On Tue, Nov 11, 2014 at 09:39:40AM +0100, Lukas Slebodnik wrote: > On (11/11/14 09:09), Lukas Slebodnik wrote: > >On (10/11/14 17:12), Jakub Hrozek wrote: > >>On Thu, Nov 06, 2014 at 10:21:17AM -0500, Simo Sorce wrote: > >>> On Wed, 5 Nov 2014 18:36:06 +0100 > >>> Jakub Hrozek <jhro...@redhat.com> wrote: > >>> > >>> > From 1afae1740eb9bf232c33dba77f643f88d0eeb7a3 Mon Sep 17 00:00:00 2001 > >>> > From: Jakub Hrozek <jhro...@redhat.com> > >>> > Date: Sat, 18 Oct 2014 22:03:13 +0200 > >>> > Subject: [PATCH 5/6] KRB5: Move all ccache operations to krb5_child.c > >>> > > >>> > The credential cache operations must be now performed by the > >>> > krb5_child completely, because the sssd_be process might be running > >>> > as the sssd user who doesn't have access to the ccaches. > >>> > > >>> > src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5 > >>> > until we fix Kerberos ticket renewal as non-root. > >>> > > >>> > Also includes a new error code that indicates that the back end should > >>> > remove the old ccache attribute -- the child can't do that if it's > >>> > running as the user. > >>> > >>> I think I see an ordering issue but I am not completely sure > >>> (unfortunately I am looking only at the patches because git am fails to > >>> bring them on a copy of the master tree). > >> > >>The patches depended on the SELinux changes that were since merged to > >>master. The attached patchset should apply on master cleanly. > >> > >>> > >>> The main reason ccache handling was done in 2 parts is that in some > >>> cases we need to do some preparatory work as root. > >>> For example creating a user directory for DIR: ccache and similar. > >>> I think this patches moves things around and causes all these functions > >>> to be run after krb5_child has already dropped root in > >>> k5c_setup() though. If that's the case as it looks to me I think this > >>> patchset will not work as well as it should. > >> > >>You're right, I admit I tested on RHEL and Fedora where we only use > >>KEYRING: and FILE:/tmp/ where I didn't hit this issue. I was also > >>confused by our removal of creating public ccache dir components -- now > >>I realize we can still create user-owned directories under root-writably > >>directories and DIR:/run/user/$UID is exactly this case. > >> > >>This means we need to examine the ccache as root in order to determine > >>whether to re-create it...with the attached patches the DIR cache seems > >>to work fine. > >> > >>> > >>> I also see that you added ERR_CREDS_EXPIRED_CCACHE to delete the ccache > >>> once the reply is returned to the backend. But I am afraid deleting a > >>> ccache may also require root privs as the ccache is owned by the user > >>> but the sssd backend is running as the sssd user. Or am I missing > >>> another change that addresses this ? > >>> > >>> Also ERR_CREDS_EXPIRED_CCACHE seem not performing the same checks as > >>> ERR_CREDS_EXPIRED, why (and why does it need to be different) ? > >> > >>No, the ERR_CREDS_EXPIRED_CCACHE semantics is different. The krb5_child > >>is able to remove the old ccache from disk or from the kernel keyring, > >>but in case the child dropped privileges to the user who is logging in, > >>it cannot delete the ccache attribute from sysdb..so > >>ERR_CREDS_EXPIRED_CCACHE is a way of telling sssd_be to remove this > >>attribute istead. > >> > >>Thank you for the review. New patches are attached (and I just realized > >>I didn't CC you in my reply to your other mail; sorry) > > > >>From 7addb7d573a2ef06f60e0c026f4bd01423d073ea Mon Sep 17 00:00:00 2001 > >>From: Jakub Hrozek <jhro...