Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve ability to run under non-root user; revoke unneeded capabilities; run under 'sssd' starting F41 by default. #7193

Closed
wants to merge 42 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
42 commits
Select commit Hold shift + click to select a range
6c84960
MONITOR: remove useless trailing '\'
alexey-tikhonov Sep 9, 2023
c4eb784
MONITOR: remove 'opt_netlinkoff' removal notice
alexey-tikhonov Sep 9, 2023
f9a83c6
MONITOR: replace fprintf() with ERROR()
alexey-tikhonov Sep 9, 2023
7322478
MNITOR: cosmetics
alexey-tikhonov Sep 9, 2023
75e9d18
MONITOR: get rid of unsed FLAGS_GEN_CONF definition
alexey-tikhonov Sep 9, 2023
2cf8658
SPEC: make most folders group accessible
alexey-tikhonov Aug 31, 2023
cc92721
SPEC: make '%{pipepath}/private' sssd:sssd owned
alexey-tikhonov Jan 4, 2024
6b5d733
Make all SSSD processes a member of sssd supplementary group.
alexey-tikhonov Aug 31, 2023
f27c099
NSS: don't `fchown()` mem-cache files
alexey-tikhonov Jan 30, 2024
98b2b64
UTILS: add capabilities management helpers
alexey-tikhonov Sep 2, 2023
8e05216
Get rid of `--genconf` and `--genconf-section` monitor options.
alexey-tikhonov Sep 13, 2023
b077710
SSS_INI: const correctness
alexey-tikhonov Oct 12, 2023
456e862
CONFDB: split confdb_setup() into 2 steps
alexey-tikhonov Sep 14, 2023
da32bda
CONFDB: always delete old ldb-file
alexey-tikhonov Oct 16, 2023
1d453dc
MONITOR: no need to read domain list twice
alexey-tikhonov Oct 16, 2023
a94e7fe
MONITOR: remove unused mt_ctx::conf_path
alexey-tikhonov Oct 16, 2023
12c6e31
MONITOR: move keyring setup code to a function
alexey-tikhonov Oct 16, 2023
0b1fcd8
MONITOR: move nscd check code to a function
alexey-tikhonov Oct 16, 2023
fc76b70
SSS_INI: remove 'const' specifier from getter
alexey-tikhonov Oct 18, 2023
512b937
DEBUG: a couple of message changes
alexey-tikhonov Oct 21, 2023
b600246
TOOLS: remove the upgrade-cache command
alexey-tikhonov Jan 15, 2024
afda89e
SYSTEMD: remove unused CAP_KILL
alexey-tikhonov Jan 30, 2024
7e36f59
SYSTEMD: responders do not need any capabilities
alexey-tikhonov Jan 31, 2024
f9a9f79
MONITOR: startup logic was changed
alexey-tikhonov Oct 16, 2023
183d739
KRB5_/LDAP_CHILD: print capabilities at startup
alexey-tikhonov Feb 1, 2024
6d079f1
sssd.service: run under SSSD_USER by default
alexey-tikhonov Jan 31, 2024
a51898d
SPEC: make sure cache files are accessible
alexey-tikhonov Feb 2, 2024
170d6ab
SPEC: make sure config files are accesible
alexey-tikhonov Feb 3, 2024
6487d5a
SYSTEMD: KCM capabilities
alexey-tikhonov Feb 2, 2024
d59d16b
SSS_INI: only check file ownership from 'sssd'
alexey-tikhonov Feb 5, 2024
ddbdd07
SYSTEMD: remove "PIDFile="
alexey-tikhonov Feb 5, 2024
fb9bf10
CONF: store pid file in /run/sssd
alexey-tikhonov Feb 6, 2024
76172d8
UTILS: make pidfile readable by everyone
alexey-tikhonov Feb 20, 2024
1a0ca14
SPEC: replace SUID bit with more fine-grained capabilities
alexey-tikhonov Feb 6, 2024
758ed75
SYSTEMD: set "SecureBits=noroot noroot-locked"
alexey-tikhonov Feb 6, 2024
d0b529d
SPEC: make conf folder g+rx
alexey-tikhonov Feb 7, 2024
8cda9b7
TESTS: system: skip 'passkey' tests if SSSD runs under non-root
alexey-tikhonov Feb 12, 2024
f3c67be
SPEC: build Fedora >= 41 package with sssd user support
alexey-tikhonov Sep 1, 2023
f4fdedb
SSSDConfig: chown() sssd.conf to SSSD service user
alexey-tikhonov Feb 20, 2024
291a4e7
MONITOR: free 'tmp_ctx' in case of failure too
alexey-tikhonov Mar 7, 2024
3ff5b7b
MAN: 'monitor' exit codes description
alexey-tikhonov Mar 11, 2024
0981e0c
SPEC/SYSTEMD: try harder making sure logs ownership matches service user
alexey-tikhonov Mar 13, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 26 additions & 12 deletions Makefile.am
Original file line number Diff line number Diff line change
Expand Up @@ -90,27 +90,34 @@ sssdkcmdatadir = $(datadir)/sssd-kcm
deskprofilepath = $(sss_statedir)/deskprofile

