From 9bf55bf9ada9efeb2903823877f71b0f363a5a7c Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Tue, 21 Mar 2023 20:17:07 +0100 Subject: [PATCH] MONITOR: disable 'user' config option in case --with-sssd-user=root MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In case SSSD was configured and built --with-sssd-user=root, no other value of 'user' config option (besides default 'root') is supported. Having it documented in the man page in this case only brings confusion. Reviewed-by: Iker Pedrosa Reviewed-by: Pavel Březina --- src/conf_macros.m4 | 7 +++++-- src/confdb/confdb.h | 2 ++ src/man/Makefile.am | 5 ++++- src/man/sssd.conf.5.xml | 2 +- src/monitor/monitor.c | 5 +++++ 5 files changed, 17 insertions(+), 4 deletions(-) diff --git a/src/conf_macros.m4 b/src/conf_macros.m4 index e821df4d9c9..cb97eeb78ae 100644 --- a/src/conf_macros.m4 +++ b/src/conf_macros.m4 @@ -804,7 +804,7 @@ AC_DEFUN([WITH_NFS_LIB_PATH], AC_DEFUN([WITH_SSSD_USER], [ AC_ARG_WITH([sssd-user], [AS_HELP_STRING([--with-sssd-user=], - [User for running SSSD (root)] + [Additional user, besides root, supported for running SSSD (not set)] ) ] ) @@ -816,9 +816,12 @@ AC_DEFUN([WITH_SSSD_USER], fi AC_SUBST(SSSD_USER) - AC_DEFINE_UNQUOTED(SSSD_USER, "$SSSD_USER", ["The default user to run SSSD as"]) + AC_DEFINE_UNQUOTED(SSSD_USER, "$SSSD_USER", ["Supported non-root user to run SSSD as"]) AM_CONDITIONAL([SSSD_USER], [test x"$with_sssd_user" != x]) AM_CONDITIONAL([SSSD_NON_ROOT_USER], [test x"$SSSD_USER" != xroot]) + if test x"$SSSD_USER" != xroot; then + AC_DEFINE(SSSD_NON_ROOT_USER, 1, [whether support of non root user configured]) + fi ]) AC_DEFUN([WITH_AD_GPO_DEFAULT], diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index ffb5c13477d..9c69e8921ff 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h 
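Review bot: The new description passed to `AC_DEFINE_UNQUOTED(SSSD_USER, ...)` in the second conf_macros.m4 hunk says "Supported non-root user to run SSSD as", but the `test x"$SSSD_USER" != xroot` lines directly below show that SSSD_USER can still hold `root`. The generated config.h comment is therefore wrong in exactly the build this commit targets; something like `["User SSSD services may run as ('root' when no non-root user was configured)"]` covers both cases. The same test is now written twice (in `AM_CONDITIONAL` and in the new `if`), and it compares the account name as a string, so a differently named account that maps to UID 0 would presumably be treated as non-root. A one-line comment above the `if` stating that the check is by name only would make that limit visible to packagers.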
@@ -74,7 +74,9 @@ #define CONFDB_MONITOR_KRB5_RCACHEDIR "krb5_rcache_dir" #define CONFDB_MONITOR_DEFAULT_DOMAIN "default_domain_suffix" #define CONFDB_MONITOR_OVERRIDE_SPACE "override_space" +#ifdef SSSD_NON_ROOT_USER #define CONFDB_MONITOR_USER_RUNAS "user" +#endif #define CONFDB_MONITOR_CERT_VERIFICATION "certificate_verification" #define CONFDB_MONITOR_DISABLE_NETLINK "disable_netlink" #define CONFDB_MONITOR_ENABLE_FILES_DOM "enable_files_domain" diff --git a/src/man/Makefile.am b/src/man/Makefile.am index 1131f6b2e74..0d15e1339fc 100644 --- a/src/man/Makefile.am +++ b/src/man/Makefile.am @@ -55,9 +55,12 @@ FILES_PROVIDER_CONDS = ;with_files_provider else FILES_PROVIDER_CONDS = ;without_files_provider endif +if SSSD_NON_ROOT_USER +SSSD_NON_ROOT_USER_CONDS = ;with_non_root_user_support +endif -CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS) +CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS) #Special Rules: diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 302597b841d..448e867ea65 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -402,7 +402,7 @@ - + user (string) diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c index c7d737d222d..80a4c0939d6 100644 --- a/src/monitor/monitor.c +++ b/src/monitor/monitor.c @@ -825,6 +825,7 @@ static char *check_services(char **services) static int get_service_user(struct mt_ctx *ctx) { +#ifdef SSSD_NON_ROOT_USER errno_t ret; char *user_str; 
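Review bot: The `#ifdef SSSD_NON_ROOT_USER` added around `CONFDB_MONITOR_USER_RUNAS` in the confdb.h hunk carries no comment explaining why this one key is conditional, or where the macro comes from. It is defined by the `AC_DEFINE` added in conf_macros.m4, so the guard is only meaningful if `config.h` is included before this header. The include order is not visible in the hunk and should be confirmed, because the `#ifdef` added to `get_service_user()` in monitor.c would otherwise take the root-only branch without any diagnostic. I would add `/* 'user' is honoured only in builds configured with a non-root --with-sssd-user; SSSD_NON_ROOT_USER comes from config.h */` above the `#ifdef`.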
@@ -842,6 +843,10 @@ static int get_service_user(struct mt_ctx *ctx) DEBUG(SSSDBG_FATAL_FAILURE, "Failed to set allowed UIDs.\n"); return ret; } +#else + ctx->uid = 0; + ctx->gid = 0; +#endif return EOK; }
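Review bot: The new `#else` branch of `get_service_user()` sets `ctx->uid = 0; ctx->gid = 0;` without reading the configuration, so a `user = ...` line left in an existing sssd.conf is ignored and the services run as root with no log message. An administrator who set that option to drop privileges gets no signal that it is ineffective in this build, unless config validation elsewhere rejects the key, which is not visible here. I would state the behaviour in a comment and log it once, for example `/* built without non-root support: 'user' in sssd.conf is not read, services run as root */` followed by `DEBUG(SSSDBG_CONF_SETTINGS, "Non-root user support is not built in, running services as root.\n");`. The start of the function and its `#ifdef` are in the previous hunk, and the body between the two hunks is not shown.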