From 1d19b8ad9415e0a12ed3aaf039d4d0956ef4dbad Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Wed, 23 Oct 2024 19:53:09 +0200
Subject: [PATCH] INI: stop using 'libini_config' for access check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reviewed-by: Justin Stephenson
Reviewed-by: Pavel Březina
Reviewed-by: Sumit Bose
---
 src/util/sss_ini.c | 100 +---------------------------------------------------
 src/util/sss_ini.h | 12 ------
 2 files changed, 3 insertions(+), 109 deletions(-)
Index: sssd-2.10.0/src/util/sss_ini.c
===================================================================
--- sssd-2.10.0.orig/src/util/sss_ini.c
+++ sssd-2.10.0/src/util/sss_ini.c
@@ -147,81 +147,6 @@ static int sss_ini_config_file_from_mem( &self->file); } -/* Check configuration file permissions */ - -static bool is_running_sssd(void) -{ - static char exe[1024]; - int ret; - const char *s = NULL; - - ret = readlink("/proc/self/exe", exe, sizeof(exe) - 1); - if ((ret > 0) && (ret < 1024)) { - exe[ret] = 0; - s = strstr(exe, debug_prg_name); - if ((s != NULL) && (strlen(s) == strlen(debug_prg_name))) { - return true; - } - } - - return false; -} - -static int sss_ini_access_check(struct sss_ini *self) -{ - int ret; - uint32_t flags = INI_ACCESS_CHECK_MODE; - - if (!self->main_config_exists) { - return EOK; - } - - if (is_running_sssd()) { - flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID; - } - - ret = ini_config_access_check(self->file, - flags, - geteuid(), - getegid(), - S_IRUSR, /* r**------ */ - ALLPERMS & ~(S_IWUSR|S_IXUSR)); - - return ret; -} - - - -/* Get cstat */ - -int sss_ini_get_stat(struct sss_ini *self) -{ - self->cstat = ini_config_get_stat(self->file); - - if (!self->cstat) return EIO; - - return EOK; -} - - - -/* Get mtime */ - -int sss_ini_get_mtime(struct sss_ini *self, - size_t timestr_len, - char *timestr) -{ - return snprintf(timestr, timestr_len, "%llu", - (long long unsigned)self->cstat->st_mtime); -} - -/* Get file_exists */ - -bool sss_ini_exists(struct sss_ini *self) -{ - return self->main_config_exists; -} - /* Print ini_config errors */ static void sss_ini_config_print_errors(char **error_list) @@ -289,7 +214,6 @@ static int sss_ini_add_snippets(struct s uint32_t i = 0; char *msg = NULL; struct ini_cfgobj *modified_sssd_config = NULL; - struct access_check snip_check; if (self == NULL || self->sssd_config == NULL || config_dir == NULL) { return EINVAL; 
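Review bot: sss_ini_get_stat() and sss_ini_get_mtime() lose their definitions in this hunk, but the sss_ini.h hunk further down still shows `int sss_ini_get_stat(struct sss_ini *self);` as unchanged context, and the diffstat's 12 header deletions account only for the sss_ini_exists() block, so the prototypes outlive the functions. Any remaining caller now fails at link time, and if there is none the declarations are dead; the prototypes should leave sss_ini.h in the same commit (the get_mtime prototype presumably sits next to it — not visible here). The cstat member that sss_ini_get_stat() populated is, as far as this patch shows, no longer written anywhere; if it is still a field of struct sss_ini it should go too, or a comment on the struct should say who fills it.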
@@ -297,21 +221,11 @@ static int sss_ini_add_snippets(struct s sss_ini_free_ra_messages(self); - snip_check.flags = INI_ACCESS_CHECK_MODE; - - if (is_running_sssd()) { - snip_check.flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID; - } - snip_check.uid = geteuid(); - snip_check.gid = getegid(); - snip_check.mode = S_IRUSR; /* r**------ */ - snip_check.mask = ALLPERMS & ~(S_IWUSR | S_IXUSR); - ret = ini_config_augment(self->sssd_config, config_dir, patterns, sections, - &snip_check, + NULL, INI_STOP_ON_ANY, INI_MV1S_OVERWRITE, INI_PARSE_NOWRAP, @@ -894,15 +808,7 @@ int sss_ini_read_sssd_conf(struct sss_in return ERR_INI_OPEN_FAILED; } - if (sss_ini_exists(self)) { - ret = sss_ini_access_check(self); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Permission check on config file %s failed: %d\n", - config_file, ret); - return ERR_INI_INVALID_PERMISSION; - } - } else { + if (!self->main_config_exists) { DEBUG(SSSDBG_CONF_SETTINGS, "File %s does not exist.\n", config_file); } @@ -923,7 +829,7 @@ int sss_ini_read_sssd_conf(struct sss_in return ERR_INI_ADD_SNIPPETS_FAILED; } - if (!sss_ini_exists(self) && + if ((!self->main_config_exists) && (ref_array_len(sss_ini_get_ra_success_list(self)) == 0)) { return ERR_INI_EMPTY_CONFIG; } Index: sssd-2.10.0/src/util/sss_ini.h =================================================================== --- sssd-2.10.0.orig/src/util/sss_ini.h +++ sssd-2.10.0/src/util/sss_ini.h @@ -81,18 +81,6 @@ int sss_ini_open(struct sss_ini *self, const char *fallback_cfg); /** - * @brief Check whether sss_ini_open() reported that ini file is - * not present - * - * @param[in] self pointer to sss_ini structure - * - * @return - * - true we are using ini file - * - false file was not found - */ -bool sss_ini_exists(struct sss_ini *self); - -/** * @brief get Cstat structure of the ini file */ int sss_ini_get_stat(struct sss_ini *self);
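Review bot: After this change nothing visible verifies ownership or mode of the configuration before it is parsed: the `@@ -894` hunk removes the sss_ini_access_check() call together with the ERR_INI_INVALID_PERMISSION return, and the `@@ -297` hunk passes `NULL` to ini_config_augment() where the snippet access_check struct used to go, so a conf.d snippet with an unexpected owner or permissions is now merged without complaint. If the check has moved to a caller or to a separate validation step, that is outside this patch; the commit message should name the replacement, and a comment at the read site would spare the next reader the search, e.g. `/* File ownership/mode are validated by the caller; see <replacement check> */` with the real reference filled in. If no replacement exists, a stat()-based check of owner, group and mode on the main file and on each snippet should stay in this path before parsing. ERR_INI_INVALID_PERMISSION may now be unreferenced from this file and is worth a grep before it goes stale. sss_ini_add_snippets() and sss_ini_read_sssd_conf() both extend beyond their hunks.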
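Review bot: The added condition `if ((!self->main_config_exists) &&` in the `@@ -923` hunk wraps a unary expression in redundant parentheses, unlike the equivalent new line `if (!self->main_config_exists) {` in the `@@ -894` hunk. Writing it as `if (!self->main_config_exists &&` keeps the two tests of the same field consistent.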