From 7b02332295c8af0cddbe45ce16bce253a619169c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
Date: Thu, 21 Sep 2023 14:14:25 +0200
Subject: [PATCH] KCM: Handle its own configuration

KCM now uses the /var/lib/sss/db/config_kcm.ldb database to store its
configuration. config.ldb is no longer used by KCM.

The configuration text file remains the same.

Resolves: https://github.com/SSSD/sssd/issues/6926
---
 Makefile.am                          |  3 +-
 src/confdb/confdb.h                  |  1 +
 src/monitor/monitor.c                |  5 --
 src/responder/kcm/kcm.c              | 96 +++++++++++++++++++++++++++-
 src/sysv/systemd/sssd-kcm.service.in |  1 -
 src/util/util.h                      |  6 ++
 6 files changed, 103 insertions(+), 9 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 4bac10d86d4..dd5e5a7ffae 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -626,7 +626,6 @@ SSSD_TOOLS_OBJ = \
     src/tools/tools_util.c \
     src/tools/common/sss_tools.c \
     src/tools/common/sss_process.c \
-    src/confdb/confdb_setup.c \
     src/util/nscd.c \
     $(NULL)
 
@@ -1235,6 +1234,7 @@ libsss_iface_sync_la_LDFLAGS = \
 pkglib_LTLIBRARIES += libsss_util.la
 libsss_util_la_SOURCES = \
     src/confdb/confdb.c \
+    src/confdb/confdb_setup.c \
     src/db/sysdb.c \
     src/db/sysdb_ops.c \
     src/db/sysdb_search.c \
@@ -1513,7 +1513,6 @@ endif
 sssd_SOURCES = \
     src/monitor/monitor.c \
     src/monitor/monitor_netlink.c \
-    src/confdb/confdb_setup.c \
     src/util/nscd.c \
     $(NULL)
 sssd_LDADD = \
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 9b11de59b85..0ade5f88ed6 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -40,6 +40,7 @@
 
 #define CONFDB_DEFAULT_CFG_FILE_VER 2
 #define CONFDB_FILE "config.ldb"
+#define CONFDB_KCM_FILE "config_kcm.ldb"
 #define SSSD_CONFIG_FILE_NAME "sssd.conf"
 #define SSSD_CONFIG_FILE SSSD_CONF_DIR"/"SSSD_CONFIG_FILE_NAME
 #define CONFDB_DEFAULT_CONFIG_DIR_NAME "conf.d"
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 8c2b42676bb..c45af18e1f9 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -72,11 +72,6 @@
  */
 #define KRB5_RCACHE_DIR_DISABLE "__LIBKRB5_DEFAULTS__"
 
-/* Warning messages */
-#define CONF_FILE_PERM_ERROR_MSG "Cannot read config file %s. Please check "\
-                                 "that the file is accessible only by the "\
-                                 "owner and owned by root.root.\n"
-
 int cmdline_debug_level;
 int cmdline_debug_timestamps;
 int cmdline_debug_microseconds;
diff --git a/src/responder/kcm/kcm.c b/src/responder/kcm/kcm.c
index 12ab5ce3e56..899c852961a 100644
--- a/src/responder/kcm/kcm.c
+++ b/src/responder/kcm/kcm.c
@@ -23,6 +23,7 @@
 
 #include <popt.h>
 
+#include "confdb/confdb_setup.h"
 #include "responder/kcm/kcmsrv_ccache.h"
 #include "responder/kcm/kcmsrv_pvt.h"
 #include "responder/kcm/kcm_renew.h"
@@ -311,21 +312,77 @@ static int kcm_process_init(TALLOC_CTX *mem_ctx,
     return ret;
 }
 
+static errno_t load_configuration(const char *config_file,
+                                  const char *config_dir,
+                                  const char *only_section)
+{
+    errno_t ret;
+    TALLOC_CTX *tmp_ctx;
+    uid_t sssd_uid;
+    gid_t sssd_gid;
+    struct confdb_ctx *cdb;
+    char *cdb_file;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_FATAL_FAILURE, "Failed to allocate the initial context\n");
+        return ENOMEM;
+    }
+
+    cdb_file = talloc_asprintf(tmp_ctx, "%s/%s", DB_PATH, CONFDB_KCM_FILE);
+    if (cdb_file == NULL) {
+        DEBUG(SSSDBG_FATAL_FAILURE, "Failed to allocate memory for the filename\n");
+        ret = ENOMEM;
+        goto done;
+    }
+
+    ret = confdb_setup(tmp_ctx, cdb_file, config_file, config_dir, only_section,
+                       &cdb);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE, "Unable to setup ConfDB [%d]: %s\n",
+             ret, sss_strerror(ret));
+        goto done;
+    }
+
+    /* Allow configuration database to be accessible
+     * when SSSD runs as nonroot */
+    sss_sssd_user_uid_and_gid(&sssd_uid, &sssd_gid);
+    ret = chown(cdb_file, sssd_uid, sssd_gid);
+    if (ret != 0) {
+        ret = errno;
+        DEBUG(SSSDBG_FATAL_FAILURE,
+              "chown failed for [%s]: [%d][%s].\n",
+              cdb_file, ret, sss_strerror(ret));
+        goto done;
+    }
+
+    ret = EOK;
+
+done:
+    talloc_free(tmp_ctx);
+    return ret;
+}
+
 int main(int argc, const char *argv[])
 {
+    TALLOC_CTX *tmp_ctx;
     int opt;
     poptContext pc;
     char *opt_logger = NULL;
+    char *opt_config_file = NULL;
+    const char *config_file = NULL;
     struct main_context *main_ctx;
     int ret;
     uid_t uid = 0;
     gid_t gid = 0;
+    int flags = 0;
 
