diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 8df8ecdd6a4..b10865ad2b0 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -3433,11 +3433,6 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
Default: id_provider
is used if it
is set and can perform session related tasks.
-
- NOTE: In order to have this feature
- working as expected SSSD must be running as "root" and
- not as the unprivileged user.
-
diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
index d6fa3cc3759..597bc8d9bfe 100644
--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
@@ -219,10 +219,7 @@ ipa_deskprofile_get_filename_path(TALLOC_CTX *mem_ctx,
}
errno_t
-ipa_deskprofile_rules_create_user_dir(
- const char *username, /* fully-qualified */
- uid_t uid,
- gid_t gid)
+ipa_deskprofile_rules_create_user_dir(const char *username /* fully-qualified */)
{
TALLOC_CTX *tmp_ctx;
char *shortname;
@@ -245,8 +242,7 @@ ipa_deskprofile_rules_create_user_dir(
}
old_umask = umask(0026);
- ret = sss_create_dir(IPA_DESKPROFILE_RULES_USER_DIR, domain, 0751,
- getuid(), getgid());
+ ret = sss_create_dir(IPA_DESKPROFILE_RULES_USER_DIR, domain, 0751);
umask(old_umask);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
@@ -267,7 +263,7 @@ ipa_deskprofile_rules_create_user_dir(
/* In order to read, create and traverse the directory, we need to have its
* permissions set as 'rwx------' (700). */
old_umask = umask(0077);
- ret = sss_create_dir(domain_dir, shortname, 0700, uid, gid);
+ ret = sss_create_dir(domain_dir, shortname, 0700);
umask(old_umask);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
@@ -684,9 +680,7 @@ ipa_deskprofile_rules_save_rule_to_disk(
struct sysdb_attrs *rule,
struct sss_domain_info *domain,
const char *hostname,
- const char *username, /* fully-qualified */
- uid_t uid,
- gid_t gid)
+ const char *username /* fully-qualified */)
{
TALLOC_CTX *tmp_ctx;
const char *rule_name;
@@ -706,8 +700,6 @@ ipa_deskprofile_rules_save_rule_to_disk(
const char *extension = "json";
uint32_t prio;
int fd = -1;
- gid_t orig_gid;
- uid_t orig_uid;
errno_t ret;
tmp_ctx = talloc_new(mem_ctx);
@@ -715,9 +707,6 @@ ipa_deskprofile_rules_save_rule_to_disk(
return ENOMEM;
}
- orig_gid = getegid();
- orig_uid = geteuid();
-
ret = sysdb_attrs_get_string(rule, IPA_CN, &rule_name);
if (ret != EOK) {
DEBUG(SSSDBG_TRACE_FUNC,
@@ -880,26 +869,6 @@ ipa_deskprofile_rules_save_rule_to_disk(
goto done;
}
- ret = setegid(gid);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Unable to set effective group id (%"PRIu32") of the domain's "
- "process [%d]: %s\n",
- gid, ret, sss_strerror(ret));
- goto done;
- }
-
- ret = seteuid(uid);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Unable to set effective user id (%"PRIu32") of the domain's "
- "process [%d]: %s\n",
- uid, ret, sss_strerror(ret));
- goto done;
- }
-
fd = open(filename_path, O_WRONLY | O_CREAT | O_TRUNC, 0400);
if (fd == -1) {
ret = errno;
@@ -920,94 +889,21 @@ ipa_deskprofile_rules_save_rule_to_disk(
goto done;
}
- ret = seteuid(orig_uid);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to set the effect user id (%"PRIu32") of the domain's "
- "process [%d]: %s\n",
- orig_uid, ret, sss_strerror(ret));
- goto done;
- }
-
- ret = setegid(orig_gid);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to set the effect group id (%"PRIu32") of the domain's "
- "process [%d]: %s\n",
- orig_gid, ret, sss_strerror(ret));
- goto done;
- }
-
ret = EOK;
