On Tue, Nov 11, 2014 at 09:39:40AM +0100, Lukas Slebodnik wrote:
> On (11/11/14 09:09), Lukas Slebodnik wrote:
> >On (10/11/14 17:12), Jakub Hrozek wrote:
> >>On Thu, Nov 06, 2014 at 10:21:17AM -0500, Simo Sorce wrote:
> >>> On Wed, 5 Nov 2014 18:36:06 +0100
> >>> Jakub Hrozek <jhro...@redhat.com> wrote:
> >>>
> >>> > From 1afae1740eb9bf232c33dba77f643f88d0eeb7a3 Mon Sep 17 00:00:00 2001
> >>> > From: Jakub Hrozek <jhro...@redhat.com>
> >>> > Date: Sat, 18 Oct 2014 22:03:13 +0200
> >>> > Subject: [PATCH 5/6] KRB5: Move all ccache operations to krb5_child.c
> >>> >
> >>> > The credential cache operations must be now performed by the
> >>> > krb5_child completely, because the sssd_be process might be running
> >>> > as the sssd user who doesn't have access to the ccaches.
> >>> >
> >>> > src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5
> >>> > until we fix Kerberos ticket renewal as non-root.
> >>> >
> >>> > Also includes a new error code that indicates that the back end should
> >>> > remove the old ccache attribute -- the child can't do that if it's
> >>> > running as the user.
> >>>
> >>> I think I see an ordering issue but I am not completely sure
> >>> (unfortunately I am looking only at the patches because git am fails to
> >>> bring them on a copy of the master tree).
> >>
> >>The patches depended on the SELinux changes that were since merged to
> >>master. The attached patchset should apply on master cleanly.
> >>
> >>>
> >>> The main reason ccache handling was done in 2 parts is that in some
> >>> cases we need to do some preparatory work as root.
> >>> For example creating a user directory for DIR: ccache and similar.
> >>> I think this patches moves things around and causes all these functions
> >>> to be run after krb5_child has already dropped root in
> >>> k5c_setup() though. If that's the case as it looks to me I think this
> >>> patchset will not work as well as it should.
> >>
> >>You're right, I admit I tested on RHEL and Fedora where we only use
> >>KEYRING: and FILE:/tmp/ where I didn't hit this issue. I was also
> >>confused by our removal of creating public ccache dir components -- now
> >>I realize we can still create user-owned directories under root-writably
> >>directories and DIR:/run/user/$UID is exactly this case.
> >>
> >>This means we need to examine the ccache as root in order to determine
> >>whether to re-create it...with the attached patches the DIR cache seems
> >>to work fine.
> >>
> >>>
> >>> I also see that you added ERR_CREDS_EXPIRED_CCACHE to delete the ccache
> >>> once the reply is returned to the backend. But I am afraid deleting a
> >>> ccache may also require root privs as the ccache is owned by the user
> >>> but the sssd backend is running as the sssd user. Or am I missing
> >>> another change that addresses this ?
> >>>
> >>> Also ERR_CREDS_EXPIRED_CCACHE seem not performing the same checks as
> >>> ERR_CREDS_EXPIRED, why (and why does it need to be different) ?
> >>
> >>No, the ERR_CREDS_EXPIRED_CCACHE semantics is different. The krb5_child
> >>is able to remove the old ccache from disk or from the kernel keyring,
> >>but in case the child dropped privileges to the user who is logging in,
> >>it cannot delete the ccache attribute from sysdb..so
> >>ERR_CREDS_EXPIRED_CCACHE is a way of telling sssd_be to remove this
> >>attribute istead.
> >>
> >>Thank you for the review. New patches are attached (and I just realized
> >>I didn't CC you in my reply to your other mail; sorry)
> >
> >>From 7addb7d573a2ef06f60e0c026f4bd01423d073ea Mon Sep 17 00:00:00 2001
> >>From: Jakub Hrozek <jhro...@redhat.com>
> >>Date: Fri, 24 Oct 2014 22:44:17 +0200
> >>Subject: [PATCH 1/6] BUILD: Install krb5_child as suid if running under
> >> non-privileged user
> >>
> >>If sssd_be is running unprivileged, then krb5_child must be setuid to be
> >>able to access the keytab and become arbitrary user.
> >>---
> >There is a crash in krb_child with refactoring patches.
