On (05/04/13 09:27), Simo Sorce wrote: >On Fri, 2013-04-05 at 15:02 +0200, Lukas Slebodnik wrote: >> On (05/04/13 08:47), Simo Sorce wrote: >> >On Fri, 2013-04-05 at 12:26 +0200, Lukas Slebodnik wrote: >> >> On (04/04/13 12:24), Simo Sorce wrote: >> >> >Commit should say it all. >> >> >We do not have any security issue (that I know off) with the current >> >> >code, but I want to tighten up the privileges more given we do not need >> >> >the additional capabilities in the krb5_child anyway. >> >> > >> >> >Simo. >> >> > >> >> >-- >> >> >Simo Sorce * Red Hat, Inc * New York >> >> Nack >> >> >> >> Patch make impossible user authentication. >> >> >> >> sh-4.2$ su - usersssd02 >> >> Password: >> >> su: incorrect password >> >> >> >> >> >> From krb5_child.log: >> >> [become_user] (0x0200): Trying to become user [325600012][325600012]. >> >> [create_ccache_in_dir] (0x0200): Creating ccache at >> >> [DIR:/run/user/325600012/krb5cc] >> >> [become_user] (0x0200): Trying to become user [325600012][325600012]. >> >> [become_user] (0x0020): setgroups failed [1][Operation not permitted]. >> >> ^^^^^ >> >> The second call of function become_user fail with EPERM >> >> >> >> [create_ccache_in_dir] (0x0020): become_user failed. >> >> [get_and_save_tgt] (0x0020): 1140: [1][Operation not permitted] >> >> [map_krb5_error] (0x0020): 1160: [1][Operation not permitted] >> >> >> >> > errno_t become_user(uid_t uid, gid_t gid) >> >> > { >> >> > int ret; >> >> > >> >> > DEBUG(SSSDBG_FUNC_DATA, ("Trying to become user [%d][%d].\n", uid, >> >> > gid)); >> >> >- ret = setgid(gid); >> >> >- if (ret == -1) { >> >> >- ret = errno; >> >> >- DEBUG(SSSDBG_CRIT_FAILURE, >> >> >- ("setgid failed [%d][%s].\n", ret, strerror(ret))); >> >> >- return ret; >> >> >- } >> >> > >> >> >- ret = setuid(uid); >> >> >+ /* drop supplmentary groups first */ >> >> >+ ret = setgroups(0, NULL); >> >> > if (ret == -1) { >> >> > ret = errno; >> >> If errno is EPERM, than we should ignore this error and continue. 
>> >> >> >> > DEBUG(SSSDBG_CRIT_FAILURE, >> >> >- ("setuid failed [%d][%s].\n", ret, strerror(ret))); >> >> >+ ("setgroups failed [%d][%s].\n", ret, strerror(ret))); >> >> > return ret; >> >> > } >> >> > >> > >> >It is very odd that we get EPERM .. is this function beeing called >> >twice ? Once as root before the fork, and then again in the code ? >> > >> >Simo. >> >> Yes twice. >> >> 1st call: >> -------------------------------------------- >> #0 become_user (uid=325600012, gid=325600012) >> at src/providers/krb5/krb5_become_user.c:29 >> #1 0x00000000004101dd in get_and_save_tgt (kr=kr@entry=0x227f090, >> password=<optimized out>) at src/providers/krb5/krb5_child.c:1128 >> #2 0x0000000000407972 in tgt_req_child (kr=0x227f090) >> at src/providers/krb5/krb5_child.c:1337 >> #3 main (argc=<optimized out>, argv=<optimized out>) >> at src/providers/krb5/krb5_child.c:2126 >> >> >> 2nd call: >> -------------------------------------------- >> #0 become_user (uid=uid@entry=325600012, gid=gid@entry=325600012) >> at src/providers/krb5/krb5_become_user.c:29 >> #1 0x000000000040b569 in create_ccache_in_dir (uid=uid@entry=325600012, >> gid=gid@entry=325600012, ctx=ctx@entry=0x2280010, >> princ=princ@entry=0x2287760, >> ccname=ccname@entry=0x227f280 "DIR:/run/user/325600012/krb5cc", >> creds=creds@entry=0x22807a0) at src/providers/krb5/krb5_child.c:659 >> #2 0x000000000040eb7c in create_ccache (uid=325600012, gid=325600012, >> ctx=0x2280010, princ=0x2287760, >> ccname=0x227f280 "DIR:/run/user/325600012/krb5cc", creds=0x22807a0) >> at src/providers/krb5/krb5_child.c:732 >> #3 0x000000000041020a in get_and_save_tgt (kr=kr@entry=0x227f090, >> password=<optimized out>) at src/providers/krb5/krb5_child.c:1136 >> #4 0x0000000000407972 in tgt_req_child (kr=0x227f090) >> at src/providers/krb5/krb5_child.c:1337 >> #5 main (argc=<optimized out>, argv=<optimized out>) >> at src/providers/krb5/krb5_child.c:2126 > >Ok, attached augmented patch should handle this case too. 
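Review bot: the new `ret = setgroups(0, NULL);` with `return ret` on failure makes become_user() usable only while the process is still privileged, but the two backtraces above show it is called twice on the same path (get_and_save_tgt() at krb5_child.c:1128, then create_ccache_in_dir() at krb5_child.c:659 after the uid has already changed), which is exactly the "setgroups failed [1][Operation not permitted]" in krb5_child.log. Ignoring EPERM from setgroups(), as suggested, would also hide a real failure to drop supplementary groups; better to make the function idempotent by returning 0 when getuid()/getgid() already equal the requested uid/gid, or drop privileges once in the caller and have the second site only check the identity. The visible hunk also removes the setgid() block and the `ret = setuid(uid);` line without showing where gid and uid are set afterwards, so the rest of the patch should keep the order setgroups(), setgid(), setuid() with each return value checked; and the comment reads "supplmentary" for "supplementary".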
> >Thanks for testing.
> >
> >Simo.
> >
> >--
> >Simo Sorce * Red Hat, Inc * New York
Ack

LS

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
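An added example, not SSSD's own code, of a privilege-drop helper that survives the double call seen in the backtraces above without ignoring EPERM: it returns early when the process already runs as the requested user, and otherwise drops supplementary groups, gid and uid in that order and verifies the result. The function name become_user_once and the use of EACCES for a failed verification are this example's own choices.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* setgroups()/getgroups() prototypes in glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical replacement for a become_user()-style helper (not SSSD's).
 * Safe to call repeatedly: a second call from an already-unprivileged
 * process is a no-op instead of an EPERM from setgroups(). Returns 0 or an
 * errno value. */
int become_user_once(uid_t uid, gid_t gid)
{
    /* Already the target identity (real and effective): nothing to do. */
    if (getuid() == uid && geteuid() == uid &&
        getgid() == gid && getegid() == gid) {
        return 0;
    }
    /* Drop supplementary groups while we still have the privilege to. */
    if (setgroups(0, NULL) == -1) {
        return errno;
    }
    /* gid before uid: setuid() is the step that takes the privilege away. */
    if (setgid(gid) == -1) {
        return errno;
    }
    if (setuid(uid) == -1) {
        return errno;
    }
    /* Verify the drop happened and cannot be undone (saved uid also moved). */
    if (getgroups(0, NULL) != 0 || getuid() != uid || getgid() != gid) {
        return EACCES;
    }
    if (uid != 0 && setuid(0) != -1) {
        return EACCES;   /* regaining root was possible: not a real drop */
    }
    return 0;
}

int main(void)
{
    /* Calling with our own identity twice shows the idempotent path. */
    int ret = become_user_once(getuid(), getgid());
    printf("first call: %d (%s)\n", ret, strerror(ret));
    ret = become_user_once(getuid(), getgid());
    printf("second call: %d (%s)\n", ret, strerror(ret));
    return ret;
}
```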