done:
if (fd != -1) {
close(fd);
}
- if (geteuid() != orig_uid) {
- ret = seteuid(orig_uid);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Unable to set effective user id (%"PRIu32") of the "
- "domain's process [%d]: %s\n",
- orig_uid, ret, sss_strerror(ret));
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Sending SIGUSR2 to the process: %d\n", getpid());
- kill(getpid(), SIGUSR2);
- }
- }
- if (getegid() != orig_gid) {
- ret = setegid(orig_gid);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Unable to set effective group id (%"PRIu32") of the "
- "domain's process. Let's have the process restarted!\n",
- orig_gid);
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Sending SIGUSR2 to the process: %d\n", getpid());
- kill(getpid(), SIGUSR2);
- }
- }
talloc_free(tmp_ctx);
return ret;
}
errno_t
-ipa_deskprofile_rules_remove_user_dir(const char *user_dir,
- uid_t uid,
- gid_t gid)
+ipa_deskprofile_rules_remove_user_dir(const char *user_dir)
{
- gid_t orig_gid;
- uid_t orig_uid;
errno_t ret;
- orig_gid = getegid();
- orig_uid = geteuid();
-
- ret = setegid(gid);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Unable to set effective group id (%"PRIu32") of the domain's "
- "process [%d]: %s\n",
- gid, ret, sss_strerror(ret));
- goto done;
- }
-
- ret = seteuid(uid);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Unable to set effective user id (%"PRIu32") of the domain's "
- "process [%d]: %s\n",
- uid, ret, sss_strerror(ret));
- goto done;
- }
-
ret = sss_remove_subtree(user_dir);
if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_CRIT_FAILURE,
@@ -1016,26 +912,6 @@ ipa_deskprofile_rules_remove_user_dir(const char *user_dir,
goto done;
}
- ret = seteuid(orig_uid);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to set the effect user id (%"PRIu32") of the domain's "
- "process [%d]: %s\n",
- orig_uid, ret, sss_strerror(ret));
- goto done;
- }
-
- ret = setegid(orig_gid);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to set the effect group id (%"PRIu32") of the domain's "
- "process [%d]: %s\n",
- orig_gid, ret, sss_strerror(ret));
- goto done;
- }
-
ret = sss_remove_tree(user_dir);
if ((ret != EOK) && (ret != ENOENT)) {
DEBUG(SSSDBG_CRIT_FAILURE,
@@ -1047,32 +923,6 @@ ipa_deskprofile_rules_remove_user_dir(const char *user_dir,
ret = EOK;
done:
- if (geteuid() != orig_uid) {
- ret = seteuid(orig_uid);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "unable to set effective user id (%"PRIu32") of the "
- "domain's process [%d]: %s\n",
- orig_uid, ret, sss_strerror(ret));
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Sending SIGUSR2 to the process: %d\n", getpid());
- kill(getpid(), SIGUSR2);
- }
- }
- if (getegid() != orig_gid) {
- ret = setegid(orig_gid);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Unable to set effective user id (%"PRIu32") of the "
- "domain's process [%d]: %s\n",
- orig_uid, ret, sss_strerror(ret));
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Sending SIGUSR2 to the process: %d\n", getpid());
- kill(getpid(), SIGUSR2);
- }
- }
return ret;
}
diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.h b/src/providers/ipa/ipa_deskprofile_rules_util.h
index 063bbd20b65..369f5e139ec 100644
--- a/src/providers/ipa/ipa_deskprofile_rules_util.h
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.h
@@ -45,10 +45,7 @@ ipa_deskprofile_get_filename_path(TALLOC_CTX *mem_ctx,
char **_filename_path);
