Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

The sssd socket should be picked based on the effective user id instead of real user id #7235

Closed
XTerry2021 opened this issue Mar 6, 2024 · 1 comment

Comments

@XTerry2021
Copy link

Some services use root user on start up but change effective user to less privileged user. So the check to use private socket should use the effective user id api.

https://github.com/sgallagher/sssd/blob/5509ced1f4082c9864f669ee19d727f15f57ecff/src/sss_client/common.c#L870

/* only root shall use the privileged pipe */
if (getuid() == 0 && getgid() == 0) { //<==== The wrong apis to use
socket_name = SSS_PAM_PRIV_SOCKET_NAME;
statret = stat(socket_name, &stat_buf);
if (statret != 0) {
ret = PAM_SERVICE_ERR;
goto out;
}
if ( ! (stat_buf.st_uid == 0 &&
stat_buf.st_gid == 0 &&
S_ISSOCK(stat_buf.st_mode) &&
(stat_buf.st_mode & ~S_IFMT) == 0600 )) {
*errnop = ESSS_BAD_PRIV_SOCKET;
ret = PAM_SERVICE_ERR;
goto out;
}
} else {
socket_name = SSS_PAM_SOCKET_NAME;
statret = stat(socket_name, &stat_buf);
if (statret != 0) {

@alexey-tikhonov
Copy link
Member

This code was heavily reworked.
See #7042 , #7005
And #7193 that is in review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants