SPEC: make ownership of sssd.conf consistent with config folders.

:packaging: sssd.conf should be owned by user specified with '--with-sssd-user=' at build time. If SSSD runs under 'root' then 'root' ownership of this file will be also allowed in runtime. Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Pavel Březina <[email protected]>
alexey-tikhonov · Aug 7, 2023 · 91d32fe · 91d32fe
1 parent a540f91
commit 91d32fe
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 14 deletions.
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
@@ -776,7 +776,7 @@ done
 %attr(700,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd
 %attr(700,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
 %attr(700,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/pki
-%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
+%ghost %attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
 %dir %{_sysconfdir}/logrotate.d
 %config(noreplace) %{_sysconfdir}/logrotate.d/sssd
 %dir %{_sysconfdir}/rwtab.d

diff --git a/src/man/Makefile.am b/src/man/Makefile.am
@@ -62,6 +62,8 @@ ENUM_CONDS = ;without_ext_enumeration
 endif
 if SSSD_NON_ROOT_USER
 SSSD_NON_ROOT_USER_CONDS = ;with_non_root_user_support
+else
+SSSD_NON_ROOT_USER_CONDS = ;without_non_root_user_support
 endif
 
 

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
@@ -52,9 +52,15 @@
             is only as a label for the section.
         </para>
 
-        <para>
-            <filename>sssd.conf</filename> must be a regular file, owned by
-            root and only root may read from or write to the file.
+        <para condition="without_non_root_user_support">
+            <filename>sssd.conf</filename> must be a regular file that is owned,
+            readable, and writeable only by 'root'.
+        </para>
+        <para condition="with_non_root_user_support">
+            <filename>sssd.conf</filename> must be a regular file that is owned,
+            readable, and writeable by '&sssd_user_name;' user (if SSSD is configured
+            to run under 'root' then <filename>sssd.conf</filename> also
+            can be owned by 'root').
         </para>
     </refsect1>
 
@@ -92,8 +98,7 @@
 
         <para>
             The snippet files require the same owner and permissions
-            as <filename>sssd.conf</filename>. Which are by default
-            root:root and 0600.
+            as <filename>sssd.conf</filename>.
         </para>
     </refsect1>
 

diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
@@ -149,18 +149,39 @@ static int sss_ini_config_file_from_mem(struct sss_ini *self,
 
 static int sss_ini_access_check(struct sss_ini *self)
 {
+    uid_t uid = 0;
+    gid_t gid = 0;
+    int ret;
+
     if (!self->main_config_exists) {
         return EOK;
     }
 
-    return ini_config_access_check(self->file,
-                                   INI_ACCESS_CHECK_MODE |
-                                   INI_ACCESS_CHECK_UID |
-                                   INI_ACCESS_CHECK_GID,
-                                   0, /* owned by root */
-                                   0, /* owned by root */
-                                   S_IRUSR, /* r**------ */
-                                   ALLPERMS & ~(S_IWUSR|S_IXUSR));
+    /* 'sssd:sssd' owned config is always fine */
+    sss_sssd_user_uid_and_gid(&uid, &gid);
+    ret = ini_config_access_check(self->file,
+                                  INI_ACCESS_CHECK_MODE |
+                                  INI_ACCESS_CHECK_UID |
+                                  INI_ACCESS_CHECK_GID,
+                                  uid, /* owned by SSSD_USER */
+                                  gid, /* owned by SSSD_USER */
+                                  S_IRUSR, /* r**------ */
+                                  ALLPERMS & ~(S_IWUSR|S_IXUSR));
+    if (ret != 0) {
+        /* if SSSD runs under 'root' then 'root:root' owned config is also fine */
+        if ((getuid() == 0) && (uid != 0)) {
+            ret = ini_config_access_check(self->file,
+                                          INI_ACCESS_CHECK_MODE |
+                                          INI_ACCESS_CHECK_UID |
+                                          INI_ACCESS_CHECK_GID,
+                                          0, /* owned by root */
+                                          0, /* owned by root */
+                                          S_IRUSR, /* r**------ */
+                                          ALLPERMS & ~(S_IWUSR|S_IXUSR));
+        }
+    }
+
+    return ret;
 }