if HAVE_SYSTEMD_UNIT

ifp_dbus_exec_comment = \# If system is configured to use systemd ifp service ("SystemdService=") then "Exec=" and "User=" options are not used
ifp_dbus_exec_cmd = $(sssdlibexecdir)/sssd_ifp --socket-activated
ifp_systemdservice = SystemdService=sssd-ifp.service
# SSSD requires a configuration file (either /etc/sssd/sssd.conf,
# or some snippet under /etc/sssd/sssd.conf.d/) to be present.
condconfigexists = ConditionPathExists=\|/etc/sssd/sssd.conf\nConditionDirectoryNotEmpty=\|/etc/sssd/conf.d/
# If sssd is configured with --with-sssd-user=<user> where <user>!='root'
# but is actually run under the root we need CAP_DAC_OVERRIDE to access
# files owned by <user>:<user>
# If sssd is really run under non-root account that doesn't have this cap
# originally then it's addition to CapabilityBoundingSet doesn't matter.

if SSSD_NON_ROOT_USER
additional_caps = CAP_DAC_OVERRIDE
# If non-root service user is supported, monitor might need SET-ID to switch user (deprecated 'sssd.conf::user' option)
# but this is non default configuration, so 'AmbientCapabilities=' are commented out.
# Bounding set needs to list capabilities required by ldap/krb5/selinux_childs, otherwise they can't gain it.
capabilities = CapabilityBoundingSet= CAP_CHOWN CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID\n\# Uncomment if support of deprecated "sssd.conf::user" option is required:\n\#AmbientCapabilities= CAP_SETGID CAP_SETUID
nss_service_user_group = User=$(SSSD_USER)\nGroup=$(SSSD_USER)
nss_socket_user_group = SocketUser=$(SSSD_USER)\nSocketGroup=$(SSSD_USER)
endif
supplementary_groups = \# If service configured to be run under "root", uncomment "SupplementaryGroups"\n\#SupplementaryGroups=$(SSSD_USER)
else
# If non-root service user isn't supported, monitor/sssd_be/responders don't need any effective capabilities
# but bounding set needs to list capabilities required by ldap/krb5/selinux_childs, otherwise they can't gain it.
capabilities = CapabilityBoundingSet= CAP_CHOWN CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID
supplementary_groups = \# Note: SSSD package was built without support of running as non-privileged user
endif # SSSD_NON_ROOT_USER

else
ifp_dbus_exec_comment = \# "sss_signal" is used to force SSSD monitor to trigger "sssd_ifp" reconnection to dbus
ifp_dbus_exec_cmd = $(sssdlibexecdir)/sss_signal
ifp_systemdservice =
endif
endif # HAVE_SYSTEMD_UNIT

