A bunch of assorted patches related to socket activation feature (part 1)

Makefile.am

@@ -91,7 +91,7 @@ deskprofilepath = $(sss_statedir)/deskprofile
 
 if HAVE_SYSTEMD_UNIT
 ifp_dbus_exec_comment = \# If system is configured to use systemd ifp service ("SystemdService=") then "Exec=" and "User=" options are not used
-ifp_dbus_exec_cmd = $(sssdlibexecdir)/sssd_ifp --dbus-activated
+ifp_dbus_exec_cmd = $(sssdlibexecdir)/sssd_ifp --socket-activated
 ifp_systemdservice = SystemdService=sssd-ifp.service
 # SSSD requires a configuration file (either /etc/sssd/sssd.conf,
 # or some snippet under /etc/sssd/sssd.conf.d/) to be present.

src/confdb/confdb.c

@@ -779,12 +779,6 @@ static errno_t get_entry_as_bool(struct ldb_message *msg,
 }
 
 
-/* The default UID/GID for domains is 1. */
-static uint32_t confdb_get_min_id(struct sss_domain_info *domain)
-{
-    return SSSD_MIN_ID;
-}
-
 static errno_t init_cached_auth_timeout(struct confdb_ctx *cdb,
                                         struct ldb_message *msg,
                                         uint32_t *_cached_auth_timeout)
@@ -971,7 +965,7 @@ static errno_t confdb_init_domain(struct sss_domain_info *domain,
 
     ret = get_entry_as_uint32(res->msgs[0], &domain->id_min,
                               CONFDB_DOMAIN_MINID,
-                              confdb_get_min_id(domain));
+                              SSSD_MIN_ID);
     if (ret != EOK) {
         DEBUG(SSSDBG_FATAL_FAILURE, "Invalid value for minId\n");
         ret = EINVAL;

src/confdb/confdb.h

@@ -46,10 +46,6 @@
 #define CONFDB_DEFAULT_CONFIG_DIR SSSD_CONF_DIR"/"CONFDB_DEFAULT_CONFIG_DIR_NAME
 #define SSSD_MIN_ID 1
 #define CONFDB_DEFAULT_SHELL_FALLBACK "/bin/sh"
-#define CONFDB_FALLBACK_CONFIG \
-    "[sssd]\n" \
-    "services = nss\n"
-
 
 /* Configuration options */
 

src/monitor/monitor.c

@@ -290,6 +290,7 @@ monitor_sbus_RegisterService(TALLOC_CTX *mem_ctx,
      * from there and set the destructor back to NULL just before freeing
      * the service itself. */
     if (svc->socket_activated) {
+        DEBUG(SSSDBG_TRACE_FUNC, "'%s' is a socket activated service\n", name);
         sbus_connection_set_destructor(svc->conn, monitor_service_shutdown, svc);
     }
 
@@ -975,7 +976,9 @@ static int get_service_config(struct mt_ctx *ctx, const char *name,
                             CONFDB_SERVICE_COMMAND,
                             NULL, &svc->command);
     if (ret != EOK) {
-        DEBUG(SSSDBG_FATAL_FAILURE,"Failed to start service '%s'\n", svc->name);
+        DEBUG(SSSDBG_FATAL_FAILURE,
+              "Failed to get "CONFDB_SERVICE_COMMAND" for service '%s'\n",
+              svc->name);
         talloc_free(svc);
         return ret;
     }

src/responder/common/responder.h

@@ -141,7 +141,6 @@ struct resp_ctx {
 
     bool shutting_down;
     bool socket_activated;
-    bool dbus_activated;
     bool cache_first;
     bool enumeration_warn_logged;
 };

src/responder/common/responder_common.c

@@ -1316,7 +1316,6 @@ int sss_process_init(TALLOC_CTX *mem_ctx,
     rctx->confdb_service_path = confdb_service_path;
     rctx->shutting_down = false;
     rctx->socket_activated = is_socket_activated();
-    rctx->dbus_activated = is_dbus_activated();
 
     talloc_set_destructor((TALLOC_CTX*)rctx, sss_responder_ctx_destructor);
 
