

(SIMP-10414) Fix sssd-sudo service permissions (#110)
- Add an override for sssd-sudo.service to start it as root:root. This aligns
  with how sssd itself would start the service and the daemon cannot access
  /var/lib/sss/db/config.ldb otherwise.
- Ensure sssd_sudo log file is created

SIMP-10414 #close
trevor-vaughan authored Aug 18, 2021
1 parent 19bd5c6 commit bd52ce4
Showing 8 changed files with 75 additions and 14 deletions.
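--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,8 @@
+* Thu Aug 05 2021 Trevor Vaughan <[email protected]> - 7.1.1
+- Add an override for sssd-sudo.service to start it as root:root. This aligns
+with how sssd itself would start the service and the daemon cannot access
+/var/lib/sss/db/config.ldb otherwise.
+
 * Thu Jun 17 2021 Chris Tessmer <[email protected]> - 7.1.0
 - Removed support for Puppet 5
 - Ensured support for Puppet 7 in requirements and stdlib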
4 changes: 2 additions & 2 deletions REFERENCE.md
Expand Up @@ -145,11 +145,11 @@ Default value: ``undef``

##### <a name="enable_files_domain"></a>`enable_files_domain`

Data type: `Optional[Boolean]`
Data type: `Boolean`



Default value: ``undef``
Default value: ``true``

##### <a name="config_file_version"></a>`config_file_version`

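--- a/manifests/service/sudo.pp
+++ b/manifests/service/sudo.pp
@@ -45,9 +45,29 @@
 content => $_content
 }
 
+$_override_content = @(END)
+# This is required due to the permissions on /var/lib/sss/db/config.ldb
+# This may be a regression in sssd
+[Service]
+ExecStartPre=-/bin/touch /var/log/sssd/sssd_sudo.log
+ExecStartPre=-/bin/chown sssd:sssd /var/log/sssd/sssd_sudo.log
+User=root
+Group=root
+| END
+
+systemd::dropin_file { '00_sssd_sudo_user_group.conf':
+unit => 'sssd-sudo.service',
+content => $_override_content,
+daemon_reload => 'eager',
+selinux_ignore_defaults => true
+}
+
 service { 'sssd-sudo.socket':
 enable => true,
-require => Sssd::Config::Entry['puppet_service_sudo'],
+require => [
+Sssd::Config::Entry['puppet_service_sudo'],
+Systemd::Dropin_file['00_sssd_sudo_user_group.conf']
+],
 notify => Class["${module_name}::service"]
 }
 }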
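Review bot: The drop-in built in the `$_override_content` heredoc moves the sssd-sudo responder from its own service account to `User=root`/`Group=root`, which widens what a compromised responder can do, and the only rationale recorded is the two comment lines inside the unit; the manifest header should state that this is a workaround for the `/var/lib/sss/db/config.ldb` ownership problem and carry the upstream or tracking reference (placeholder: `<sssd issue id>`) so the override can be dropped once the underlying permission issue is fixed. Both `ExecStartPre` commands now run as root and follow symlinks, so if `/var/log/sssd` is writable by the sssd account on the targeted platforms (confirm) a symlink planted at `sssd_sudo.log` would have its target chowned by root; `ExecStartPre=-/bin/chown -h sssd:sssd /var/log/sssd/sssd_sudo.log` avoids dereferencing for the chown, and the directory's ownership and mode remain the real control for the touch. The enclosing class and the `$_content` assignment start outside the hunk.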
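--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
 "name": "simp-sssd",
-"version": "7.1.0",
+"version": "7.1.1",
 "author": "SIMP Team",
 "summary": "Manages SSSD",
 "license": "Apache-2.0",
@@ -12,6 +12,10 @@
 "sssd"
 ],
 "dependencies": [
+{
+"name": "camptocamp/systemd",
+"version_requirement": ">= 2.2.0 < 3.0.0"
+},
 {
 "name": "puppetlabs/stdlib",
 "version_requirement": ">= 6.6.0 < 8.0.0"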
19 changes: 15 additions & 4 deletions spec/acceptance/suites/ds389/10_setup_clients_spec.rb
Expand Up @@ -43,9 +43,10 @@
}
class { 'nsswitch':
passwd => ['sss', 'files'],
group => ['sss', 'files'],
shadow => ['sss', 'files'],
passwd => ['sss', 'files'],
group => ['sss', 'files'],
shadow => ['sss', 'files'],
sudoers => ['files', 'sss']
}
EOS
}
Expand Down Expand Up @@ -84,8 +85,18 @@ class { 'nsswitch':
expect(id.stdout).to match(/#{user}/)
end
end
end

it 'should run sssd-sudo after querying for sudo rules' do
on(client, 'sudo -l')
response = YAML.safe_load(on(client, %(puppet resource service sssd-sudo --to_yaml)).stdout)
expect(response['service']['sssd-sudo']['ensure']).to eq('running')
end

it 'should have a sssd_sudo.log file after querying for sudo rules' do
response = YAML.safe_load(on(client, %(puppet resource file /var/log/sssd/sssd_sudo.log --to_yaml)).stdout)
expect(response['file']['/var/log/sssd/sssd_sudo.log']['ensure']).to eq('file')
end
end
end
end
end
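Review bot: The new `it 'should run sssd-sudo after querying for sudo rules'` example asserts only that the service is `running`, not that it now runs as root, which is the behaviour this commit changes; a dropped or ignored override would still pass. An additional check along the lines of `expect(on(client, 'ps -o user= -C sssd_sudo').stdout.strip).to eq('root')` (the responder process name, judging by the log file name, is presumably `sssd_sudo` — confirm on the test boxes) would pin the fix. The `context`/`describe` block enclosing this hunk starts outside it.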
8 changes: 5 additions & 3 deletions spec/acceptance/suites/ds389/nodesets/default.yml
Expand Up @@ -6,21 +6,23 @@
end
-%>
HOSTS:
ldapserver:
ldapserver.beaker:
roles:
- ldap
- default
platform: el-8-x86_64
box: generic/centos8
hypervisor: <%= hypervisor %>
centos8:

centos8.beaker:
roles:
- client
- sssdv2
platform: el-8-x86_64
box: generic/centos8
hypervisor: <%= hypervisor %>
centos7:

centos7.beaker:
roles:
- client
- sssdv1
8 changes: 5 additions & 3 deletions spec/acceptance/suites/ds389/nodesets/oel.yml
Expand Up @@ -6,20 +6,22 @@
end
-%>
HOSTS:
ldapserver:
ldapserver.beaker:
roles:
- ldap
platform: el-8-x86_64
box: generic/oracle8
hypervisor: <%= hypervisor %>
oel8:

oel8.beaker:
roles:
- default
- client
platform: el-8-x86_64
box: generic/oracle8
hypervisor: <%= hypervisor %>
oel7:

oel7.beaker:
roles:
- client
platform: el-7-x86_64
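--- a/spec/classes/service/sudo_spec.rb
+++ b/spec/classes/service/sudo_spec.rb
@@ -8,6 +8,23 @@
 
 it { is_expected.to compile.with_all_deps }
 it { is_expected.to create_sssd__config__entry('puppet_service_sudo').without_content(%r(=\s*$)) }
+it {
+is_expected.to create_systemd__dropin_file('00_sssd_sudo_user_group.conf')
+.with_unit('sssd-sudo.service')
+.with_content(%r(ExecStartPre=-/bin/touch /var/log/sssd/sssd_sudo.log))
+.with_content(%r(ExecStartPre=-/bin/chown sssd:sssd /var/log/sssd/sssd_sudo.log))
+.with_content(/User=root/)
+.with_content(/Group=root/)
+.with_daemon_reload('eager')
+.with_selinux_ignore_defaults(true)
+}
+it {
+is_expected.to create_service('sssd-sudo.socket')
+.with_enable(true)
+.that_requires('Sssd::Config::Entry[puppet_service_sudo]')
+.that_requires('Systemd::Dropin_file[00_sssd_sudo_user_group.conf]')
+.that_notifies('Class[sssd::service]')
+}
 end
 end
 end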
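Review bot: The `.with_content(/User=root/)` and `.with_content(/Group=root/)` matchers in the new dropin_file example are unanchored, so a commented-out `# User=root` line or a longer value such as `User=rootless` would still satisfy them, and the two `ExecStartPre` regexes likewise match anywhere in the drop-in. Anchoring them per line, `.with_content(%r{^User=root$})` and `.with_content(%r{^Group=root$})`, pins the exact directive the override is meant to set, which is the security-relevant part of this change. The enclosing `describe` block starts outside the hunk.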

