SSSD · alexey-tikhonov · Sep 9, 2023 · Sep 9, 2023 · Sep 9, 2023 · Sep 9, 2023
diff --git a/Makefile.am b/Makefile.am
@@ -90,27 +90,34 @@ sssdkcmdatadir = $(datadir)/sssd-kcm
 deskprofilepath = $(sss_statedir)/deskprofile
 
 if HAVE_SYSTEMD_UNIT
+
 ifp_dbus_exec_comment = \# If system is configured to use systemd ifp service ("SystemdService=") then "Exec=" and "User=" options are not used
 ifp_dbus_exec_cmd = $(sssdlibexecdir)/sssd_ifp --socket-activated
 ifp_systemdservice = SystemdService=sssd-ifp.service
 # SSSD requires a configuration file (either /etc/sssd/sssd.conf,
 # or some snippet under /etc/sssd/sssd.conf.d/) to be present.
 condconfigexists = ConditionPathExists=\|/etc/sssd/sssd.conf\nConditionDirectoryNotEmpty=\|/etc/sssd/conf.d/
-# If sssd is configured with --with-sssd-user=<user> where <user>!='root'
-# but is actually run under the root we need CAP_DAC_OVERRIDE to access
-# files owned by <user>:<user>
-# If sssd is really run under non-root account that doesn't have this cap
-# originally then it's addition to CapabilityBoundingSet doesn't matter.
+
 if SSSD_NON_ROOT_USER
-additional_caps = CAP_DAC_OVERRIDE
+# If non-root service user is supported, monitor might need SET-ID to switch user (deprecated 'sssd.conf::user' option)
+# but this is non default configuration, so 'AmbientCapabilities=' are commented out.
+# Bounding set needs to list capabilities required by ldap/krb5/selinux_childs, otherwise they can't gain it.
+capabilities = CapabilityBoundingSet= CAP_CHOWN CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID\n\# Uncomment if support of deprecated "sssd.conf::user" option is required:\n\#AmbientCapabilities= CAP_SETGID CAP_SETUID
 nss_service_user_group = User=$(SSSD_USER)\nGroup=$(SSSD_USER)
 nss_socket_user_group = SocketUser=$(SSSD_USER)\nSocketGroup=$(SSSD_USER)
-endif
+supplementary_groups = \# If service configured to be run under "root", uncomment "SupplementaryGroups"\n\#SupplementaryGroups=$(SSSD_USER)
+else
+# If non-root service user isn't supported, monitor/sssd_be/responders don't need any effective capabilities
+# but bounding set needs to list capabilities required by ldap/krb5/selinux_childs, otherwise they can't gain it.
+capabilities = CapabilityBoundingSet= CAP_CHOWN CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID
+supplementary_groups = \# Note: SSSD package was built without support of running as non-privileged user
+endif # SSSD_NON_ROOT_USER
+
 else
 ifp_dbus_exec_comment = \# "sss_signal" is used to force SSSD monitor to trigger "sssd_ifp" reconnection to dbus
 ifp_dbus_exec_cmd = $(sssdlibexecdir)/sss_signal
 ifp_systemdservice =
-endif
+endif # HAVE_SYSTEMD_UNIT
 
