URL: https://github.com/SSSD/sssd/pull/702 Author: jhrozek Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD user Action: opened
PR body: """ Resolves: https://pagure.io/SSSD/sssd/issue/3890
In case SSSD is compiled --with-sssd-user but run as root (which is the default on RHEL and derivatives), then the memory cache will be owned by the user that sssd_nss runs as, so root.
This conflicts with the packaging which specifies sssd.sssd as the owner. And in turn, this means that users can't reliably assess the package integrity using rpm -V.
This patch makes sure that the memory cache files are chowned to sssd.sssd even if the nss responder runs as root.
Also, this patch changes the sssd_nss responder so that it becomes a member of the supplementary sssd group. Even though in the traditional UNIX sense, a process running as root could write to a file owned by sssd:sssd, with SELinux in enforcing mode this becomes problematic as SELinux emits an error such as:
type=AVC msg=audit(1543524888.125:1495): avc: denied { fsetid } for pid=7706 comm="sssd_nss" capability=4 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=capability
To make it possible for the sssd_nss process to write to the files, the files are also made group-writable. The 'others' permission is still set to read only. """
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/702/head:pr702
git checkout pr702
URL: https://github.com/SSSD/sssd/pull/702 Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD user
jhrozek commented: """ retest this please """
See the full comment at https://github.com/SSSD/sssd/pull/702#issuecomment-444096255
URL: https://github.com/SSSD/sssd/pull/702 Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD user
mzidek-rh commented: """ Could you add a comment before this code (the comment can be "Make sure that the memory cache files are chowned to sssd.sssd even if the nss responder runs as root."):
```c
ret = fchown(mc_ctx->fd, mc_ctx->uid, mc_ctx->gid);
if (ret != 0) {
    ret = errno;
    return ret;
}

ret = fchmod(mc_ctx->fd, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH);
if (ret == -1) {
    ret = errno;
    DEBUG(SSSDBG_CRIT_FAILURE,
          "Failed to chmod mmap file %s: %d(%s)\n",
          mc_ctx->file, ret, strerror(ret));
    return ret;
}
```
"""
See the full comment at https://github.com/SSSD/sssd/pull/702#issuecomment-444131943
URL: https://github.com/SSSD/sssd/pull/702 Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD user
Label: +Changes requested
URL: https://github.com/SSSD/sssd/pull/702 Author: jhrozek Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD user Action: synchronized
URL: https://github.com/SSSD/sssd/pull/702 Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD user
jhrozek commented: """ OK, the comment is there. I also did some more changes, because the integration tests started failing intermittently.
This was because each invalidation of each cache ran getpwnam(sssd), which slowed things down a lot, so there was a race between calling sss_cache and the cache being really recreated.
So in the end, I saved the uid and gid of the sssd user into the nss_ctx and just pass it on. I hope it's OK. """
See the full comment at https://github.com/SSSD/sssd/pull/702#issuecomment-445980795
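The permission scheme described in the PR body (files owned by the SSSD user, mode rw-rw-r-- so the group can write while others only read), the fchown/fchmod sequence quoted in mzidek-rh's review comment, and jhrozek's note about resolving the sssd user's uid/gid once instead of on every cache invalidation, shown as an added stand-alone example. This is not SSSD's code: the function names, the scratch file under /tmp and the use of the calling process's own ids as a stand-in for the sssd user are assumptions made for the example.

```c
/* Added example, not SSSD code: apply and verify the memory-cache file
 * ownership/mode scheme from the PR, plus a one-time uid/gid lookup. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* rw-rw-r--: owner and group may write, others read only (the PR's mode). */
#define MC_FILE_MODE (S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH)

/* Resolve a user name to uid/gid once; callers keep the result (as the PR
 * does in nss_ctx) instead of calling getpwnam() on every invalidation.
 * Returns 0 on success or an errno value. */
int resolve_user_ids(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd pwd, *res = NULL;
    char buf[4096];
    int ret = getpwnam_r(name, &pwd, buf, sizeof(buf), &res);
    if (ret != 0) return ret;
    if (res == NULL) return ENOENT;   /* no such user */
    *uid = pwd.pw_uid;
    *gid = pwd.pw_gid;
    return 0;
}

/* Chown the open file to the given ids, then set the exact mode bits.
 * fchmod() is not subject to umask, so the result is exactly MC_FILE_MODE.
 * Returns 0 on success or an errno value. */
int set_mc_file_perms(int fd, uid_t uid, gid_t gid)
{
    if (fchown(fd, uid, gid) != 0) return errno;
    if (fchmod(fd, MC_FILE_MODE) != 0) return errno;
    return 0;
}

/* Verify the state the PR expects: owner/group match and the permission
 * bits are exactly rw-rw-r--. Returns 0 if ok, -1 on fstat failure,
 * 1 on owner/group mismatch, 2 on mode mismatch (e.g. world-writable). */
int check_mc_file_perms(int fd, uid_t uid, gid_t gid)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return -1;
    if (st.st_uid != uid || st.st_gid != gid) return 1;
    if ((st.st_mode & 07777) != MC_FILE_MODE) return 2;
    return 0;
}

/* Create a scratch file (hypothetical path template), start it in a
 * constructed bad state (world-writable), fix it and return the check
 * result: 0 means the file ended up as the PR describes. */
int demo_fix_perms(uid_t uid, gid_t gid)
{
    char path[] = "/tmp/mc_perms_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);               /* descriptor stays valid after unlink */
    fchmod(fd, 0666);           /* constructed "wrong" starting mode */
    int ret = set_mc_file_perms(fd, uid, gid);
    if (ret != 0) { close(fd); return -1; }
    ret = check_mc_file_perms(fd, uid, gid);
    close(fd);
    return ret;
}

int main(void)
{
    /* Stand-in for the sssd user: the calling process's own ids, so this
     * runs unprivileged. A real responder would use resolve_user_ids(). */
    uid_t uid = getuid();
    gid_t gid = getgid();
    int ret = demo_fix_perms(uid, gid);
    printf("memory-cache file permissions check: %s (%d)\n",
           ret == 0 ? "ok" : "FAILED", ret);
    return ret == 0 ? 0 : 1;
}
```

The check function is the part worth keeping around: it is the same test that `rpm -V` effectively performs on the packaged file ownership and mode, and it distinguishes a wrong owner from a mode that has drifted (for instance to world-writable), which is the condition the PR's mode choice is meant to rule out.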
URL: https://github.com/SSSD/sssd/pull/702 Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD user
Label: -Changes requested
URL: https://github.com/SSSD/sssd/pull/702 Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD user
mzidek-rh commented: """ Thanks. CI passed except for an unrelated failure on Debian, and jhrozek showed me the fix in an interactive session.
ACK. """
See the full comment at https://github.com/SSSD/sssd/pull/702#issuecomment-446623537
URL: https://github.com/SSSD/sssd/pull/702 Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD user
Label: +Accepted
URL: https://github.com/SSSD/sssd/pull/702 Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD user
jhrozek commented: """ * master: 61e4ba58934b20a950255e05797aca25aadc1242
I'll submit a 1-16 backport separately """
See the full comment at https://github.com/SSSD/sssd/pull/702#issuecomment-446932330
URL: https://github.com/SSSD/sssd/pull/702 Author: jhrozek Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD user Action: closed
sssd-devel@lists.fedorahosted.org