ca31e2be64
Together with the patches backported from upstream, we're changing
the deskprofilepath permissions from 755 to 751, reflecting the
upstream spec file changes.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 4b1fe8a0ab)
145 lines
4.6 KiB
Diff
145 lines
4.6 KiB
Diff
From 07ae0da06c0d94a3198e484d0de28c9282c4d6cd Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
Date: Mon, 22 Jan 2018 11:49:23 +0100
|
|
Subject: [PATCH 86/88] DESKPROFILE: Use seteuid()/setegid() to create the
|
|
profile
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
In order to create the file, having its owner properly, let's use
|
|
seteuid()/setegid() to create when creating the profile, as due to the
|
|
drop of the CAP_DAC_OVERRIDE "root" doesn't have access to the folder
|
|
where the profile will be created anymore.
|
|
|
|
By adopting the seteuid()/setegid() solution, calling fchown() in the
|
|
profile doesn't make sense, thus it was also removed.
|
|
|
|
This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora
|
|
package.
|
|
|
|
Resolves:
|
|
https://pagure.io/SSSD/sssd/issue/3621
|
|
|
|
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
---
|
|
src/providers/ipa/ipa_deskprofile_rules_util.c | 70 ++++++++++++++++++++++++--
|
|
1 file changed, 66 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
|
|
index 0846b16f6..eb04a69f8 100644
|
|
--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
|
|
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
|
|
@@ -706,6 +706,8 @@ ipa_deskprofile_rules_save_rule_to_disk(
|
|
const char *extension = "json";
|
|
uint32_t prio;
|
|
int fd = -1;
|
|
+ gid_t orig_gid;
|
|
+ uid_t orig_uid;
|
|
errno_t ret;
|
|
|
|
tmp_ctx = talloc_new(mem_ctx);
|
|
@@ -713,6 +715,9 @@ ipa_deskprofile_rules_save_rule_to_disk(
|
|
return ENOMEM;
|
|
}
|
|
|
|
+ orig_gid = getegid();
|
|
+ orig_uid = geteuid();
|
|
+
|
|
ret = sysdb_attrs_get_string(rule, IPA_CN, &rule_name);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_TRACE_FUNC,
|
|
@@ -875,6 +880,26 @@ ipa_deskprofile_rules_save_rule_to_disk(
|
|
goto done;
|
|
}
|
|
|
|
+ ret = setegid(gid);
|
|
+ if (ret == -1) {
|
|
+ ret = errno;
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ "Unable to set effective group id (%"PRIu32") of the domain's "
|
|
+ "process [%d]: %s\n",
|
|
+ gid, ret, sss_strerror(ret));
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ ret = seteuid(uid);
|
|
+ if (ret == -1) {
|
|
+ ret = errno;
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ "Unable to set effective user id (%"PRIu32") of the domain's "
|
|
+ "process [%d]: %s\n",
|
|
+ uid, ret, sss_strerror(ret));
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
fd = open(filename_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
|
|
if (fd == -1) {
|
|
ret = errno;
|
|
@@ -895,12 +920,23 @@ ipa_deskprofile_rules_save_rule_to_disk(
|
|
goto done;
|
|
}
|
|
|
|
- ret = fchown(fd, uid, gid);
|
|
- if (ret != EOK) {
|
|
+ ret = seteuid(orig_uid);
|
|
+ if (ret == -1) {
|
|
ret = errno;
|
|
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
- "Failed to own the Desktop Profile Rule file \"%s\" [%d]: %s\n",
|
|
- filename_path, ret, sss_strerror(ret));
|
|
+ "Failed to set the effect user id (%"PRIu32") of the domain's "
|
|
+ "process [%d]: %s\n",
|
|
+ orig_uid, ret, sss_strerror(ret));
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ ret = setegid(orig_gid);
|
|
+ if (ret == -1) {
|
|
+ ret = errno;
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ "Failed to set the effect group id (%"PRIu32") of the domain's "
|
|
+ "process [%d]: %s\n",
|
|
+ orig_gid, ret, sss_strerror(ret));
|
|
goto done;
|
|
}
|
|
|
|
@@ -910,6 +946,32 @@ done:
|
|
if (fd != -1) {
|
|
close(fd);
|
|
}
|
|
+ if (geteuid() != orig_uid) {
|
|
+ ret = seteuid(orig_uid);
|
|
+ if (ret == -1) {
|
|
+ ret = errno;
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ "Unable to set effective user id (%"PRIu32") of the "
|
|
+ "domain's process [%d]: %s\n",
|
|
+ orig_uid, ret, sss_strerror(ret));
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ "Sending SIGUSR2 to the process: %d\n", getpid());
|
|
+ kill(getpid(), SIGUSR2);
|
|
+ }
|
|
+ }
|
|
+ if (getegid() != orig_gid) {
|
|
+ ret = setegid(orig_gid);
|
|
+ if (ret == -1) {
|
|
+ ret = errno;
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ "Unable to set effective group id (%"PRIu32") of the "
|
|
+ "domain's process. Let's have the process restartd!\n",
|
|
+ orig_gid);
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ "Sending SIGUSR2 to the process: %d\n", getpid());
|
|
+ kill(getpid(), SIGUSR2);
|
|
+ }
|
|
+ }
|
|
talloc_free(tmp_ctx);
|
|
return ret;
|
|
}
|
|
--
|
|
2.14.3
|
|
|