From 81569c75f127bffc5ac454b6b47b940fc8ba4784 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Tue, 30 Jan 2024 21:13:42 +0100 Subject: [PATCH] NSS: don't `fchown()` mem-cache files Since ec77ec4e8b2f7ce80848f8840d7b9fa8403e297a mem-cache files aren't tracked as a part of a package anymore so there is no need to keep SSSD_USER ownership of those files. --- src/responder/nss/nsssrv.c | 14 +++------- src/responder/nss/nsssrv_mmap_cache.c | 39 ++------------------------- src/responder/nss/nsssrv_mmap_cache.h | 2 -- 3 files changed, 5 insertions(+), 50 deletions(-) diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c index 0bc53191233..4d91f89f867 100644 --- a/src/responder/nss/nsssrv.c +++ b/src/responder/nss/nsssrv.c @@ -92,7 +92,7 @@ sss_nss_clear_memcache(TALLOC_CTX *mem_ctx, } DEBUG(SSSDBG_TRACE_FUNC, "Clearing memory caches.\n"); - ret = sss_mmap_cache_reinit(nctx, -1, -1, + ret = sss_mmap_cache_reinit(nctx, -1, /* keep current size */ (time_t) memcache_timeout, &nctx->pwd_mc_ctx); @@ -102,7 +102,7 @@ sss_nss_clear_memcache(TALLOC_CTX *mem_ctx, goto done; } - ret = sss_mmap_cache_reinit(nctx, -1, -1, + ret = sss_mmap_cache_reinit(nctx, -1, /* keep current size */ (time_t) memcache_timeout, &nctx->grp_mc_ctx); @@ -112,7 +112,7 @@ sss_nss_clear_memcache(TALLOC_CTX *mem_ctx, goto done; } - ret = sss_mmap_cache_reinit(nctx, -1, -1, + ret = sss_mmap_cache_reinit(nctx, -1, /* keep current size */ (time_t)memcache_timeout, &nctx->initgr_mc_ctx); @@ -287,10 +287,6 @@ static int setup_memcaches(struct sss_nss_ctx *nctx) int mc_size_group; int mc_size_initgroups; int mc_size_sid; - uid_t uid; - gid_t gid; - - sss_sssd_user_uid_and_gid(&uid, &gid); /* Remove the CLEAR_MC_FLAG file if exists. */ ret = unlink(SSS_NSS_MCACHE_DIR"/"CLEAR_MC_FLAG); @@ -365,7 +361,6 @@ static int setup_memcaches(struct sss_nss_ctx *nctx) /* Initialize the fast in-memory caches if they were not disabled */ ret = sss_mmap_cache_init(nctx, "passwd", - uid, gid, SSS_MC_PASSWD, mc_size_passwd * SSS_MC_CACHE_SLOTS_PER_MB, (time_t)memcache_timeout, @@ -377,7 +372,6 @@ static int setup_memcaches(struct sss_nss_ctx *nctx) } ret = sss_mmap_cache_init(nctx, "group", - uid, gid, SSS_MC_GROUP, mc_size_group * SSS_MC_CACHE_SLOTS_PER_MB, (time_t)memcache_timeout, @@ -389,7 +383,6 @@ static int setup_memcaches(struct sss_nss_ctx *nctx) } ret = sss_mmap_cache_init(nctx, "initgroups", - uid, gid, SSS_MC_INITGROUPS, mc_size_initgroups * SSS_MC_CACHE_SLOTS_PER_MB, (time_t)memcache_timeout, @@ -401,7 +394,6 @@ static int setup_memcaches(struct sss_nss_ctx *nctx) } ret = sss_mmap_cache_init(nctx, "sid", - uid, gid, SSS_MC_SID, mc_size_sid * SSS_MC_CACHE_SLOTS_PER_MB, (time_t)memcache_timeout, diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c index 7d4f23c05e4..d1ba9302605 100644 --- a/src/responder/nss/nsssrv_mmap_cache.c +++ b/src/responder/nss/nsssrv_mmap_cache.c @@ -52,9 +52,6 @@ struct sss_mc_ctx { char *file; /* mmap cache file name */ int fd; /* file descriptor */ - uid_t uid; /* User ID of owner */ - gid_t gid; /* Group ID of owner */ - uint32_t seed; /* pseudo-random seed to avoid collision attacks */ time_t valid_time_slot; /* maximum time the entry is valid in seconds */ @@ -650,9 +647,7 @@ static errno_t sss_mc_get_record(struct sss_mc_ctx **_mcc, if (ret == EFAULT) { DEBUG(SSSDBG_CRIT_FAILURE, "Fatal internal mmap cache error, invalidating cache!