errno_t
-ipa_deskprofile_rules_create_user_dir(
- const char *username, /* fully-qualified */
- uid_t uid,
- gid_t gid);
+ipa_deskprofile_rules_create_user_dir(const char *username /* fully-qualified */);
errno_t
ipa_deskprofile_rules_save_rule_to_disk(
TALLOC_CTX *mem_ctx,
@@ -56,13 +53,9 @@ ipa_deskprofile_rules_save_rule_to_disk(
struct sysdb_attrs *rule,
struct sss_domain_info *domain,
const char *hostname,
- const char *username, /* fully-qualified */
- uid_t uid,
- gid_t gid);
+ const char *username /* fully-qualified */);
errno_t
-ipa_deskprofile_rules_remove_user_dir(const char *user_dir,
- uid_t uid,
- gid_t gid);
+ipa_deskprofile_rules_remove_user_dir(const char *user_dir);
errno_t
deskprofile_get_cached_priority(struct sss_domain_info *domain,
diff --git a/src/providers/ipa/ipa_session.c b/src/providers/ipa/ipa_session.c
index bcd8055a871..b45a791ec91 100644
--- a/src/providers/ipa/ipa_session.c
+++ b/src/providers/ipa/ipa_session.c
@@ -449,7 +449,6 @@ struct ipa_pam_session_handler_state {
char *domain;
char *user_dir;
uid_t uid;
- gid_t gid;
};
static errno_t
@@ -460,8 +459,7 @@ ipa_pam_session_handler_get_deskprofile_user_info(
char **_shortname,
char **_domain,
char **_user_dir,
- uid_t *uid,
- gid_t *gid);
+ uid_t *uid);
static void ipa_pam_session_handler_done(struct tevent_req *subreq);
static errno_t
ipa_pam_session_handler_save_deskprofile_rules(
@@ -470,8 +468,7 @@ ipa_pam_session_handler_save_deskprofile_rules(
const char *username, /* fully-qualified */
const char *user_dir,
const char *hostname,
- uid_t uid,
- gid_t gid);
+ uid_t uid);
static errno_t
ipa_pam_session_handler_notify_deskprofile_client(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
@@ -515,8 +512,7 @@ ipa_pam_session_handler_send(TALLOC_CTX *mem_ctx,
&state->shortname,
&state->domain,
&state->user_dir,
- &state->uid,
- &state->gid);
+ &state->uid);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"ipa_deskprofile_get_user_info() failed [%d]: %s\n",
@@ -528,9 +524,7 @@ ipa_pam_session_handler_send(TALLOC_CTX *mem_ctx,
/* As no proper merging mechanism has been implemented yet ...
* let's just remove the user directory stored in the disk as it's
* going to be created again in case there's any rule fetched. */
- ret = ipa_deskprofile_rules_remove_user_dir(state->user_dir,
- state->uid,
- state->gid);
+ ret = ipa_deskprofile_rules_remove_user_dir(state->user_dir);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"ipa_deskprofile_rules_remove_user_dir() failed.\n");
@@ -593,8 +587,7 @@ ipa_pam_session_handler_done(struct tevent_req *subreq)
state->pd->user,
state->user_dir,
hostname,
- state->uid,
- state->gid);
+ state->uid);
if (ret == EOK || ret == ENOENT) {
state->pd->pam_status = PAM_SUCCESS;
@@ -630,8 +623,7 @@ ipa_pam_session_handler_get_deskprofile_user_info(TALLOC_CTX *mem_ctx,
char **_shortname,
char **_domain,
char **_user_dir,
- uid_t *_uid,
- gid_t *_gid)
+ uid_t *_uid)
{
TALLOC_CTX *tmp_ctx;
struct ldb_result *res = NULL;
@@ -681,7 +673,7 @@ ipa_pam_session_handler_get_deskprofile_user_info(TALLOC_CTX *mem_ctx,
uid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_UIDNUM, 0);
gid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_GIDNUM, 0);
if (uid == 0 || gid == 0) {
- /* As IPA doesn't handle root users ou groups, we know for sure that's
+ /* As IPA doesn't handle root users or groups, we know for sure that's
* something wrong in case we get uid = 0 or gid = 0.
