Skip to content

Commit

Permalink
NSS: don't fchown() mem-cache files
Browse files Browse the repository at this point in the history
Since ec77ec4 mem-cache files aren't
tracked as a part of a package anymore so there is no need to keep
SSSD_USER ownership of those files.
  • Loading branch information
alexey-tikhonov committed Mar 13, 2024
1 parent 6b5d733 commit f27c099
Show file tree
Hide file tree
Showing 3 changed files with 5 additions and 50 deletions.
14 changes: 3 additions & 11 deletions src/responder/nss/nsssrv.c
Original file line number Diff line number Diff line change
Expand Up @@ -92,7 +92,7 @@ sss_nss_clear_memcache(TALLOC_CTX *mem_ctx,
}

DEBUG(SSSDBG_TRACE_FUNC, "Clearing memory caches.\n");
ret = sss_mmap_cache_reinit(nctx, -1, -1,
ret = sss_mmap_cache_reinit(nctx,
-1, /* keep current size */
(time_t) memcache_timeout,
&nctx->pwd_mc_ctx);
Expand All @@ -102,7 +102,7 @@ sss_nss_clear_memcache(TALLOC_CTX *mem_ctx,
goto done;
}

ret = sss_mmap_cache_reinit(nctx, -1, -1,
ret = sss_mmap_cache_reinit(nctx,
-1, /* keep current size */
(time_t) memcache_timeout,
&nctx->grp_mc_ctx);
Expand All @@ -112,7 +112,7 @@ sss_nss_clear_memcache(TALLOC_CTX *mem_ctx,
goto done;
}

ret = sss_mmap_cache_reinit(nctx, -1, -1,
ret = sss_mmap_cache_reinit(nctx,
-1, /* keep current size */
(time_t)memcache_timeout,
&nctx->initgr_mc_ctx);
Expand Down Expand Up @@ -287,10 +287,6 @@ static int setup_memcaches(struct sss_nss_ctx *nctx)
int mc_size_group;
int mc_size_initgroups;
int mc_size_sid;
uid_t uid;
gid_t gid;

sss_sssd_user_uid_and_gid(&uid, &gid);

/* Remove the CLEAR_MC_FLAG file if exists. */
ret = unlink(SSS_NSS_MCACHE_DIR"/"CLEAR_MC_FLAG);
Expand Down Expand Up @@ -365,7 +361,6 @@ static int setup_memcaches(struct sss_nss_ctx *nctx)
/* Initialize the fast in-memory caches if they were not disabled */

ret = sss_mmap_cache_init(nctx, "passwd",
uid, gid,
SSS_MC_PASSWD,
mc_size_passwd * SSS_MC_CACHE_SLOTS_PER_MB,
(time_t)memcache_timeout,
Expand All @@ -377,7 +372,6 @@ static int setup_memcaches(struct sss_nss_ctx *nctx)
}

ret = sss_mmap_cache_init(nctx, "group",
uid, gid,
SSS_MC_GROUP,
mc_size_group * SSS_MC_CACHE_SLOTS_PER_MB,
(time_t)memcache_timeout,
Expand All @@ -389,7 +383,6 @@ static int setup_memcaches(struct sss_nss_ctx *nctx)
}

ret = sss_mmap_cache_init(nctx, "initgroups",
uid, gid,
SSS_MC_INITGROUPS,
mc_size_initgroups * SSS_MC_CACHE_SLOTS_PER_MB,
(time_t)memcache_timeout,
Expand All @@ -401,7 +394,6 @@ static int setup_memcaches(struct sss_nss_ctx *nctx)
}

ret = sss_mmap_cache_init(nctx, "sid",
uid, gid,
SSS_MC_SID,
mc_size_sid * SSS_MC_CACHE_SLOTS_PER_MB,
(time_t)memcache_timeout,
Expand Down
39 changes: 2 additions & 37 deletions src/responder/nss/nsssrv_mmap_cache.c
Original file line number Diff line number Diff line change
Expand Up @@ -52,9 +52,6 @@ struct sss_mc_ctx {
char *file; /* mmap cache file name */
int fd; /* file descriptor */

uid_t uid; /* User ID of owner */
gid_t gid; /* Group ID of owner */

uint32_t seed; /* pseudo-random seed to avoid collision attacks */
time_t valid_time_slot; /* maximum time the entry is valid in seconds */

