diff --git a/Makefile.am b/Makefile.am
index 6b54e1eea0..b16c605708 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -114,11 +114,6 @@ condconfigexists = ConditionPathExists=\|/etc/sssd/sssd.conf\nConditionDirectory
# - 'sssd_pam': read keytab in gss ops (dac_read_search)
capabilities = CapabilityBoundingSet= CAP_SETGID CAP_SETUID CAP_DAC_READ_SEARCH
-if BUILD_CONF_SERVICE_USER_SUPPORT
-# If non-root service user is supported, monitor might need SET-ID to switch user (deprecated 'sssd.conf::user' option)
-capabilities += \n\# Comment this out if support of deprecated "sssd.conf::user" option is not required:\nAmbientCapabilities= CAP_SETGID CAP_SETUID
-endif # BUILD_CONF_SERVICE_USER_SUPPORT
-
if SSSD_NON_ROOT_USER
nss_service_user_group = User=$(SSSD_USER)\nGroup=$(SSSD_USER)
nss_socket_user_group = SocketUser=$(SSSD_USER)\nSocketGroup=$(SSSD_USER)
@@ -1465,10 +1460,6 @@ sssd_SOURCES = \
src/confdb/confdb_setup.c \
$(NULL)
-if BUILD_CONF_SERVICE_USER_SUPPORT
-sssd_SOURCES += src/monitor/become_user.c
-endif # BUILD_CONF_SERVICE_USER_SUPPORT
-
sssd_LDADD = \
$(SSSD_LIBS) \
$(INOTIFY_LIBS) \
diff --git a/configure.ac b/configure.ac
index 4f14575599..94c7fd3eee 100644
--- a/configure.ac
+++ b/configure.ac
@@ -182,7 +182,6 @@ WITH_SUDO_LIB_PATH
WITH_AUTOFS
WITH_EXTENDED_ENUMERATION_SUPPORT
WITH_ALLOW_REMOTE_DOMAIN_LOCAL_GROUPS
-WITH_CONF_SERVICE_USER_SUPPORT
WITH_SUBID
WITH_SUBID_LIB_PATH
WITH_PASSKEY
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 877d43e8de..ffe30508eb 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -807,25 +807,6 @@ AC_DEFUN([WITH_SSSD_USER],
fi
])
-AC_DEFUN([WITH_CONF_SERVICE_USER_SUPPORT],
- [ AC_ARG_WITH([conf-service-user-support],
- [AC_HELP_STRING([--with-conf-service-user-support],
- [Whether to build support for sssd.conf::user option [no].
- Requires "--with-sssd-user=..." to be used.
- Please take a note that this feature is deprecated and
- might be removed in further releases.]
- )
- ],
- [with_conf_service_user_support=$withval],
- with_conf_service_user_support=no
- )
-
- if test x"$with_conf_service_user_support" = xyes; then
- AC_DEFINE(BUILD_CONF_SERVICE_USER_SUPPORT, 1, [Whether to build support for sssd.conf::user option])
- fi
- AM_CONDITIONAL([BUILD_CONF_SERVICE_USER_SUPPORT], [test x"$with_conf_service_user_support" = xyes])
- ])
-
AC_DEFUN([WITH_AD_GPO_DEFAULT],
[ AC_ARG_WITH([ad-gpo-default],
[AS_HELP_STRING([--with-ad-gpo-default=[enforcing|permissive]],
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index 5d071f0d11..2f5aa5dabf 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -60,9 +60,6 @@ AD_CONDS = ;with_allow_remote_domain_local_groups
endif
if SSSD_NON_ROOT_USER
SSSD_NON_ROOT_USER_CONDS = ;with_non_root_user_support
-if BUILD_CONF_SERVICE_USER_SUPPORT
-SSSD_CONF_SERVICE_USER_CONDS = ;with_conf_service_user_support
-endif
else
SSSD_NON_ROOT_USER_CONDS = ;without_non_root_user_support
endif
@@ -71,7 +68,7 @@ LIBNL_CONDS = ;have_libnl
endif
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(SSH_KNOWN_HOSTS_PROXY_CONDS)$(PAC_RESPONDER_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(SSSD_CONF_SERVICE_USER_CONDS)$(ENUM_CONDS)$(LIBNL_CONDS)$(AD_CONDS)
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(SSH_KNOWN_HOSTS_PROXY_CONDS)$(PAC_RESPONDER_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(ENUM_CONDS)$(LIBNL_CONDS)$(AD_CONDS)
#Special Rules:
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index a52a25fe13..a3c161b3a3 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -384,37 +384,6 @@
-
- user (string)
-
-
- A legacy (deprecated) method to configure the user
- to drop the privileges to where appropriate to avoid
- running as the root user.
- The only supported value is '&sssd_user_name;'.