 secdbpath = @secdbpath@
 
@@ -1286,6 +1293,7 @@ libsss_util_la_SOURCES = \
     src/util/well_known_sids.c \
     src/util/string_utils.c \
     src/util/become_user.c \
+    src/util/capabilities.c \
     src/util/util_watchdog.c \
     src/util/sss_ptr_hash.c \
     src/util/files.c \
@@ -1302,6 +1310,7 @@ libsss_util_la_CFLAGS = \
 libsss_util_la_LIBADD = \
     $(LIBADD_TIMER) \
     $(SSSD_LIBS) \
+    $(CAP_LIBS) \
     $(SYSTEMD_LOGIN_LIBS) \
     $(UNICODE_LIBS) \
     $(PCRE_LIBS) \
@@ -1511,6 +1520,7 @@ endif
 ####################
 sssd_SOURCES = \
     src/monitor/monitor.c \
+    src/monitor/monitor_bootstrap.c \
     src/monitor/monitor_netlink.c \
     src/confdb/confdb_setup.c \
     src/util/nscd.c \
@@ -4685,6 +4695,7 @@ krb5_child_SOURCES = \
     src/util/authtok.c \
     src/util/authtok-utils.c \
     src/util/util.c \
+    src/util/capabilities.c \
     src/util/util_ext.c \
     src/util/signal.c \
     src/util/sss_chain_id.c \
@@ -4713,6 +4724,7 @@ krb5_child_LDADD = \
     $(CLIENT_LIBS) \
     $(SYSTEMD_LOGIN_LIBS) \
     $(JANSSON_LIBS) \
+    $(CAP_LIBS) \
     $(NULL)
 
 ldap_child_SOURCES = \
@@ -4726,6 +4738,7 @@ ldap_child_SOURCES = \
     src/util/authtok-utils.c \
     src/util/util.c \
     src/util/util_ext.c \
+    src/util/capabilities.c \
     src/util/signal.c \
     src/util/become_user.c \
     src/util/util_errors.c \
@@ -4738,6 +4751,7 @@ ldap_child_LDADD = \
     libsss_debug.la \
     $(TALLOC_LIBS) \
     $(POPT_LIBS) \
+    $(CAP_LIBS) \
     $(DHASH_LIBS) \
     $(KRB5_LIBS)
 
@@ -5270,16 +5284,16 @@ edit_cmd = $(SED) \
         -e 's|@environment_file[@]|$(environment_file)|g' \
         -e 's|@localstatedir[@]|$(localstatedir)|g' \
         -e 's|@runstatedir[@]|$(runstatedir)|g' \
-        -e 's|@pidpath[@]|$(pidpath)|g' \
         -e 's|@logpath[@]|$(logpath)|g' \
         -e 's|@libexecdir[@]|$(libexecdir)|g' \
         -e 's|@pipepath[@]|$(pipepath)|g' \
         -e 's|@prefix[@]|$(prefix)|g' \
         -e 's|@SSSD_USER[@]|$(SSSD_USER)|g' \
         -e 's|@condconfigexists[@]|$(condconfigexists)|g' \
-        -e 's|@additional_caps[@]|$(additional_caps)|g' \
+        -e 's|@capabilities[@]|$(capabilities)|g' \
         -e 's|@nss_service_user_group[@]|$(nss_service_user_group)|g' \
-        -e 's|@nss_socket_user_group[@]|$(nss_socket_user_group)|g'
+        -e 's|@nss_socket_user_group[@]|$(nss_socket_user_group)|g' \
+        -e 's|@supplementary_groups[@]|$(supplementary_groups)|g'
 
 replace_script = \
     @rm -f $@ $@.tmp; \
@@ -5686,7 +5700,6 @@ dist_noinst_DATA += \
     src/tests/multihost/conftest.py \
     src/tests/multihost/basic/mhc.yaml \
     src/tests/multihost/basic/test_basic.py \
-    src/tests/multihost/basic/test_config.py \
     src/tests/multihost/basic/test_files.py \
     src/tests/multihost/basic/test_ifp.py \
     src/tests/multihost/basic/test_kcm.py \

diff --git a/configure.ac b/configure.ac
@@ -513,6 +513,13 @@ AS_IF([test x$have_check = x], [
     AC_CHECK_HEADERS([check.h],,AC_MSG_ERROR([Could not find CHECK headers]))
 ])
 