Expand Down Expand Up @@ -650,9 +647,7 @@ static errno_t sss_mc_get_record(struct sss_mc_ctx **_mcc,
if (ret == EFAULT) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Fatal internal mmap cache error, invalidating cache!\n");
(void)sss_mmap_cache_reinit(talloc_parent(mcc),
-1, -1, -1, -1,
_mcc);
(void)sss_mmap_cache_reinit(talloc_parent(mcc), -1, -1, _mcc);
}
return ret;
}
Expand Down Expand Up @@ -773,7 +768,7 @@ static errno_t sss_mmap_cache_validate_or_reinit(struct sss_mc_ctx **_mcc)

done:
if (reinit) {
return sss_mmap_cache_reinit(talloc_parent(mcc), -1, -1, -1, -1, _mcc);
return sss_mmap_cache_reinit(talloc_parent(mcc), -1, -1, _mcc);
}

return ret;
Expand Down Expand Up @@ -1291,22 +1286,6 @@ static errno_t sss_mc_create_file(struct sss_mc_ctx *mc_ctx)
return ret;
}

#ifdef SSSD_NON_ROOT_USER
/* Make sure that the memory cache files are chowned to sssd.sssd even
* if the nss responder runs as root. This is because the specfile
* has the ownership recorded as sssd.sssd
*/
if ((getuid() == 0) || (geteuid() == 0)) {
ret = fchown(mc_ctx->fd, mc_ctx->uid, mc_ctx->gid);
if (ret != 0) {
ret = errno;
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to chown mmap file %s: %d(%s)\n",
mc_ctx->file, ret, strerror(ret));
return ret;
}
}
#endif /* SSSD_NON_ROOT_USER */

ret = sss_br_lock_file(mc_ctx->fd, 0, 1, retries, t);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
Expand Down Expand Up @@ -1389,7 +1368,6 @@ static int mc_ctx_destructor(struct sss_mc_ctx *mc_ctx)
#define POSIX_FALLOCATE_ATTEMPTS 3

errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name,
uid_t uid, gid_t gid,
enum sss_mc_type type, size_t n_elem,
time_t timeout, struct sss_mc_ctx **mcc)
{
Expand Down Expand Up @@ -1437,9 +1415,6 @@ errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name,
goto done;
}

mc_ctx->uid = uid;
mc_ctx->gid = gid;

mc_ctx->type = type;

mc_ctx->valid_time_slot = timeout;
Expand Down Expand Up @@ -1533,7 +1508,6 @@ errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name,
}

errno_t sss_mmap_cache_reinit(TALLOC_CTX *mem_ctx,
uid_t uid, gid_t gid,
size_t n_elem,
time_t timeout, struct sss_mc_ctx **mc_ctx)
{
Expand Down Expand Up @@ -1571,22 +1545,13 @@ errno_t sss_mmap_cache_reinit(TALLOC_CTX *mem_ctx,
timeout = (*mc_ctx)->valid_time_slot;
}

if (uid == (uid_t)-1) {
uid = (*mc_ctx)->uid;
}

if (gid == (gid_t)-1) {
gid = (*mc_ctx)->gid;
}

talloc_free(*mc_ctx);

/* make sure we do not leave a potentially freed pointer around */
*mc_ctx = NULL;

ret = sss_mmap_cache_init(mem_ctx,
name,
uid, gid,
type,
n_elem,
timeout,
Expand Down
2 changes: 0 additions & 2 deletions src/responder/nss/nsssrv_mmap_cache.h
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,6 @@ enum sss_mc_type {
};

errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name,
uid_t uid, gid_t gid,
enum sss_mc_type type, size_t n_elem,
time_t valid_time, struct sss_mc_ctx **mcc);

Expand Down Expand Up @@ -77,7 +76,6 @@ errno_t sss_mmap_cache_initgr_invalidate(struct sss_mc_ctx **_mcc,
const struct sized_string *name);

errno_t sss_mmap_cache_reinit(TALLOC_CTX *mem_ctx,
uid_t uid, gid_t gid,
size_t n_elem,
time_t timeout, struct sss_mc_ctx **mc_ctx);

Expand Down

0 comments on commit f27c099

Please sign in to comment.