On Fri, 2013-04-05 at 12:26 +0200, Lukas Slebodnik wrote:
> On (04/04/13 12:24), Simo Sorce wrote:
> >Commit should say it all.
> >We do not have any security issue (that I know off) with the current
> >code, but I want to tighten up the privileges more given we do not need
> >the additional capabilities in the krb5_child anyway.
> >
> >Simo.
> >
> >-- 
> >Simo Sorce * Red Hat, Inc * New York
> Nack
> 
> The patch makes user authentication impossible.
> 
> sh-4.2$ su - usersssd02
> Password: 
> su: incorrect password
> 
> 
> From krb5_child.log:
> [become_user] (0x0200): Trying to become user [325600012][325600012].
> [create_ccache_in_dir] (0x0200): Creating ccache at 
> [DIR:/run/user/325600012/krb5cc]
> [become_user] (0x0200): Trying to become user [325600012][325600012].
> [become_user] (0x0020): setgroups failed [1][Operation not permitted].
>                                    ^^^^^
> The second call of the function become_user fails with EPERM.
> 
> [create_ccache_in_dir] (0x0020): become_user failed.
> [get_and_save_tgt] (0x0020): 1140: [1][Operation not permitted]
> [map_krb5_error] (0x0020): 1160: [1][Operation not permitted]
> 
> > errno_t become_user(uid_t uid, gid_t gid)
> > {
> >     int ret;
> > 
> >     DEBUG(SSSDBG_FUNC_DATA, ("Trying to become user [%d][%d].\n", uid, 
> > gid));
> >-    ret = setgid(gid);
> >-    if (ret == -1) {
> >-        ret = errno;
> >-        DEBUG(SSSDBG_CRIT_FAILURE,
> >-              ("setgid failed [%d][%s].\n", ret, strerror(ret)));
> >-        return ret;
> >-    }
> > 
> >-    ret = setuid(uid);
> >+    /* drop supplmentary groups first */
> >+    ret = setgroups(0, NULL);
> >     if (ret == -1) {
> >         ret = errno;
> If errno is EPERM, then we should ignore this error and continue.
> 
> >         DEBUG(SSSDBG_CRIT_FAILURE,
> >-              ("setuid failed [%d][%s].\n", ret, strerror(ret)));
> >+              ("setgroups failed [%d][%s].\n", ret, strerror(ret)));
> >         return ret;
> >     }
> > 
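Review bot: the new error path after setgroups(0, NULL) (the `return ret;` following the "setgroups failed" DEBUG) turns any second become_user() call into a hard failure once the process is no longer privileged, which is exactly what the krb5_child.log above shows: the second "Trying to become user" line is followed by "setgroups failed [1][Operation not permitted]". Rather than ignoring EPERM unconditionally (that would also mask a real failure to drop groups while still root), either make the call site run become_user() only once, while still root, or have the function return 0 early when getuid()/getgid() already equal the requested uid/gid. The quoted portion of the hunk ends before the replacement setgid()/setuid() calls that follow the removed ones, so the intended order (setgroups, then setgid, then setuid) cannot be confirmed from what is shown. Minor: the added comment reads "supplmentary"; it should be "supplementary".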

It is very odd that we get EPERM. Is this function being called
twice? Once as root before the fork, and then again in the code?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
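As an added illustration of the privilege-drop ordering and the double-call failure discussed above (this is example code written for this page, not sssd's become_user() and not from either poster): a helper that drops supplementary groups first while it still has CAP_SETGID, then the gid, then the uid, verifies the result, and treats a repeated call as a no-op only when the process is already the requested user. The `already_user()` helper, the `EACCES` return for a failed verification, and the stderr logging are assumptions of this example; sssd's own logging and error mapping differ.

```c
/* Example privilege-dropping helper (not sssd code). Assumes the caller
 * has already forked a child and that uid/gid come from a trusted lookup. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* exposes setgroups() in <grp.h> on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: 1 if real and effective uid/gid already match. */
static int already_user(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Drop to uid/gid. Order matters: supplementary groups first (setgroups()
 * needs CAP_SETGID, so it must run while still privileged), then the gid
 * (after setuid() an unprivileged process can no longer change its gid),
 * then the uid. A second call after privileges are gone is tolerated only
 * when the process is already the requested user; any other failure,
 * including EPERM from a genuinely privileged caller, is returned. */
int become_user(uid_t uid, gid_t gid)
{
    int ret;

    if (setgroups(0, NULL) == -1) {
        ret = errno;
        if (ret == EPERM && already_user(uid, gid)) {
            /* Privileges were dropped by an earlier call; nothing to do. */
            return 0;
        }
        fprintf(stderr, "setgroups failed [%d][%s]\n", ret, strerror(ret));
        return ret;
    }

    if (setgid(gid) == -1) {
        ret = errno;
        fprintf(stderr, "setgid failed [%d][%s]\n", ret, strerror(ret));
        return ret;
    }

    if (setuid(uid) == -1) {
        ret = errno;
        fprintf(stderr, "setuid failed [%d][%s]\n", ret, strerror(ret));
        return ret;
    }

    /* Verify the switch took effect for both real and effective ids. */
    if (!already_user(uid, gid)) {
        fprintf(stderr, "uid/gid mismatch after dropping privileges\n");
        return EACCES;
    }

    /* When the target is unprivileged, root must not be recoverable. */
    if (uid != 0 && setuid(0) != -1) {
        fprintf(stderr, "privileges could be regained after drop\n");
        return EACCES;
    }

    return 0;
}

int main(void)
{
    /* Drop to our own ids twice: the second call mirrors the double
     * become_user() invocation seen in the krb5_child.log and must succeed. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    int first = become_user(uid, gid);
    int second = become_user(uid, gid);
    printf("first call: %d, second call: %d\n", first, second);
    return (first == 0 && second == 0) ? 0 : 1;
}
```

Run it as root to see supplementary groups actually dropped (compare `id` before and after), or as an ordinary user to see the second-call path: setgroups() fails with EPERM, the process is already the requested user, and the call returns 0 instead of aborting the authentication.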

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
