Get rid of '--with-conf-service-user-support' ./configure option

Makefile.am

@@ -114,11 +114,6 @@ condconfigexists = ConditionPathExists=\|/etc/sssd/sssd.conf\nConditionDirectory
 #   - 'sssd_pam': read keytab in gss ops (dac_read_search)
 capabilities = CapabilityBoundingSet= CAP_SETGID CAP_SETUID CAP_DAC_READ_SEARCH
 
-if BUILD_CONF_SERVICE_USER_SUPPORT
-# If non-root service user is supported, monitor might need SET-ID to switch user (deprecated 'sssd.conf::user' option)
-capabilities += \n\# Comment this out if support of deprecated "sssd.conf::user" option is not required:\nAmbientCapabilities= CAP_SETGID CAP_SETUID
-endif # BUILD_CONF_SERVICE_USER_SUPPORT
-
 if SSSD_NON_ROOT_USER
 nss_service_user_group = User=$(SSSD_USER)\nGroup=$(SSSD_USER)
 nss_socket_user_group = SocketUser=$(SSSD_USER)\nSocketGroup=$(SSSD_USER)
@@ -1465,10 +1460,6 @@ sssd_SOURCES = \
     src/confdb/confdb_setup.c \
     $(NULL)
 
-if BUILD_CONF_SERVICE_USER_SUPPORT
-sssd_SOURCES += src/monitor/become_user.c
-endif # BUILD_CONF_SERVICE_USER_SUPPORT
-
 sssd_LDADD = \
     $(SSSD_LIBS) \
     $(INOTIFY_LIBS) \

configure.ac

@@ -182,7 +182,6 @@ WITH_SUDO_LIB_PATH
 WITH_AUTOFS
 WITH_EXTENDED_ENUMERATION_SUPPORT
 WITH_ALLOW_REMOTE_DOMAIN_LOCAL_GROUPS
-WITH_CONF_SERVICE_USER_SUPPORT
 WITH_SUBID
 WITH_SUBID_LIB_PATH
 WITH_PASSKEY

src/conf_macros.m4

@@ -807,25 +807,6 @@ AC_DEFUN([WITH_SSSD_USER],
     fi
   ])
 
-AC_DEFUN([WITH_CONF_SERVICE_USER_SUPPORT],
-  [ AC_ARG_WITH([conf-service-user-support],
-                [AC_HELP_STRING([--with-conf-service-user-support],
-                                [Whether to build support for sssd.conf::user option [no].
-                                 Requires "--with-sssd-user=..." to be used.
-                                 Please take a note that this feature is deprecated and
-                                 might be removed in further releases.]
-                               )
-                ],
-                [with_conf_service_user_support=$withval],
-                with_conf_service_user_support=no
-               )
-
-    if test x"$with_conf_service_user_support" = xyes; then
-        AC_DEFINE(BUILD_CONF_SERVICE_USER_SUPPORT, 1, [Whether to build support for sssd.conf::user option])
-    fi
-    AM_CONDITIONAL([BUILD_CONF_SERVICE_USER_SUPPORT], [test x"$with_conf_service_user_support" = xyes])
-  ])
-
   AC_DEFUN([WITH_AD_GPO_DEFAULT],
     [ AC_ARG_WITH([ad-gpo-default],
                   [AS_HELP_STRING([--with-ad-gpo-default=[enforcing|permissive]],

src/man/Makefile.am

@@ -60,9 +60,6 @@ AD_CONDS = ;with_allow_remote_domain_local_groups
 endif
 if SSSD_NON_ROOT_USER
 SSSD_NON_ROOT_USER_CONDS = ;with_non_root_user_support
-if BUILD_CONF_SERVICE_USER_SUPPORT
-SSSD_CONF_SERVICE_USER_CONDS = ;with_conf_service_user_support
-endif
 else
 SSSD_NON_ROOT_USER_CONDS = ;without_non_root_user_support
 endif
@@ -71,7 +68,7 @@ LIBNL_CONDS = ;have_libnl
 endif
 
 
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(SSH_KNOWN_HOSTS_PROXY_CONDS)$(PAC_RESPONDER_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(SSSD_CONF_SERVICE_USER_CONDS)$(ENUM_CONDS)$(LIBNL_CONDS)$(AD_CONDS)
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(SSH_KNOWN_HOSTS_PROXY_CONDS)$(PAC_RESPONDER_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(ENUM_CONDS)$(LIBNL_CONDS)$(AD_CONDS)
 
