SHA256
1
0
forked from jengelh/sssd
sssd/0001-INI-relax-config-files-checks.patch

136 lines
3.8 KiB
Diff

From 340671f16abb9c26ae97b11c4e2845337e67973e Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 23 Oct 2024 20:59:32 +0200
Subject: [PATCH] INI: relax config files checks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Only make sure:
- user is root or sssd
- group is root or sssd
- other can't access it
Don't make any assumptions wrt user/group read/write-ability.
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 8472777ec472607ea450ddb4c4666017bd0de704)
---
src/man/sssd.conf.5.xml | 5 ++-
src/util/sss_ini.c | 68 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 70 insertions(+), 3 deletions(-)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index a074cc674..bf10acb2a 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -57,9 +57,8 @@
readable, and writeable only by 'root'.
</para>
<para condition="with_non_root_user_support">
- <filename>sssd.conf</filename> must be a regular file that is owned,
- readable, and writeable by the same user as configured to run SSSD
- service.
+ <filename>sssd.conf</filename> must be a regular file that is
+ accessible only by the user used to run SSSD service or root.
</para>
</refsect1>
diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
index e989d8caf..74cf61e0e 100644
--- a/src/util/sss_ini.c
+++ b/src/util/sss_ini.c
@@ -26,6 +26,7 @@
#include <unistd.h>
#include <string.h>
#include <errno.h>
+#include <sys/stat.h>
#include <talloc.h>
#include "config.h"
@@ -781,6 +782,71 @@ int sss_ini_open(struct sss_ini *self,
return ret;
}
+static int access_check_file(const char *filename)
+{
+ int ret;
+ struct stat st;
+ uid_t uid;
+ gid_t gid;
+
+ sss_sssd_user_uid_and_gid(&uid, &gid);
+
+ ret = stat(filename, &st);
+ if (ret != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "stat(%s) failed: %s\n",
+ filename, strerror(ret));
+ return EINVAL;
+ }
+
+ if ((st.st_uid != 0) && (st.st_uid != uid)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected user owner of '%s': %"SPRIuid"\n",
+ filename, st.st_uid);
+ return ERR_INI_INVALID_PERMISSION;
+ }
+
+ if ((st.st_gid != 0) && (st.st_gid != gid)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected group owner of '%s': %"SPRIgid"\n",
+ filename, st.st_gid);
+ return ERR_INI_INVALID_PERMISSION;
+ }
+
+ if ((st.st_mode & (S_IROTH|S_IWOTH|S_IXOTH)) != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected access to '%s' by other users\n",
+ filename);
+ return ERR_INI_INVALID_PERMISSION;
+ }
+
+ return EOK;
+}
+
+static int access_check_ini(struct sss_ini *self)
+{
+ int ret;
+ const char *path;
+ uint32_t i;
+ const char **snippet;
+ struct ref_array *used_snippets;
+
+ if (self->main_config_exists) {
+ path = ini_config_get_filename(self->file);
+ ret = access_check_file(path);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ used_snippets = sss_ini_get_ra_success_list(self);
+ for (i = 0; (snippet = ref_array_get(used_snippets, i, NULL)) != NULL; ++i) {
+ ret = access_check_file(*snippet);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ return EOK;
+}
+
int sss_ini_read_sssd_conf(struct sss_ini *self,
const char *config_file,
const char *config_dir)
@@ -833,5 +899,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
return ERR_INI_EMPTY_CONFIG;
}
+ ret = access_check_ini(self);
+
return ret;
}
--
2.47.0