On (10/11/14 17:12), Jakub Hrozek wrote:
>On Thu, Nov 06, 2014 at 10:21:17AM -0500, Simo Sorce wrote:
>> On Wed, 5 Nov 2014 18:36:06 +0100
>> Jakub Hrozek <jhro...@redhat.com> wrote:
>>
>> > From 1afae1740eb9bf232c33dba77f643f88d0eeb7a3 Mon Sep 17 00:00:00 2001
>> > From: Jakub Hrozek <jhro...@redhat.com>
>> > Date: Sat, 18 Oct 2014 22:03:13 +0200
>> > Subject: [PATCH 5/6] KRB5: Move all ccache operations to krb5_child.c
>> >
>> > The credential cache operations must be now performed by the
>> > krb5_child completely, because the sssd_be process might be running
>> > as the sssd user who doesn't have access to the ccaches.
>> >
>> > src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5
>> > until we fix Kerberos ticket renewal as non-root.
>> >
>> > Also includes a new error code that indicates that the back end should
>> > remove the old ccache attribute -- the child can't do that if it's
>> > running as the user.
>>
>> I think I see an ordering issue but I am not completely sure
>> (unfortunately I am looking only at the patches because git am fails to
>> bring them on a copy of the master tree).
>
>The patches depended on the SELinux changes that were since merged to
>master. The attached patchset should apply on master cleanly.
>
>>
>> The main reason ccache handling was done in 2 parts is that in some
>> cases we need to do some preparatory work as root.
>> For example creating a user directory for DIR: ccache and similar.
>> I think this patches moves things around and causes all these functions
>> to be run after krb5_child has already dropped root in
>> k5c_setup() though. If that's the case as it looks to me I think this
>> patchset will not work as well as it should.
>
>You're right, I admit I tested on RHEL and Fedora where we only use
>KEYRING: and FILE:/tmp/ where I didn't hit this issue. I was also
>confused by our removal of creating public ccache dir components -- now
>I realize we can still create user-owned directories under root-writably
>directories and DIR:/run/user/$UID is exactly this case.
>
>This means we need to examine the ccache as root in order to determine
>whether to re-create it...with the attached patches the DIR cache seems
>to work fine.
>
>>
>> I also see that you added ERR_CREDS_EXPIRED_CCACHE to delete the ccache
>> once the reply is returned to the backend. But I am afraid deleting a
>> ccache may also require root privs as the ccache is owned by the user
>> but the sssd backend is running as the sssd user. Or am I missing
>> another change that addresses this ?
>>
>> Also ERR_CREDS_EXPIRED_CCACHE seem not performing the same checks as
>> ERR_CREDS_EXPIRED, why (and why does it need to be different) ?
>
>No, the ERR_CREDS_EXPIRED_CCACHE semantics is different. The krb5_child
>is able to remove the old ccache from disk or from the kernel keyring,
>but in case the child dropped privileges to the user who is logging in,
>it cannot delete the ccache attribute from sysdb..so
>ERR_CREDS_EXPIRED_CCACHE is a way of telling sssd_be to remove this
>attribute istead.
>
>Thank you for the review. New patches are attached (and I just realized
>I didn't CC you in my reply to your other mail; sorry)
>From 7addb7d573a2ef06f60e0c026f4bd01423d073ea Mon Sep 17 00:00:00 2001
>From: Jakub Hrozek <jhro...@redhat.com>
>Date: Fri, 24 Oct 2014 22:44:17 +0200
>Subject: [PATCH 1/6] BUILD: Install krb5_child as suid if running under
> non-privileged user
>
>If sssd_be is running unprivileged, then krb5_child must be setuid to be
>able to access the keytab and become arbitrary user.
>---
There is a crash in krb_child with refactoring patches.
#0 sss_krb5_precreate_ccache (ccname=0x0, uid=2003, gid=2003) at
src/providers/krb5/krb5_ccache.c:222
222 if (ccname[0] == '/') {
(gdb) p ccname
$1 = 0x0
(gdb) bt full
#0 sss_krb5_precreate_ccache (ccname=0x0, uid=2003, gid=2003) at
src/providers/krb5/krb5_ccache.c:222
tmp_ctx = 0x0
filename = <value optimized out>
ccdirname = <value optimized out>
end = <value optimized out>
ret = <value optimized out>
__FUNCTION__ = "sss_krb5_precreate_ccache"
#1 0x0000000000405adc in k5c_precreate_ccache (kr=0x785450, offline=0) at
src/providers/krb5/krb5_child.c:1993
ret = <value optimized out>
#2 k5c_setup (kr=0x785450, offline=0) at src/providers/krb5/krb5_child.c:2042
kerr = <value optimized out>
parse_flags = <value optimized out>
fast_val = K5C_FAST_NEVER
__FUNCTION__ = "k5c_setup"
#3 0x0000000000408a86 in main (argc=5, argv=<value optimized out>) at
src/providers/krb5/krb5_child.c:2246
kr = 0x785450
offline = 0
opt = <value optimized out>
pc = <value optimized out>
debug_fd = 18
ret = <value optimized out>
long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4, arg
= 0x617980, val = 0, descrip = 0x4121e9 "Help options:", argDescrip = 0x0}, {
longName = 0x4121f7 "debug-level", shortName = 100 'd', argInfo =
2, arg = 0x617a40, val = 0, descrip = 0x4121c8 "Debug level", argDescrip =
0x0}, {
longName = 0x412203 "debug-timestamps", shortName = 0 '\000',
argInfo = 2, arg = 0x617960, val = 0, descrip = 0x4121d4 "Add debug
timestamps", argDescrip = 0x0}, {
longName = 0x412214 "debug-microseconds", shortName = 0 '\000',
argInfo = 2, arg = 0x617a50, val = 0, descrip = 0x412e18 "Show timestamps with
microseconds",
argDescrip = 0x0}, {longName = 0x412227 "debug-fd", shortName = 0
'\000', argInfo = 2, arg = 0x7fff7a3bed08, val = 0,
descrip = 0x412e40 "An open file descriptor for the debug logs",
argDescrip = 0x0}, {longName = 0x412230 "debug-to-stderr", shortName = 0
'\000', argInfo = 1073741824,
arg = 0x617a58, val = 0, descrip = 0x412e70 "Send the debug output
to stderr directly.", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000',
argInfo = 0, arg = 0x0,
val = 0, descrip = 0x0, argDescrip = 0x0}}
__FUNCTION__ = "main"
LS
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
