SSSD · alexey-tikhonov · Apr 22, 2024
diff --git a/configure.ac b/configure.ac
@@ -181,6 +181,7 @@ WITH_SUDO_LIB_PATH
 WITH_AUTOFS
 WITH_FILES_PROVIDER
 WITH_EXTENDED_ENUMERATION_SUPPORT
+WITH_CONF_SERVICE_USER_SUPPORT
 WITH_SUBID
 WITH_SUBID_LIB_PATH
 WITH_PASSKEY

diff --git a/contrib/ci/configure.sh b/contrib/ci/configure.sh
@@ -46,6 +46,14 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
     )
 fi
 
+if [[ "$DISTRO_BRANCH" == -redhat-centos-9*- ||
+      "$DISTRO_BRANCH" == -redhat-redhatenterprise*-9.*- ]]; then
+    CONFIGURE_ARG_LIST+=(
+        "--with-libsifp"
+        "--with-conf-service-user-support"
+    )
+fi
+
 if [[ "$DISTRO_BRANCH" == -redhat-fedora-* ||
       "$DISTRO_BRANCH" == -redhat-centos-9*- ||
       "$DISTRO_BRANCH" == -redhat-centos-10*- ||

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
@@ -596,6 +596,7 @@ autoreconf -ivf
     --with-test-dir=/dev/shm \
 %if 0%{?rhel} == 9
     --with-libsifp \
+    --with-conf-service-user-support \
 %endif
 %if %{build_subid}
     --with-subid \

diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
@@ -839,6 +839,25 @@ AC_DEFUN([WITH_SSSD_USER],
     fi
   ])
 
+AC_DEFUN([WITH_CONF_SERVICE_USER_SUPPORT],
+  [ AC_ARG_WITH([conf-service-user-support],
+                [AC_HELP_STRING([--with-conf-service-user-support],
+                                [Whether to build support for sssd.conf::user option [no].
+                                 Requires "--with-sssd-user=..." to be used.
+                                 Please take a note that this feature is deprecated and
+                                 might be removed in further releases.]
+                               )
+                ],
+                [with_conf_service_user_support=$withval],
+                with_conf_service_user_support=no
+               )
+
+    if test x"$with_conf_service_user_support" = xyes; then
+        AC_DEFINE(BUILD_CONF_SERVICE_USER_SUPPORT, 1, [Whether to build support for sssd.conf::user option])
+    fi
+    AM_CONDITIONAL([BUILD_CONF_SERVICE_USER_SUPPORT], [test x"$with_conf_service_user_support" = xyes])
+  ])
+
   AC_DEFUN([WITH_AD_GPO_DEFAULT],
     [ AC_ARG_WITH([ad-gpo-default],
                   [AS_HELP_STRING([--with-ad-gpo-default=[enforcing|permissive]],

diff --git a/src/man/Makefile.am b/src/man/Makefile.am
@@ -65,12 +65,15 @@ ENUM_CONDS = ;without_ext_enumeration
 endif
 if SSSD_NON_ROOT_USER
 SSSD_NON_ROOT_USER_CONDS = ;with_non_root_user_support
+if BUILD_CONF_SERVICE_USER_SUPPORT
+SSSD_CONF_SERVICE_USER_CONDS = ;with_conf_service_user_support
+endif
 else
 SSSD_NON_ROOT_USER_CONDS = ;without_non_root_user_support
 endif
 
 
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(SSH_KNOWN_HOSTS_PROXY_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(ENUM_CONDS)
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(SSH_KNOWN_HOSTS_PROXY_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(SSSD_CONF_SERVICE_USER_CONDS)$(ENUM_CONDS)
 
 
 #Special Rules:

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
@@ -399,7 +399,7 @@
                             </para>
                         </listitem>
                     </varlistentry>
-                    <varlistentry condition="with_non_root_user_support">
+                    <varlistentry condition="with_conf_service_user_support">
                         <term>user (string)</term>
                         <listitem>
                             <para>

diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
@@ -120,9 +120,11 @@ struct mt_ctx {
     struct sbus_server *sbus_server;
     struct sbus_connection *sbus_conn;
 
-    /* For running unprivileged services */
+#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
+    /* User to switch to in run time */
     uid_t uid;
     gid_t gid;
+#endif
 };
 
 static int start_service(struct mt_svc *mt_svc);
@@ -811,6 +813,7 @@ static char *check_services(char **services)
     return NULL;
 }
 
+#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
 static int get_service_user(struct sss_ini *config, struct mt_ctx *ctx)
 {
     errno_t ret = EOK;
@@ -861,10 +864,11 @@ static int get_service_user(struct sss_ini *config, struct mt_ctx *ctx)
     }
 
     free(user_str);
-#endif
+#endif /* SSSD_NON_ROOT_USER */
 
     return ret;
 }
+#endif /* BUILD_CONF_SERVICE_USER_SUPPORT */
 
 static void get_debug_level(struct sss_ini *config)
 {
@@ -1953,7 +1957,12 @@ static void check_nscd(void)
     }
 }
 
+#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
 int bootstrap_monitor_process(uid_t target_uid, gid_t target_gid);
+#else
+int bootstrap_monitor_process(void);
+#endif
+
 void setup_keyring(void);
 
 int main(int argc, const char *argv[])
@@ -2109,13 +2118,17 @@ int main(int argc, const char *argv[])
         goto out;
     }
 
+#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
     ret = get_service_user(config, monitor);
     if (ret != EOK) {
         ret = 4; /* Error message already logged */
         goto out;
     }
 
     ret = bootstrap_monitor_process(monitor->uid, monitor->gid);
+#else
+    ret = bootstrap_monitor_process();
+#endif
     if (ret != 0) {
         ERROR("Failed to boostrap SSSD 'monitor' process: %s", sss_strerror(ret));
         sss_log(SSS_LOG_ALERT, "Failed to boostrap SSSD 'monitor' process.");

diff --git a/src/monitor/monitor_bootstrap.c b/src/monitor/monitor_bootstrap.c
@@ -77,13 +77,18 @@ static int check_supplementary_group(gid_t gid)
 }
 #endif /* SSSD_NON_ROOT_USER */
 
+#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
 int bootstrap_monitor_process(uid_t target_uid, gid_t target_gid)
+#else
+int bootstrap_monitor_process(void)
+#endif
 {
 #ifdef SSSD_NON_ROOT_USER
     int ret;
     gid_t sssd_gid = 0;
 
     if (geteuid() == 0) {
+#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
         if (target_uid != 0) {
             /* Started under root but non-root 'sssd.conf::user' configured -
              * deprecated method.
@@ -95,7 +100,9 @@ int bootstrap_monitor_process(uid_t target_uid, gid_t target_gid)
                 sss_log(SSS_LOG_ALERT, "Failed to change uid:gid");
                 return 1;
             }
-        } else {
+        } else
+#endif /* BUILD_CONF_SERVICE_USER_SUPPORT */
+        {
             /* In case SSSD is built with non-root user support, but
              * runs under 'root', a number of files are still sssd:sssd owned.
              * Make sure all processes are added to 'sssd' supplementary