@@ -1336,7 +1335,7 @@ int sss_process_init(TALLOC_CTX *mem_ctx,
         rctx->client_idle_timeout = 10;
     }
 
-    if (rctx->socket_activated || rctx->dbus_activated) {
+    if (rctx->socket_activated) {
         ret = responder_setup_idle_timeout_config(rctx);
         if (ret != EOK) {
             goto fail;
@@ -1507,11 +1506,8 @@ int sss_process_init(TALLOC_CTX *mem_ctx,
         goto fail;
     }
 
-    DEBUG(SSSDBG_TRACE_FUNC,
-          "Responder initialization complete (%s)\n",
-          rctx->socket_activated  ? "socket-activated" :
-                                    rctx->dbus_activated ? "dbus-activated" :
-                                                            "explicitly configured");
+    DEBUG(SSSDBG_TRACE_FUNC, "Responder initialization complete (%s)\n",
+          rctx->socket_activated  ? "socket-activated" : "explicitly configured");
 
     *responder_ctx = rctx;
     return EOK;

src/responder/nss/nsssrv_mmap_cache.c

@@ -1258,11 +1258,11 @@ static errno_t sss_mc_create_file(struct sss_mc_ctx *mc_ctx)
     int ret, uret;
 
     /* temporarily relax umask as we need the file to be readable
-     * by everyone for now */
-    old_mask = umask(0022);
+     * by everyone and writeable by group */
+    old_mask = umask(0002);
 
     errno = 0;
-    mc_ctx->fd = open(mc_ctx->file, O_CREAT | O_EXCL | O_RDWR, 0644);
+    mc_ctx->fd = open(mc_ctx->file, O_CREAT | O_EXCL | O_RDWR, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH);
     umask(old_mask);
     if (mc_ctx->fd == -1) {
         ret = errno;
@@ -1275,20 +1275,14 @@ static errno_t sss_mc_create_file(struct sss_mc_ctx *mc_ctx)
      * if the nss responder runs as root. This is because the specfile
      * has the ownership recorded as sssd.sssd
      */
-    ret = fchown(mc_ctx->fd, mc_ctx->uid, mc_ctx->gid);
-    if (ret != 0) {
-        ret = errno;
-        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to chown mmap file %s: %d(%s)\n",
-                                   mc_ctx->file, ret, strerror(ret));
-        return ret;
-    }
-
-    ret = fchmod(mc_ctx->fd, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH);
-    if (ret == -1) {
-        ret = errno;
-        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to chmod mmap file %s: %d(%s)\n",
-                                   mc_ctx->file, ret, strerror(ret));
-        return ret;
+    if ((getuid() == 0) || (geteuid() == 0)) {
+        ret = fchown(mc_ctx->fd, mc_ctx->uid, mc_ctx->gid);
+        if (ret != 0) {
+            ret = errno;
+            DEBUG(SSSDBG_CRIT_FAILURE, "Failed to chown mmap file %s: %d(%s)\n",
+                                       mc_ctx->file, ret, strerror(ret));
+            return ret;
+        }
     }
 
     ret = sss_br_lock_file(mc_ctx->fd, 0, 1, retries, t);

src/sbus/connection/sbus_connection.c

@@ -73,7 +73,7 @@ sbus_connection_destructor(struct sbus_connection *conn)
     sbus_connection_release(conn);
 
     if (conn->destructor->destructor != NULL) {
-        DEBUG(SSSDBG_TRACE_FUNC, "Calling custom connection destructor %s\n",
+        DEBUG(SSSDBG_TRACE_FUNC, "Calling custom connection destructor '%s'\n",
               conn->destructor->name);
         conn->destructor->destructor(conn->destructor->data);
     }
@@ -327,22 +327,34 @@ void _sbus_connection_set_destructor(struct sbus_connection *conn,
     }
 
