From f28c0df2ba8d3ba4632e3fa5cb395635470d3639 Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Fri, 24 Oct 2014 22:44:17 +0200

Subject: [PATCH 83/92] BUILD: Install krb5_child as suid if running under

 non-privileged user

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

If sssd_be is running unprivileged, then krb5_child must be setuid to be

able to access the keytab and become arbitrary user.

Related:

https://fedorahosted.org/sssd/ticket/2370

Reviewed-by: Sumit Bose <sbose@redhat.com>

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

---

 Makefile.am          | 2 ++

 contrib/sssd.spec.in | 2 +-

 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/Makefile.am b/Makefile.am

index b85341f5845c3cffab8a2c95b1be1d32517316e8..5f265dcefd16ce4efdde4d62f3cd5d02dbce255f 100644

--- a/Makefile.am

+++ b/Makefile.am

@@ -2872,6 +2872,8 @@ endif

 if SSSD_USER

 	chgrp $(SSSD_USER) $(sssdlibexecdir)/ldap_child

 	chmod 4750 $(sssdlibexecdir)/ldap_child

+	chgrp $(SSSD_USER) $(sssdlibexecdir)/krb5_child

+	chmod 4750 $(sssdlibexecdir)/krb5_child

 if BUILD_SEMANAGE

 	chgrp $(SSSD_USER) $(sssdlibexecdir)/selinux_child

 	chmod 4750 $(sssdlibexecdir)/selinux_child

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in

index 5bfb16707c22dc65376581c88b8eb898949e726f..4734d124817cac860b7f6d9633b043df5aa591e8 100644

--- a/contrib/sssd.spec.in

+++ b/contrib/sssd.spec.in

@@ -646,7 +646,7 @@ rm -rf $RPM_BUILD_ROOT

 %doc COPYING

 %{_libdir}/%{name}/libsss_krb5_common.so

 %attr(4750,root,sssd) %{_libexecdir}/%{servicename}/ldap_child

-%{_libexecdir}/%{servicename}/krb5_child

+%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/krb5_child

 %files krb5 -f sssd_krb5.lang

 %defattr(-,root,root,-)

-- 

1.9.3