|
|
5482e1b |
From 07ae0da06c0d94a3198e484d0de28c9282c4d6cd Mon Sep 17 00:00:00 2001
|
|
|
5482e1b |
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
|
5482e1b |
Date: Mon, 22 Jan 2018 11:49:23 +0100
|
|
|
5482e1b |
Subject: [PATCH 86/88] DESKPROFILE: Use seteuid()/setegid() to create the
|
|
|
5482e1b |
profile
|
|
|
5482e1b |
MIME-Version: 1.0
|
|
|
5482e1b |
Content-Type: text/plain; charset=UTF-8
|
|
|
5482e1b |
Content-Transfer-Encoding: 8bit
|
|
|
5482e1b |
|
|
|
5482e1b |
In order to create the file, having its owner properly, let's use
|
|
|
5482e1b |
seteuid()/setegid() to create when creating the profile, as due to the
|
|
|
5482e1b |
drop of the CAP_DAC_OVERRIDE "root" doesn't have access to the folder
|
|
|
5482e1b |
where the profile will be created anymore.
|
|
|
5482e1b |
|
|
|
5482e1b |
By adopting the seteuid()/setegid() solution, calling fchown() in the
|
|
|
5482e1b |
profile doesn't make sense, thus it was also removed.
|
|
|
5482e1b |
|
|
|
5482e1b |
This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora
|
|
|
5482e1b |
package.
|
|
|
5482e1b |
|
|
|
5482e1b |
Resolves:
|
|
|
5482e1b |
https://pagure.io/SSSD/sssd/issue/3621
|
|
|
5482e1b |
|
|
|
5482e1b |
Signed-off-by: Fabiano FidĂȘncio <fidencio@redhat.com>
|
|
|
5482e1b |
|
|
|
5482e1b |
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
5482e1b |
---
|
|
|
5482e1b |
src/providers/ipa/ipa_deskprofile_rules_util.c | 70 ++++++++++++++++++++++++--
|
|
|
5482e1b |
1 file changed, 66 insertions(+), 4 deletions(-)
|
|
|
5482e1b |
|
|
|
5482e1b |
diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
|
|
|
5482e1b |
index 0846b16f6..eb04a69f8 100644
|
|
|
5482e1b |
--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
|
|
|
5482e1b |
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
|
|
|
5482e1b |
@@ -706,6 +706,8 @@ ipa_deskprofile_rules_save_rule_to_disk(
|
|
|
5482e1b |
const char *extension = "json";
|
|
|
5482e1b |
uint32_t prio;
|
|
|
5482e1b |
int fd = -1;
|
|
|
5482e1b |
+ gid_t orig_gid;
|
|
|
5482e1b |
+ uid_t orig_uid;
|
|
|
5482e1b |
errno_t ret;
|
|
|
5482e1b |
|
|
|
5482e1b |
tmp_ctx = talloc_new(mem_ctx);
|
|
|
5482e1b |
@@ -713,6 +715,9 @@ ipa_deskprofile_rules_save_rule_to_disk(
|
|
|
5482e1b |
return ENOMEM;
|
|
|
5482e1b |
}
|
|
|
5482e1b |
|
|
|
5482e1b |
+ orig_gid = getegid();
|
|
|
5482e1b |
+ orig_uid = geteuid();
|
|
|
5482e1b |
+
|
|
|
5482e1b |
ret = sysdb_attrs_get_string(rule, IPA_CN, &rule_name);
|
|
|
5482e1b |
if (ret != EOK) {
|
|
|
5482e1b |
DEBUG(SSSDBG_TRACE_FUNC,
|
|
|
5482e1b |
@@ -875,6 +880,26 @@ ipa_deskprofile_rules_save_rule_to_disk(
|
|
|
5482e1b |
goto done;
|
|
|
5482e1b |
}
|
|
|
5482e1b |
|
|
|
5482e1b |
+ ret = setegid(gid);
|
|
|
5482e1b |
+ if (ret == -1) {
|
|
|
5482e1b |
+ ret = errno;
|
|
|
5482e1b |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
5482e1b |
+ "Unable to set effective group id (%"PRIu32") of the domain's "
|
|
|
5482e1b |
+ "process [%d]: %s\n",
|
|
|
5482e1b |
+ gid, ret, sss_strerror(ret));
|
|
|
5482e1b |
+ goto done;
|
|
|
5482e1b |
+ }
|
|
|
5482e1b |
+
|
|
|
5482e1b |
+ ret = seteuid(uid);
|
|
|
5482e1b |
+ if (ret == -1) {