secdbpath = @secdbpath@

Expand Down Expand Up @@ -1287,6 +1294,7 @@ libsss_util_la_SOURCES = \
src/util/well_known_sids.c \
src/util/string_utils.c \
src/util/become_user.c \
src/util/capabilities.c \
src/util/util_watchdog.c \
src/util/sss_ptr_hash.c \
src/util/files.c \
Expand All @@ -1303,6 +1311,7 @@ libsss_util_la_CFLAGS = \
libsss_util_la_LIBADD = \
$(LIBADD_TIMER) \
$(SSSD_LIBS) \
$(CAP_LIBS) \
$(SYSTEMD_LOGIN_LIBS) \
$(UNICODE_LIBS) \
$(PCRE_LIBS) \
Expand Down Expand Up @@ -1512,6 +1521,7 @@ endif
####################
sssd_SOURCES = \
src/monitor/monitor.c \
src/monitor/monitor_bootstrap.c \
src/monitor/monitor_netlink.c \
src/confdb/confdb_setup.c \
src/util/nscd.c \
Expand Down Expand Up @@ -4075,6 +4085,7 @@ intgcheck-prepare:
$(abs_top_srcdir)/configure \
--prefix="$$prefix" \
--with-ldb-lib-dir="$$prefix"/lib/ldb \
--with-pid-path="$$prefix"/run/sssd \
--enable-intgcheck-reqs \
--without-semanage \
--with-files-provider \
Expand Down Expand Up @@ -4695,6 +4706,7 @@ krb5_child_SOURCES = \
src/util/authtok.c \
src/util/authtok-utils.c \
src/util/util.c \
src/util/capabilities.c \
src/util/util_ext.c \
src/util/signal.c \
src/util/sss_chain_id.c \
Expand Down Expand Up @@ -4723,6 +4735,7 @@ krb5_child_LDADD = \
$(CLIENT_LIBS) \
$(SYSTEMD_LOGIN_LIBS) \
$(JANSSON_LIBS) \
$(CAP_LIBS) \
$(NULL)

ldap_child_SOURCES = \
Expand All @@ -4736,6 +4749,7 @@ ldap_child_SOURCES = \
src/util/authtok-utils.c \
src/util/util.c \
src/util/util_ext.c \
src/util/capabilities.c \
src/util/signal.c \
src/util/become_user.c \
src/util/util_errors.c \
Expand All @@ -4748,6 +4762,7 @@ ldap_child_LDADD = \
libsss_debug.la \
$(TALLOC_LIBS) \
$(POPT_LIBS) \
$(CAP_LIBS) \
$(DHASH_LIBS) \
$(KRB5_LIBS)

Expand Down Expand Up @@ -5280,16 +5295,16 @@ edit_cmd = $(SED) \
-e 's|@environment_file[@]|$(environment_file)|g' \
-e 's|@localstatedir[@]|$(localstatedir)|g' \
-e 's|@runstatedir[@]|$(runstatedir)|g' \
-e 's|@pidpath[@]|$(pidpath)|g' \
-e 's|@logpath[@]|$(logpath)|g' \
-e 's|@libexecdir[@]|$(libexecdir)|g' \
-e 's|@pipepath[@]|$(pipepath)|g' \
-e 's|@prefix[@]|$(prefix)|g' \
-e 's|@SSSD_USER[@]|$(SSSD_USER)|g' \
-e 's|@condconfigexists[@]|$(condconfigexists)|g' \
-e 's|@additional_caps[@]|$(additional_caps)|g' \
-e 's|@capabilities[@]|$(capabilities)|g' \
-e 's|@nss_service_user_group[@]|$(nss_service_user_group)|g' \
-e 's|@nss_socket_user_group[@]|$(nss_socket_user_group)|g'
-e 's|@nss_socket_user_group[@]|$(nss_socket_user_group)|g' \
-e 's|@supplementary_groups[@]|$(supplementary_groups)|g'

