't load the configuration database [%d]: %s\n", + ret, sss_strerror(ret)); + break; + } + return 4; + } + + ret = server_setup("kcm", true, flags, uid, gid, CONFDB_KCM_FILE, CONFDB_KCM_CONF_ENTRY, &main_ctx, true); if (ret != EOK) return 2; + DEBUG(SSSDBG_TRACE_FUNC, "CONFIG: %s\n", config_file); + ret = die_if_parent_died(); if (ret != EOK) { /* This is not fatal, don't return */ @@ -370,5 +453,7 @@ int main(int argc, const char *argv[]) /* loop on main */ server_loop(main_ctx); + free(opt_config_file); + return 0; } diff --git a/src/sysv/gentoo/sssd-kcm.in b/src/sysv/gentoo/sssd-kcm.in index c9242bf9fb9..2268bc692d4 100644 --- a/src/sysv/gentoo/sssd-kcm.in +++ b/src/sysv/gentoo/sssd-kcm.in @@ -8,11 +8,6 @@ command_background="true" command_args="--uid=0 --gid=0 --logger=files ${SSSD_KCM_OPTIONS}" pidfile="@pidpath@/sssd_kcm.pid" -start_pre() -{ - "@sbindir@/sssd" --genconf-section=kcm || return $? -} - depend() { need localmount clock diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in index a8af4eadcff..853d19f7b9d 100644 --- a/src/sysv/systemd/sssd-kcm.service.in +++ b/src/sysv/systemd/sssd-kcm.service.in @@ -9,7 +9,6 @@ Also=sssd-kcm.socket [Service] Environment=DEBUG_LOGGER=--logger=files -ExecStartPre=-@sbindir@/sssd --genconf-section=kcm ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER} # Currently SSSD KCM server ('sssd_kcm') always runs under 'root' # ('User=' and 'Group=' defaults to 'root' for system services) diff --git a/src/tests/intg/test_kcm.py b/src/tests/intg/test_kcm.py index 370e2a9174c..0d2638f211f 100644 --- a/src/tests/intg/test_kcm.py +++ b/src/tests/intg/test_kcm.py @@ -79,9 +79,6 @@ def create_conf_fixture(request, contents): def create_sssd_kcm_fixture(sock_path, krb5_conf_path, request): - if subprocess.call(['sssd', "--genconf"]) != 0: - raise Exception("failed to regenerate confdb") - resp_path = os.path.join(config.LIBEXEC_PATH, "sssd", "sssd_kcm") if not os.access(resp_path, os.X_OK): # It would be cleaner to use pytest.mark.skipif on the package level