|
|
|
5482e1b |
+ ret = errno;
|
|
|
5482e1b |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
5482e1b |
+ "Unable to set effective user id (%"PRIu32") of the domain's "
|
|
|
5482e1b |
+ "process [%d]: %s\n",
|
|
|
5482e1b |
+ uid, ret, sss_strerror(ret));
|
|
|
5482e1b |
+ goto done;
|
|
|
5482e1b |
+ }
|
|
|
5482e1b |
+
|
|
|
5482e1b |
fd = open(filename_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
|
|
|
5482e1b |
if (fd == -1) {
|
|
|
5482e1b |
ret = errno;
|
|
|
5482e1b |
@@ -895,12 +920,23 @@ ipa_deskprofile_rules_save_rule_to_disk(
|
|
|
5482e1b |
goto done;
|
|
|
5482e1b |
}
|
|
|
5482e1b |
|
|
|
5482e1b |
- ret = fchown(fd, uid, gid);
|
|
|
5482e1b |
- if (ret != EOK) {
|
|
|
5482e1b |
+ ret = seteuid(orig_uid);
|
|
|
5482e1b |
+ if (ret == -1) {
|
|
|
5482e1b |
ret = errno;
|
|
|
5482e1b |
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
5482e1b |
- "Failed to own the Desktop Profile Rule file \"%s\" [%d]: %s\n",
|
|
|
5482e1b |
- filename_path, ret, sss_strerror(ret));
|
|
|
5482e1b |
+ "Failed to set the effect user id (%"PRIu32") of the domain's "
|
|
|
5482e1b |
+ "process [%d]: %s\n",
|
|
|
5482e1b |
+ orig_uid, ret, sss_strerror(ret));
|
|
|
5482e1b |
+ goto done;
|
|
|
5482e1b |
+ }
|
|
|
5482e1b |
+
|
|
|
5482e1b |
+ ret = setegid(orig_gid);
|
|
|
5482e1b |
+ if (ret == -1) {
|
|
|
5482e1b |
+ ret = errno;
|
|
|
5482e1b |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
5482e1b |
+ "Failed to set the effect group id (%"PRIu32") of the domain's "
|
|
|
5482e1b |
+ "process [%d]: %s\n",
|
|
|
5482e1b |
+ orig_gid, ret, sss_strerror(ret));
|
|
|
5482e1b |
goto done;
|
|
|
5482e1b |
}
|
|
|
5482e1b |
|
|
|
5482e1b |
@@ -910,6 +946,32 @@ done:
|
|
|
5482e1b |
if (fd != -1) {
|
|
|
5482e1b |
close(fd);
|
|
|
5482e1b |
}
|
|
|
5482e1b |
+ if (geteuid() != orig_uid) {
|
|
|
5482e1b |
+ ret = seteuid(orig_uid);
|
|
|
5482e1b |
+ if (ret == -1) {
|
|
|
5482e1b |
+ ret = errno;
|
|
|
5482e1b |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
5482e1b |
+ "Unable to set effective user id (%"PRIu32") of the "
|
|
|
5482e1b |
+ "domain's process [%d]: %s\n",
|
|
|
5482e1b |
+ orig_uid, ret, sss_strerror(ret));
|
|
|
5482e1b |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
5482e1b |
+ "Sending SIGUSR2 to the process: %d\n", getpid());
|
|
|
5482e1b |
+ kill(getpid(), SIGUSR2);
|
|
|
5482e1b |
+ }
|
|
|
5482e1b |
+ }
|
|
|
5482e1b |
+ if (getegid() != orig_gid) {
|
|
|
5482e1b |
+ ret = setegid(orig_gid);
|
|
|
5482e1b |
+ if (ret == -1) {
|
|
|
5482e1b |
+ ret = errno;
|
|
|
5482e1b |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
5482e1b |
+ "Unable to set effective group id (%"PRIu32") of the "
|
|
|
5482e1b |
+ "domain's process. Let's have the process restartd!\n",
|
|
|
5482e1b |
+ orig_gid);
|
|
|
5482e1b |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
5482e1b |
+ "Sending SIGUSR2 to the process: %d\n", getpid());
|
|
|
5482e1b |
+ kill(getpid(), SIGUSR2);
|
|
|
5482e1b |
+ }
|
|
|
5482e1b |
+ }
|
|
|
5482e1b |
talloc_free(tmp_ctx);
|
|
|
5482e1b |
return ret;
|
|
|
5482e1b |
}
|
|
|
5482e1b |
--
|
|
|
5482e1b |
2.14.3
|
|
|
5482e1b |
|