Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Tue, Nov 18, 2014 at 05:43:40PM +0100, Sumit Bose wrote: > On Tue, Nov 18, 2014 at 02:56:35PM +0100, Jakub Hrozek wrote: > > On Mon, Nov 17, 2014 at 06:35:57PM +0100, Sumit Bose wrote: > > > On Fri, Nov 14, 2014 at 01:52:20PM +0100, Jakub Hrozek wrote: > > > > On Thu, Nov 13, 2014 at 07:30:41PM

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Tue, Nov 18, 2014 at 02:56:35PM +0100, Jakub Hrozek wrote: > On Mon, Nov 17, 2014 at 06:35:57PM +0100, Sumit Bose wrote: > > On Fri, Nov 14, 2014 at 01:52:20PM +0100, Jakub Hrozek wrote: > > > On Thu, Nov 13, 2014 at 07:30:41PM +0100, Jakub Hrozek wrote: > > > > On Wed, Nov 12, 2014 at 05:08:09P

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Mon, Nov 17, 2014 at 08:45:26PM +0100, Sumit Bose wrote: > On Mon, Nov 17, 2014 at 06:35:57PM +0100, Sumit Bose wrote: > > On Fri, Nov 14, 2014 at 01:52:20PM +0100, Jakub Hrozek wrote: > > > On Thu, Nov 13, 2014 at 07:30:41PM +0100, Jakub Hrozek wrote: > > > > On Wed, Nov 12, 2014 at 05:08:09PM

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Mon, Nov 17, 2014 at 06:35:57PM +0100, Sumit Bose wrote: > On Fri, Nov 14, 2014 at 01:52:20PM +0100, Jakub Hrozek wrote: > > On Thu, Nov 13, 2014 at 07:30:41PM +0100, Jakub Hrozek wrote: > > > On Wed, Nov 12, 2014 at 05:08:09PM +0100, Lukas Slebodnik wrote: > > > > > ... > > > > Thank you, se

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Mon, Nov 17, 2014 at 06:35:57PM +0100, Sumit Bose wrote: > On Fri, Nov 14, 2014 at 01:52:20PM +0100, Jakub Hrozek wrote: > > On Thu, Nov 13, 2014 at 07:30:41PM +0100, Jakub Hrozek wrote: > > > On Wed, Nov 12, 2014 at 05:08:09PM +0100, Lukas Slebodnik wrote: > > > > > ... > > > > Thank you, se

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Fri, Nov 14, 2014 at 01:52:20PM +0100, Jakub Hrozek wrote: > On Thu, Nov 13, 2014 at 07:30:41PM +0100, Jakub Hrozek wrote: > > On Wed, Nov 12, 2014 at 05:08:09PM +0100, Lukas Slebodnik wrote: > > ... > > Thank you, see the attached patches. > > I forgot to remove the extra find_uid.c from Ma

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On (14/11/14 13:52), Jakub Hrozek wrote: >On Thu, Nov 13, 2014 at 07:30:41PM +0100, Jakub Hrozek wrote: >> On Wed, Nov 12, 2014 at 05:08:09PM +0100, Lukas Slebodnik wrote: >> > On (12/11/14 15:44), Jakub Hrozek wrote: >> > >On Wed, Nov 12, 2014 at 01:45:26PM +0100, Lukas Slebodnik wrote: >> > >> On

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Thu, Nov 13, 2014 at 07:30:41PM +0100, Jakub Hrozek wrote: > On Wed, Nov 12, 2014 at 05:08:09PM +0100, Lukas Slebodnik wrote: > > On (12/11/14 15:44), Jakub Hrozek wrote: > > >On Wed, Nov 12, 2014 at 01:45:26PM +0100, Lukas Slebodnik wrote: > > >> On (11/11/14 22:37), Jakub Hrozek wrote: > > >>

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Wed, Nov 12, 2014 at 05:08:09PM +0100, Lukas Slebodnik wrote: > On (12/11/14 15:44), Jakub Hrozek wrote: > >On Wed, Nov 12, 2014 at 01:45:26PM +0100, Lukas Slebodnik wrote: > >> On (11/11/14 22:37), Jakub Hrozek wrote: > >> >On Tue, Nov 11, 2014 at 09:11:45PM +0100, Jakub Hrozek wrote: > >> >> O

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On (12/11/14 15:44), Jakub Hrozek wrote: >On Wed, Nov 12, 2014 at 01:45:26PM +0100, Lukas Slebodnik wrote: >> On (11/11/14 22:37), Jakub Hrozek wrote: >> >On Tue, Nov 11, 2014 at 09:11:45PM +0100, Jakub Hrozek wrote: >> >> On Tue, Nov 11, 2014 at 06:23:24PM +0100, Lukas Slebodnik wrote: >> >> > On

