From cceb66a935f58a41c8e015be96b32c859531f697 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Wed, 18 Sep 2024 20:38:05 +0200 Subject: [PATCH] SYSTEMD: replace 'sssd_check_socket_activated_responders' with a schell script. All sockets already have ``` After=sssd.service BindsTo=sssd.service ``` - this ensures SSSD was started and running before socket activation. New 'ExecStartPre' condition checks if a responder with the same name is running and, if so, if it runs in the same mnt namespace. The latter is to ignore processes run in a container on the same host. Resolves: https://github.com/SSSD/sssd/issues/4333 Resolves: https://github.com/SSSD/sssd/issues/5013 --- Makefile.am | 19 --- contrib/sssd.spec.in | 1 - src/sysv/systemd/sssd-autofs.socket.in | 2 +- src/sysv/systemd/sssd-nss.socket.in | 2 +- src/sysv/systemd/sssd-pac.socket.in | 2 +- src/sysv/systemd/sssd-pam.socket.in | 2 +- src/sysv/systemd/sssd-ssh.socket.in | 2 +- src/sysv/systemd/sssd-sudo.socket.in | 2 +- .../sssd_check_socket_activated_responders.c | 149 ------------------ 9 files changed, 6 insertions(+), 175 deletions(-) delete mode 100644 src/tools/sssd_check_socket_activated_responders.c diff --git a/Makefile.am b/Makefile.am index 61e34bbcf3f..3b94f7701f8 100644 --- a/Makefile.am +++ b/Makefile.am @@ -218,9 +218,6 @@ endif if BUILD_PAC_RESPONDER sssdlibexec_PROGRAMS += sssd_pac endif -if HAVE_SYSTEMD_UNIT -sssdlibexec_PROGRAMS += sssd_check_socket_activated_responders -endif if HAVE_CHECK non_interactive_check_based_tests = \ 
@@ -1999,22 +1996,6 @@ sss_ssh_knownhostsproxy_LDADD = \ $(CLIENT_LIBS) $(TALLOC_LIBS) $(POPT_LIBS) endif -if HAVE_SYSTEMD_UNIT -sssd_check_socket_activated_responders_SOURCES = \ - src/tools/sssd_check_socket_activated_responders.c \ - $(NULL) -sssd_check_socket_activated_responders_CFLAGS = \ - $(AM_CFLAGS) \ - $(NULL) -sssd_check_socket_activated_responders_LDADD = \ - $(SSSD_INTERNAL_LTLIBS) \ - $(LTLIBINTL) \ - $(TALLOC_LIBS) \ - $(POPT_LIBS) \ - $(INI_CONFIG_LIBS) \ - $(NULL) -endif - pkgconfig_DATA += src/lib/certmap/sss_certmap.pc libsss_certmap_la_DEPENDENCIES = src/lib/certmap/sss_certmap.exports libsss_certmap_la_SOURCES = \ diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 90bb5bbdd0e..169a656cd62 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -800,7 +800,6 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf %{_libexecdir}/%{servicename}/sssd_ssh %{_libexecdir}/%{servicename}/sssd_sudo %{_libexecdir}/%{servicename}/p11_child -%{_libexecdir}/%{servicename}/sssd_check_socket_activated_responders %dir %{_libdir}/%{name} %if 0%{?rhel} == 9 diff --git a/src/sysv/systemd/sssd-autofs.socket.in b/src/sysv/systemd/sssd-autofs.socket.in index 201b33d90f8..f69392dfaf3 100644 --- a/src/sysv/systemd/sssd-autofs.socket.in +++ b/src/sysv/systemd/sssd-autofs.socket.in @@ -7,7 +7,7 @@ DefaultDependencies=no Conflicts=shutdown.target [Socket] -ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r autofs +ExecStartPre=/bin/sh -c "! (pidof -q sssd_autofs && pidof sssd_autofs | xargs ps -o mntns -p | grep -q `lsns -n -t mnt -o NS -p \\$\\$`)" ListenStream=@pipepath@/autofs SocketUser=@SSSD_USER@ SocketGroup=@SSSD_USER@ diff --git a/src/sysv/systemd/sssd-nss.socket.in b/src/sysv/systemd/sssd-nss.socket.in index ddf9ec39b9f..dc9ae83472f 100644 --- a/src/sysv/systemd/sssd-nss.socket.in +++ b/src/sysv/systemd/sssd-nss.socket.in 
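Review bot: The replacement `ExecStartPre=` line in this hunk (and the identical lines in the nss, pac, pam, ssh and sudo socket hunks) gives the administrator no diagnostic when it blocks the socket: the removed tool logged why the responder must not be socket-activated, whereas `sh -c "! (...)"` just exits 1 and the journal shows only the status. A trailing `|| { echo 'sssd_autofs is already running in this mount namespace, not activating the socket' >&2; exit 1; }` inside the quoted command would restore that. The check also fails open by construction — if `pidof`, `ps`, `xargs` or `lsns` is missing or errors, the inner pipeline is false and the negation succeeds, so the socket is activated anyway; that matches the behaviour of having no check at all, but it means the package must pull in procps-ng, findutils and util-linux, which the spec hunk does not add (unless a `Requires:` already exists outside this diff), and a comment in the unit noting that the fail-open is intentional would help the next maintainer. Two smaller points, hedged because they depend on the procps/util-linux versions in use: `grep -q` is a substring match, so `grep -qw` would compare the namespace id as a whole token even with the padding `ps -o mntns` adds, and `pidof` printing several PIDs makes `xargs` run `ps -o mntns -p A B`, which should be confirmed to be accepted rather than rejecting the second PID.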
@@ -8,7 +8,7 @@ DefaultDependencies=no Conflicts=shutdown.target [Socket] -ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r nss +ExecStartPre=/bin/sh -c "! (pidof -q sssd_nss && pidof sssd_nss | xargs ps -o mntns -p | grep -q `lsns -n -t mnt -o NS -p \\$\\$`)" ListenStream=@pipepath@/nss @nss_socket_user_group@ diff --git a/src/sysv/systemd/sssd-pac.socket.in b/src/sysv/systemd/sssd-pac.socket.in index 40dec44912a..5ee1d8f665b 100644 --- a/src/sysv/systemd/sssd-pac.socket.in +++ b/src/sysv/systemd/sssd-pac.socket.in @@ -7,7 +7,7 @@ DefaultDependencies=no Conflicts=shutdown.target [Socket] -ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r pac +ExecStartPre=/bin/sh -c "! (pidof -q sssd_pac && pidof sssd_pac | xargs ps -o mntns -p | grep -q `lsns -n -t mnt -o NS -p \\$\\$`)" ListenStream=@pipepath@/pac SocketUser=@SSSD_USER@ SocketGroup=@SSSD_USER@ diff --git a/src/sysv/systemd/sssd-pam.socket.in b/src/sysv/systemd/sssd-pam.socket.in index e4916cac4ef..c9e91b658de 100644 --- a/src/sysv/systemd/sssd-pam.socket.in +++ b/src/sysv/systemd/sssd-pam.socket.in @@ -7,7 +7,7 @@ DefaultDependencies=no Conflicts=shutdown.target [Socket] -ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r pam +ExecStartPre=/bin/sh -c "! (pidof -q sssd_pam && pidof sssd_pam | xargs ps -o mntns -p | grep -q `lsns -n -t mnt -o NS -p \\$\\$`)" ListenStream=@pipepath@/pam SocketUser=@SSSD_USER@ SocketGroup=@SSSD_USER@ diff --git a/src/sysv/systemd/sssd-ssh.socket.in b/src/sysv/systemd/sssd-ssh.socket.in index 4772ef3c01b..05f78b1ff0f 100644 --- a/src/sysv/systemd/sssd-ssh.socket.in +++ b/src/sysv/systemd/sssd-ssh.socket.in 
@@ -7,7 +7,7 @@ DefaultDependencies=no Conflicts=shutdown.target [Socket] -ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r ssh +ExecStartPre=/bin/sh -c "! (pidof -q sssd_ssh && pidof sssd_ssh | xargs ps -o mntns -p | grep -q `lsns -n -t mnt -o NS -p \\$\\$`)" ListenStream=@pipepath@/ssh SocketUser=@SSSD_USER@ SocketGroup=@SSSD_USER@ diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in index b0191a261e6..2e4cdc8e6ab 100644 --- a/src/sysv/systemd/sssd-sudo.socket.in +++ b/src/sysv/systemd/sssd-sudo.socket.in @@ -7,7 +7,7 @@ DefaultDependencies=no Conflicts=shutdown.target [Socket] -ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo +ExecStartPre=/bin/sh -c "! (pidof -q sssd_sudo && pidof sssd_sudo | xargs ps -o mntns -p | grep -q `lsns -n -t mnt -o NS -p \\$\\$`)" ListenStream=@pipepath@/sudo SocketUser=@SSSD_USER@ SocketGroup=@SSSD_USER@ diff --git a/src/tools/sssd_check_socket_activated_responders.c b/src/tools/sssd_check_socket_activated_responders.c deleted file mode 100644 index dddc02ee24e..00000000000 --- a/src/tools/sssd_check_socket_activated_responders.c +++ /dev/null 
@@ -1,149 +0,0 @@ -/* - Authors: - Fabiano FidĂȘncio - - Copyright (C) 2017 Red Hat - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ - -#include "config.h" - -#include -#include - -#include "util/util.h" -#include "util/sss_ini.h" -#include "confdb/confdb.h" - -static errno_t check_socket_activated_responder(const char *responder) -{ - errno_t ret; - char *services = NULL; - const char *str; - TALLOC_CTX *tmp_ctx; - struct sss_ini *init_data; - - tmp_ctx = talloc_new(NULL); - if (tmp_ctx == NULL) { - return ENOMEM; - } - - init_data = sss_ini_new(tmp_ctx); - if (init_data == NULL) { - ret = ENOMEM; - goto done; - } - - ret = sss_ini_read_sssd_conf(init_data, - SSSD_CONFIG_FILE, - CONFDB_DEFAULT_CONFIG_DIR); - if (ret != EOK) { - DEBUG(SSSDBG_DEFAULT, - "Failed to read configuration: [%d] [%s]. No reason to run " - "a responder if SSSD isn't configured.", - ret, - sss_strerror(ret)); - goto done; - } - - ret = sss_ini_get_cfgobj(init_data, "sssd", "services"); - - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, - "sss_ini_get_cfgobj() failed [%d].\n", ret); - goto done; - } - - ret = sss_ini_check_config_obj(init_data); - if (ret == ENOENT) { - /* In case there's no services' line at all, just return EOK. 
*/ - ret = EOK; - goto done; - } - - services = sss_ini_get_string_config_value(init_data, &ret); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, - "sss_ini_get_string_config_value() failed [%d]\n", - ret); - goto done; - } - - str = strstr(services, responder); - if (str != NULL) { - ret = EEXIST; - goto done; - } - - ret = EOK; - -done: - free(services); - talloc_free(tmp_ctx); - - return ret; -} - -int main(int argc, const char *argv[]) -{ - int ret; - int opt; - poptContext pc; - char *responder = NULL; - - struct poptOption long_options[] = { - POPT_AUTOHELP - {"responders", 'r', POPT_ARG_STRING, &responder, 0, - _("The name of the responder to be checked"), NULL}, - POPT_TABLEEND - }; - - pc = poptGetContext(argv[0], argc, argv, long_options, 0); - while ((opt = poptGetNextOpt(pc)) != -1) { - switch (opt) { - default: - fprintf(stderr, "\nInvalid option %s: %s\n\n", - poptBadOption(pc, 0), poptStrerror(opt)); - poptPrintUsage(pc, stderr, 0); - ret = 1; - goto done; - } - } - - if (responder == NULL) { - poptPrintUsage(pc, stderr, 0); - ret = 1; - goto done; - } - - ret = check_socket_activated_responder(responder); - if (ret != EOK) { - DEBUG(SSSDBG_DEFAULT, - "Misconfiguration found for the %s responder.\n" - "The %s responder has been configured to be socket-activated " - "but it's still mentioned in the services' line in %s.\n" - "Please, consider either adjusting your services' line in %s " - "or disabling the %s's socket by calling:\n" - "\"systemctl disable sssd-%s.socket\"", - responder, responder, SSSD_CONFIG_FILE, SSSD_CONFIG_FILE, - responder, responder); - goto done; - } - - ret = EOK; -done: - poptFreeContext(pc); - return ret; -}