-
-
-
- This option is ignored if main SSSD process is started
- under non-root user initially (preferred method).
-
-
-
- This option doesn't apply to socket activated
- services, as in this case the user to run the processes
- is configured in systemd service files.
-
- Keep in mind that using different service users for
- different SSSD components in general isn't supported:
- everything should be configured to run either under
- '&sssd_user_name;' or 'root'.
-
-
-
- Default: not set, process will run as root
-
-
-
default_domain_suffix (string)
diff --git a/src/monitor/become_user.c b/src/monitor/become_user.c
deleted file mode 100644
index 2d9359a2bd..0000000000
--- a/src/monitor/become_user.c
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- SSSD
-
- Kerberos 5 Backend Module -- Utilities
-
- Authors:
- Sumit Bose
-
- Copyright (C) 2009 Red Hat
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see .
-*/
-
-#include "util/util.h"
-#include
-
-errno_t become_user(uid_t uid, gid_t gid, bool keep_set_uid)
-{
- uid_t cuid;
- int ret = EOK;
-
- DEBUG(SSSDBG_FUNC_DATA,
- "Trying to become user [%"SPRIuid"][%"SPRIgid"].\n", uid, gid);
-
- /* skip call if we already are the requested user */
- cuid = geteuid();
- if (uid == cuid) {
- DEBUG(SSSDBG_FUNC_DATA, "Already user [%"SPRIuid"].\n", uid);
- goto done;
- }
-
- /* drop supplementary groups first */
- ret = setgroups(0, NULL);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "setgroups failed [%d][%s].\n", ret, strerror(ret));
- goto done;
- }
-
- /* change GID so that root cannot be regained (changes saved GID too) */
- ret = setresgid(gid, gid, gid);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "setresgid failed [%d][%s].\n", ret, strerror(ret));
- goto done;
- }
-
- /* change UID so that root cannot be regained (changes saved UID too) */
- /* this call also takes care of dropping CAP_SETUID, so this is a PNR */
- ret = setresuid(uid, uid, (keep_set_uid ? -1 : uid));
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "setresuid failed [%d][%s].\n", ret, strerror(ret));
- goto done;
- }
-
-done:
- sss_drop_all_caps();
-
- return ret;
-}
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 8006dc454e..1ce482b678 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -117,12 +117,6 @@ struct mt_ctx {
struct sbus_server *sbus_server;
struct sbus_connection *sbus_conn;
-
-#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
- /* User to switch to in run time */
- uid_t uid;
- gid_t gid;
-#endif
};
static int start_service(struct mt_svc *mt_svc);
@@ -703,63 +697,6 @@ static char *check_services(char **services)
return NULL;
}
-#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
-static int get_service_user(struct sss_ini *config, struct mt_ctx *ctx)
-{
- errno_t ret = EOK;
-
- ctx->uid = 0;
- ctx->gid = 0;
-
-/* If SSSD wasn't built '--with-sssd-user=sssd' then 'sssd.conf::user'
- * option isn't supported completely (no man page entry).
- */
-#ifdef SSSD_NON_ROOT_USER
- char *user_str = NULL;
-
- ret = sss_ini_get_cfgobj(config, "sssd", CONFDB_MONITOR_USER_RUNAS);
- if (ret != 0) {
- ERROR("Config operation failed\n");
- return ret;
- }
- if (sss_ini_check_config_obj(config) == EOK) {
- user_str = sss_ini_get_string_config_value(config, NULL);
- }
-
- if (geteuid() != 0) {
- if (user_str != NULL) {
- sss_log(SSS_LOG_ALERT, "'"CONFDB_MONITOR_USER_RUNAS"' config option is "
- "ignored when SSSD is run under non-root user initially.");
- ERROR("'"CONFDB_MONITOR_USER_RUNAS"' config option is "
- "ignored when SSSD is run under non-root user initially.\n");
- free(user_str);
- }
- ctx->uid = geteuid();
- ctx->gid = getegid();
- return EOK;
- }
-
- if (user_str == NULL) {
- /* defaults to 'root' */
- } else if (strcmp(user_str, SSSD_USER) == 0) {
- sss_sssd_user_uid_and_gid(&ctx->uid, &ctx->gid);