replace_script = \
@rm -f $@ [email protected]; \
Expand Down Expand Up @@ -5696,7 +5711,6 @@ dist_noinst_DATA += \
src/tests/multihost/conftest.py \
src/tests/multihost/basic/mhc.yaml \
src/tests/multihost/basic/test_basic.py \
src/tests/multihost/basic/test_config.py \
src/tests/multihost/basic/test_files.py \
src/tests/multihost/basic/test_ifp.py \
src/tests/multihost/basic/test_kcm.py \
Expand Down
7 changes: 7 additions & 0 deletions configure.ac
Original file line number Diff line number Diff line change
Expand Up @@ -513,6 +513,13 @@ AS_IF([test x$have_check = x], [
AC_CHECK_HEADERS([check.h],,AC_MSG_ERROR([Could not find CHECK headers]))
])

PKG_CHECK_MODULES([CAP], [libcap], [have_libcap=1], [have_libcap=])
AS_IF([test x$have_libcap = x], [
AC_MSG_ERROR([libcap is missing])
], [
AC_CHECK_HEADERS([sys/capability.h],,AC_MSG_ERROR([Could not find sys/capability.h headers]))
])

AC_PATH_PROG([DOXYGEN], [doxygen], [false])
AM_CONDITIONAL([HAVE_DOXYGEN], [test x$DOXYGEN != xfalse ])

Expand Down
2 changes: 2 additions & 0 deletions contrib/ci/deps.sh
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then
krb5-server
krb5-workstation
libunistring-devel
libcap-devel
)

if [[ "$DISTRO_BRANCH" == -redhat-redhatenterprise*-8.*- ||
Expand Down Expand Up @@ -180,6 +181,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
libp11-kit-dev
bc
libunistring-dev
libcap-dev
)

DEPS_INTGCHECK_SATISFIED=true
Expand Down
1 change: 1 addition & 0 deletions contrib/fedora/bashrc_sssd
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@ fedconfig()
--with-test-dir=/dev/shm \
--cache-file=/tmp/fedconfig.cache \
--with-passkey \
--with-sssd-user=sssd \
${SSSD_NO_MANPAGES-} \
"$@"
}
Expand Down
66 changes: 37 additions & 29 deletions contrib/sssd.spec.in
Original file line number Diff line number Diff line change
@@ -1,9 +1,11 @@
# SSSD SPEC file for Fedora 34+ and RHEL-9+

# define SSSD user
%if 0%{?rhel}
%if 0%{?fedora} >= 41 || 0%{?rhel}
sumit-bose marked this conversation as resolved.
Show resolved Hide resolved
%global use_sssd_user 1
%global sssd_user sssd
%else
%global use_sssd_user 0
%global sssd_user root
%endif

Expand All @@ -14,12 +16,8 @@
%global use_sysusers 0
%endif

# Set setuid bit on child helpers if we support non-root user.
%if "%{sssd_user}" == "root"
%global child_attrs 0750
%else
%global child_attrs 4750
%endif
# Capabilities of privileged child helpers (required even if SSSD runs under root)
%global child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep

%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
%global build_subid 1
Expand Down Expand Up @@ -112,6 +110,7 @@ BuildRequires: gettext-devel
# required for p11_child smartcard tests
BuildRequires: gnutls-utils
BuildRequires: jansson-devel
BuildRequires: libcap-devel
BuildRequires: libcurl-devel
BuildRequires: libjose-devel
BuildRequires: keyutils-libs-devel
Expand Down Expand Up @@ -201,8 +200,9 @@ Requires: (libsss_autofs%{?_isa} = %{version}-%{release} if autofs)
Requires: (sssd-nfs-idmap = %{version}-%{release} if libnfsidmap)
Requires: libsss_idmap = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
Requires(post): coreutils
Requires(postun): coreutils
%if 0%{?rhel}
%if %{use_sssd_user}
Requires(pre): shadow-utils
%endif
%{?systemd_requires}
Expand Down Expand Up @@ -451,7 +451,7 @@ Requires: sssd-common = %{version}-%{release}
Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows
the information from the SSSD to be transmitted over the system bus.