+PKG_CHECK_MODULES([CAP], [libcap], [have_libcap=1], [have_libcap=])
+AS_IF([test x$have_libcap = x], [
+    AC_MSG_ERROR([libcap is missing])
+], [
+    AC_CHECK_HEADERS([sys/capability.h],,AC_MSG_ERROR([Could not find sys/capability.h headers]))
+])
+
 AC_PATH_PROG([DOXYGEN], [doxygen], [false])
 AM_CONDITIONAL([HAVE_DOXYGEN], [test x$DOXYGEN != xfalse ])
 

diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh
@@ -46,6 +46,7 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then
         krb5-server
         krb5-workstation
         libunistring-devel
+        libcap-devel
     )
 
     if [[ "$DISTRO_BRANCH" == -redhat-redhatenterprise*-8.*- ||
@@ -180,6 +181,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
         libp11-kit-dev
         bc
         libunistring-dev
+        libcap-dev
     )
 
     DEPS_INTGCHECK_SATISFIED=true

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
@@ -14,12 +14,8 @@
 %global use_sysusers 0
 %endif
 
-# Set setuid bit on child helpers if we support non-root user.
-%if "%{sssd_user}" == "root"
-%global child_attrs 0750
-%else
-%global child_attrs 4750
-%endif
+# Capabilities of privileged child helpers (required even if SSSD runs under root)
+%global child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
 
 %if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
 %global build_subid 1
@@ -112,6 +108,7 @@ BuildRequires: gettext-devel
 # required for p11_child smartcard tests
 BuildRequires: gnutls-utils
 BuildRequires: jansson-devel
+BuildRequires: libcap-devel
 BuildRequires: libcurl-devel
 BuildRequires: libjose-devel
 BuildRequires: keyutils-libs-devel
@@ -201,6 +198,7 @@ Requires: (libsss_autofs%{?_isa} = %{version}-%{release} if autofs)
 Requires: (sssd-nfs-idmap = %{version}-%{release} if libnfsidmap)
 Requires: libsss_idmap = %{version}-%{release}
 Requires: libsss_certmap = %{version}-%{release}
+Requires(post): coreutils
 Requires(postun): coreutils
 %if 0%{?rhel}
 Requires(pre): shadow-utils
@@ -561,7 +559,6 @@ autoreconf -ivf
     --with-initscript=systemd \
     --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
     --with-mcache-path=%{mcpath} \
-    --with-pid-path=%{_rundir} \
     --with-pipe-path=%{pipepath} \
     --with-pubconf-path=%{pubconfpath} \
     --with-sssd-user=%{sssd_user} \
@@ -783,20 +780,20 @@ install -D -p -m 0644 contrib/sssd.sysusers %{buildroot}%{_sysusersdir}/sssd.con
 %{_sbindir}/sss_cache
 %{_libexecdir}/%{servicename}/sss_signal
 
-%dir %{sssdstatedir}
+%attr(775,%{sssd_user},%{sssd_user}) %dir %{sssdstatedir}
 %dir %{_localstatedir}/cache/krb5rcache
-%attr(700,%{sssd_user},%{sssd_user}) %dir %{dbpath}
+%attr(770,%{sssd_user},%{sssd_user}) %dir %{dbpath}
 %attr(775,%{sssd_user},%{sssd_user}) %dir %{mcpath}
 %attr(700,root,root) %dir %{secdbpath}
 %attr(751,%{sssd_user},%{sssd_user}) %dir %{deskprofilepath}
-%attr(755,%{sssd_user},%{sssd_user}) %dir %{pipepath}
-%attr(750,%{sssd_user},root) %dir %{pipepath}/private
-%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}
-%attr(750,%{sssd_user},%{sssd_user}) %dir %{gpocachepath}
-%attr(750,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name}
-%attr(700,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd
-%attr(700,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
-%attr(700,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/pki
+%attr(775,%{sssd_user},%{sssd_user}) %dir %{pipepath}
+%attr(770,%{sssd_user},%{sssd_user}) %dir %{pipepath}/private
+%attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}
+%attr(770,%{sssd_user},%{sssd_user}) %dir %{gpocachepath}
+%attr(770,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name}
+%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd
+%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
+%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/pki
 %ghost %attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
 %dir %{_sysconfdir}/logrotate.d
 %config(noreplace) %{_sysconfdir}/logrotate.d/sssd
@@ -845,8 +842,8 @@ install -D -p -m 0644 contrib/sssd.sysusers %{buildroot}%{_sysusersdir}/sssd.con
 %files krb5-common
 %license COPYING
 %attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
-%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/ldap_child
-%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/krb5_child
+%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{servicename}/ldap_child
+%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{servicename}/krb5_child
 