- /* Deprecation warning is given in `bootstrap_monitor_process()` */
- } else if (strcmp(user_str, "root") != 0) {
- ERROR("Unsupported value '%s' of config option '%s'! Only 'root' or '"
- SSSD_USER"' are supported.\n",
- user_str, CONFDB_MONITOR_USER_RUNAS);
- sss_log(SSS_LOG_CRIT, "Unsupported value of config option '%s'!",
- CONFDB_MONITOR_USER_RUNAS);
- ret = ERR_INVALID_CONFIG;
- }
-
- free(user_str);
-#endif /* SSSD_NON_ROOT_USER */
-
- return ret;
-}
-#endif /* BUILD_CONF_SERVICE_USER_SUPPORT */
-
static void get_debug_level(struct sss_ini *config)
{
int ret;
@@ -1774,11 +1711,7 @@ static void monitor_restart_service(struct mt_svc *svc)
}
}
-#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
-int bootstrap_monitor_process(uid_t target_uid, gid_t target_gid);
-#else
int bootstrap_monitor_process(void);
-#endif
void setup_keyring(void);
@@ -1938,17 +1871,7 @@ int main(int argc, const char *argv[])
goto out;
}
-#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
- ret = get_service_user(config, monitor);
- if (ret != EOK) {
- ret = 4; /* Error message already logged */
- goto out;
- }
-
- ret = bootstrap_monitor_process(monitor->uid, monitor->gid);
-#else
ret = bootstrap_monitor_process();
-#endif
if (ret != 0) {
ERROR("Failed to boostrap SSSD 'monitor' process: %s", sss_strerror(ret));
sss_log(SSS_LOG_ALERT, "Failed to boostrap SSSD 'monitor' process.");
diff --git a/src/monitor/monitor_bootstrap.c b/src/monitor/monitor_bootstrap.c
index fa7866789b..4a83b9e38b 100644
--- a/src/monitor/monitor_bootstrap.c
+++ b/src/monitor/monitor_bootstrap.c
@@ -77,63 +77,41 @@ static int check_supplementary_group(gid_t gid)
}
#endif /* SSSD_NON_ROOT_USER */
-#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
-errno_t become_user(uid_t uid, gid_t gid, bool keep_set_uid);
-
-int bootstrap_monitor_process(uid_t target_uid, gid_t target_gid)
-#else
int bootstrap_monitor_process(void)
-#endif
{
#ifdef SSSD_NON_ROOT_USER
int ret;
gid_t sssd_gid = 0;
if (geteuid() == 0) {
-#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
- if (target_uid != 0) {
- /* Started under root but non-root 'sssd.conf::user' configured -
- * deprecated method.
- */
- sss_log(SSS_LOG_WARNING, "'sssd.conf::"CONFDB_MONITOR_USER_RUNAS"' "
- "option is deprecated. Run under '"SSSD_USER"' initially instead.");
- ret = become_user(target_uid, target_gid, false); /* drops all caps */
+ /* In case SSSD is built with non-root user support, but
+ * runs under 'root', a number of files are still sssd:sssd owned.
+ * Make sure all processes are added to 'sssd' supplementary
+ * group to avoid the need for CAP_DAC_OVERRIDE.
+ */
+ sss_sssd_user_uid_and_gid(NULL, &sssd_gid);
+ ret = check_supplementary_group(sssd_gid);
+ if (ret == -1) {
+ sss_log(SSS_LOG_ALERT, "Can't check own supplementary groups.");
+ return 1;
+ }
+ /* Expected outcome is 'ret == 1' since supplementary group should be set
+ by systemd service description. */
+ if (ret == 0) {
+ /* Probably non-systemd based system or service file was edited,
+ let's try to set group manually. */
+ sss_log(SSS_LOG_NOTICE,
+ "SSSD is built with support of 'run under non-root user' "
+ "feature but started under 'root'. Trying to add process "
+ "to SSSD supplementary group.");
+ ret = setgroups(1, &sssd_gid);
if (ret != 0) {
- sss_log(SSS_LOG_ALERT, "Failed to change uid:gid");
+ sss_log(SSS_LOG_CRIT,
+ "Failed to add process to the "SSSD_USER" supplementary group. "
+ "Either run under '"SSSD_USER"' or make sure that run-under-root "
+ "main SSSD process has CAP_SETGID.");
return 1;
}
- } else
-#endif /* BUILD_CONF_SERVICE_USER_SUPPORT */
- {
- /* In case SSSD is built with non-root user support, but
- * runs under 'root', a number of files are still sssd:sssd owned.
- * Make sure all processes are added to 'sssd' supplementary
- * group to avoid the need for CAP_DAC_OVERRIDE.
