Further restriction of child processes capabilities (part 2)

Makefile.am

@@ -103,10 +103,9 @@ condconfigexists = ConditionPathExists=\|/etc/sssd/sssd.conf\nConditionDirectory
 # Capabilities usage by binaries:
 #   - 'ldap_child': read keytab (dac_read_search)
 #   - 'krb5_child':
-#         - store TGT for a given user (set*id);
-#         - create path components of DIR:/FILE: cache, for example: /run/user/$UID (dac_override, chown)
-#         - read keytab (dac_read_search could be enough but dac_override due to above)
-#     If system doesn't need to support DIR:/FILE: then 'cap_chown' can be stripped and 'cap_dac_override' replaced with 'dac_read_search'
+#         - check old ccache / pre-check ccache path (dac_read_search, set*id)
+#         - read keytab (dac_read_search)
+#         - store TGT for a given user (set*id)
 #   - 'selinux_child': currently chown, dac_override, set*id  --  to be narrowed
 #   - 'sssd_pam': read keytab in gss ops (dac_read_search)
 capabilities = CapabilityBoundingSet= CAP_CHOWN CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID CAP_DAC_READ_SEARCH
@@ -370,7 +369,6 @@ endif   # HAVE_CMOCKA
 
 check_PROGRAMS = \
     stress-tests \
-    krb5-child-test \
     test_ssh_client \
     $(non_interactive_cmocka_based_tests) \
     $(non_interactive_check_based_tests)
@@ -1302,7 +1300,6 @@ libsss_util_la_SOURCES = \
     src/util/util_sss_idmap.c \
     src/util/well_known_sids.c \
     src/util/string_utils.c \
-    src/util/become_user.c \
     src/util/capabilities.c \
     src/util/util_watchdog.c \
     src/util/sss_ptr_hash.c \
@@ -1530,6 +1527,11 @@ sssd_SOURCES = \
     src/monitor/nscd.c \
     src/confdb/confdb_setup.c \
     $(NULL)
+
+if BUILD_CONF_SERVICE_USER_SUPPORT
+sssd_SOURCES += src/monitor/become_user.c
+endif # BUILD_CONF_SERVICE_USER_SUPPORT
+
 sssd_LDADD = \
     $(SSSD_LIBS) \
     $(INOTIFY_LIBS) \
@@ -2210,7 +2212,6 @@ krb5_utils_tests_SOURCES = \
     src/providers/data_provider_fo.c \
     src/providers/data_provider_opts.c \
     src/providers/data_provider_callbacks.c \
-    src/util/become_user.c \
     $(SSSD_FAILOVER_OBJ) \
     $(NULL)
 krb5_utils_tests_CFLAGS = \
@@ -2500,35 +2501,6 @@ stress_tests_LDADD = \
     $(SSSD_LIBS) \
     libsss_test_common.la
 
-krb5_child_test_SOURCES = \
-    src/tests/krb5_child-test.c \
-    src/providers/krb5/krb5_utils.c \
-    src/providers/krb5/krb5_ccache.c \
-    src/providers/krb5/krb5_child_handler.c \
-    src/providers/krb5/krb5_common.c \
-    src/providers/krb5/krb5_opts.c \
-    src/util/sss_krb5.c \
-    src/util/sss_iobuf.c \
-    src/providers/data_provider_fo.c \
-    src/providers/data_provider_opts.c \
-    src/providers/data_provider_callbacks.c \
-    src/util/become_user.c \
-    $(SSSD_FAILOVER_OBJ) \
-    $(NULL)
-krb5_child_test_CFLAGS = \
-    $(AM_CFLAGS) \
-    -DKRB5_CHILD_DIR=\"$(builddir)\" \
-    $(KRB5_CFLAGS) \
-    $(CHECK_CFLAGS)
-krb5_child_test_LDADD = \
-    $(SSSD_LIBS) \
-    $(CARES_LIBS) \
-    $(KRB5_LIBS) \
-    $(CHECK_LIBS) \
-    $(PCRE_LIBS) \
-    $(SSSD_INTERNAL_LTLIBS) \
-    libsss_test_common.la
-
 test_ssh_client_SOURCES = \
     src/tests/test_ssh_client.c \
     $(NULL)
@@ -4404,7 +4376,6 @@ libsss_krb5_common_la_SOURCES = \
     src/providers/krb5/krb5_ccache.c \
     src/util/sss_krb5.c \
     src/util/sss_iobuf.c \
-    src/util/become_user.c \
     src/util/pac_utils.c \
     $(NULL)
 libsss_krb5_common_la_CFLAGS = \
@@ -4715,7 +4686,6 @@ krb5_child_SOURCES = \
     src/util/signal.c \
     src/util/sss_chain_id.c \
     src/util/strtonum.c \
-    src/util/become_user.c \
     src/util/util_errors.c \
     src/sss_client/common.c \
     src/krb5_plugin/common/utils.c \
@@ -4758,7 +4728,6 @@ ldap_child_SOURCES = \
     src/util/util_ext.c \
     src/util/capabilities.c \
     src/util/signal.c \
-    src/util/become_user.c \
     src/util/util_errors.c \
     $(NULL)
 ldap_child_CFLAGS = \
@@ -5585,7 +5554,7 @@ if SSSD_USER
 	-$(SETCAP) cap_dac_read_search=p $(DESTDIR)$(sssdlibexecdir)/ldap_child
 	-chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/krb5_child
 	chmod 750 $(DESTDIR)$(sssdlibexecdir)/krb5_child
-	-$(SETCAP) cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep $(DESTDIR)$(sssdlibexecdir)/krb5_child
+	-$(SETCAP) cap_dac_read_search,cap_setuid,cap_setgid=p $(DESTDIR)$(sssdlibexecdir)/krb5_child
 	-chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/proxy_child
 	chmod 750 $(DESTDIR)$(sssdlibexecdir)/proxy_child
 	-chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/sssd_pam

