From 340671f16abb9c26ae97b11c4e2845337e67973e Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Wed, 23 Oct 2024 20:59:32 +0200
Subject: [PATCH] INI: relax config files checks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Only make sure: - user is root or sssd - group is root or sssd - other can't access it Don't make any assumptions wrt user/group read/write-ability.
Reviewed-by: Justin Stephenson
Reviewed-by: Pavel Březina
Reviewed-by: Sumit Bose
(cherry picked from commit 8472777ec472607ea450ddb4c4666017bd0de704)
---
 src/man/sssd.conf.5.xml | 5 ++-
 src/util/sss_ini.c | 68 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+), 3 deletions(-)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index a074cc674..bf10acb2a 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -57,9 +57,8 @@ readable, and writeable only by 'root'.
- sssd.conf must be a regular file that is owned,
- readable, and writeable by the same user as configured to run SSSD
- service.
+ sssd.conf must be a regular file that is
+ accessible only by the user used to run SSSD service or root.
diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
index e989d8caf..74cf61e0e 100644
--- a/src/util/sss_ini.c
+++ b/src/util/sss_ini.c
@@ -26,6 +26,7 @@
 #include
 #include
 #include
+#include
 #include
 #include "config.h"
@@ -781,6 +782,71 @@ int sss_ini_open(struct sss_ini *self,
 return ret;
 }
+static int access_check_file(const char *filename)
+{
+ int ret;
+ struct stat st;
+ uid_t uid;
+ gid_t gid;
+
+ sss_sssd_user_uid_and_gid(&uid, &gid);
+
+ ret = stat(filename, &st);
+ if (ret != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "stat(%s) failed: %s\n",
+ filename, strerror(ret));
+ return EINVAL;
+ }
+
+ if ((st.st_uid != 0) && (st.st_uid != uid)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected user owner of '%s': %"SPRIuid"\n",
+ filename, st.st_uid);
+ return ERR_INI_INVALID_PERMISSION;
+ }
+
+ if ((st.st_gid != 0) && (st.st_gid != gid)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected group owner of '%s': %"SPRIgid"\n",
+ filename, st.st_gid);
+ return ERR_INI_INVALID_PERMISSION;
+ }
+
+ if ((st.st_mode & (S_IROTH|S_IWOTH|S_IXOTH)) != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected access to '%s' by other users\n",
+ filename);
+ return ERR_INI_INVALID_PERMISSION;
+ }
+
+ return EOK;
+}
+
+static int access_check_ini(struct sss_ini *self)
+{
+ int ret;
+ const char *path;
+ uint32_t i;
+ const char **snippet;
+ struct ref_array *used_snippets;
+
+ if (self->main_config_exists) {
+ path = ini_config_get_filename(self->file);
+ ret = access_check_file(path);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ used_snippets = sss_ini_get_ra_success_list(self);
+ for (i = 0; (snippet = ref_array_get(used_snippets, i, NULL)) != NULL; ++i) {
+ ret = access_check_file(*snippet);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ return EOK;
+}
+
 int sss_ini_read_sssd_conf(struct sss_ini *self,
 const char *config_file,
 const char *config_dir)
@@ -833,5 +899,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
 return ERR_INI_EMPTY_CONFIG;
 }
+ ret = access_check_ini(self);
+
 return ret;
 }
--
2.47.0
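Review bot: access_check_file() calls `stat(filename, &st)` on the path and never looks at the file type, so a symlink is followed and a non-regular file passes as long as owner, group and the "other" bits match, even though the man page text in this same patch still says sssd.conf "must be a regular file". Unless an earlier step outside this hunk already enforces that, adding `if (!S_ISREG(st.st_mode)) return ERR_INI_INVALID_PERMISSION;` (with a DEBUG line like the other branches) after the stat() error branch would close the gap. The check is also done by name, and access_check_ini() is only called at the end of sss_ini_read_sssd_conf() (last hunk), so the object that is checked is not guaranteed to be the one that was parsed; an fstat() on the descriptor that was actually read would remove that window, if the ini library exposes it. Separately, the stat() failure branch logs errno but returns EINVAL, so callers cannot tell a missing file from a rejected one.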
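Review bot: The new `ret = access_check_ini(self);` is the last statement before `return ret;`, so a permission failure is reported only after the rest of sss_ini_read_sssd_conf(), which starts outside this hunk, has presumably already loaded the files into `self`; the call deserves a comment saying the ordering is deliberate and that the parsed data must not be used when it fails. Something like `/* Checked last: the set of used snippets is only known after merging; on failure the caller must discard self */` above the call would do. The early `return ERR_INI_EMPTY_CONFIG;` above skips the check entirely, which looks harmless because it is already an error path, but is worth confirming against the callers.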