     if (destructor == NULL) {
-        DEBUG(SSSDBG_TRACE_FUNC, "Unsetting connection destructor\n");
+        DEBUG(SSSDBG_TRACE_FUNC, "Unsetting connection %p ('%s':'%s') destructor\n",
+              conn,
+              conn->address ? conn->address : "-",
+              conn->wellknown_name ? conn->wellknown_name : "-");
         conn->destructor->destructor = NULL;
         conn->destructor->data = NULL;
         conn->destructor->name = NULL;
         return;
     }
 
     if (conn->destructor->destructor != NULL) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "Bug: destructor is already set to %s\n",
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "Bug: destructor for connection %p ('%s':'%s') is already set to '%s'\n",
+              conn,
+              conn->address ? conn->address : "-",
+              conn->wellknown_name ? conn->wellknown_name : "-",
               conn->destructor->name);
         return;
     }
 
     conn->destructor->destructor = destructor;
     conn->destructor->data = data;
     conn->destructor->name = name;
+    DEBUG(SSSDBG_TRACE_FUNC, "Set connection %p ('%s':'%s') destructor to '%s'\n",
+          conn,
+          conn->address ? conn->address : "-",
+          conn->wellknown_name ? conn->wellknown_name : "-",
+          name);
 }
 
 void _sbus_connection_set_access_check(struct sbus_connection *conn,
@@ -435,6 +447,7 @@ sbus_connection_free_handler(struct tevent_context *ev,
                              struct timeval tv,
                              void *data)
 {
+    DEBUG(SSSDBG_TRACE_FUNC, "Releasing connection %p\n", data);
     talloc_free(data);
 }
 
@@ -453,8 +466,8 @@ void sbus_connection_free(struct sbus_connection *conn)
     if (te == NULL) {
         /* We can't do anything about it. */
         DEBUG(SSSDBG_FATAL_FAILURE, "Failed to set up free event!\n");
+    } else {
+        DEBUG(SSSDBG_TRACE_ALL, "Connection %p will be freed during next loop!\n",
+              conn);
     }
-
-    DEBUG(SSSDBG_TRACE_ALL, "Connection %p will be freed during next loop!\n",
-          conn);
 }

src/sysv/systemd/sssd-autofs.service.in

@@ -11,9 +11,8 @@ Also=sssd-autofs.socket
 [Service]
 Environment=DEBUG_LOGGER=--logger=files
 EnvironmentFile=-@environment_file@
-ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_autofs.log
+ExecStartPre=+-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_autofs.log
 ExecStart=@libexecdir@/sssd/sssd_autofs ${DEBUG_LOGGER} --socket-activated
 Restart=on-failure
 User=@SSSD_USER@
 Group=@SSSD_USER@
-PermissionsStartOnly=true

src/sysv/systemd/sssd-ifp.service.in

@@ -9,9 +9,12 @@ Environment=DEBUG_LOGGER=--logger=files
 EnvironmentFile=-@environment_file@
 Type=dbus
 BusName=org.freedesktop.sssd.infopipe
-ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_ifp.log
-ExecStart=@libexecdir@/sssd/sssd_ifp ${DEBUG_LOGGER} --dbus-activated
-CapabilityBoundingSet= @additional_caps@ CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETGID CAP_SETUID
+ExecStartPre=+-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_ifp.log
+ExecStart=@libexecdir@/sssd/sssd_ifp ${DEBUG_LOGGER} --socket-activated
+# 'CapabilityBoundingSet' is used to limit privileges set only in case
+# SSSD IFP service is configured to run under 'root' (if service
+# is configured to run under non-privileged user this is a "no-op"):
+CapabilityBoundingSet= @additional_caps@
 Restart=on-failure
 User=@SSSD_USER@
 Group=@SSSD_USER@