 %files krb5 -f sssd_krb5.lang
 %license COPYING
@@ -864,7 +861,7 @@ install -D -p -m 0644 contrib/sssd.sysusers %{buildroot}%{_sysusersdir}/sssd.con
 %license COPYING
 %attr(700,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
 %{_libdir}/%{name}/libsss_ipa.so
-%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/selinux_child
+%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{servicename}/selinux_child
 %{_mandir}/man5/sssd-ipa.5*
 
 %files ad -f sssd_ad.lang
@@ -1048,6 +1045,13 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
 %systemd_post sssd-pam.socket
 %systemd_post sssd-ssh.socket
 %systemd_post sssd-sudo.socket
+%__rm -f %{mcpath}/passwd
+%__rm -f %{mcpath}/group
+%__rm -f %{mcpath}/initgroups
+%__rm -f %{mcpath}/sid
+%__chown %{sssd_user}:%{sssd_user} %{dbpath}/*
+%__chown %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf
+%__chown -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d/*
 
 %preun common
 %systemd_preun sssd.service

diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
@@ -35,12 +35,12 @@ AC_DEFUN([WITH_PLUGIN_PATH],
 AC_DEFUN([WITH_PID_PATH],
   [ AC_ARG_WITH([pid-path],
                 [AC_HELP_STRING([--with-pid-path=PATH],
-                                [Where to store pid files for the SSSD [/var/run]]
+                                [Where to store pid files for the SSSD [/var/lib/sss/]]
                                )
                 ]
                )
-    config_pidpath="\"VARDIR\"/run"
-    pidpath="${localstatedir}/run"
+    config_pidpath="\"SSS_STATEDIR\"/"
+    pidpath="${localstatedir}/lib/sss/"
     if test x"$with_pid_path" != x; then
         config_pidpath=$with_pid_path
         pidpath=$with_pid_path

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
@@ -649,8 +649,6 @@ int confdb_init(TALLOC_CTX *mem_ctx,
     struct confdb_ctx *cdb;
     int ret = EOK;
     mode_t old_umask;
-    uid_t sssd_uid;
-    gid_t sssd_gid;
 
     cdb = talloc_zero(mem_ctx, struct confdb_ctx);
     if (!cdb)
@@ -683,19 +681,9 @@ int confdb_init(TALLOC_CTX *mem_ctx,
     }
 
     old_umask = umask(SSS_DFL_UMASK);
-    /* file may exists and could be owned by root from previous version */
-    sss_sssd_user_uid_and_gid(&sssd_uid, &sssd_gid);
-    ret = chown(confdb_location, sssd_uid, sssd_gid);
-    if (ret != EOK && errno != ENOENT) {
-        DEBUG(SSSDBG_MINOR_FAILURE, "Unable to chown config database [%s]: %s\n",
-              confdb_location, sss_strerror(errno));
-    }
-    sss_set_sssd_user_eid();
-
     ret = ldb_connect(cdb->ldb, confdb_location, 0, NULL);
-
-    sss_restore_sssd_user_eid();
     umask(old_umask);
+
     if (ret != LDB_SUCCESS) {
         DEBUG(SSSDBG_FATAL_FAILURE, "Unable to open config database [%s]\n",
                   confdb_location);