
INI: stop using 'libini_config' for access check
alexey-tikhonov committed Oct 23, 2024
1 parent 8e8fbb5 commit 5028e38
Showing 2 changed files with 3 additions and 86 deletions.
77 changes: 3 additions & 74 deletions src/util/sss_ini.c
Expand Up @@ -146,58 +146,6 @@ static int sss_ini_config_file_from_mem(struct sss_ini *self,
&self->file);
}

/* Check configuration file permissions */

static bool is_running_sssd(void)
{
static char exe[1024];
int ret;
const char *s = NULL;

ret = readlink("/proc/self/exe", exe, sizeof(exe) - 1);
if ((ret > 0) && (ret < 1024)) {
exe[ret] = 0;
s = strstr(exe, debug_prg_name);
if ((s != NULL) && (strlen(s) == strlen(debug_prg_name))) {
return true;
}
}

return false;
}

static int sss_ini_access_check(struct sss_ini *self)
{
int ret;
uint32_t flags = INI_ACCESS_CHECK_MODE;

if (!self->main_config_exists) {
return EOK;
}

if (is_running_sssd()) {
flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID;
}

ret = ini_config_access_check(self->file,
flags,
geteuid(),
getegid(),
S_IRUSR, /* r**------ */
ALLPERMS & ~(S_IWUSR|S_IXUSR));

return ret;
}



/* Get file_exists */

bool sss_ini_exists(struct sss_ini *self)
{
return self->main_config_exists;
}

/* Print ini_config errors */

static void sss_ini_config_print_errors(char **error_list)
Expand Down Expand Up @@ -265,29 +213,18 @@ static int sss_ini_add_snippets(struct sss_ini *self,
uint32_t i = 0;
char *msg = NULL;
struct ini_cfgobj *modified_sssd_config = NULL;
struct access_check snip_check;

if (self == NULL || self->sssd_config == NULL || config_dir == NULL) {
return EINVAL;
}

sss_ini_free_ra_messages(self);

snip_check.flags = INI_ACCESS_CHECK_MODE;

if (is_running_sssd()) {
snip_check.flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID;
}
snip_check.uid = geteuid();
snip_check.gid = getegid();
snip_check.mode = S_IRUSR; /* r**------ */
snip_check.mask = ALLPERMS & ~(S_IWUSR | S_IXUSR);

ret = ini_config_augment(self->sssd_config,
config_dir,
patterns,
sections,
&snip_check,
NULL,
INI_STOP_ON_ANY,
INI_MV1S_OVERWRITE,
INI_PARSE_NOWRAP,
Expand Down Expand Up @@ -870,15 +807,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
return ERR_INI_OPEN_FAILED;
}

if (sss_ini_exists(self)) {
ret = sss_ini_access_check(self);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Permission check on config file %s failed: %d\n",
config_file, ret);
return ERR_INI_INVALID_PERMISSION;
}
} else {
if (!self->main_config_exists) {
DEBUG(SSSDBG_CONF_SETTINGS,
"File %s does not exist.\n", config_file);
}
Expand All @@ -899,7 +828,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
return ERR_INI_ADD_SNIPPETS_FAILED;
}

if (!sss_ini_exists(self) &&
if ((!self->main_config_exists) &&
(ref_array_len(sss_ini_get_ra_success_list(self)) == 0)) {
return ERR_INI_EMPTY_CONFIG;
}
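Review bot: On the new side of sss_ini_read_sssd_conf, the branch after `return ERR_INI_OPEN_FAILED;` now only logs when the main config is missing and no longer rejects a present config whose mode or owner is wrong, and sss_ini_add_snippets passes `NULL` to ini_config_augment where `&snip_check` used to be, so conf.d snippets are also loaded regardless of mode and ownership. The diffstat shows only sss_ini.c and sss_ini.h changing, so within this commit the mode/UID/GID enforcement that the deleted sss_ini_access_check() and snip_check provided has no visible replacement; if a later commit in the series re-adds the check elsewhere, the commit message should say so, because sssd.conf and snippets can carry secrets such as bind passwords, and a reader of this commit alone sees the check simply dropped. ERR_INI_INVALID_PERMISSION is also no longer returned from this function, so any caller that maps that code to a user-facing message (presumably sssctl's config check, verify) will never reach it and should be updated or the code retired. Until the replacement lands I would at least document the new contract at the top of sss_ini_read_sssd_conf: `/* NOTE: no permission/ownership check is performed on the config file or snippets here; the caller must verify them before trusting parsed values. */`. Both sss_ini_add_snippets and sss_ini_read_sssd_conf start and end outside the visible hunks.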
12 changes: 0 additions & 12 deletions src/util/sss_ini.h
Expand Up @@ -80,18 +80,6 @@ int sss_ini_open(struct sss_ini *self,
const char *config_file,
const char *fallback_cfg);

/**
* @brief Check whether sss_ini_open() reported that ini file is
* not present
*
* @param[in] self pointer to sss_ini structure
*
* @return
* - true we are using ini file
* - false file was not found
*/
bool sss_ini_exists(struct sss_ini *self);

/**
* @brief Get pointer to list of snippet parsing errors
*/
