Merge branch 'SSSD:master' into references
ondrejv2 authored Dec 13, 2024
2 parents 21e3b85 + 5094a3d commit d27446b
Showing 18 changed files with 215 additions and 191 deletions.
36 changes: 9 additions & 27 deletions Makefile.am
Expand Up @@ -106,9 +106,9 @@ condconfigexists = ConditionPathExists=\|/etc/sssd/sssd.conf\nConditionDirectory
# - check old ccache / pre-check ccache path (dac_read_search, set*id)
# - read keytab (dac_read_search)
# - store TGT for a given user (set*id)
# - 'selinux_child': currently chown, dac_override, set*id -- to be narrowed
# - 'selinux_child': use libsemanage (set*id)
# - 'sssd_pam': read keytab in gss ops (dac_read_search)
capabilities = CapabilityBoundingSet= CAP_CHOWN CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID CAP_DAC_READ_SEARCH
capabilities = CapabilityBoundingSet= CAP_SETGID CAP_SETUID CAP_DAC_READ_SEARCH

if BUILD_CONF_SERVICE_USER_SUPPORT
# If non-root service user is supported, monitor might need SET-ID to switch user (deprecated 'sssd.conf::user' option)
Expand Down Expand Up @@ -726,7 +726,6 @@ dist_noinst_HEADERS = \
src/util/sss_python.h \
src/util/sss_regexp.h \
src/util/sss_krb5.h \
src/util/sss_selinux.h \
src/util/sss_sockets.h \
src/util/sss_utf8.h \
src/util/sss_ssh.h \
Expand Down Expand Up @@ -884,6 +883,7 @@ dist_noinst_HEADERS = \
src/providers/ipa/ipa_selinux.h \
src/providers/ipa/ipa_hosts.h \
src/providers/ipa/ipa_selinux_maps.h \
src/providers/ipa/ipa_selinux_helpers.h \
src/providers/ipa/ipa_auth.h \
src/providers/ipa/ipa_dyndns.h \
src/providers/ipa/ipa_subdomains.h \
Expand Down Expand Up @@ -1288,7 +1288,6 @@ libsss_util_la_SOURCES = \
src/util/atomic_io.c \
src/util/authtok.c \
src/util/authtok-utils.c \
src/util/sss_selinux.c \
src/util/domain_info_utils.c \
src/util/util_lock.c \
src/util/util_errors.c \
Expand Down Expand Up @@ -1341,25 +1340,6 @@ libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c
endif # BUILD_PASSKEY
libsss_util_la_LDFLAGS = -avoid-version

pkglib_LTLIBRARIES += libsss_semanage.la
libsss_semanage_la_CFLAGS = \
$(AM_CFLAGS) \
$(TALLOC_CFLAGS) \
$(NULL)
libsss_semanage_la_SOURCES = \
src/util/sss_semanage.c \
$(NULL)
libsss_semanage_la_LIBADD = \
$(TALLOC_LIBS) \
libsss_debug.la \
$(NULL)
if BUILD_SELINUX
libsss_semanage_la_LIBADD += $(SEMANAGE_LIBS)
endif

libsss_semanage_la_LDFLAGS = \
-avoid-version

SSSD_INTERNAL_LTLIBS = \
libsss_util.la \
libsss_crypt.la \
Expand Down Expand Up @@ -4575,7 +4555,6 @@ libsss_ipa_la_LIBADD = \
libsss_krb5_common.la \
libipa_hbac.la \
libsss_idmap.la \
libsss_semanage.la \
$(NULL)
libsss_ipa_la_LDFLAGS = \
-avoid-version \
Expand All @@ -4596,6 +4575,7 @@ endif
if BUILD_SELINUX
libsss_ipa_la_SOURCES += \
src/providers/ipa/ipa_selinux.c \
src/providers/ipa/ipa_selinux_helpers.c \
src/providers/ipa/ipa_selinux_maps.c
endif

Expand Down Expand Up @@ -4745,12 +4725,13 @@ ldap_child_LDADD = \
if BUILD_SELINUX
selinux_child_SOURCES = \
src/providers/ipa/selinux_child.c \
src/util/sss_semanage.c \
src/providers/ipa/selinux_child_semanage.c \
src/util/sss_chain_id.c \
src/util/atomic_io.c \
src/util/util.c \
src/util/util_ext.c \
src/util/util_errors.c
src/util/util_errors.c \
src/util/capabilities.c \
$(NULL)
selinux_child_CFLAGS = \
$(AM_CFLAGS) \
Expand All @@ -4761,6 +4742,7 @@ selinux_child_LDADD = \
$(TALLOC_LIBS) \
$(POPT_LIBS) \
$(DHASH_LIBS) \
$(CAP_LIBS) \
$(SEMANAGE_LIBS) \
$(SELINUX_LIBS) \
$(NULL)
Expand Down Expand Up @@ -5563,7 +5545,7 @@ if SSSD_USER
if BUILD_SELINUX
-chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/selinux_child
chmod 750 $(DESTDIR)$(sssdlibexecdir)/selinux_child
-$(SETCAP) cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep $(DESTDIR)$(sssdlibexecdir)/selinux_child
-$(SETCAP) cap_setuid,cap_setgid=p $(DESTDIR)$(sssdlibexecdir)/selinux_child
endif
endif

3 changes: 1 addition & 2 deletions contrib/sssd.spec.in
Expand Up @@ -829,7 +829,6 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
%{_libdir}/%{name}/libsss_krb5_common.so
%{_libdir}/%{name}/libsss_ldap_common.so
%{_libdir}/%{name}/libsss_util.so
%{_libdir}/%{name}/libsss_semanage.so
%{_libdir}/%{name}/libifp_iface.so
%{_libdir}/%{name}/libifp_iface_sync.so
%{_libdir}/%{name}/libsss_iface.so
Expand Down Expand Up @@ -933,7 +932,7 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
%license COPYING
%attr(770,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
%{_libdir}/%{name}/libsss_ipa.so
%attr(0750,root,%{sssd_user}) %caps(cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep) %{_libexecdir}/%{servicename}/selinux_child
%attr(0750,root,%{sssd_user}) %caps(cap_setuid,cap_setgid=p) %{_libexecdir}/%{servicename}/selinux_child
%{_mandir}/man5/sssd-ipa.5*

%files ad -f sssd_ad.lang
1 change: 0 additions & 1 deletion src/db/sysdb_selinux.c
Expand Up @@ -19,7 +19,6 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

#include "util/sss_selinux.h"
#include "db/sysdb_selinux.h"
#include "db/sysdb_private.h"

2 changes: 1 addition & 1 deletion src/providers/ipa/ipa_selinux.c
Expand Up @@ -25,12 +25,12 @@

#include "db/sysdb_selinux.h"
#include "util/child_common.h"
#include "util/sss_selinux.h"
#include "util/sss_chain_id.h"
#include "providers/ldap/sdap_async.h"
#include "providers/ipa/ipa_common.h"
#include "providers/ipa/ipa_config.h"
#include "providers/ipa/ipa_selinux.h"
#include "providers/ipa/ipa_selinux_helpers.h"
#include "providers/ipa/ipa_hosts.h"
#include "providers/ipa/ipa_hbac_rules.h"
#include "providers/ipa/ipa_hbac_private.h"
Expand Up @@ -22,7 +22,7 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

#include "util/sss_selinux.h"
#include "ipa_selinux_helpers.h"
#include "util/sss_utf8.h"
#include "db/sysdb_selinux.h"

File renamed without changes.
86 changes: 54 additions & 32 deletions src/providers/ipa/selinux_child.c
Expand Up @@ -22,9 +22,10 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

#include "config.h"

#include <sys/types.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <popt.h>
#include <sys/prctl.h>
Expand All @@ -34,6 +35,20 @@
#include "util/sss_chain_id.h"
#include "providers/backend.h"

/* from selinux_child_semanage.c */
/* Please note that libsemange relies on files and directories created with
* certain permissions. Therefore the caller should make sure the umask is
* not too restricted (especially when called from the daemon code).
*/
int sss_set_seuser(const char *login_name, const char *seuser_name,
const char *mlsrange);
int sss_del_seuser(const char *login_name);
int sss_get_seuser(const char *linuxuser,
char **selinuxuser,
char **level);
int sss_seuser_exists(const char *linuxuser);


struct input_buffer {
const char *seuser;
const char *mls_range;
Expand Down Expand Up @@ -222,6 +237,8 @@ int main(int argc, const char *argv[])
const char *username;
const char *opt_logger = NULL;
long chain_id;
uid_t ruid, euid, suid;
gid_t rgid, egid, sgid;

struct poptOption long_options[] = {
POPT_AUTOHELP
Expand Down Expand Up @@ -277,10 +294,7 @@ int main(int argc, const char *argv[])
DEBUG_INIT(debug_level, opt_logger);
sss_set_debug_backtrace_enable((backtrace == 0) ? false : true);

DEBUG(SSSDBG_TRACE_FUNC, "selinux_child started.\n");
DEBUG(SSSDBG_TRACE_INTERNAL,
"Running with effective IDs: [%"SPRIuid"][%"SPRIgid"].\n",
geteuid(), getegid());
sss_log_process_caps("Starting");

/* The functions semanage_genhomedircon and getseuserbyname use gepwnam_r
* and they might fail to return values if they are not in memory cache.
Expand All @@ -298,31 +312,6 @@ int main(int argc, const char *argv[])
"fail.\n");
}

/* libsemanage calls access(2) which works with real IDs, not effective.
* We need to switch also the real ID to 0.
*/
if (getuid() != 0) {
ret = setuid(0);
if (ret == -1) {
ret = errno;
DEBUG(SSSDBG_CRIT_FAILURE,
"setuid failed: %d, selinux_child might not work!\n", ret);
}
}

if (getgid() != 0) {
ret = setgid(0);
if (ret == -1) {
ret = errno;
DEBUG(SSSDBG_CRIT_FAILURE,
"setgid failed: %d, selinux_child might not work!\n", ret);
}
}

DEBUG(SSSDBG_TRACE_INTERNAL,
"Running with real IDs [%"SPRIuid"][%"SPRIgid"].\n",
getuid(), getgid());

main_ctx = talloc_new(NULL);
if (main_ctx == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n");
Expand Down Expand Up @@ -362,8 +351,6 @@ int main(int argc, const char *argv[])
goto fail;
}

DEBUG(SSSDBG_TRACE_FUNC, "performing selinux operations\n");

/* When using domain_resolution_order the username will always be
* fully-qualified, what has been causing some SELinux issues as mappings
* for user 'admin' are not applied for '[email protected]'.
Expand All @@ -382,6 +369,32 @@ int main(int argc, const char *argv[])
username = passwd->pw_name;
}

/* libsemanage calls access(2) which works with real IDs, not effective.
* We need to switch also the real ID to 0.
*/
if (getuid() != 0) {
sss_set_cap_effective(CAP_SETUID, true);
ret = setresuid(0, 0, -1);
if (ret == -1) {
ret = errno;
DEBUG(SSSDBG_CRIT_FAILURE,
"setuid() failed: %d, selinux_child might not work!\n", ret);
}
}
if (getgid() != 0) {
sss_set_cap_effective(CAP_SETGID, true);
setgroups(0, NULL);
ret = setresgid(0, 0, -1);
if (ret == -1) {
ret = errno;
DEBUG(SSSDBG_CRIT_FAILURE,
"setgid() failed: %d, selinux_child might not work!\n", ret);
}
}
sss_drop_all_caps();

sss_log_process_caps("Performing selinux operations");

needs_update = seuser_needs_update(username, ibuf->seuser,
ibuf->mls_range);
if (needs_update == true) {
Expand All @@ -392,6 +405,15 @@ int main(int argc, const char *argv[])
}
}

if (getresuid(&ruid, &euid, &suid) == 0) {
setresuid(suid, suid, suid);
}
if (getresgid(&rgid, &egid, &sgid) == 0) {
setresgid(sgid, sgid, sgid);
}

sss_log_process_caps("Sending response");

ret = prepare_response(main_ctx, ret, &resp);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to prepare response buffer.\n");
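Review bot: The privilege restore at the end of the hunk (`setresuid(suid, suid, suid)` and `setresgid(sgid, sgid, sgid)` after the seuser update) ignores the return value of both calls, so a failure to leave uid/gid 0 goes unnoticed and the child keeps running as root while it builds and sends the response; the same applies to `setgroups(0, NULL)` earlier in the hunk. These transitions deserve the same `DEBUG(SSSDBG_CRIT_FAILURE, ...)` treatment that the `setresuid(0, 0, -1)` / `setresgid(0, 0, -1)` branches already get, but `ret` must not be reused for the errno here because it carries the seuser result that is passed to `prepare_response()` on the following lines. Since `sss_drop_all_caps()` has already run by then, the restore presumably relies on the saved ids still being the original ones, which a short comment such as `/* caps are gone; only the saved uid/gid are reachable here */` would make explicit. Separately, the hand-copied prototypes for `sss_*_seuser()` near the top of the hunk would be safer in a shared header so they cannot drift from selinux_child_semanage.c. main() begins and ends outside the hunk.
```c
/* … unchanged: seuser_needs_update / sss_set_seuser block … */

if (getresuid(&ruid, &euid, &suid) != 0 || setresuid(suid, suid, suid) != 0) {
    DEBUG(SSSDBG_CRIT_FAILURE,
          "Failed to restore saved uid: %d, still running as uid %"SPRIuid"\n",
          errno, getuid());
}
if (getresgid(&rgid, &egid, &sgid) != 0 || setresgid(sgid, sgid, sgid) != 0) {
    DEBUG(SSSDBG_CRIT_FAILURE,
          "Failed to restore saved gid: %d, still running as gid %"SPRIgid"\n",
          errno, getgid());
}

sss_log_process_caps("Sending response");
```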
Expand Up @@ -22,7 +22,6 @@
#include "config.h"
#include "util/util.h"

#if defined(HAVE_SELINUX)
#include <stdio.h>
#include <semanage/semanage.h>
#include <selinux/selinux.h>
Expand Down Expand Up @@ -456,22 +455,3 @@ int sss_del_seuser(const char *login_name)
sss_semanage_close(handle);
return ret;
}
#else /* HAVE_SELINUX */
int sss_set_seuser(const char *login_name, const char *seuser_name,
const char *mls)
{
return EOK;
}

int sss_del_seuser(const char *login_name)
{
return EOK;
}

int sss_get_seuser(const char *linuxuser,
char **selinuxuser,
char **level)
{
return EOK;
}
#endif /* HAVE_SELINUX */
