From 6e6893108add570a0ec8a1cc983e87b11279bc98ee96e4f1af76ab397f1d0074 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero
Date: Fri, 30 Aug 2024 11:37:19 +0200
Subject: [PATCH] Unprivileged mode for sssd

---
 sssd.changes | 1 +
 sssd.spec | 92 ++++++++++++++++++++++++++++++++++++++--------------
 2 files changed, 69 insertions(+), 24 deletions(-)

diff --git a/sssd.changes b/sssd.changes
index f1b1dc8..5b4d1eb 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -20,6 +20,7 @@ Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt
   0001-INI-relax-config-files-checks.patch,
   0001-Configuration-make-sure-etc-sssd-and-everything.patch
 - Fix socket activation of responders
+- Daemon runs now as unprivileged user 'sssd'
 
 -------------------------------------------------------------------
 Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt
diff --git a/sssd.spec b/sssd.spec
index a02ec95..d360e18 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -69,13 +69,14 @@ BuildRequires: pkgconfig(dhash) >= 0.4.2
 BuildRequires: pkgconfig(glib-2.0)
 BuildRequires: pkgconfig(ini_config) >= 1.3
 BuildRequires: pkgconfig(jansson)
-BuildRequires: pkgconfig(ldb) >= 0.9.2
+BuildRequires: pkgconfig(ldb) >= 1.2.0
 BuildRequires: pkgconfig(libcap)
 BuildRequires: pkgconfig(libcares)
 BuildRequires: pkgconfig(libcrypto) >= 1.0.1
 %if 0%{?suse_version} >= 1600
 BuildRequires: pkgconfig(libcurl)
 %endif
+BuildRequires: pkgconfig(libcap)
 BuildRequires: pkgconfig(libnfsidmap)
 BuildRequires: pkgconfig(libnl-3.0) >= 3.0
 BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0
@@ -103,6 +104,8 @@ BuildRequires: pkgconfig(uuid)
 %endif
 %sysusers_requires
 %{?systemd_ordering}
+Requires(post): permissions
+Requires(verify): permissions
 Requires: sssd-ldap = %version-%release
 Requires(postun): pam-config
 Provides: libsss_sudo = %version-%release
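Review bot: The added `BuildRequires: pkgconfig(libcap)` in the `@@ -69` hunk duplicates the `BuildRequires: pkgconfig(libcap)` that is already visible as a context line a few lines above it, right after the ldb entry. rpmbuild tolerates a repeated BuildRequires, so this is harmless at build time, but it reads as though the existing dependency was overlooked and will confuse the next person who bumps it. Drop the added line and keep the existing one.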
@@ -111,13 +114,17 @@ Obsoletes: libsss_sudo < %version-%release
 Provides: sssd-common = %version-%release
 Obsoletes: sssd-common < %version-%release
 
+%global sssd_user sssd
 %define servicename sssd
 %define sssdstatedir %_localstatedir/lib/sss
 %define dbpath %sssdstatedir/db
 %define pipepath %sssdstatedir/pipes
 %define pubconfpath %sssdstatedir/pubconf
 %define gpocachepath %sssdstatedir/gpo_cache
+%define keytabdir %sssdstatedir/keytabs
+%define mcpath %sssdstatedir/mc
 %define ldbdir %(pkg-config ldb --variable=modulesdir)
+%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
 
 # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
 # %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
@@ -197,6 +204,8 @@ Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
 License: GPL-3.0-or-later
 Group: System/Daemons
 Requires: cyrus-sasl-gssapi
+Requires(post): permissions
+Requires(verify): permissions
 
 %description krb5-common
 Provides helper processes that the LDAP and Kerberos back ends can
@@ -407,13 +416,14 @@ autoreconf -fiv
 	--with-environment-file="%_sysconfdir/sysconfig/sssd" \
 	--with-initscript=systemd \
 	--with-syslog=journald \
-	--with-pid-path="%_rundir" \
+	--with-pid-path="%_rundir/sssd" \
 	--enable-pammoddir="%_pam_moduledir" \
 	--with-ldb-lib-dir="%ldbdir" \
 	--with-os=suse \
 	--disable-ldb-version-check \
 	--without-python2-bindings \
 	--without-oidc-child \
+	--with-sssd-user="%sssd_user" \
 %if 0%{?suse_version} >= 1600
 	--with-selinux=yes \
 	--with-subid
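Review bot: `%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep` hands the helper binaries an effective capability set that is close to root-equivalent, and nothing in the hunk records why each capability is required or what keeps it from being abused. A comment directly above the define, such as `# file caps for krb5_child/ldap_child/selinux_child, which presumably run as %%sssd_user; the 0750 root:%%sssd_user mode in %%files is what limits who can invoke them -- keep in sync with the permissions.d entries in %%install`, would give the next reviewer the rationale and point at the compensating control. The sssd_pam capability `cap_dac_read_search=p` is meanwhile spelled out literally in both the permissions.d heredoc (`@@ -463` hunk) and the `%files` entry (`@@ -662` hunk); adding `%define pam_capabilities cap_dac_read_search=p` next to this line and using it in both places keeps them from drifting the way the child set already avoids.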
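Review bot: The krb5-common preamble in the `@@ -197` hunk gains only `Requires(post): permissions` and `Requires(verify): permissions`, yet the `@@ -552` hunk adds `%pre krb5-common -f random.pre`, which runs the sysusers scriptlet generated in %install to create the account the subpackage's files are now group-owned by. Unless something outside this diff already declares it, krb5-common also needs `%sysusers_requires` so the scriptlet's tooling is installed before its %pre runs, as the main package does in the `@@ -103` hunk. The proxy subpackage receives the same `%pre proxy -f random.pre` and its preamble is not part of the diff, so it needs the same check.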
@@ -463,16 +473,28 @@ mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils"
 ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin"
 %python3_fix_shebang
 %if 0%{?suse_version} > 1600
-%python3_fix_shebang_path %buildroot/%_libexecdir/%name/
+%python3_fix_shebang_path %buildroot/%_libexecdir/%name/sss_analyze
 %elif 0%{?suse_version} == 1600
 # python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
 sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze"
 %endif
 
 echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf
-mkdir -p "$b/%_sysusersdir"
+mkdir -p "$b/%_sysusersdir" "$b/etc/permissions.d"
 cp -a system-user-sssd.conf "$b/%_sysusersdir/"
 %sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
+install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf"
+# should match entry from %%files list
+cat >"$b/etc/permissions.d/sssd" <<-EOF
+	%_libexecdir/sssd/sssd_pam root:sssd 0750
+	+capabilities cap_dac_read_search=p
+	%_libexecdir/sssd/selinux_child root:sssd 0750
+	+capabilities %child_capabilities
+	%_libexecdir/sssd/krb5_child root:sssd 0750
+	+capabilities %child_capabilities
+	%_libexecdir/sssd/ldap_child root:sssd 0750
+	+capabilities %child_capabilities
+EOF
 
 %check
 # sss_config-tests fails
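Review bot: The permissions.d entry for `selinux_child` is written unconditionally, while the binary itself is packaged only under `%if 0%{?suse_version} >= 1600` in the `@@ -662` hunk, so on older targets the shipped profile names a file that does not exist; the same unconditional reference recurs in the `%set_permissions` line of the `@@ -495` hunk and the `%verify_permissions` line of the `@@ -519` hunk. rpm evaluates `%if` lines when it parses the section, before the shell ever sees the heredoc, so wrapping the two selinux_child lines in `%if 0%{?suse_version} >= 1600` / `%endif` (and guarding the two scriptlet calls the same way) keeps the profile aligned with what is actually installed. The new lines also hard-code `sssd`, `root:sssd` and `$b/etc` where the rest of the spec uses `%name`, `%sssd_user` and `%_sysconfdir` (the matching `%files` entry is `%_sysconfdir/permissions.d/*`), e.g. `%_libexecdir/%name/sssd_pam root:%sssd_user 0750`; the sysusers line `echo 'u sssd ...'` could use `%sssd_user` for the same reason.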
@@ -495,6 +517,10 @@ if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then
 fi
 %service_add_post sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
 
+%_bindir/rm -f %mcpath/passwd %mcpath/group %mcpath/initgroups %mcpath/sid
+%tmpfiles_create %name.conf
+%set_permissions %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam
+
 # install SSSD cifs-idmap plugin as an alternative
 update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority
 
@@ -519,6 +545,9 @@ fi
 %ldconfig_scriptlets -n libsss_nss_idmap0
 %ldconfig_scriptlets -n libsss_simpleifp0
 
+%verifyscript
+%verify_permissions -e %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam
+
 %triggerun -- %name < %version-%release
 # sssd takes care of upgrading the database but it doesn't handle downgrades.
 # Clear caches when downgrading the package, which may have an
@@ -552,6 +581,16 @@ fi
 %postun kcm
 %service_del_postun sssd-kcm.service sssd-kcm.socket
 
+%pre krb5-common -f random.pre
+
+%post krb5-common
+%set_permissions %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child
+
+%verifyscript krb5-common
+%verify_permissions -e %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child
+
+%pre proxy -f random.pre
+
 %pretrans
 # Migrate sssd.service from sssd-common to sssd
 systemctl is-enabled sssd.service > /dev/null
@@ -606,6 +645,9 @@ fi
 %_unitdir/sssd-sudo.socket
 %_unitdir/sssd-sudo.service
 %_sysusersdir/*sssd*
+%_tmpfilesdir/*sssd*
+%_sysconfdir/permissions.d/*
+%_datadir/polkit-1/
 %_bindir/sss_ssh_*
 %_sbindir/sssd
 %if 0%{?suse_version} < 1600
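Review bot: The `%_bindir/rm -f %mcpath/passwd %mcpath/group %mcpath/initgroups %mcpath/sid` line deletes the memory-cache files on every upgrade with no comment on why, and a reader of the scriptlet cannot tell whether it is a one-off migration or a permanent step. Presumably the files were created root-owned by versions that ran the daemon as root and are unwritable for the new unprivileged user, but that is an inference the spec should state; add `# memory cache files left by earlier root-run versions are not writable by %%sssd_user; sssd recreates them` above it, adjusted if the actual reason differs. The enclosing `%post` starts outside the hunk.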
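Review bot: `%_datadir/polkit-1/` in the `@@ -606` hunk lists the whole polkit data tree, so this package claims the `%_datadir/polkit-1` directory (and every subdirectory rpm finds under it in the buildroot) that belongs to the polkit package; that is the shared-directory ownership rpmlint flags and it breaks the moment polkit changes its layout or permissions on that tree. List the file(s) this build actually installs, e.g. `%_datadir/polkit-1/rules.d/<installed-rule-file>`, with `%dir` entries only for directories no dependency already owns.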
@@ -662,32 +704,33 @@ fi
 %_libexecdir/%name/sssd_autofs
 %_libexecdir/%name/sssd_be
 %_libexecdir/%name/sssd_nss
-%_libexecdir/%name/sssd_pam
+%attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/sssd_pam
 %_libexecdir/%name/sssd_ssh
 %_libexecdir/%name/sssd_sudo
 %_libexecdir/%name/sss_signal
 %_libexecdir/%name/sssd_check_socket_activated_responders
 %if 0%{?suse_version} >= 1600
-%_libexecdir/%name/selinux_child
+%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/selinux_child
 %endif
 %dir %sssdstatedir
-%attr(700,root,root) %dir %dbpath/
-%attr(755,root,root) %dir %pipepath/
-%attr(700,root,root) %dir %pipepath/private/
-%attr(755,root,root) %dir %pubconfpath/
-%attr(755,root,root) %dir %pubconfpath/krb5.include.d
-%attr(755,root,root) %dir %gpocachepath/
-%attr(755,root,root) %dir %sssdstatedir/mc/
-%attr(700,root,root) %dir %sssdstatedir/keytabs/
-%attr(750,root,root) %dir %_localstatedir/log/%name/
+%attr(700,%sssd_user,%sssd_user) %dir %dbpath/
+%attr(755,%sssd_user,%sssd_user) %dir %pipepath/
+%attr(700,%sssd_user,%sssd_user) %dir %pipepath/private/
+%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/
+%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/krb5.include.d
+%attr(755,%sssd_user,%sssd_user) %dir %gpocachepath/
+%attr(755,%sssd_user,%sssd_user) %dir %mcpath/
+%attr(700,%sssd_user,%sssd_user) %dir %keytabdir/
+%attr(750,%sssd_user,%sssd_user) %dir %_localstatedir/log/%name/
+%attr(775,%sssd_user,%sssd_user) %dir %sssdstatedir/
 %if "%{?_distconfdir}" != ""
-%dir %_distconfdir/sssd/
-%%dir %_distconfdir/sssd/conf.d
-%config(noreplace) %_distconfdir/sssd/sssd.conf
+%attr(750,root,%sssd_user) %dir %_distconfdir/sssd/
+%attr(750,root,%sssd_user) %dir %_distconfdir/sssd/conf.d
+%attr(640,root,%sssd_user) %_distconfdir/sssd/sssd.conf
 %else
-%dir %_sysconfdir/sssd/
-%%dir %_sysconfdir/sssd/conf.d
-%config(noreplace) %_sysconfdir/sssd/sssd.conf
+%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/
+%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/conf.d
+%ghost %attr(640,root,%sssd_user) %config(noreplace) %_sysconfdir/sssd/sssd.conf
 %endif
 %if 0%{?suse_version} > 1500
 %_distconfdir/logrotate.d/sssd
@@ -706,6 +749,7 @@ fi
 %else
 %exclude %_mandir/*/*/sssd-files.5.gz
 %endif
+%attr(775,%sssd_user,%sssd_user) %ghost %dir %_rundir/sssd
 %doc src/examples/sssd.conf
 #
 # sssd-client
@@ -795,8 +839,8 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5_common.so
 %dir %_libexecdir/%name/
-%_libexecdir/%name/krb5_child
-%_libexecdir/%name/ldap_child
+%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/krb5_child
+%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/ldap_child
 
 %files ldap
 %dir %_libdir/%name/
@@ -813,7 +857,7 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_proxy.so
 %dir %_libexecdir/%name/
-%_libexecdir/%name/proxy_child
+%attr(750,root,%sssd_user) %_libexecdir/%name/proxy_child
 %dir %_datadir/%name/
 %dir %_datadir/%name/sssd.api.d/
 %_datadir/%name/sssd.api.d/sssd-proxy.conf
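Review bot: `%dir %sssdstatedir` survives as a context line in the `@@ -662` hunk while the same hunk adds `%attr(775,%sssd_user,%sssd_user) %dir %sssdstatedir/`, so the state directory is listed twice with different ownership and mode; rpmbuild warns about a file listed twice and the effective attributes then depend on entry order, so keep only the new `%attr` line. The 775 mode here and on the `%ghost` `%_rundir/sssd` entry in the `@@ -706` hunk grants group write to a group that is also the owner, which buys nothing over 755 unless other accounts are meant to join the sssd group; tighten it or comment why group write is needed, and make sure the tmpfiles line that creates `%_rundir/sssd` (not in this diff) uses the same owner and mode or `rpm -V` will report the ghost. The `%ghost` added to the `%else` branch's `%_sysconfdir/sssd/sssd.conf` also means that default is no longer shipped on targets without `%_distconfdir`; if that is intended, a comment above it naming where the file now comes from would save the next reader the question.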