\n"); - (void)sss_mmap_cache_reinit(talloc_parent(mcc), - -1, -1, -1, -1, - _mcc); + (void)sss_mmap_cache_reinit(talloc_parent(mcc), -1, -1, _mcc); } return ret; } @@ -773,7 +768,7 @@ static errno_t sss_mmap_cache_validate_or_reinit(struct sss_mc_ctx **_mcc) done: if (reinit) { - return sss_mmap_cache_reinit(talloc_parent(mcc), -1, -1, -1, -1, _mcc); + return sss_mmap_cache_reinit(talloc_parent(mcc), -1, -1, _mcc); } return ret; @@ -1291,22 +1286,6 @@ static errno_t sss_mc_create_file(struct sss_mc_ctx *mc_ctx) return ret; } -#ifdef SSSD_NON_ROOT_USER - /* Make sure that the memory cache files are chowned to sssd.sssd even - * if the nss responder runs as root. This is because the specfile - * has the ownership recorded as sssd.sssd - */ - if ((getuid() == 0) || (geteuid() == 0)) { - ret = fchown(mc_ctx->fd, mc_ctx->uid, mc_ctx->gid); - if (ret != 0) { - ret = errno; - DEBUG(SSSDBG_CRIT_FAILURE, "Failed to chown mmap file %s: %d(%s)\n", - mc_ctx->file, ret, strerror(ret)); - return ret; - } - } -#endif /* SSSD_NON_ROOT_USER */ - ret = sss_br_lock_file(mc_ctx->fd, 0, 1, retries, t); if (ret != EOK) { DEBUG(SSSDBG_FATAL_FAILURE, @@ -1389,7 +1368,6 @@ static int mc_ctx_destructor(struct sss_mc_ctx *mc_ctx) #define POSIX_FALLOCATE_ATTEMPTS 3 errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name, - uid_t uid, gid_t gid, enum sss_mc_type type, size_t n_elem, time_t timeout, struct sss_mc_ctx **mcc) { @@ -1437,9 +1415,6 @@ errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name, goto done; } - mc_ctx->uid = uid; - mc_ctx->gid = gid; - mc_ctx->type = type; mc_ctx->valid_time_slot = timeout; @@ -1533,7 +1508,6 @@ errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name, } errno_t sss_mmap_cache_reinit(TALLOC_CTX *mem_ctx, - uid_t uid, gid_t gid, size_t n_elem, time_t timeout, struct sss_mc_ctx **mc_ctx) { @@ -1571,14 +1545,6 @@ errno_t sss_mmap_cache_reinit(TALLOC_CTX *mem_ctx, timeout = (*mc_ctx)->valid_time_slot; } - if (uid == (uid_t)-1) { - uid = (*mc_ctx)->uid; - } - - if (gid == (gid_t)-1) { - gid = (*mc_ctx)->gid; - } - talloc_free(*mc_ctx); /* make sure we do not leave a potentially freed pointer around */ @@ -1586,7 +1552,6 @@ errno_t sss_mmap_cache_reinit(TALLOC_CTX *mem_ctx, ret = sss_mmap_cache_init(mem_ctx, name, - uid, gid, type, n_elem, timeout, diff --git a/src/responder/nss/nsssrv_mmap_cache.h b/src/responder/nss/nsssrv_mmap_cache.h index 28ee5adb643..ed00ad1ba35 100644 --- a/src/responder/nss/nsssrv_mmap_cache.h +++ b/src/responder/nss/nsssrv_mmap_cache.h @@ -33,7 +33,6 @@ enum sss_mc_type { }; errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name, - uid_t uid, gid_t gid, enum sss_mc_type type, size_t n_elem, time_t valid_time, struct sss_mc_ctx **mcc); @@ -77,7 +76,6 @@ errno_t sss_mmap_cache_initgr_invalidate(struct sss_mc_ctx **_mcc, const struct sized_string *name); errno_t sss_mmap_cache_reinit(TALLOC_CTX *mem_ctx, - uid_t uid, gid_t gid, size_t n_elem, time_t timeout, struct sss_mc_ctx **mc_ctx);