From 340671f16abb9c26ae97b11c4e2845337e67973e Mon Sep 17 00:00:00 2001
|
|
From: Alexey Tikhonov <atikhono@redhat.com>
|
|
Date: Wed, 23 Oct 2024 20:59:32 +0200
|
|
Subject: [PATCH] INI: relax config files checks
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Only make sure:
|
|
- user is root or sssd
|
|
- group is root or sssd
|
|
- other can't access it
|
|
|
|
Don't make any assumptions wrt user/group read/write-ability.
|
|
|
|
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
(cherry picked from commit 8472777ec472607ea450ddb4c4666017bd0de704)
|
|
---
|
|
src/man/sssd.conf.5.xml | 5 ++-
|
|
src/util/sss_ini.c | 68 +++++++++++++++++++++++++++++++++++++++++
|
|
2 files changed, 70 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
index a074cc674..bf10acb2a 100644
|
|
--- a/src/man/sssd.conf.5.xml
|
|
+++ b/src/man/sssd.conf.5.xml
|
|
@@ -57,9 +57,8 @@
|
|
readable, and writeable only by 'root'.
|
|
</para>
|
|
<para condition="with_non_root_user_support">
|
|
- <filename>sssd.conf</filename> must be a regular file that is owned,
|
|
- readable, and writeable by the same user as configured to run SSSD
|
|
- service.
|
|
+ <filename>sssd.conf</filename> must be a regular file that is
|
|
+ accessible only by the user used to run SSSD service or root.
|
|
</para>
|
|
</refsect1>
|
|
|
|
diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
|
|
index e989d8caf..74cf61e0e 100644
|
|
--- a/src/util/sss_ini.c
|
|
+++ b/src/util/sss_ini.c
|
|
@@ -26,6 +26,7 @@
|
|
#include <unistd.h>
|
|
#include <string.h>
|
|
#include <errno.h>
|
|
+#include <sys/stat.h>
|
|
#include <talloc.h>
|
|
|
|
#include "config.h"
|
|
@@ -781,6 +782,71 @@ int sss_ini_open(struct sss_ini *self,
|
|
return ret;
|
|
}
|
|
|
|
+static int access_check_file(const char *filename)
|
|
+{
|
|
+ int ret;
|
|
+ struct stat st;
|
|
+ uid_t uid;
|
|
+ gid_t gid;
|
|
+
|
|
+ sss_sssd_user_uid_and_gid(&uid, &gid);
|
|
+
|
|
+ ret = stat(filename, &st);
|
|
+ if (ret != 0) {
|
|
+ ret = errno;
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE, "stat(%s) failed: %s\n",
|
|
+ filename, strerror(ret));
|
|
+ return EINVAL;
|
|
+ }
|
|
+
|
|
+ if ((st.st_uid != 0) && (st.st_uid != uid)) {
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected user owner of '%s': %"SPRIuid"\n",
|
|
+ filename, st.st_uid);
|
|
+ return ERR_INI_INVALID_PERMISSION;
|
|
+ }
|
|
+
|
|
+ if ((st.st_gid != 0) && (st.st_gid != gid)) {
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected group owner of '%s': %"SPRIgid"\n",
|
|
+ filename, st.st_gid);
|
|
+ return ERR_INI_INVALID_PERMISSION;
|
|
+ }
|
|
+
|
|
+ if ((st.st_mode & (S_IROTH|S_IWOTH|S_IXOTH)) != 0) {
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected access to '%s' by other users\n",
|
|
+ filename);
|
|
+ return ERR_INI_INVALID_PERMISSION;
|
|
+ }
|
|
+
|
|
+ return EOK;
|
|
+}
|
|
+
|
|
+static int access_check_ini(struct sss_ini *self)
|
|
+{
|
|
+ int ret;
|
|
+ const char *path;
|
|
+ uint32_t i;
|
|
+ const char **snippet;
|
|
+ struct ref_array *used_snippets;
|
|
+
|
|
+ if (self->main_config_exists) {
|
|
+ path = ini_config_get_filename(self->file);
|
|
+ ret = access_check_file(path);
|
|
+ if (ret != EOK) {
|
|
+ return ret;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ used_snippets = sss_ini_get_ra_success_list(self);
|
|
+ for (i = 0; (snippet = ref_array_get(used_snippets, i, NULL)) != NULL; ++i) {
|
|
+ ret = access_check_file(*snippet);
|
|
+ if (ret != EOK) {
|
|
+ return ret;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ return EOK;
|
|
+}
|
|
+
|
|
int sss_ini_read_sssd_conf(struct sss_ini *self,
|
|
const char *config_file,
|
|
const char *config_dir)
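Review bot: access_check_file() tests the owner, the group and the "other" permission bits but never the file type, while the man page hunk in this same patch still says sssd.conf must be a regular file. Unless the type is enforced elsewhere in code not shown here, adding `if (!S_ISREG(st.st_mode)) return ERR_INI_INVALID_PERMISSION;` directly after the successful stat() would keep code and documentation in agreement. Because stat() follows symbolic links, the values tested are those of the link target; a one-line comment stating whether that is intended would help the next reader. The stat() failure branch logs the real errno but returns EINVAL, which deserves a brief comment if it is deliberate.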
|
|
@@ -833,5 +899,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
|
|
return ERR_INI_EMPTY_CONFIG;
|
|
}
|
|
|
|
+ ret = access_check_ini(self);
|
|
+
|
|
return ret;
|
|
}
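Review bot: The call `ret = access_check_ini(self);` sits at the very end of sss_ini_read_sssd_conf(), so the ownership and mode checks appear to run only after the main file and the snippets have been opened and parsed. The function body starts outside this hunk, so the ordering is inferred. Since access_check_file() resolves each path again with stat() rather than inspecting what was actually read, the file that is checked is not guaranteed to be the file that was parsed if it is replaced in between. `self` may also already hold data from a file that is then rejected. If the ini library gives no access to the open descriptor for an fstat(), document the contract above the call, for example `/* Checked after parsing: on any non-EOK result the caller must discard the parsed configuration. */`.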
|
|
--
|
|
2.47.0
|
|
|