> >
> >#0 sss_krb5_precreate_ccache (ccname=0x0, uid=2003, gid=2003) at
> >src/providers/krb5/krb5_ccache.c:222
> >222 if (ccname[0] == '/') {
> >(gdb) p ccname
> >$1 = 0x0
> >
> >(gdb) bt full
> >#0 sss_krb5_precreate_ccache (ccname=0x0, uid=2003, gid=2003) at
> >src/providers/krb5/krb5_ccache.c:222
> > tmp_ctx = 0x0
> > filename = <value optimized out>
> > ccdirname = <value optimized out>
> > end = <value optimized out>
> > ret = <value optimized out>
> > __FUNCTION__ = "sss_krb5_precreate_ccache"
> >#1 0x0000000000405adc in k5c_precreate_ccache (kr=0x785450, offline=0) at
> >src/providers/krb5/krb5_child.c:1993
> > ret = <value optimized out>
> >#2 k5c_setup (kr=0x785450, offline=0) at
> >src/providers/krb5/krb5_child.c:2042
> > kerr = <value optimized out>
> > parse_flags = <value optimized out>
> > fast_val = K5C_FAST_NEVER
> > __FUNCTION__ = "k5c_setup"
> >#3 0x0000000000408a86 in main (argc=5, argv=<value optimized out>) at
> >src/providers/krb5/krb5_child.c:2246
> > kr = 0x785450
> > offline = 0
> > opt = <value optimized out>
> > pc = <value optimized out>
> > debug_fd = 18
> > ret = <value optimized out>
> > long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4,
> > arg = 0x617980, val = 0, descrip = 0x4121e9 "Help options:", argDescrip =
> > 0x0}, {
> > longName = 0x4121f7 "debug-level", shortName = 100 'd', argInfo
> > = 2, arg = 0x617a40, val = 0, descrip = 0x4121c8 "Debug level", argDescrip
> > = 0x0}, {
> > longName = 0x412203 "debug-timestamps", shortName = 0 '\000',
> > argInfo = 2, arg = 0x617960, val = 0, descrip = 0x4121d4 "Add debug
> > timestamps", argDescrip = 0x0}, {
> > longName = 0x412214 "debug-microseconds", shortName = 0 '\000',
> > argInfo = 2, arg = 0x617a50, val = 0, descrip = 0x412e18 "Show timestamps
> > with microseconds",
> > argDescrip = 0x0}, {longName = 0x412227 "debug-fd", shortName =
> > 0 '\000', argInfo = 2, arg = 0x7fff7a3bed08, val = 0,
> > descrip = 0x412e40 "An open file descriptor for the debug logs",
> > argDescrip = 0x0}, {longName = 0x412230 "debug-to-stderr", shortName = 0
> > '\000', argInfo = 1073741824,
> > arg = 0x617a58, val = 0, descrip = 0x412e70 "Send the debug
> > output to stderr directly.", argDescrip = 0x0}, {longName = 0x0, shortName
> > = 0 '\000', argInfo = 0, arg = 0x0,
> > val = 0, descrip = 0x0, argDescrip = 0x0}}
> > __FUNCTION__ = "main"
> >
> and here is related part from krb5_child log.
>
> [sss_get_ccache_name_for_principal] (0x4000): Location:
> [FILE:/tmp/krb5cc_2004_XXXXXX]
> [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed:
> [-1765328243][Can't find client principal testus...@example.com in cache
> collection]
> [create_ccache] (0x4000): Initializing ccache of type [FILE]
> [switch_creds] (0x0200): Switch user to [2004][2004].
> [switch_creds] (0x0200): Already user [2004].
> [sss_krb5_check_ccache_princ] (0x2000): Searching for [testus...@example.com]
> in cache of type [FILE]
> [switch_creds] (0x0200): Switch user to [2004][2004].
> [switch_creds] (0x0200): Already user [2004].
> [sss_open_ccache_as_user] (0x0400): ccache (null) is missing or empty
> [get_and_save_tgt] (0x0080): Failed to remove old ccache file [(null)],
> please remove it manually.
> [k5c_send_data] (0x0200): Received error code 0
> [pack_response_packet] (0x2000): response packet size: [122]
> [k5c_send_data] (0x4000): Response sent.
> [main] (0x0400): krb5_child completed successfully
>
>
> [main] (0x0400): krb5_child started.
> [unpack_buffer] (0x1000): total buffer size: [66]
> [unpack_buffer] (0x0100): cmd [243] uid [2004] gid [2004] validate [false]
> enterprise principal [false] offline [false] UPN [testus...@example.com]
> [unpack_buffer] (0x0100): user: [testuser4]
> [check_use_fast] (0x0100): Not using FAST.
> [k5c_precreate_ccache] (0x4000): Recreating ccache
>
Can you give me access to a host that reproduces this crash? ccname
should never be NULL with the new patches ...
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