     struct poptOption long_options[] = {
         POPT_AUTOHELP
         SSSD_MAIN_OPTS
         SSSD_LOGGER_OPTS
         SSSD_SERVER_OPTS(uid, gid)
+        SSSD_CONFIG_OPTS(opt_config_file)
         POPT_TABLEEND
     };
 
@@ -347,14 +404,49 @@ int main(int argc, const char *argv[])
 
     poptFreeContext(pc);
 
+    tmp_ctx = talloc_new(NULL);
+    if (!tmp_ctx) {
+        return 3;
+    }
+
     /* set up things like debug, signals, daemonization, etc. */
     debug_log_file = "sssd_kcm";
     DEBUG_INIT(debug_level, opt_logger);
 
-    ret = server_setup("kcm", true, 0, uid, gid, CONFDB_FILE,
+     if (opt_config_file == NULL) {
+        config_file = SSSD_CONFIG_FILE;
+    } else {
+        config_file = opt_config_file;
+    }
+
+   /* Parse config file, fail if cannot be done */
+    ret = load_configuration(config_file, CONFDB_DEFAULT_CONFIG_DIR, "kcm");
+    if (ret != EOK) {
+        switch (ret) {
+        case EPERM:
+        case EACCES:
+            DEBUG(SSSDBG_FATAL_FAILURE,
+                  CONF_FILE_PERM_ERROR_MSG, config_file);
+            sss_log(SSS_LOG_CRIT, CONF_FILE_PERM_ERROR_MSG, config_file);
+            break;
+        default:
+            DEBUG(SSSDBG_FATAL_FAILURE,
+                 "KCM couldn't load the configuration database [%d]: %s\n",
+                 ret, sss_strerror(ret));
+            sss_log(SSS_LOG_CRIT,
+                   "KCM couldn't load the configuration database [%d]: %s\n",
+                    ret, sss_strerror(ret));
+            break;
+        }
+        return 4;
+    }
+
+    ret = server_setup("kcm", true, flags, uid, gid, CONFDB_KCM_FILE,
                        CONFDB_KCM_CONF_ENTRY, &main_ctx, true);
     if (ret != EOK) return 2;
 
+    DEBUG(SSSDBG_TRACE_FUNC, "CONFIG: %s\n", config_file);
+
     ret = die_if_parent_died();
     if (ret != EOK) {
         /* This is not fatal, don't return */
@@ -370,5 +462,7 @@ int main(int argc, const char *argv[])
     /* loop on main */
     server_loop(main_ctx);
 
+    free(opt_config_file);
+
     return 0;
 }
diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
index a8af4eadcff..853d19f7b9d 100644
--- a/src/sysv/systemd/sssd-kcm.service.in
+++ b/src/sysv/systemd/sssd-kcm.service.in
@@ -9,7 +9,6 @@ Also=sssd-kcm.socket
 
 [Service]
 Environment=DEBUG_LOGGER=--logger=files
-ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
 ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
 # Currently SSSD KCM server ('sssd_kcm') always runs under 'root'
 # ('User=' and 'Group=' defaults to 'root' for system services)
diff --git a/src/util/util.h b/src/util/util.h
index 2b49b684ef2..50e0fade4a8 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -886,4 +886,10 @@ static inline struct timeval sss_tevent_timeval_current_ofs_time_t(time_t secs)
     uint32_t secs32 = (secs > UINT_MAX ? UINT_MAX : secs);
     return tevent_timeval_current_ofs(secs32, 0);
 }
+
+#define CONF_FILE_PERM_ERROR_MSG "Cannot read config file %s. Please check "\
+                                 "that the file is accessible only by the "\
+                                 "owner and owned by root.root.\n"
+
+
 #endif /* __SSSD_UTIL_H__ */