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Wed, Nov 12, 2014 at 01:45:26PM +0100, Lukas Slebodnik wrote: > On (11/11/14 22:37), Jakub Hrozek wrote: > >On Tue, Nov 11, 2014 at 09:11:45PM +0100, Jakub Hrozek wrote: > >> On Tue, Nov 11, 2014 at 06:23:24PM +0100, Lukas Slebodnik wrote: > >> > On (11/11/14 13:45), Jakub Hrozek wrote: > >> > >

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On (11/11/14 22:37), Jakub Hrozek wrote: >On Tue, Nov 11, 2014 at 09:11:45PM +0100, Jakub Hrozek wrote: >> On Tue, Nov 11, 2014 at 06:23:24PM +0100, Lukas Slebodnik wrote: >> > On (11/11/14 13:45), Jakub Hrozek wrote: >> > >On Tue, Nov 11, 2014 at 11:15:30AM +0100, Jakub Hrozek wrote: >> > >> Can y

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Tue, Nov 11, 2014 at 09:11:45PM +0100, Jakub Hrozek wrote: > On Tue, Nov 11, 2014 at 06:23:24PM +0100, Lukas Slebodnik wrote: > > On (11/11/14 13:45), Jakub Hrozek wrote: > > >On Tue, Nov 11, 2014 at 11:15:30AM +0100, Jakub Hrozek wrote: > > >> Can you give me access to a host that reproduces th

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Tue, Nov 11, 2014 at 06:23:24PM +0100, Lukas Slebodnik wrote: > On (11/11/14 13:45), Jakub Hrozek wrote: > >On Tue, Nov 11, 2014 at 11:15:30AM +0100, Jakub Hrozek wrote: > >> Can you give me access to a host that reproduces this crash? ccname > >> should never be NULL with the new patches ... >

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On (11/11/14 13:45), Jakub Hrozek wrote: >On Tue, Nov 11, 2014 at 11:15:30AM +0100, Jakub Hrozek wrote: >> Can you give me access to a host that reproduces this crash? ccname >> should never be NULL with the new patches ... > >..except on access_provider=krb5... > >Thanks for catching that, new pat

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Tue, Nov 11, 2014 at 11:15:30AM +0100, Jakub Hrozek wrote: > Can you give me access to a host that reproduces this crash? ccname > should never be NULL with the new patches ... ..except on access_provider=krb5... Thanks for catching that, new patches are attached. >From dac56b92917b36a1f160286

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Tue, Nov 11, 2014 at 09:39:40AM +0100, Lukas Slebodnik wrote: > On (11/11/14 09:09), Lukas Slebodnik wrote: > >On (10/11/14 17:12), Jakub Hrozek wrote: > >>On Thu, Nov 06, 2014 at 10:21:17AM -0500, Simo Sorce wrote: > >>> On Wed, 5 Nov 2014 18:36:06 +0100 > >>> Jakub Hrozek wrote: > >>> > >>>

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On (11/11/14 09:09), Lukas Slebodnik wrote: >On (10/11/14 17:12), Jakub Hrozek wrote: >>On Thu, Nov 06, 2014 at 10:21:17AM -0500, Simo Sorce wrote: >>> On Wed, 5 Nov 2014 18:36:06 +0100 >>> Jakub Hrozek wrote: >>> >>> > From 1afae1740eb9bf232c33dba77f643f88d0eeb7a3 Mon Sep 17 00:00:00 2001 >>> >

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On (10/11/14 17:12), Jakub Hrozek wrote: >On Thu, Nov 06, 2014 at 10:21:17AM -0500, Simo Sorce wrote: >> On Wed, 5 Nov 2014 18:36:06 +0100 >> Jakub Hrozek wrote: >> >> > From 1afae1740eb9bf232c33dba77f643f88d0eeb7a3 Mon Sep 17 00:00:00 2001 >> > From: Jakub Hrozek >> > Date: Sat, 18 Oct 2014 22:

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Mon, Nov 10, 2014 at 11:50:11AM -0500, Simo Sorce wrote: > On Mon, 10 Nov 2014 17:44:48 +0100 > Jakub Hrozek wrote: > > > On Mon, Nov 10, 2014 at 11:37:41AM -0500, Simo Sorce wrote: > > > On Mon, 10 Nov 2014 17:12:55 +0100 > > > Jakub Hrozek wrote: > > > > > > > On Thu, Nov 06, 2014 at 10:21

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Mon, 10 Nov 2014 17:44:48 +0100 Jakub Hrozek wrote: > On Mon, Nov 10, 2014 at 11:37:41AM -0500, Simo Sorce wrote: > > On Mon, 10 Nov 2014 17:12:55 +0100 > > Jakub Hrozek wrote: > > > > > On Thu, Nov 06, 2014 at 10:21:17AM -0500, Simo Sorce wrote: > > > > On Wed, 5 Nov 2014 18:36:06 +0100 > >

