author | Sumit Bose <sbose@redhat.com> | 2012-07-05 10:50:08 +0200 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2012-07-10 09:07:26 -0400 |
commit | 2d257ccf620ce1b611f89cec8f0a94c88c2f2881 (patch) | |
tree | 6e3c67e2922c366d3b60ae477d2e2dd8fbbd6763 /src/responder/pac | |
parent | a56156c13c71a96166b0a8f3921e67f36470f8d7 (diff) | |
pac responder: limit access by checking UIDs
A check for allowed UIDs is added in the common responder code directly
after accept(). If the platform does not support reading the UID of the
peer but allowed UIDs are configured, access is denied.
Currently only the PAC responder sets the allowed UIDs for a socket. The
default is that only root is allowed to access the socket of the PAC
responder.
Fixes: https://fedorahosted.org/sssd/ticket/1382
Diffstat (limited to 'src/responder/pac')
-rw-r--r-- | src/responder/pac/pacsrv.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/src/responder/pac/pacsrv.c b/src/responder/pac/pacsrv.c
index db6e6b49..348fc6f4 100644
--- a/src/responder/pac/pacsrv.c
+++ b/src/responder/pac/pacsrv.c
@@ -45,6 +45,7 @@
 #define SSS_PAC_PIPE_NAME "pac"
 #define DEFAULT_PAC_FD_LIMIT 8192
+#define DEFAULT_ALLOWED_UIDS "0"
 struct sbus_method monitor_pac_methods[] = {
 { MON_CLI_METHOD_PING, monitor_common_pong },
@@ -124,6 +125,7 @@ int pac_process_init(TALLOC_CTX *mem_ctx,
 int ret, max_retries;
 enum idmap_error_code err;
 int fd_limit;
+ char *uid_str;
 pac_ctx = talloc_zero(mem_ctx, struct pac_ctx);
 if (!pac_ctx) {
@@ -147,6 +149,23 @@ int pac_process_init(TALLOC_CTX *mem_ctx,
 }
 pac_ctx->rctx->pvt_ctx = pac_ctx;
+
+ ret = confdb_get_string(pac_ctx->rctx->cdb, pac_ctx->rctx,
+ CONFDB_PAC_CONF_ENTRY, CONFDB_SERVICE_ALLOWED_UIDS,
+ DEFAULT_ALLOWED_UIDS, &uid_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, ("Failed to get allowed UIDs.\n"));
+ return ret;
+ }
+
+ ret = csv_string_to_uid_array(pac_ctx->rctx, uid_str, true,
+ &pac_ctx->rctx->allowed_uids_count,
+ &pac_ctx->rctx->allowed_uids);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, ("Failed to set allowed UIDs.\n"));
+ return ret;
+ }
+
 /* Enable automatic reconnection to the Data Provider */
 ret = confdb_get_int(pac_ctx->rctx->cdb,
 CONFDB_PAC_CONF_ENTRY, |
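Review bot: An empty or all-blank `allowed_uids` value is not rejected after `csv_string_to_uid_array()` returns in the last hunk, so whether the socket stays restricted then depends on how the common responder code (not shown here) treats `allowed_uids_count == 0`; the commit message suggests responders with no configured UIDs are unrestricted, which would make this case fail open. Unless the parser is known to reject empty lists, consider failing startup explicitly, e.g. `if (pac_ctx->rctx->allowed_uids_count == 0) return EINVAL;` preceded by a `SSSDBG_FATAL_FAILURE` message. Separately, `uid_str` is allocated on `pac_ctx->rctx` and no release is visible in this hunk; a `talloc_free(uid_str);` after parsing would avoid keeping it for the responder's lifetime. Including the rejected string in the "Failed to set allowed UIDs" message would also help an administrator find a bad entry. `pac_process_init` starts before and continues past the hunk, so a later free or check may exist outside the visible lines.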