From ed90a20a0f0e936eb00d268080716c0384ffb01d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Jun 25 2018 07:18:24 +0000
Subject: SUDO: Create the socket with stricter permissions

This patch switches the sudo responder from being created as a public responder where the permissions are open and not checked by the sssd deaamon to a private socket. In this case, sssd creates the pipes with strict permissions (see the umask in the call to create_pipe_fd() in set_unix_socket()) and additionaly checks the permissions with every read via the tevent integrations (see accept_fd_handler()).

Resolves: https://pagure.io/SSSD/sssd/issue/3766 (CVE-2018-10852)

Reviewed-by: Sumit Bose
Reviewed-by: Pavel Březina
---
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
index ac42587..e87a244 100644
--- a/src/responder/sudo/sudosrv.c
+++ b/src/responder/sudo/sudosrv.c
@@ -79,7 +79,8 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
 sudo_cmds = get_sudo_cmds();
 ret = sss_process_init(mem_ctx, ev, cdb,
 sudo_cmds,
- SSS_SUDO_SOCKET_NAME, -1, NULL, -1,
+ NULL, -1, /* No public socket */
+ SSS_SUDO_SOCKET_NAME, -1, /* Private socket only */
 CONFDB_SUDO_CONF_ENTRY,
 SSS_SUDO_SBUS_SERVICE_NAME,
 SSS_SUDO_SBUS_SERVICE_VERSION,
diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
index c9abb87..96a8b03 100644
--- a/src/sysv/systemd/sssd-sudo.socket.in
+++ b/src/sysv/systemd/sssd-sudo.socket.in
@@ -11,6 +11,7 @@ ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
 ListenStream=@pipepath@/sudo
 SocketUser=@SSSD_USER@
 SocketGroup=@SSSD_USER@
+SocketMode=0600

 [Install]
 WantedBy=sssd.service
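Review bot: The two socket slots in the `sss_process_init()` call are told apart only by argument position and the trailing comments, so a later edit that swaps the name/fd pairs back would still compile and quietly return the sudo pipe to the public, unchecked path. The prototype is outside this hunk, so the slot order (apparently public name/fd, then private name/fd) cannot be confirmed from here. A why-comment above the call would make the intent durable, for example `/* sudo pipe must be private: strict mode at creation, permissions re-checked on accept (CVE-2018-10852) */`. A regression test asserting the owner and mode of the created pipe would catch a reversal that review misses. Both the call and `sudo_process_init()` continue past the end of the hunk.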
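Review bot: `SocketMode=0600` sits next to `SocketUser=@SSSD_USER@` and `SocketGroup=@SSSD_USER@`, so on builds where @SSSD_USER@ is not root the socket systemd creates is owned by the service account, and it is worth confirming that this owner is what the responder's private-pipe permission check accepts. The commit description says the daemon verifies permissions on the private socket, but that check is not visible in this diff; if it expects root ownership, socket-activated sudo lookups would presumably be refused. The new line also deserves a comment, since without it systemd falls back to a world-accessible default mode: `# Private pipe: owner-only access; must agree with the responder's private-socket checks`.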