On Wed, 15 Oct 2014 22:24:04 +0200
Jakub Hrozek <jhrozek(a)redhat.com> wrote:
From c0385561ee5e9d050d2222aa43ebf46514f37dad Mon Sep 17 00:00:00
2001
From: Michal Zidek <mzidek(a)redhat.com>
Date: Thu, 9 Oct 2014 17:15:56 +0200
Subject: [PATCH 5/7] MONITOR: Allow confdb to be accessed by nonroot
user
---
src/monitor/monitor.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index
44614be173325aa5b6f7ed03f00b6d4489ddf522..bd2c373008ef75ab46cf7dccdefd12468894f1ba
100644 --- a/src/monitor/monitor.c +++ b/src/monitor/monitor.c
@@ -1718,7 +1718,6 @@ static errno_t load_configuration(TALLOC_CTX
*mem_ctx, DEBUG(SSSDBG_FATAL_FAILURE, "Fatal error initializing
confdb\n"); goto done;
}
- talloc_zfree(cdb_file);
ret = confdb_init_db(config_file, ctx->cdb);
if (ret != EOK) {
@@ -1734,6 +1733,16 @@ static errno_t load_configuration(TALLOC_CTX
*mem_ctx, goto done;
}
+ /* Allow configuration database to be accessible
+ * when SSSD runs as nonroot */
+ ret = chown(cdb_file, ctx->uid, ctx->gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "chown failed for [%s]: [%d][%s].\n",
+ cdb_file, ret, sss_strerror(ret));
+ goto done;
+ }
+
*monitor = ctx;
ret = EOK;
I wonder if we shouldn't be more cautious here.
Do we need to give the sssd user write access ?
I think probably not, sounds like a great way to prevent "accidental"
changes would be to chown to (0, gid) and chmod so that the group can
only read, while root can read/write.
This way non-root process will be allowed to read but not change the
database.
Simo.
--
Simo Sorce * Red Hat, Inc * New York