Rework config access checks.

src/tests/cmocka/test_config_check.c

@@ -35,7 +35,6 @@ struct sss_ini {
     struct ref_array *ra_error_list;
     struct ini_cfgobj *sssd_config;
     struct value_obj *obj;
-    const struct stat *cstat;
     struct ini_cfgfile *file;
     bool main_config_exists;
 };

src/util/sss_ini.c

@@ -43,7 +43,6 @@
     struct ref_array *ra_error_list;
     struct ini_cfgobj *sssd_config;
     struct value_obj *obj;
-    const struct stat *cstat;
     struct ini_cfgfile *file;
     bool main_config_exists;
 };
@@ -147,81 +146,6 @@
                                    &self->file);
 }
 
-/* Check configuration file permissions */
-
-static bool is_running_sssd(void)
-{
-    static char exe[1024];
-    int ret;
-    const char *s = NULL;
-
-    ret = readlink("/proc/self/exe", exe, sizeof(exe) - 1);
-    if ((ret > 0) && (ret < 1024)) {
-        exe[ret] = 0;
-        s = strstr(exe, debug_prg_name);
-        if ((s != NULL) && (strlen(s) == strlen(debug_prg_name))) {
-            return true;
-        }
-    }
-
-    return false;
-}
-
-static int sss_ini_access_check(struct sss_ini *self)
-{
-    int ret;
-    uint32_t flags = INI_ACCESS_CHECK_MODE;
-
-    if (!self->main_config_exists) {
-        return EOK;
-    }
-
-    if (is_running_sssd()) {
-        flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID;
-    }
-
-    ret = ini_config_access_check(self->file,
-                                  flags,
-                                  geteuid(),
-                                  getegid(),
-                                  S_IRUSR, /* r**------ */
-                                  ALLPERMS & ~(S_IWUSR|S_IXUSR));
-
-    return ret;
-}
-
-
-
-/* Get cstat */
-
-int sss_ini_get_stat(struct sss_ini *self)
-{
-    self->cstat = ini_config_get_stat(self->file);
-
-    if (!self->cstat) return EIO;
-
-    return EOK;
-}
-
-
-
-/* Get mtime */
-
-int sss_ini_get_mtime(struct sss_ini *self,
-                      size_t timestr_len,
-                      char *timestr)
-{
-    return snprintf(timestr, timestr_len, "%llu",
-                    (long long unsigned)self->cstat->st_mtime);
-}
-
-/* Get file_exists */
-
-bool sss_ini_exists(struct sss_ini *self)
-{
-    return self->main_config_exists;
-}
-
 /* Print ini_config errors */
 
 static void sss_ini_config_print_errors(char **error_list)
@@ -289,29 +213,18 @@
     uint32_t i = 0;
     char *msg = NULL;
     struct ini_cfgobj *modified_sssd_config = NULL;
-    struct access_check snip_check;
 
     if (self == NULL || self->sssd_config == NULL || config_dir == NULL) {
         return EINVAL;
     }
 
     sss_ini_free_ra_messages(self);
 
-    snip_check.flags = INI_ACCESS_CHECK_MODE;
-
-    if (is_running_sssd()) {
-        snip_check.flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID;
-    }
-    snip_check.uid = geteuid();
-    snip_check.gid = getegid();
-    snip_check.mode = S_IRUSR; /* r**------ */
-    snip_check.mask = ALLPERMS & ~(S_IWUSR | S_IXUSR);
-
     ret = ini_config_augment(self->sssd_config,
                              config_dir,
                              patterns,
                              sections,
-                             &snip_check,
+                             NULL,
                              INI_STOP_ON_ANY,
                              INI_MV1S_OVERWRITE,
                              INI_PARSE_NOWRAP,
@@ -868,6 +781,32 @@
     return ret;
 }
 
+static int access_check_file(const char *filename)
+{
+    /* TODO */
+
+    return EOK;
+}
+
+static int access_check_ini(const struct sss_ini *self)
+{
+    int ret;
+
+    /* const struct ref_array *ra_success; */
+
+    if (self->main_config_exists) {
+        const char *filename = ini_config_get_filename(self->file);
+        ret = access_check_file(filename);
+        if (ret != EOK) {
+            return ret;
+        }
+    }
+
+    /* TODO: check snippet files */
+
+    return EOK;
+}
+
 int sss_ini_read_sssd_conf(struct sss_ini *self,
                            const char *config_file,
                            const char *config_dir)
@@ -894,15 +833,7 @@
         return ERR_INI_OPEN_FAILED;
     }
 
-    if (sss_ini_exists(self)) {
-        ret = sss_ini_access_check(self);
-        if (ret != EOK) {
-            DEBUG(SSSDBG_CRIT_FAILURE,
-                  "Permission check on config file %s failed: %d\n",
-                  config_file, ret);
-            return ERR_INI_INVALID_PERMISSION;
-        }
-    } else {
+    if (!self->main_config_exists) {
         DEBUG(SSSDBG_CONF_SETTINGS,
               "File %s does not exist.\n", config_file);
     }
@@ -923,10 +854,12 @@
         return ERR_INI_ADD_SNIPPETS_FAILED;
     }
 
-    if (!sss_ini_exists(self) &&
+    if ((!self->main_config_exists) &&
         (ref_array_len(sss_ini_get_ra_success_list(self)) == 0)) {
         return ERR_INI_EMPTY_CONFIG;
     }
 
+    ret = access_check_ini(self);
+
     return ret;
 }

src/util/sss_ini.h

@@ -80,30 +80,6 @@ int sss_ini_open(struct sss_ini *self,
                  const char *config_file,
                  const char *fallback_cfg);
 
-/**
- * @brief Check whether sss_ini_open() reported that ini file is
- *        not present
- *
- * @param[in] self  pointer to sss_ini structure
- *
- * @return
- *   - true   we are using ini file
- *   - false  file was not found
- */
-bool sss_ini_exists(struct sss_ini *self);
-
-/**
- * @brief get Cstat structure of the ini file
- */
-int sss_ini_get_stat(struct sss_ini *self);
-
-/**
- * @brief Get mtime of the ini file
- */
-int sss_ini_get_mtime(struct sss_ini *self,
-                      size_t timestr_len,
-                      char *timestr);
-
 /**
  * @brief Get pointer to list of snippet parsing errors
  */