%if 0%{?rhel}
%if %{use_sssd_user}
%package polkit-rules
Summary: Rules for polkit integration for SSSD
Group: Applications/System
Expand Down Expand Up @@ -561,7 +561,6 @@ autoreconf -ivf
--with-initscript=systemd \
--with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
--with-mcache-path=%{mcpath} \
--with-pid-path=%{_rundir} \
--with-pipe-path=%{pipepath} \
--with-pubconf-path=%{pubconfpath} \
--with-sssd-user=%{sssd_user} \
Expand All @@ -570,7 +569,7 @@ autoreconf -ivf
%if %{build_subid}
--with-subid \
%endif
%if 0%{?fedora}
%if ! %{use_sssd_user}
--disable-polkit-rules-path \
%endif
%if %{build_passkey}
Expand Down Expand Up @@ -784,26 +783,27 @@ install -D -p -m 0644 contrib/sssd.sysusers %{buildroot}%{_sysusersdir}/sssd.con
%{_sbindir}/sss_cache
%{_libexecdir}/%{servicename}/sss_signal

%dir %{sssdstatedir}
%attr(775,%{sssd_user},%{sssd_user}) %dir %{sssdstatedir}
%dir %{_localstatedir}/cache/krb5rcache
%attr(700,%{sssd_user},%{sssd_user}) %dir %{dbpath}
%attr(770,%{sssd_user},%{sssd_user}) %dir %{dbpath}
%attr(775,%{sssd_user},%{sssd_user}) %dir %{mcpath}
%attr(700,root,root) %dir %{secdbpath}
%attr(751,%{sssd_user},%{sssd_user}) %dir %{deskprofilepath}
%attr(755,%{sssd_user},%{sssd_user}) %dir %{pipepath}
%attr(750,%{sssd_user},root) %dir %{pipepath}/private
%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}
%attr(750,%{sssd_user},%{sssd_user}) %dir %{gpocachepath}
%attr(750,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name}
%attr(700,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd
%attr(700,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
%attr(700,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/pki
%attr(771,%{sssd_user},%{sssd_user}) %dir %{deskprofilepath}
%attr(775,%{sssd_user},%{sssd_user}) %dir %{pipepath}
%attr(770,%{sssd_user},%{sssd_user}) %dir %{pipepath}/private
%attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}
%attr(770,%{sssd_user},%{sssd_user}) %dir %{gpocachepath}
%attr(770,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name}
%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd
%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/pki
%ghost %attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
%dir %{_sysconfdir}/logrotate.d
%config(noreplace) %{_sysconfdir}/logrotate.d/sssd
%dir %{_sysconfdir}/rwtab.d
%config(noreplace) %{_sysconfdir}/rwtab.d/sssd
%dir %{_datadir}/sssd
%attr(775,%{sssd_user},%{sssd_user}) %dir %{_rundir}/sssd
%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils
%dir %{_libdir}/%{name}/conf
%{_libdir}/%{name}/conf/sssd.conf
Expand Down Expand Up @@ -833,7 +833,7 @@ install -D -p -m 0644 contrib/sssd.sysusers %{buildroot}%{_sysusersdir}/sssd.con
%endif


%if 0%{?rhel}
%if %{use_sssd_user}
%files polkit-rules
%{_datadir}/polkit-1/rules.d/*
%endif
Expand All @@ -846,9 +846,9 @@ install -D -p -m 0644 contrib/sssd.sysusers %{buildroot}%{_sysusersdir}/sssd.con

%files krb5-common
%license COPYING
%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/ldap_child
%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/krb5_child
%attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{servicename}/ldap_child
%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{servicename}/krb5_child