src/sysv/systemd/sssd-kcm.service.in

@@ -11,4 +11,7 @@ Also=sssd-kcm.socket
 Environment=DEBUG_LOGGER=--logger=files
 ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
 ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
-CapabilityBoundingSet= @additional_caps@ CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETGID CAP_SETUID
+# Currently SSSD KCM server ('sssd_kcm') always runs under 'root'
+# ('User=' and 'Group=' defaults to 'root' for system services)
+# 'CapabilityBoundingSet' is used to limit privileges set:
+CapabilityBoundingSet= @additional_caps@ CAP_SETGID CAP_SETUID

src/sysv/systemd/sssd-nss.service.in

@@ -13,3 +13,6 @@ Environment=DEBUG_LOGGER=--logger=files
 EnvironmentFile=-@environment_file@
 ExecStart=@libexecdir@/sssd/sssd_nss ${DEBUG_LOGGER} --socket-activated
 Restart=on-failure
+# Currently SSSD NSS service ('sssd_nss') can't be started under 'sssd' user
+# via systemd due to NSS loop when systemd resolves getgrouplist(sssd).
+# Hence 'User=' and 'Group=' aren't set (defaults to root).

src/sysv/systemd/sssd-pac.service.in

@@ -11,9 +11,8 @@ Also=sssd-pac.socket
 [Service]
 Environment=DEBUG_LOGGER=--logger=files
 EnvironmentFile=-@environment_file@
-ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_pac.log
+ExecStartPre=+-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_pac.log
 ExecStart=@libexecdir@/sssd/sssd_pac ${DEBUG_LOGGER} --socket-activated
 Restart=on-failure
 User=@SSSD_USER@
 Group=@SSSD_USER@
-PermissionsStartOnly=true

src/sysv/systemd/sssd-pam.service.in

@@ -11,9 +11,8 @@ Also=sssd-pam.socket sssd-pam-priv.socket
 [Service]
 Environment=DEBUG_LOGGER=--logger=files
 EnvironmentFile=-@environment_file@
-ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_pam.log
+ExecStartPre=+-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_pam.log
 ExecStart=@libexecdir@/sssd/sssd_pam ${DEBUG_LOGGER} --socket-activated
 Restart=on-failure
 User=@SSSD_USER@
 Group=@SSSD_USER@
-PermissionsStartOnly=true

src/sysv/systemd/sssd-ssh.service.in

@@ -11,9 +11,8 @@ Also=sssd-ssh.socket
 [Service]
 Environment=DEBUG_LOGGER=--logger=files
 EnvironmentFile=-@environment_file@
-ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_ssh.log
+ExecStartPre=+-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_ssh.log
 ExecStart=@libexecdir@/sssd/sssd_ssh ${DEBUG_LOGGER} --socket-activated
 Restart=on-failure
 User=@SSSD_USER@
 Group=@SSSD_USER@
-PermissionsStartOnly=true

src/sysv/systemd/sssd-sudo.service.in

@@ -11,9 +11,8 @@ Also=sssd-sudo.socket
 [Service]
 Environment=DEBUG_LOGGER=--logger=files
 EnvironmentFile=-@environment_file@
-ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_sudo.log
+ExecStartPre=+-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_sudo.log
 ExecStart=@libexecdir@/sssd/sssd_sudo --socket-activated
 Restart=on-failure
 User=@SSSD_USER@
 Group=@SSSD_USER@
-PermissionsStartOnly=true

src/sysv/systemd/sssd.service.in

@@ -14,7 +14,10 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
 Type=notify
 NotifyAccess=main
 PIDFile=@pidpath@/sssd.pid
-CapabilityBoundingSet= @additional_caps@ CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND
+# Currently main SSSD process ('sssd') always runs under 'root'
+# ('User=' and 'Group=' defaults to 'root' for system services)
+# 'CapabilityBoundingSet' is used to limit privileges set:
+CapabilityBoundingSet= @additional_caps@ CAP_CHOWN CAP_KILL CAP_SETGID CAP_SETUID
 Restart=on-abnormal
 