 
 #Special Rules:

src/man/sssd.conf.5.xml

@@ -384,37 +384,6 @@
                             </para>
                         </listitem>
                     </varlistentry>
-                    <varlistentry condition="with_conf_service_user_support">
-                        <term>user (string)</term>
-                        <listitem>
-                            <para>
-                                A legacy (deprecated) method to configure the user
-                                to drop the privileges to where appropriate to avoid
-                                running as the root user.
-                                The only supported value is '&sssd_user_name;'.
-                            </para>
-
-                            <para>
-                                This option is ignored if main SSSD process is started
-                                under non-root user initially (preferred method).
-                            </para>
-
-                            <para condition="have_systemd">
-                                This option doesn't apply to socket activated
-                                services, as in this case the user to run the processes
-                                is configured in systemd service files.
-
-                                Keep in mind that using different service users for
-                                different SSSD components in general isn't supported:
-                                everything should be configured to run either under
-                                '&sssd_user_name;' or 'root'.
-                            </para>
-
-                            <para>
-                                Default: not set, process will run as root
-                            </para>
-                        </listitem>
-                    </varlistentry>
                     <varlistentry>
                         <term>default_domain_suffix (string)</term>
                         <listitem>

src/monitor/monitor.c

@@ -117,12 +117,6 @@ struct mt_ctx {
 
     struct sbus_server *sbus_server;
     struct sbus_connection *sbus_conn;
-
-#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
-    /* User to switch to in run time */
-    uid_t uid;
-    gid_t gid;
-#endif
 };
 
 static int start_service(struct mt_svc *mt_svc);
@@ -703,63 +697,6 @@ static char *check_services(char **services)
     return NULL;
 }
 
-#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
-static int get_service_user(struct sss_ini *config, struct mt_ctx *ctx)
-{
-    errno_t ret = EOK;
-
-    ctx->uid = 0;
-    ctx->gid = 0;
-
-/* If SSSD wasn't built '--with-sssd-user=sssd' then 'sssd.conf::user'
- * option isn't supported completely (no man page entry).
- */
-#ifdef SSSD_NON_ROOT_USER
-    char *user_str = NULL;
-
-    ret = sss_ini_get_cfgobj(config, "sssd", CONFDB_MONITOR_USER_RUNAS);
-    if (ret != 0) {
-        ERROR("Config operation failed\n");
-        return ret;
-    }
-    if (sss_ini_check_config_obj(config) == EOK) {
-        user_str = sss_ini_get_string_config_value(config, NULL);
-    }
-
-    if (geteuid() != 0) {
-        if (user_str != NULL) {
-            sss_log(SSS_LOG_ALERT, "'"CONFDB_MONITOR_USER_RUNAS"' config option is "
-                    "ignored when SSSD is run under non-root user initially.");
-            ERROR("'"CONFDB_MONITOR_USER_RUNAS"' config option is "
-                  "ignored when SSSD is run under non-root user initially.\n");
-            free(user_str);
-        }
-        ctx->uid = geteuid();
-        ctx->gid = getegid();
-        return EOK;
-    }
-
-    if (user_str == NULL) {
-        /* defaults to 'root' */
-    } else if (strcmp(user_str, SSSD_USER) == 0) {
-        sss_sssd_user_uid_and_gid(&ctx->uid, &ctx->gid);
-        /* Deprecation warning is given in `bootstrap_monitor_process()` */
-    } else if (strcmp(user_str, "root") != 0) {
-        ERROR("Unsupported value '%s' of config option '%s'! Only 'root' or '"
-              SSSD_USER"' are supported.\n",
-              user_str, CONFDB_MONITOR_USER_RUNAS);
-        sss_log(SSS_LOG_CRIT, "Unsupported value of config option '%s'!",
-                CONFDB_MONITOR_USER_RUNAS);
-        ret = ERR_INVALID_CONFIG;
-    }
-
-    free(user_str);
-#endif /* SSSD_NON_ROOT_USER */
-
-    return ret;
-}
-#endif /* BUILD_CONF_SERVICE_USER_SUPPORT */
-
 static void get_debug_level(struct sss_ini *config)
 {
     int ret;
@@ -1774,11 +1711,7 @@ static void monitor_restart_service(struct mt_svc *svc)
     }
 }
 
-#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
-int bootstrap_monitor_process(uid_t target_uid, gid_t target_gid);
-#else
 int bootstrap_monitor_process(void);
-#endif
 
 void setup_keyring(void);
 
@@ -1938,17 +1871,7 @@ int main(int argc, const char *argv[])
         goto out;
     }
 