contrib/sssd.spec.in

@@ -914,7 +914,7 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
 %license COPYING
 %attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
 %attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{servicename}/ldap_child
-%attr(0750,root,%{sssd_user}) %caps(cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep) %{_libexecdir}/%{servicename}/krb5_child
+%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search,cap_setuid,cap_setgid=p) %{_libexecdir}/%{servicename}/krb5_child
 
 %files krb5 -f sssd_krb5.lang
 %license COPYING

src/monitor/become_user.c

@@ -0,0 +1,75 @@
+/*
+    SSSD
+
+    Kerberos 5 Backend Module -- Utilities
+
+    Authors:
+        Sumit Bose <sbose@redhat.com>
+
+    Copyright (C) 2009 Red Hat
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "util/util.h"
+#include <grp.h>
+
+errno_t become_user(uid_t uid, gid_t gid, bool keep_set_uid)
+{
+    uid_t cuid;
+    int ret = EOK;
+
+    DEBUG(SSSDBG_FUNC_DATA,
+          "Trying to become user [%"SPRIuid"][%"SPRIgid"].\n", uid, gid);
+
+    /* skip call if we already are the requested user */
+    cuid = geteuid();
+    if (uid == cuid) {
+        DEBUG(SSSDBG_FUNC_DATA, "Already user [%"SPRIuid"].\n", uid);
+        goto done;
+    }
+
+    /* drop supplementary groups first */
+    ret = setgroups(0, NULL);
+    if (ret == -1) {
+        ret = errno;
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "setgroups failed [%d][%s].\n", ret, strerror(ret));
+        goto done;
+    }
+
+    /* change GID so that root cannot be regained (changes saved GID too) */
+    ret = setresgid(gid, gid, gid);
+    if (ret == -1) {
+        ret = errno;
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "setresgid failed [%d][%s].\n", ret, strerror(ret));
+        goto done;
+    }
+
+    /* change UID so that root cannot be regained (changes saved UID too) */
+    /* this call also takes care of dropping CAP_SETUID, so this is a PNR */
+    ret = setresuid(uid, uid, (keep_set_uid ? -1 : uid));
+    if (ret == -1) {
+        ret = errno;
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "setresuid failed [%d][%s].\n", ret, strerror(ret));
+        goto done;
+    }
+
+done:
+    sss_drop_all_caps();
+
+    return ret;
+}

src/monitor/monitor_bootstrap.c

@@ -78,6 +78,8 @@ static int check_supplementary_group(gid_t gid)
 #endif /* SSSD_NON_ROOT_USER */
 
 #ifdef BUILD_CONF_SERVICE_USER_SUPPORT
+errno_t become_user(uid_t uid, gid_t gid, bool keep_set_uid);
+
 int bootstrap_monitor_process(uid_t target_uid, gid_t target_gid)
 #else
 int bootstrap_monitor_process(void)

src/providers/krb5/krb5_auth.h

@@ -38,8 +38,6 @@
 
 #define ILLEGAL_PATH_PATTERN "//|/\\./|/\\.\\./"
 
-#define CHILD_OPT_FAST_CCACHE_UID "fast-ccache-uid"
-#define CHILD_OPT_FAST_CCACHE_GID "fast-ccache-gid"
 #define CHILD_OPT_FAST_USE_ANONYMOUS_PKINIT "fast-use-anonymous-pkinit"
 #define CHILD_OPT_REALM "realm"
 #define CHILD_OPT_LIFETIME "lifetime"