MONITOR: disable 'user' config option in case --with-sssd-user=root

In case SSSD was configured and built --with-sssd-user=root, no other value of 'user' config option (besides default 'root') is supported. Having it documented in the man page in this case only brings confusion. Reviewed-by: Iker Pedrosa <[email protected]> Reviewed-by: Pavel Březina <[email protected]>
SSSD · May 3, 2023 · 9bf55bf · 9bf55bf
1 parent d0a6bf6
commit 9bf55bf
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 4 deletions.
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
@@ -804,7 +804,7 @@ AC_DEFUN([WITH_NFS_LIB_PATH],
 AC_DEFUN([WITH_SSSD_USER],
   [ AC_ARG_WITH([sssd-user],
                 [AS_HELP_STRING([--with-sssd-user=<user>],
-                                [User for running SSSD (root)]
+                                [Additional user, besides root, supported for running SSSD (not set)]
                                )
                 ]
                )
@@ -816,9 +816,12 @@ AC_DEFUN([WITH_SSSD_USER],
     fi
 
     AC_SUBST(SSSD_USER)
-    AC_DEFINE_UNQUOTED(SSSD_USER, "$SSSD_USER", ["The default user to run SSSD as"])
+    AC_DEFINE_UNQUOTED(SSSD_USER, "$SSSD_USER", ["Supported non-root user to run SSSD as"])
     AM_CONDITIONAL([SSSD_USER], [test x"$with_sssd_user" != x])
     AM_CONDITIONAL([SSSD_NON_ROOT_USER], [test x"$SSSD_USER" != xroot])
+    if test x"$SSSD_USER" != xroot; then
+        AC_DEFINE(SSSD_NON_ROOT_USER, 1, [whether support of non root user configured])
+    fi
   ])
 
   AC_DEFUN([WITH_AD_GPO_DEFAULT],

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
@@ -74,7 +74,9 @@
 #define CONFDB_MONITOR_KRB5_RCACHEDIR "krb5_rcache_dir"
 #define CONFDB_MONITOR_DEFAULT_DOMAIN "default_domain_suffix"
 #define CONFDB_MONITOR_OVERRIDE_SPACE "override_space"
+#ifdef SSSD_NON_ROOT_USER
 #define CONFDB_MONITOR_USER_RUNAS "user"
+#endif
 #define CONFDB_MONITOR_CERT_VERIFICATION "certificate_verification"
 #define CONFDB_MONITOR_DISABLE_NETLINK "disable_netlink"
 #define CONFDB_MONITOR_ENABLE_FILES_DOM "enable_files_domain"

diff --git a/src/man/Makefile.am b/src/man/Makefile.am
@@ -55,9 +55,12 @@ FILES_PROVIDER_CONDS = ;with_files_provider
 else
 FILES_PROVIDER_CONDS = ;without_files_provider
 endif
+if SSSD_NON_ROOT_USER
+SSSD_NON_ROOT_USER_CONDS = ;with_non_root_user_support
+endif
 
 
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS)
 
 
 #Special Rules:

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
@@ -402,7 +402,7 @@
                             </para>
                         </listitem>
                     </varlistentry>
-                    <varlistentry>
+                    <varlistentry condition="with_non_root_user_support">
                         <term>user (string)</term>
                         <listitem>
                             <para>

diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
@@ -825,6 +825,7 @@ static char *check_services(char **services)
 
 static int get_service_user(struct mt_ctx *ctx)
 {
+#ifdef SSSD_NON_ROOT_USER
     errno_t ret;
     char *user_str;
 
@@ -842,6 +843,10 @@ static int get_service_user(struct mt_ctx *ctx)
         DEBUG(SSSDBG_FATAL_FAILURE, "Failed to set allowed UIDs.\n");
         return ret;
     }
+#else
+    ctx->uid = 0;
+    ctx->gid = 0;
+#endif
 
     return EOK;
 }