68ef824a5f
And also ...
- Related: upstream#941 - return multiple server addresses to the Kerberos
locator plugin
- Related: upstream#3652 - kdcinfo doesn't get populated for other domains
- Resolves: upstream#3747 - sss_ssh_authorizedkeys exits abruptly if SSHD
closes its end of the pipe before reading all the
SSH keys
- Resolves: upstream#3607 - Handle conflicting e-mail addresses more gracefully
- Resolves: upstream#3754 - SSSD AD uses LDAP filter to detect POSIX attributes
stored in AD GC also for regular AD DC queries
- Related: upstream#3219 - [RFE] Regular expression used in sssd.conf not being
able to consume an @-sign in the user/group name.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
56 lines
2.4 KiB
Diff
56 lines
2.4 KiB
Diff
From 69eedc59283888a1d7d5f59284e032f9cad89b73 Mon Sep 17 00:00:00 2001
|
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
Date: Fri, 15 Jun 2018 22:29:34 +0200
|
|
Subject: [PATCH] SUDO: Create the socket with stricter permissions
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
This patch switches the sudo responder from being created as a public
|
|
responder where the permissions are open and not checked by the sssd
|
|
deaamon to a private socket. In this case, sssd creates the pipes with
|
|
strict permissions (see the umask in the call to create_pipe_fd() in
|
|
set_unix_socket()) and additionaly checks the permissions with every read
|
|
via the tevent integrations (see accept_fd_handler()).
|
|
|
|
Resolves:
|
|
https://pagure.io/SSSD/sssd/issue/3766 (CVE-2018-10852)
|
|
|
|
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
(cherry picked from commit ed90a20a0f0e936eb00d268080716c0384ffb01d)
|
|
---
|
|
src/responder/sudo/sudosrv.c | 3 ++-
|
|
src/sysv/systemd/sssd-sudo.socket.in | 1 +
|
|
2 files changed, 3 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
|
|
index ac4258710d3a9b48285522abd23bdd59ba42ad4e..e87a24499c2d82fafaa8e1f9b386e44332394266 100644
|
|
--- a/src/responder/sudo/sudosrv.c
|
|
+++ b/src/responder/sudo/sudosrv.c
|
|
@@ -79,7 +79,8 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
|
|
sudo_cmds = get_sudo_cmds();
|
|
ret = sss_process_init(mem_ctx, ev, cdb,
|
|
sudo_cmds,
|
|
- SSS_SUDO_SOCKET_NAME, -1, NULL, -1,
|
|
+ NULL, -1, /* No public socket */
|
|
+ SSS_SUDO_SOCKET_NAME, -1, /* Private socket only */
|
|
CONFDB_SUDO_CONF_ENTRY,
|
|
SSS_SUDO_SBUS_SERVICE_NAME,
|
|
SSS_SUDO_SBUS_SERVICE_VERSION,
|
|
diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
|
|
index c9abb875f0accbaf58d78846020fef74c7473528..96a8b0327ddb4d331c9b2e97ece3453f8f76872d 100644
|
|
--- a/src/sysv/systemd/sssd-sudo.socket.in
|
|
+++ b/src/sysv/systemd/sssd-sudo.socket.in
|
|
@@ -11,6 +11,7 @@ ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
|
|
ListenStream=@pipepath@/sudo
|
|
SocketUser=@SSSD_USER@
|
|
SocketGroup=@SSSD_USER@
|
|
+SocketMode=0600
|
|
|
|
[Install]
|
|
WantedBy=sssd.service
|
|
--
|
|
2.17.1
|
|
|