-#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
-    ret = get_service_user(config, monitor);
-    if (ret != EOK) {
-        ret = 4; /* Error message already logged */
-        goto out;
-    }
-
-    ret = bootstrap_monitor_process(monitor->uid, monitor->gid);
-#else
     ret = bootstrap_monitor_process();
-#endif
     if (ret != 0) {
         ERROR("Failed to boostrap SSSD 'monitor' process: %s", sss_strerror(ret));
         sss_log(SSS_LOG_ALERT, "Failed to boostrap SSSD 'monitor' process.");

src/monitor/monitor_bootstrap.c

@@ -77,63 +77,41 @@
 }
 #endif /* SSSD_NON_ROOT_USER */
 
-#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
-errno_t become_user(uid_t uid, gid_t gid, bool keep_set_uid);
-
-int bootstrap_monitor_process(uid_t target_uid, gid_t target_gid)
-#else
 int bootstrap_monitor_process(void)
-#endif
 {
 #ifdef SSSD_NON_ROOT_USER
     int ret;
     gid_t sssd_gid = 0;
 
     if (geteuid() == 0) {
-#ifdef BUILD_CONF_SERVICE_USER_SUPPORT
-        if (target_uid != 0) {
-            /* Started under root but non-root 'sssd.conf::user' configured -
-             * deprecated method.
-             */
-            sss_log(SSS_LOG_WARNING, "'sssd.conf::"CONFDB_MONITOR_USER_RUNAS"' "
-                    "option is deprecated. Run under '"SSSD_USER"' initially instead.");
-            ret = become_user(target_uid, target_gid, false); /* drops all caps */
+        /* In case SSSD is built with non-root user support, but
+         * runs under 'root', a number of files are still sssd:sssd owned.
+         * Make sure all processes are added to 'sssd' supplementary
+         * group to avoid the need for CAP_DAC_OVERRIDE.
+         */
+        sss_sssd_user_uid_and_gid(NULL, &sssd_gid);
+        ret = check_supplementary_group(sssd_gid);
+        if (ret == -1) {
+            sss_log(SSS_LOG_ALERT, "Can't check own supplementary groups.");
+            return 1;
+        }
+        /* Expected outcome is 'ret == 1' since supplementary group should be set
+           by systemd service description. */
+        if (ret == 0) {
+            /* Probably non-systemd based system or service file was edited,
+               let's try to set group manually. */
+            sss_log(SSS_LOG_NOTICE,
+                    "SSSD is built with support of 'run under non-root user' "
+                    "feature but started under 'root'. Trying to add process "
+                    "to SSSD supplementary group.");
+            ret = setgroups(1, &sssd_gid);
             if (ret != 0) {
-                sss_log(SSS_LOG_ALERT, "Failed to change uid:gid");
+                sss_log(SSS_LOG_CRIT,
+                        "Failed to add process to the "SSSD_USER" supplementary group. "
+                        "Either run under '"SSSD_USER"' or make sure that run-under-root "
+                        "main SSSD process has CAP_SETGID.");
                 return 1;
             }
-        } else
-#endif /* BUILD_CONF_SERVICE_USER_SUPPORT */
-        {
-            /* In case SSSD is built with non-root user support, but
-             * runs under 'root', a number of files are still sssd:sssd owned.
-             * Make sure all processes are added to 'sssd' supplementary
-             * group to avoid the need for CAP_DAC_OVERRIDE.
-             */
-            sss_sssd_user_uid_and_gid(NULL, &sssd_gid);
-            ret = check_supplementary_group(sssd_gid);
-            if (ret == -1) {
-                sss_log(SSS_LOG_ALERT, "Can't check own supplementary groups.");
-                return 1;
-            }
-            /* Expected outcome is 'ret == 1' since supplementary group should be set
-               by systemd service description. */
-            if (ret == 0) {
-                /* Probably non-systemd based system or service file was edited,
-                   let's try to set group manually. */
-                sss_log(SSS_LOG_NOTICE,
-                        "SSSD is built with support of 'run under non-root user' "
-                        "feature but started under 'root'. Trying to add process "
-                        "to SSSD supplementary group.");
-                ret = setgroups(1, &sssd_gid);
-                if (ret != 0) {
-                    sss_log(SSS_LOG_CRIT,
-                            "Failed to add process to the "SSSD_USER" supplementary group. "
-                            "Either run under '"SSSD_USER"' or make sure that run-under-root "
-                            "main SSSD process has CAP_SETGID.");
-                    return 1;
-                }
-            }
         }
     } else {
         /* SSSD started under non 'root' initially - nothing to do */