*/
ret = EINVAL;
@@ -694,7 +686,6 @@ ipa_pam_session_handler_get_deskprofile_user_info(TALLOC_CTX *mem_ctx,
*_domain = talloc_steal(mem_ctx, domain_name);
*_user_dir = talloc_steal(mem_ctx, user_dir);
*_uid = uid;
- *_gid = gid;
done:
talloc_free(tmp_ctx);
@@ -708,8 +699,7 @@ ipa_pam_session_handler_save_deskprofile_rules(
const char *username, /* fully-qualified */
const char *user_dir,
const char *hostname,
- uid_t uid,
- gid_t gid)
+ uid_t uid)
{
TALLOC_CTX *tmp_ctx;
const char **attrs_get_cached_rules;
@@ -764,7 +754,7 @@ ipa_pam_session_handler_save_deskprofile_rules(
}
/* Create the user directory where the rules are going to be stored */
- ret = ipa_deskprofile_rules_create_user_dir(username, uid, gid);
+ ret = ipa_deskprofile_rules_create_user_dir(username);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Cannot create the user directory [%d]: %s\n",
@@ -779,9 +769,7 @@ ipa_pam_session_handler_save_deskprofile_rules(
rules[i],
domain,
hostname,
- username,
- uid,
- gid);
+ username);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Failed to save a Desktop Profile Rule to disk [%d]: %s\n",
diff --git a/src/tests/files-tests.c b/src/tests/files-tests.c
index 07e2bb3a81a..5c1443fa1a5 100644
--- a/src/tests/files-tests.c
+++ b/src/tests/files-tests.c
@@ -40,8 +40,6 @@
static char tpl_dir[] = "file-tests-dir-XXXXXX";
static char *dir_path;
static char *dst_path;
-static uid_t uid;
-static gid_t gid;
static TALLOC_CTX *test_ctx = NULL;
static void setup_files_test(void)
@@ -51,9 +49,6 @@ static void setup_files_test(void)
mkdir(TESTS_PATH, 0700);
dir_path = mkdtemp(talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, tpl_dir));
dst_path = mkdtemp(talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, tpl_dir));
-
- uid = getuid();
- gid = getgid();
}
static void teardown_files_test(void)
@@ -217,7 +212,7 @@ START_TEST(test_create_dir)
ck_assert_msg(errno == 0, "Cannot getcwd\n");
/* create a dir */
- ret = sss_create_dir(dir_path, "testdir", S_IRUSR | S_IXUSR, uid, gid);
+ ret = sss_create_dir(dir_path, "testdir", S_IRUSR | S_IXUSR);
ck_assert_msg(ret == EOK, "cannot create dir: %s", strerror(ret));
new_dir = talloc_asprintf(NULL, "%s/testdir", dir_path);
@@ -232,10 +227,6 @@ START_TEST(test_create_dir)
ck_assert_msg((info.st_mode & S_IWUSR) == 0, "Write permission is set\n");
ck_assert_msg((info.st_mode & S_IXUSR) != 0, "Exec permission is not set\n");
- /* check the owner is okay */
- ck_assert_msg(info.st_uid == uid, "Dir created with the wrong uid\n");
- ck_assert_msg(info.st_gid == gid, "Dir created with the wrong gid\n");
-
talloc_free(new_dir);
}
END_TEST
diff --git a/src/util/files.c b/src/util/files.c
index 03fd062bdcc..868ed2c598b 100644
--- a/src/util/files.c
+++ b/src/util/files.c
@@ -213,14 +213,12 @@ static int remove_tree_with_ctx(TALLOC_CTX *mem_ctx,
int sss_create_dir(const char *parent_dir_path,
const char *dir_name,
- mode_t mode,
- uid_t uid, gid_t gid)
+ mode_t mode)
{
TALLOC_CTX *tmp_ctx;
char *dir_path;
int ret = EOK;
int parent_dir_fd = -1;
- int dir_fd = -1;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
@@ -257,33 +255,12 @@ int sss_create_dir(const char *parent_dir_path,
}
}
- dir_fd = sss_open_cloexec(dir_path, O_RDONLY | O_DIRECTORY, &ret);
- if (dir_fd == -1) {
- DEBUG(SSSDBG_TRACE_FUNC,
- "Cannot open() directory '%s' [%d]: %s\n",
- dir_path, ret, sss_strerror(ret));
- goto fail;
- }
-
- errno = 0;
- ret = fchown(dir_fd, uid, gid);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to own the newly created directory '%s' [%d]: %s\n",
- dir_path, ret, sss_strerror(ret));
- goto fail;
- }
-
ret = EOK;
fail:
if (parent_dir_fd != -1) {
close(parent_dir_fd);
}
- if (dir_fd != -1) {
- close(dir_fd);
- }
talloc_free(tmp_ctx);
return ret;
}
diff --git a/src/util/util.h b/src/util/util.h
index 71cb2ef7ff1..960f301fd6d 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -813,8 +813,7 @@ int sss_remove_subtree(const char *root);
int sss_create_dir(const char *parent_dir_path,
const char *dir_name,
- mode_t mode,
- uid_t uid, gid_t gid);
+ mode_t mode);
/* from selinux.c */
int selinux_file_context(const char *dst_name);