From 4bd27ef5704eeb52abf458c2b610308551e3d3fb Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Mon, 22 Apr 2024 19:08:03 +0200
Subject: [PATCH] BUILD: make support of 'sssd.conf::user' option configurable

:relnote:Support of 'sssd.conf::user' option was made build time configurable ('--with-conf-service-user-support') and disabled by default. Take a note that this ./configure option only makes sense if used together with '--with-sssd-user=...' Support of this option is deprecated and might be removed in future releases. Recommended way to configure SSSD service user is to simply start main SSSD process under required user (made available at build time using '--with-sssd-user=...')
---
 configure.ac                    |  1 +
 contrib/ci/configure.sh         |  8 ++++++++
 contrib/sssd.spec.in            |  1 +
 src/conf_macros.m4              | 19 +++++++++++++++++++
 src/man/Makefile.am             |  5 ++++-
 src/man/sssd.conf.5.xml         |  2 +-
 src/monitor/monitor.c           | 17 +++++++++++++++--
 src/monitor/monitor_bootstrap.c |  9 ++++++++-
 8 files changed, 57 insertions(+), 5 deletions(-)

diff --git a/configure.ac b/configure.ac
index ed7a12d6afc..94fb1a93ca7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -181,6 +181,7 @@ WITH_SUDO_LIB_PATH
 WITH_AUTOFS
 WITH_FILES_PROVIDER
 WITH_EXTENDED_ENUMERATION_SUPPORT
+WITH_CONF_SERVICE_USER_SUPPORT
 WITH_SUBID
 WITH_SUBID_LIB_PATH
 WITH_PASSKEY
diff --git a/contrib/ci/configure.sh b/contrib/ci/configure.sh
index 9c56ec29ad7..e7cc3af23ab 100644
--- a/contrib/ci/configure.sh
+++ b/contrib/ci/configure.sh
@@ -46,6 +46,14 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
     )
 fi
 
+if [[ "$DISTRO_BRANCH" == -redhat-centos-9*- ||
+      "$DISTRO_BRANCH" == -redhat-redhatenterprise*-9.*- ]]; then
+    CONFIGURE_ARG_LIST+=(
+        "--with-libsifp"
+        "--with-conf-service-user-support"
+    )
+fi
+
 if [[ "$DISTRO_BRANCH" == -redhat-fedora-* ||
       "$DISTRO_BRANCH" == -redhat-centos-9*- ||
       "$DISTRO_BRANCH" == -redhat-centos-10*- ||
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 0296d9f0910..5f286b07eb4 100644
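Review bot: The new CentOS 9 / RHEL 9 block passes `--with-conf-service-user-support`, but the option's own help text in the conf_macros.m4 hunk says it requires `--with-sssd-user=...`, and that flag is not part of this list. If `--with-sssd-user` is appended elsewhere in this script or by the packaging, a short comment here would make the dependency visible; if it is not, the CI build for these branches exercises exactly the combination the option says it does not support. A comment line such as `# depends on --with-sssd-user being set (see <where it is set>)` above the array, or the flag itself added to the same array, would close that gap.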
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -596,6 +596,7 @@ autoreconf -ivf
     --with-test-dir=/dev/shm \
 %if 0%{?rhel} == 9
     --with-libsifp \
+    --with-conf-service-user-support \
 %endif
 %if %{build_subid}
     --with-subid \
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index a8f76dfe453..031dbe038ed 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -839,6 +839,25 @@ AC_DEFUN([WITH_SSSD_USER],
     fi
   ])
 
+AC_DEFUN([WITH_CONF_SERVICE_USER_SUPPORT],
+  [ AC_ARG_WITH([conf-service-user-support],
+                [AC_HELP_STRING([--with-conf-service-user-support],
+                                [Whether to build support for sssd.conf::user option [no].
+                                 Requires "--with-sssd-user=..." to be used.
+                                 Please take a note that this feature is deprecated and
+                                 might be removed in further releases.]
+                               )
+                ],
+                [with_conf_service_user_support=$withval],
+                with_conf_service_user_support=no
+               )
+
+    if test x"$with_conf_service_user_support" = xyes; then
+        AC_DEFINE(BUILD_CONF_SERVICE_USER_SUPPORT, 1, [Whether to build support for sssd.conf::user option])
+    fi
+    AM_CONDITIONAL([BUILD_CONF_SERVICE_USER_SUPPORT], [test x"$with_conf_service_user_support" = xyes])
+  ])
+
 AC_DEFUN([WITH_AD_GPO_DEFAULT],
   [ AC_ARG_WITH([ad-gpo-default],
                 [AS_HELP_STRING([--with-ad-gpo-default=[enforcing|permissive]],
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index 6e61aed68f0..13a1d286641 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
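Review bot: The macro defines BUILD_CONF_SERVICE_USER_SUPPORT whenever the option is `yes`, although its own help text says `--with-sssd-user=...` is a prerequisite, and nothing enforces that. Judging by the `#endif /* SSSD_NON_ROOT_USER */` inside get_service_user in the monitor.c hunk, a build with this option but without a non-root service user would compile the `sssd.conf::user` lookup out, so a configured `user` would be accepted and ignored while the monitor keeps running as root. Failing configure is safer than a silent no-op: inside the `if test x"$with_conf_service_user_support" = xyes; then` branch add `AC_MSG_ERROR([--with-conf-service-user-support requires --with-sssd-user=...])` guarded by the same root/non-root test that WITH_SSSD_USER uses to derive SSSD_NON_ROOT_USER (the Makefile.am hunk already nests the new conditional under `if SSSD_NON_ROOT_USER`, so this only makes the build match the documentation). As a point of style, `AC_HELP_STRING` is the obsolete spelling; the neighbouring WITH_AD_GPO_DEFAULT uses `AS_HELP_STRING`.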
@@ -65,12 +65,15 @@ ENUM_CONDS = ;without_ext_enumeration
 endif
 if SSSD_NON_ROOT_USER
 SSSD_NON_ROOT_USER_CONDS = ;with_non_root_user_support
+if BUILD_CONF_SERVICE_USER_SUPPORT
+SSSD_CONF_SERVICE_USER_CONDS = ;with_conf_service_user_support
+endif
 else
 SSSD_NON_ROOT_USER_CONDS = ;without_non_root_user_support
 endif
 
 
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(SSH_KNOWN_HOSTS_PROXY_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(ENUM_CONDS)
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(SSH_KNOWN_HOSTS_PROXY_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(SSSD_CONF_SERVICE_USER_CONDS)$(ENUM_CONDS)
 
 
 #Special Rules:
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 1dac78c9909..37ec42056c4 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -399,7 +399,7 @@
-
+
 user (string)
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 78c3d0ae00f..376b21932f7 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -120,9 +120,11 @@ struct mt_ctx {
     struct sbus_server *sbus_server;
     struct sbus_connection *sbus_conn;
 
-    /* For running unprivileged services */
+#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
+    /* User to switch to in run time */
     uid_t uid;
     gid_t gid;
+#endif
 };
 
 static int start_service(struct mt_svc *mt_svc);
@@ -811,6 +813,7 @@ static char *check_services(char **services)
     return NULL;
 }
 
+#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
 static int get_service_user(struct sss_ini *config, struct mt_ctx *ctx)
 {
     errno_t ret = EOK;
@@ -861,10 +864,11 @@ static int get_service_user(struct sss_ini *config, struct mt_ctx *ctx)
     }
 
     free(user_str);
-#endif
+#endif /* SSSD_NON_ROOT_USER */
 
     return ret;
 }
+#endif /* BUILD_CONF_SERVICE_USER_SUPPORT */
 
 static void get_debug_level(struct sss_ini *config)
 {
@@ -1953,7 +1957,12 @@ static void check_nscd(void)
     }
 }
 
+#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
 int bootstrap_monitor_process(uid_t target_uid, gid_t target_gid);
+#else
+int bootstrap_monitor_process(void);
+#endif
+
 void setup_keyring(void);
 
 int main(int argc, const char *argv[])
@@ -2109,6 +2118,7 @@ int main(int argc, const char *argv[])
         goto out;
     }
 
+#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
     ret = get_service_user(config, monitor);
     if (ret != EOK) {
         ret = 4; /* Error message already logged */
@@ -2116,6 +2126,9 @@ int main(int argc, const char *argv[])
     }
 
     ret = bootstrap_monitor_process(monitor->uid, monitor->gid);
+#else
+    ret = bootstrap_monitor_process();
+#endif
     if (ret != 0) {
         ERROR("Failed to boostrap SSSD 'monitor' process: %s", sss_strerror(ret));
         sss_log(SSS_LOG_ALERT, "Failed to boostrap SSSD 'monitor' process.");
diff --git a/src/monitor/monitor_bootstrap.c b/src/monitor/monitor_bootstrap.c
index 6bbee881e9c..d4c1846abeb 100644
--- a/src/monitor/monitor_bootstrap.c
+++ b/src/monitor/monitor_bootstrap.c
@@ -77,13 +77,18 @@ static int check_supplementary_group(gid_t gid)
 }
 #endif /* SSSD_NON_ROOT_USER */
 
+#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
 int bootstrap_monitor_process(uid_t target_uid, gid_t target_gid)
+#else
+int bootstrap_monitor_process(void)
+#endif
 {
 #ifdef SSSD_NON_ROOT_USER
     int ret;
     gid_t sssd_gid = 0;
 
     if (geteuid() == 0) {
+#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
         if (target_uid != 0) {
             /* Started under root but non-root 'sssd.conf::user' configured
              * deprecated method.
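Review bot: `bootstrap_monitor_process` is declared by hand in monitor.c with its own `#ifdef BUILD_CONF_SERVICE_USER_SUPPORT` / `#else` pair, and monitor_bootstrap.c repeats that pair on the definition, so nothing verifies that the two signatures agree. If the macro ever differs between the two translation units, main() passes a different argument list from the one the callee expects, and neither the C compiler nor the linker reports it. A single conditional declaration in a header included by both files lets the compiler check the definition against the prototype; the five-line declaration block here would then shrink to one `#include` of that header.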
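Review bot: In the default build the `#else` branch calls `bootstrap_monitor_process()` without consulting the configuration at all, so an existing sssd.conf that still sets `user` is accepted and the privilege drop the administrator configured silently no longer happens — the monitor simply stays root. Since `config` is already parsed at this point, the `#else` path could look up the `user` key and, when it is present, report through `ERROR()` and `sss_log()` that this binary was built without support for the option, so the change shows up in the logs rather than as an unexplained effective uid. The man page change only hides the option text, which does not help an administrator with an existing configuration. main() continues outside the hunk.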
@@ -95,7 +100,9 @@ int bootstrap_monitor_process(uid_t target_uid, gid_t target_gid)
                 sss_log(SSS_LOG_ALERT, "Failed to change uid:gid");
                 return 1;
             }
-        } else {
+        } else
+#endif /* BUILD_CONF_SERVICE_USER_SUPPORT */
+        {
             /* In case SSSD is built with non-root user support, but
              * runs under 'root', a number of files are still sssd:sssd owned.
              * Make sure all processes are added to 'sssd' supplementary
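Review bot: The `} else` / `#endif` / `{` split makes brace matching depend on preprocessor state: with the option disabled the code reads `if (geteuid() == 0) { { ... } }`, which compiles but is easy to break on the next edit. A one-line comment before the `{`, e.g. `/* without BUILD_CONF_SERVICE_USER_SUPPORT this is the only branch */`, would document the intent; moving the supplementary-group block into its own statement after the `#ifdef` section would avoid the split entirely, though the rest of the function lies outside the hunk so I cannot confirm that is straightforward.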