 [Install]

src/tools/sssctl/sssctl_config.c

@@ -114,23 +114,16 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
                                  config_path,
                                  config_snippet_path);
 
-    if (ret != EOK) {
-        PRINT("Failed to read '%s': %s\n", config_path, sss_strerror(ret));
-        goto done;
-    }
-
-    if (!sss_ini_exists(init_data)) {
+    if (ret == ERR_INI_EMPTY_CONFIG) {
         PRINT("File %1$s does not exist.\n", config_path);
-    }
-
-    /* Used snippet files */
-    ra_success = sss_ini_get_ra_success_list(init_data);
-    num_ra_success = ref_array_len(ra_success);
-    if ((sss_ini_exists(init_data) == false) && (num_ra_success == 0)) {
         PRINT("There is no configuration.\n");
         ret = ERR_INI_OPEN_FAILED;
         goto done;
     }
+    else if (ret != EOK) {
+        PRINT("Failed to read '%s': %s\n", config_path, sss_strerror(ret));
+        goto done;
+    }
 
     /* Run validators */
     ret = sss_ini_call_validators_strs(tmp_ctx, init_data,
@@ -163,6 +156,8 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
     printf("\n");
 
     /* Used snippets */
+    ra_success = sss_ini_get_ra_success_list(init_data);
+    num_ra_success = ref_array_len(ra_success);
     PRINT("Used configuration snippet files: %zu\n", num_ra_success);
 
     i = 0;

src/tools/sssd_check_socket_activated_responders.c

@@ -50,8 +50,9 @@ static errno_t check_socket_activated_responder(const char *responder)
                                  SSSD_CONFIG_FILE,
                                  CONFDB_DEFAULT_CONFIG_DIR);
     if (ret != EOK) {
-        DEBUG(SSSDBG_CRIT_FAILURE,
-              "Failed to read configuration: [%d] [%s]",
+        DEBUG(SSSDBG_DEFAULT,
+              "Failed to read configuration: [%d] [%s]. No reason to run "
+              "a responder if SSSD isn't configured.",
               ret,
               sss_strerror(ret));
         goto done;

src/util/server.c

@@ -524,7 +524,7 @@ int server_setup(const char *name, bool is_responder,
               sss_strerror(ret), ret);
     }
 
-    if (!is_socket_activated() && !is_dbus_activated()) {
+    if (!is_socket_activated()) {
         ret = chown_debug_file(NULL, uid, gid);
         if (ret != EOK) {
             DEBUG(SSSDBG_MINOR_FAILURE,

src/util/sss_ini.c

@@ -961,7 +961,14 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
         return EINVAL;
     }
 
-    ret = sss_ini_open(self, config_file, CONFDB_FALLBACK_CONFIG);
+    /* "[sssd]\n" is supplied to `sss_ini_open()` to create empty context
+     * in case main config file ('sssd.conf') is missing. This is done in
+     * order to be able to add config snippets later - sss_ini_add_snippets()
+     * Take a note if both 'sssd.conf' and snippets are missing, then
+     * sss_ini_read_sssd_conf() returns ERR_INI_EMPTY_CONFIG, so there is no
+     * "fallback config" per se.
+     */
+    ret = sss_ini_open(self, config_file, "[sssd]\n");
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE,
               "The sss_ini_open failed %s: %d\n",
@@ -997,5 +1004,10 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
         return ERR_INI_ADD_SNIPPETS_FAILED;
     }
 
+    if (!sss_ini_exists(self) &&
+        (ref_array_len(sss_ini_get_ra_success_list(self)) == 0)) {
+        return ERR_INI_EMPTY_CONFIG;
+    }
+
     return ret;
 }