@redhat.com> > >>Date: Fri, 24 Oct 2014 22:44:17 +0200 > >>Subject: [PATCH 1/6] BUILD: Install krb5_child as suid if running under > >> non-privileged user > >> > >>If sssd_be is running unprivileged, then krb5_child must be setuid to be > >>able to access the keytab and become arbitrary user. > >>--- > >There is a crash in krb_child with refactoring patches. > > > >#0 sss_krb5_precreate_ccache (ccname=0x0, uid=2003, gid=2003) at > >src/providers/krb5/krb5_ccache.c:222 > >222 if (ccname[0] == '/') { > >(gdb) p ccname > >$1 = 0x0 > > > >(gdb) bt full > >#0 sss_krb5_precreate_ccache (ccname=0x0, uid=2003, gid=2003) at > >src/providers/krb5/krb5_ccache.c:222 > > tmp_ctx = 0x0 > > filename = <value optimized out> > > ccdirname = <value optimized out> > > end = <value optimized out> > > ret = <value optimized out> > > __FUNCTION__ = "sss_krb5_precreate_ccache" > >#1 0x0000000000405adc in k5c_precreate_ccache (kr=0x785450, offline=0) at > >src/providers/krb5/krb5_child.c:1993 > > ret = <value optimized out> > >#2 k5c_setup (kr=0x785450, offline=0) at > >src/providers/krb5/krb5_child.c:2042 > > kerr = <value optimized out> > > parse_flags = <value optimized out> > > fast_val = K5C_FAST_NEVER > > __FUNCTION__ = "k5c_setup" > >#3 0x0000000000408a86 in main (argc=5, argv=<value optimized out>) at > >src/providers/krb5/krb5_child.c:2246 > > kr = 0x785450 > > offline = 0 > > opt = <value optimized out> > > pc = <value optimized out> > > debug_fd = 18 > > ret = <value optimized out> > > long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4, > > arg = 0x617980, val = 0, descrip = 0x4121e9 "Help options:", argDescrip = > > 0x0}, { > > longName = 0x4121f7 "debug-level", shortName = 100 'd', argInfo > > = 2, arg = 0x617a40, val = 0, descrip = 0x4121c8 "Debug level", argDescrip > > = 0x0}, { > > longName = 0x412203 "debug-timestamps", shortName = 0 '\000', > > argInfo = 2, arg = 0x617960, val = 0, descrip = 0x4121d4 "Add debug > > timestamps", argDescrip = 0x0}, { > > longName = 0x412214 "debug-microseconds", shortName = 0 '\000', > > argInfo = 2, arg = 0x617a50, val = 0, descrip = 0x412e18 "Show timestamps > > with microseconds", > > argDescrip = 0x0}, {longName = 0x412227 "debug-fd", shortName = > > 0 '\000', argInfo = 2, arg = 0x7fff7a3bed08, val = 0, > > descrip = 0x412e40 "An open file descriptor for the debug logs", > > argDescrip = 0x0}, {longName = 0x412230 "debug-to-stderr", shortName = 0 > > '\000', argInfo = 1073741824, > > arg = 0x617a58, val = 0, descrip = 0x412e70 "Send the debug > > output to stderr directly.", argDescrip = 0x0}, {longName = 0x0, shortName > > = 0 '\000', argInfo = 0, arg = 0x0, > > val = 0, descrip = 0x0, argDescrip = 0x0}} > > __FUNCTION__ = "main" > > > and here is related part from krb5_child log. > > [sss_get_ccache_name_for_principal] (0x4000): Location: > [FILE:/tmp/krb5cc_2004_XXXXXX] > [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: > [-1765328243][Can't find client principal testus...@example.com in cache > collection] > [create_ccache] (0x4000): Initializing ccache of type [FILE] > [switch_creds] (0x0200): Switch user to [2004][2004]. > [switch_creds] (0x0200): Already user [2004]. > [sss_krb5_check_ccache_princ] (0x2000): Searching for [testus...@example.com] > in cache of type [FILE] > [switch_creds] (0x0200): Switch user to [2004][2004]. > [switch_creds] (0x0200): Already user [2004]. > [sss_open_ccache_as_user] (0x0400): ccache (null) is missing or empty > [get_and_save_tgt] (0x0080): Failed to remove old ccache file [(null)], > please remove it manually. > [k5c_send_data] (0x0200): Received error code 0 > [pack_response_packet] (0x2000): response packet size: [122] > [k5c_send_data] (0x4000): Response sent. > [main] (0x0400): krb5_child completed successfully > > > [main] (0x0400): krb5_child started. > [unpack_buffer] (0x1000): total buffer size: [66] > [unpack_buffer] (0x0100): cmd [243] uid [2004] gid [2004] validate [false] > enterprise principal [false] offline [false] UPN [testus...@example.com] > [unpack_buffer] (0x0100): user: [testuser4] > [check_use_fast] (0x0100): Not using FAST. > [k5c_precreate_ccache] (0x4000): Recreating ccache >
Can you give me access to a host that reproduces this crash? ccname should never be NULL with the new patches ... _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel