Tree - rpms/sssd - src.fedoraproject.org

rpms / sssd

Blame 0086-DESKPROFILE-Use-seteuid-setegid-to-create-the-profil.patch

Blob History Raw

		5482e1b	`From 07ae0da06c0d94a3198e484d0de28c9282c4d6cd Mon Sep 17 00:00:00 2001`
		5482e1b	`From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>`
		5482e1b	`Date: Mon, 22 Jan 2018 11:49:23 +0100`
		5482e1b	`Subject: [PATCH 86/88] DESKPROFILE: Use seteuid()/setegid() to create the`
		5482e1b	`profile`
		5482e1b	`MIME-Version: 1.0`
		5482e1b	`Content-Type: text/plain; charset=UTF-8`
		5482e1b	`Content-Transfer-Encoding: 8bit`
		5482e1b
		5482e1b	`In order to create the file, having its owner properly, let's use`
		5482e1b	`seteuid()/setegid() to create when creating the profile, as due to the`
		5482e1b	`drop of the CAP_DAC_OVERRIDE "root" doesn't have access to the folder`
		5482e1b	`where the profile will be created anymore.`
		5482e1b
		5482e1b	`By adopting the seteuid()/setegid() solution, calling fchown() in the`
		5482e1b	`profile doesn't make sense, thus it was also removed.`
		5482e1b
		5482e1b	`This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora`
		5482e1b	`package.`
		5482e1b
		5482e1b	`Resolves:`
		5482e1b	`https://pagure.io/SSSD/sssd/issue/3621`
		5482e1b
		5482e1b	`Signed-off-by: Fabiano FidĂȘncio <fidencio@redhat.com>`
		5482e1b
		5482e1b	`Reviewed-by: Simo Sorce <simo@redhat.com>`
		5482e1b	`---`
		5482e1b	`src/providers/ipa/ipa_deskprofile_rules_util.c \| 70 ++++++++++++++++++++++++--`
		5482e1b	`1 file changed, 66 insertions(+), 4 deletions(-)`
		5482e1b
		5482e1b	`diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c`
		5482e1b	`index 0846b16f6..eb04a69f8 100644`
		5482e1b	`--- a/src/providers/ipa/ipa_deskprofile_rules_util.c`
		5482e1b	`+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c`
		5482e1b	`@@ -706,6 +706,8 @@ ipa_deskprofile_rules_save_rule_to_disk(`
		5482e1b	`const char *extension = "json";`
		5482e1b	`uint32_t prio;`
		5482e1b	`int fd = -1;`
		5482e1b	`+ gid_t orig_gid;`
		5482e1b	`+ uid_t orig_uid;`
		5482e1b	`errno_t ret;`
		5482e1b
		5482e1b	`tmp_ctx = talloc_new(mem_ctx);`
		5482e1b	`@@ -713,6 +715,9 @@ ipa_deskprofile_rules_save_rule_to_disk(`
		5482e1b	`return ENOMEM;`
		5482e1b	`}`
		5482e1b
		5482e1b	`+ orig_gid = getegid();`
		5482e1b	`+ orig_uid = geteuid();`
		5482e1b	`+`
		5482e1b	`ret = sysdb_attrs_get_string(rule, IPA_CN, &rule_name);`
		5482e1b	`if (ret != EOK) {`
		5482e1b	`DEBUG(SSSDBG_TRACE_FUNC,`
		5482e1b	`@@ -875,6 +880,26 @@ ipa_deskprofile_rules_save_rule_to_disk(`
		5482e1b	`goto done;`
		5482e1b	`}`
		5482e1b
		5482e1b	`+ ret = setegid(gid);`
		5482e1b	`+ if (ret == -1) {`
		5482e1b	`+ ret = errno;`
		5482e1b	`+ DEBUG(SSSDBG_CRIT_FAILURE,`
		5482e1b	`+ "Unable to set effective group id (%"PRIu32") of the domain's "`
		5482e1b	`+ "process [%d]: %s\n",`
		5482e1b	`+ gid, ret, sss_strerror(ret));`
		5482e1b	`+ goto done;`
		5482e1b	`+ }`
		5482e1b	`+`
		5482e1b	`+ ret = seteuid(uid);`
		5482e1b	`+ if (ret == -1) {`
		5482e1b	`+ ret = errno;`
		5482e1b	`+ DEBUG(SSSDBG_CRIT_FAILURE,`
		5482e1b	`+ "Unable to set effective user id (%"PRIu32") of the domain's "`
		5482e1b	`+ "process [%d]: %s\n",`
		5482e1b	`+ uid, ret, sss_strerror(ret));`
		5482e1b	`+ goto done;`
		5482e1b	`+ }`
		5482e1b	`+`
		5482e1b	`fd = open(filename_path, O_WRONLY \| O_CREAT \| O_TRUNC, 0600);`
		5482e1b	`if (fd == -1) {`
		5482e1b	`ret = errno;`
		5482e1b	`@@ -895,12 +920,23 @@ ipa_deskprofile_rules_save_rule_to_disk(`
		5482e1b	`goto done;`
		5482e1b	`}`
		5482e1b
		5482e1b	`- ret = fchown(fd, uid, gid);`
		5482e1b	`- if (ret != EOK) {`
		5482e1b	`+ ret = seteuid(orig_uid);`
		5482e1b	`+ if (ret == -1) {`
		5482e1b	`ret = errno;`
		5482e1b	`DEBUG(SSSDBG_CRIT_FAILURE,`
		5482e1b	`- "Failed to own the Desktop Profile Rule file \"%s\" [%d]: %s\n",`
		5482e1b	`- filename_path, ret, sss_strerror(ret));`
		5482e1b	`+ "Failed to set the effect user id (%"PRIu32") of the domain's "`
		5482e1b	`+ "process [%d]: %s\n",`
		5482e1b	`+ orig_uid, ret, sss_strerror(ret));`
		5482e1b	`+ goto done;`
		5482e1b	`+ }`
		5482e1b	`+`
		5482e1b	`+ ret = setegid(orig_gid);`
		5482e1b	`+ if (ret == -1) {`
		5482e1b	`+ ret = errno;`
		5482e1b	`+ DEBUG(SSSDBG_CRIT_FAILURE,`
		5482e1b	`+ "Failed to set the effect group id (%"PRIu32") of the domain's "`
		5482e1b	`+ "process [%d]: %s\n",`
		5482e1b	`+ orig_gid, ret, sss_strerror(ret));`
		5482e1b	`goto done;`
		5482e1b	`}`
		5482e1b
		5482e1b	`@@ -910,6 +946,32 @@ done:`
		5482e1b	`if (fd != -1) {`
		5482e1b	`close(fd);`
		5482e1b	`}`
		5482e1b	`+ if (geteuid() != orig_uid) {`
		5482e1b	`+ ret = seteuid(orig_uid);`
		5482e1b	`+ if (ret == -1) {`
		5482e1b	`+ ret = errno;`
		5482e1b	`+ DEBUG(SSSDBG_CRIT_FAILURE,`
		5482e1b	`+ "Unable to set effective user id (%"PRIu32") of the "`
		5482e1b	`+ "domain's process [%d]: %s\n",`
		5482e1b	`+ orig_uid, ret, sss_strerror(ret));`
		5482e1b	`+ DEBUG(SSSDBG_CRIT_FAILURE,`
		5482e1b	`+ "Sending SIGUSR2 to the process: %d\n", getpid());`
		5482e1b	`+ kill(getpid(), SIGUSR2);`
		5482e1b	`+ }`
		5482e1b	`+ }`
		5482e1b	`+ if (getegid() != orig_gid) {`
		5482e1b	`+ ret = setegid(orig_gid);`
		5482e1b	`+ if (ret == -1) {`
		5482e1b	`+ ret = errno;`
		5482e1b	`+ DEBUG(SSSDBG_CRIT_FAILURE,`
		5482e1b	`+ "Unable to set effective group id (%"PRIu32") of the "`
		5482e1b	`+ "domain's process. Let's have the process restartd!\n",`
		5482e1b	`+ orig_gid);`
		5482e1b	`+ DEBUG(SSSDBG_CRIT_FAILURE,`
		5482e1b	`+ "Sending SIGUSR2 to the process: %d\n", getpid());`
		5482e1b	`+ kill(getpid(), SIGUSR2);`
		5482e1b	`+ }`
		5482e1b	`+ }`
		5482e1b	`talloc_free(tmp_ctx);`
		5482e1b	`return ret;`
		5482e1b	`}`
		5482e1b	`--`
		5482e1b	`2.14.3`
		5482e1b

rpms / sssd

Source Code

Blame 0086-DESKPROFILE-Use-seteuid-setegid-to-create-the-profil.patch