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Mon, Nov 10, 2014 at 11:37:41AM -0500, Simo Sorce wrote: > On Mon, 10 Nov 2014 17:12:55 +0100 > Jakub Hrozek wrote: > > > On Thu, Nov 06, 2014 at 10:21:17AM -0500, Simo Sorce wrote: > > > On Wed, 5 Nov 2014 18:36:06 +0100 > > > Jakub Hrozek wrote: > > > > > > > From 1afae1740eb9bf232c33dba77

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Mon, 10 Nov 2014 17:12:55 +0100 Jakub Hrozek wrote: > On Thu, Nov 06, 2014 at 10:21:17AM -0500, Simo Sorce wrote: > > On Wed, 5 Nov 2014 18:36:06 +0100 > > Jakub Hrozek wrote: > > > > > From 1afae1740eb9bf232c33dba77f643f88d0eeb7a3 Mon Sep 17 00:00:00 > > > 2001 From: Jakub Hrozek > > > Dat

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Thu, Nov 06, 2014 at 10:21:17AM -0500, Simo Sorce wrote: > On Wed, 5 Nov 2014 18:36:06 +0100 > Jakub Hrozek wrote: > > > From 1afae1740eb9bf232c33dba77f643f88d0eeb7a3 Mon Sep 17 00:00:00 2001 > > From: Jakub Hrozek > > Date: Sat, 18 Oct 2014 22:03:13 +0200 > > Subject: [PATCH 5/6] KRB5: Move

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Thu, Nov 06, 2014 at 09:56:13AM -0500, Simo Sorce wrote: > Comments inline. > (I'll send multiple emails per patch, where necessary) Thanks for the review and sorry about the delay, some other work came up... > > On Wed, 5 Nov 2014 18:36:06 +0100 > Jakub Hrozek wrote: > > > From c9d48463800

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Wed, 5 Nov 2014 22:34:50 +0100 Jakub Hrozek wrote: > On Wed, Nov 05, 2014 at 06:36:06PM +0100, Jakub Hrozek wrote: > > On Fri, Oct 31, 2014 at 06:00:59PM +0100, Jakub Hrozek wrote: > > > On Tue, Oct 28, 2014 at 03:13:37AM +0100, Jakub Hrozek wrote: > > > > Hi, > > > > > > > > attached are pat

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Wed, 5 Nov 2014 18:36:06 +0100 Jakub Hrozek wrote: > From 1afae1740eb9bf232c33dba77f643f88d0eeb7a3 Mon Sep 17 00:00:00 2001 > From: Jakub Hrozek > Date: Sat, 18 Oct 2014 22:03:13 +0200 > Subject: [PATCH 5/6] KRB5: Move all ccache operations to krb5_child.c > > The credential cache operations

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

Comments inline. (I'll send multiple emails per patch, where necessary) On Wed, 5 Nov 2014 18:36:06 +0100 Jakub Hrozek wrote: > From c9d484638009371cff3b1213b5640a7827b9e1ba Mon Sep 17 00:00:00 2001 > From: Jakub Hrozek > Date: Mon, 13 Oct 2014 21:13:38 +0200 > Subject: [PATCH 2/6] KRB5: Drop p

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Wed, Nov 05, 2014 at 06:36:06PM +0100, Jakub Hrozek wrote: > On Fri, Oct 31, 2014 at 06:00:59PM +0100, Jakub Hrozek wrote: > > On Tue, Oct 28, 2014 at 03:13:37AM +0100, Jakub Hrozek wrote: > > > Hi, > > > > > > attached are patches that apply on top of my previous ldap_child and > > > selinux_c

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Fri, Oct 31, 2014 at 06:00:59PM +0100, Jakub Hrozek wrote: > On Tue, Oct 28, 2014 at 03:13:37AM +0100, Jakub Hrozek wrote: > > Hi, > > > > attached are patches that apply on top of my previous ldap_child and > > selinux_child patches. The complete branch (including tests I'm still > > working o

Re: [SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

On Tue, Oct 28, 2014 at 03:13:37AM +0100, Jakub Hrozek wrote: > Hi, > > attached are patches that apply on top of my previous ldap_child and > selinux_child patches. The complete branch (including tests I'm still > working on) can be inspected here: > https://fedorapeople.org/cgit/jhrozek/publ

[SSSD] [PATCH] Move ccache operations to krb5_child, allow the krb5_auth code to run unprivileged

Hi, attached are patches that apply on top of my previous ldap_child and selinux_child patches. The complete branch (including tests I'm still working on) can be inspected here: https://fedorapeople.org/cgit/jhrozek/public_git/sssd.git/log/?h=nonroot Simo, Sumit, I added you to CC directly, b