Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NSS: Avoid changing the memory cache ownership away from the sssd user (sssd-1-16 backport) #718

Closed
wants to merge 1 commit into from

Conversation

Projects
None yet
2 participants
@jhrozek
Copy link
Contributor

commented Dec 18, 2018

Resolves:
https://pagure.io/SSSD/sssd/issue/3890

In case SSSD is compiled --with-sssd-user but run as root (which is the
default on RHEL and derivatives), then the memory cache will be owned by
the user that sssd_nss runs as, so root.

This conflicts with the packaging which specifies sssd.sssd as the owner. And
in turn, this means that users can't reliably assess the package integrity
using rpm -V.

This patch makes sure that the memory cache files are chowned to sssd.sssd
even if the nss responder runs as root.

Also, this patch changes the sssd_nss responder so that is becomes a member
of the supplementary sssd group. Even though in traditional UNIX sense,
a process running as root could write to a file owned by sssd:sssd, with
SELinux enforcing mode this becomes problematic as SELinux emits an error
such as:

type=AVC msg=audit(1543524888.125:1495): avc: denied { fsetid } for
pid=7706 comm="sssd_nss" capability=4 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:system_r:sssd_t:s0 tclass=capability

To make it possible for the sssd_nss process to write to the files, the
files are also made group-writable. The 'others' permission is still set
to read only.

Reviewed-by: Michal Židek mzidek@redhat.com
(cherry picked from commit 61e4ba5)

NSS: Avoid changing the memory cache ownership away from the sssd user
Resolves:
https://pagure.io/SSSD/sssd/issue/3890

In case SSSD is compiled --with-sssd-user but run as root (which is the
default on RHEL and derivatives), then the memory cache will be owned by
the user that sssd_nss runs as, so root.

This conflicts with the packaging which specifies sssd.sssd as the owner. And
in turn, this means that users can't reliably assess the package integrity
using rpm -V.

This patch makes sure that the memory cache files are chowned to sssd.sssd
even if the nss responder runs as root.

Also, this patch changes the sssd_nss responder so that is becomes a member
of the supplementary sssd group. Even though in traditional UNIX sense,
a process running as root could write to a file owned by sssd:sssd, with
SELinux enforcing mode this becomes problematic as SELinux emits an error
such as:

type=AVC msg=audit(1543524888.125:1495): avc:  denied  { fsetid } for
pid=7706 comm="sssd_nss" capability=4  scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:system_r:sssd_t:s0 tclass=capability

To make it possible for the sssd_nss process to write to the files, the
files are also made group-writable. The 'others' permission is still set
to read only.

Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 61e4ba5)

@mzidek-rh mzidek-rh self-assigned this Feb 13, 2019

@mzidek-rh

This comment has been minimized.

Copy link
Contributor

commented Feb 25, 2019

I found no issues. Just waiting for CI to finish.

@mzidek-rh

This comment has been minimized.

Copy link
Contributor

commented Feb 25, 2019

ACK.

@mzidek-rh mzidek-rh added the Accepted label Feb 25, 2019

@jhrozek

This comment has been minimized.

Copy link
Contributor Author

commented Feb 26, 2019

@jhrozek jhrozek closed this Feb 26, 2019

@jhrozek jhrozek added the Pushed label Feb 26, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.