On (04/04/13 12:24), Simo Sorce wrote:
>Commit should say it all.
>We do not have any security issue (that I know of) with the current
>code, but I want to tighten up the privileges more given we do not need
>the additional capabilities in the krb5_child anyway.
>
>Simo.
>
>--
>Simo Sorce * Red Hat, Inc * New York

Nack
The patch makes user authentication impossible.

sh-4.2$ su - usersssd02
Password:
su: incorrect password

From krb5_child.log:
[become_user] (0x0200): Trying to become user [325600012][325600012].
[create_ccache_in_dir] (0x0200): Creating ccache at [DIR:/run/user/325600012/krb5cc]
[become_user] (0x0200): Trying to become user [325600012][325600012].
[become_user] (0x0020): setgroups failed [1][Operation not permitted].
^^^^^
The second call of the function become_user fails with EPERM.
[create_ccache_in_dir] (0x0020): become_user failed.
[get_and_save_tgt] (0x0020): 1140: [1][Operation not permitted]
[map_krb5_error] (0x0020): 1160: [1][Operation not permitted]

> errno_t become_user(uid_t uid, gid_t gid)
> {
> int ret;
>
> DEBUG(SSSDBG_FUNC_DATA, ("Trying to become user [%d][%d].\n", uid, gid));
>- ret = setgid(gid);
>- if (ret == -1) {
>- ret = errno;
>- DEBUG(SSSDBG_CRIT_FAILURE,
>- ("setgid failed [%d][%s].\n", ret, strerror(ret)));
>- return ret;
>- }
>
>- ret = setuid(uid);
>+ /* drop supplmentary groups first */
>+ ret = setgroups(0, NULL);
> if (ret == -1) {
> ret = errno;

If errno is EPERM, then we should ignore this error and continue.

> DEBUG(SSSDBG_CRIT_FAILURE,
>- ("setuid failed [%d][%s].\n", ret, strerror(ret)));
>+ ("setgroups failed [%d][%s].\n", ret, strerror(ret)));
> return ret;
> }

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
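Review bot: the new `ret = setgroups(0, NULL);` call makes become_user a one-shot function: setgroups(2) requires CAP_SETGID, and once the first become_user has switched krb5_child to the unprivileged uid/gid (shedding exactly the capabilities the commit message says are not needed), the second call from create_ccache_in_dir shown in the log fails with EPERM and ccache creation aborts, which is the authentication failure reported above. Ignoring EPERM unconditionally, as suggested in the reply, would also mask a genuine failure to drop supplementary groups while the process is still privileged; a safer fix is to make become_user idempotent, returning 0 early when `getuid() == uid && getgid() == gid`, or to tolerate EPERM from setgroups only when the effective uid already equals the target uid. Also fix the typo in the added comment: `/* drop supplmentary groups first */` should read "supplementary".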