- */
- sss_sssd_user_uid_and_gid(NULL, &sssd_gid);
- ret = check_supplementary_group(sssd_gid);
- if (ret == -1) {
- sss_log(SSS_LOG_ALERT, "Can't check own supplementary groups.");
- return 1;
- }
- /* Expected outcome is 'ret == 1' since supplementary group should be set
- by systemd service description. */
- if (ret == 0) {
- /* Probably non-systemd based system or service file was edited,
- let's try to set group manually. */
- sss_log(SSS_LOG_NOTICE,
- "SSSD is built with support of 'run under non-root user' "
- "feature but started under 'root'. Trying to add process "
- "to SSSD supplementary group.");
- ret = setgroups(1, &sssd_gid);
- if (ret != 0) {
- sss_log(SSS_LOG_CRIT,
- "Failed to add process to the "SSSD_USER" supplementary group. "
- "Either run under '"SSSD_USER"' or make sure that run-under-root "
- "main SSSD process has CAP_SETGID.");
- return 1;
- }
- }
}
} else {
/* SSSD started under non 'root' initially - nothing to do */
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
index 79d9aa92b4..064fcfac13 100644
--- a/src/tests/cwrap/Makefile.am
+++ b/src/tests/cwrap/Makefile.am
@@ -104,7 +104,6 @@ if HAVE_CMOCKA
if HAVE_NSS_WRAPPER
if HAVE_UID_WRAPPER
check_PROGRAMS += \
- become_user-tests \
server-tests \
usertools-tests \
responder_common-tests \
@@ -115,19 +114,6 @@ endif # HAVE_CMOCKA
TESTS = $(check_PROGRAMS)
-become_user_tests_SOURCES = \
- test_become_user.c \
- $(NULL)
-become_user_tests_CFLAGS = \
- $(AM_CFLAGS) \
- $(NULL)
-become_user_tests_LDADD = \
- $(POPT_LIBS) \
- $(CMOCKA_LIBS) \
- $(abs_top_builddir)/libsss_debug.la \
- $(abs_top_builddir)/libsss_test_common.la \
- $(NULL)
-
server_tests_SOURCES = \
test_server.c \
../../../src/util/server.c \
diff --git a/src/tests/cwrap/test_become_user.c b/src/tests/cwrap/test_become_user.c
deleted file mode 100644
index 53dd582c41..0000000000
--- a/src/tests/cwrap/test_become_user.c
+++ /dev/null
@@ -1,109 +0,0 @@
-/*
- Authors:
- Jakub Hrozek
-
- Copyright (C) 2014 Red Hat
-
- SSSD tests: User switching
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see .
-*/
-
-/* Yes, a .c file. We need to call static functions during the test */
-#include "../../../src/monitor/become_user.c"
-
-#include
-#include "util/util.h"
-#include "tests/cmocka/common_mock.h"
-
-void test_become_user(void **state)
-{
- struct passwd *sssd;
- errno_t ret;
- pid_t pid, wpid;
- int status;
-
- /* Must root as root, real or fake */
- assert_int_equal(geteuid(), 0);
-
- sssd = getpwnam("sssd");
- assert_non_null(sssd);
-
- pid = fork();
- if (pid == 0) {
- /* Change the UID in a child */
- ret = become_user(sssd->pw_uid, sssd->pw_gid, false);
- assert_int_equal(ret, EOK);
-
- /* Make sure we have the requested UID and GID now and there
- * are no supplementary groups
- */
- assert_int_equal(geteuid(), sssd->pw_uid);
- assert_int_equal(getegid(), sssd->pw_gid);
- assert_int_equal(getuid(), sssd->pw_uid);
- assert_int_equal(getgid(), sssd->pw_gid);
-
- /* Another become_user is a no-op */
- ret = become_user(sssd->pw_uid, sssd->pw_gid, false);
- assert_int_equal(ret, EOK);
-
- assert_int_equal(getgroups(0, NULL), 0);
- exit(0);
- }
-
- assert_int_not_equal(pid, -1);
-
- wpid = waitpid(pid, &status, 0);
- assert_int_equal(wpid, pid);
- assert_true(WIFEXITED(status));
- assert_int_equal(WEXITSTATUS(status), 0);
-}
-
-int main(int argc, const char *argv[])
-{
- poptContext pc;
- int opt;
- struct poptOption long_options[] = {
- POPT_AUTOHELP
- SSSD_DEBUG_OPTS
- POPT_TABLEEND
- };
-
- const struct CMUnitTest tests[] = {
- cmocka_unit_test(test_become_user),
- };
-
- /* Set debug level to invalid value so we can decide if -d 0 was used. */
- debug_level = SSSDBG_INVALID;
-
- pc = poptGetContext(argv[0], argc, argv, long_options, 0);
- while((opt = poptGetNextOpt(pc)) != -1) {
- switch(opt) {
- default:
- fprintf(stderr, "\nInvalid option %s: %s\n\n",
- poptBadOption(pc, 0), poptStrerror(opt));
- poptPrintUsage(pc, stderr, 0);
- return 1;
- }
- }
- poptFreeContext(pc);
-
- DEBUG_CLI_INIT(debug_level);
-
- /* Even though normally the tests should clean up after themselves
- * they might not after a failed run. Remove the old DB to be sure */
- tests_set_cwd();
-
- return cmocka_run_group_tests(tests, NULL, NULL);
-}