File 0001-INI-relax-config-files-checks.patch of Package sssd
From 340671f16abb9c26ae97b11c4e2845337e67973e Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 23 Oct 2024 20:59:32 +0200
Subject: [PATCH] INI: relax config files checks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Only make sure:
- user is root or sssd
- group is root or sssd
- other can't access it

Don't make any assumptions wrt user/group read/write-ability.

Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 8472777ec472607ea450ddb4c4666017bd0de704)
---
 src/man/sssd.conf.5.xml | 5 ++-
 src/util/sss_ini.c | 68 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+), 3 deletions(-)

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index a074cc674..bf10acb2a 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -57,9 +57,8 @@
 readable, and writeable only by 'root'.
 </para>
 <para condition="with_non_root_user_support">
- <filename>sssd.conf</filename> must be a regular file that is owned,
- readable, and writeable by the same user as configured to run SSSD
- service.
+ <filename>sssd.conf</filename> must be a regular file that is
+ accessible only by the user used to run SSSD service or root.
 </para>
 </refsect1>
 
diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
index e989d8caf..74cf61e0e 100644
--- a/src/util/sss_ini.c
+++ b/src/util/sss_ini.c
@@ -26,6 +26,7 @@
 #include <unistd.h>
 #include <string.h>
 #include <errno.h>
+#include <sys/stat.h>
 #include <talloc.h>
 
 #include "config.h"
@@ -781,6 +782,71 @@ int sss_ini_open(struct sss_ini *self,
 return ret;
 }
 
+static int access_check_file(const char *filename)
+{
+ int ret;
+ struct stat st;
+ uid_t uid;
+ gid_t gid;
+
+ sss_sssd_user_uid_and_gid(&uid, &gid);
+
+ ret = stat(filename, &st);
+ if (ret != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "stat(%s) failed: %s\n",
+ filename, strerror(ret));
+ return EINVAL;
+ }
+
+ if ((st.st_uid != 0) && (st.st_uid != uid)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected user owner of '%s': %"SPRIuid"\n",
+ filename, st.st_uid);
+ return ERR_INI_INVALID_PERMISSION;
+ }
+
+ if ((st.st_gid != 0) && (st.st_gid != gid)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected group owner of '%s': %"SPRIgid"\n",
+ filename, st.st_gid);
+ return ERR_INI_INVALID_PERMISSION;
+ }
+
+ if ((st.st_mode & (S_IROTH|S_IWOTH|S_IXOTH)) != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected access to '%s' by other users\n",
+ filename);
+ return ERR_INI_INVALID_PERMISSION;
+ }
+
+ return EOK;
+}
+
+static int access_check_ini(struct sss_ini *self)
+{
+ int ret;
+ const char *path;
+ uint32_t i;
+ const char **snippet;
+ struct ref_array *used_snippets;
+
+ if (self->main_config_exists) {
+ path = ini_config_get_filename(self->file);
+ ret = access_check_file(path);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ used_snippets = sss_ini_get_ra_success_list(self);
+ for (i = 0; (snippet = ref_array_get(used_snippets, i, NULL)) != NULL; ++i) {
+ ret = access_check_file(*snippet);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ return EOK;
+}
+
 int sss_ini_read_sssd_conf(struct sss_ini *self,
 const char *config_file,
 const char *config_dir)
@@ -833,5 +899,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
 return ERR_INI_EMPTY_CONFIG;
 }
 
+ ret = access_check_ini(self);
+
 return ret;
 }
-- 
2.47.0
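Review bot: access_check_file never verifies that the path is a regular file, although the sssd.conf.5.xml text changed by this same commit says it must be one; right after the successful stat() in the new function, add `if (!S_ISREG(st.st_mode)) {` / `DEBUG(SSSDBG_CRIT_FAILURE, "'%s' is not a regular file\n", filename); return ERR_INI_INVALID_PERMISSION;` / `}` so that a directory, FIFO or device at that path is rejected the same way a wrong owner is. Because stat() follows symlinks, a symlink to a suitably owned target also passes the new checks; if that is not intended, lstat() on the path (or an explicit S_ISLNK rejection) would close it. The check is invoked from the end of sss_ini_read_sssd_conf (third hunk of this file), i.e. after the main file and the snippets have already been parsed, so the verdict is on whatever the path resolves to at check time rather than on the descriptor whose content was read; it seems worth running it before parsing, or at least stating this ordering in a comment above access_check_ini. The stat() failure branch returns EINVAL while every other rejection returns ERR_INI_INVALID_PERMISSION; returning the saved errno (or the same ERR_INI_* code) would make the caller's log line match the cause. sss_ini_read_sssd_conf's body lies outside this hunk.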