%files krb5 -f sssd_krb5.lang
%license COPYING
Expand All @@ -864,9 +864,9 @@ install -D -p -m 0644 contrib/sssd.sysusers %{buildroot}%{_sysusersdir}/sssd.con

%files ipa -f sssd_ipa.lang
%license COPYING
%attr(700,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
%attr(770,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
%{_libdir}/%{name}/libsss_ipa.so
%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/selinux_child
%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{servicename}/selinux_child
%{_mandir}/man5/sssd-ipa.5*

%files ad -f sssd_ad.lang
Expand Down Expand Up @@ -1032,7 +1032,7 @@ install -D -p -m 0644 contrib/sssd.sysusers %{buildroot}%{_sysusersdir}/sssd.con
%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey
%endif

%if 0%{?rhel}
%if %{use_sssd_user}
%pre common
%if %{use_sysusers}
%sysusers_create_compat contrib/sssd.sysusers
sumit-bose marked this conversation as resolved.
Show resolved Hide resolved
Expand All @@ -1050,6 +1050,14 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
%systemd_post sssd-pam.socket
%systemd_post sssd-ssh.socket
%systemd_post sssd-sudo.socket
%__rm -f %{mcpath}/passwd
%__rm -f %{mcpath}/group
%__rm -f %{mcpath}/initgroups
%__rm -f %{mcpath}/sid
%__chown %{sssd_user}:%{sssd_user} %{dbpath}/*
%__chown %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf
%__chown -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d
sumit-bose marked this conversation as resolved.
Show resolved Hide resolved
%__chown %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log

%preun common
%systemd_preun sssd.service
Expand Down
6 changes: 3 additions & 3 deletions src/conf_macros.m4
Original file line number Diff line number Diff line change
Expand Up @@ -35,12 +35,12 @@ AC_DEFUN([WITH_PLUGIN_PATH],
AC_DEFUN([WITH_PID_PATH],
[ AC_ARG_WITH([pid-path],
[AC_HELP_STRING([--with-pid-path=PATH],
[Where to store pid files for the SSSD [/var/run]]
[Where to store pid files for the SSSD [/run/sssd/]]
)
]
)
config_pidpath="\"VARDIR\"/run"
pidpath="${localstatedir}/run"
config_pidpath="/run/sssd"
pidpath="/run/sssd"
if test x"$with_pid_path" != x; then
config_pidpath=$with_pid_path
pidpath=$with_pid_path
Expand Down
14 changes: 1 addition & 13 deletions src/confdb/confdb.c
Original file line number Diff line number Diff line change
Expand Up @@ -649,8 +649,6 @@ int confdb_init(TALLOC_CTX *mem_ctx,
struct confdb_ctx *cdb;
pbrezina marked this conversation as resolved.
Show resolved Hide resolved
int ret = EOK;
mode_t old_umask;
uid_t sssd_uid;
gid_t sssd_gid;

cdb = talloc_zero(mem_ctx, struct confdb_ctx);
if (!cdb)
Expand Down Expand Up @@ -683,19 +681,9 @@ int confdb_init(TALLOC_CTX *mem_ctx,
}

old_umask = umask(SSS_DFL_UMASK);
/* file may exists and could be owned by root from previous version */
sss_sssd_user_uid_and_gid(&sssd_uid, &sssd_gid);
ret = chown(confdb_location, sssd_uid, sssd_gid);
if (ret != EOK && errno != ENOENT) {
DEBUG(SSSDBG_MINOR_FAILURE, "Unable to chown config database [%s]: %s\n",
confdb_location, sss_strerror(errno));
}
sss_set_sssd_user_eid();

ret = ldb_connect(cdb->ldb, confdb_location, 0, NULL);

sss_restore_sssd_user_eid();
umask(old_umask);

if (ret != LDB_SUCCESS) {
DEBUG(SSSDBG_FATAL_FAILURE, "Unable to open config database [%s]\n",
confdb_location);
Expand Down
Loading
Loading