dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone
Source Code
GIT

Blame SOURCES/0173-Open-the-PAC-socket-from-krb5_child-before-dropping-.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s
  1.   e543c9d626dd9ae2c4419f0d768897dc2bae585a
  2.   SOURCES
  3.   0173-Open-the-PAC-socket-from-krb5_child-before-dropping-.patch
Blob History Raw
905b4d 
From 8e650486102cb0c60f54e43acecacffdf3858ada Mon Sep 17 00:00:00 2001
905b4d 
From: Jakub Hrozek <jhrozek@redhat.com>
905b4d 
Date: Tue, 20 Jan 2015 18:06:49 +0100
905b4d 
Subject: [PATCH 173/173] Open the PAC socket from krb5_child before dropping
905b4d 
 root
905b4d
905b4d 
The PAC responder by default allows only connections from the root user.
905b4d 
This patch opens the socket to the PAC responder before the krb5_child
905b4d 
drops privileges so the connection seemingly comes from root.
905b4d
905b4d 
https://fedorahosted.org/sssd/ticket/2559
905b4d
905b4d 
Reviewed-by: Sumit Bose <sbose@redhat.com>
905b4d 
(cherry picked from commit 858e750c3d4fe54e50616a1ed1e101469503c070)
905b4d 
---
905b4d 
 src/providers/krb5/krb5_child.c |  8 ++++++++
905b4d 
 src/sss_client/common.c         | 13 +++++++++++++
905b4d 
 src/sss_client/sss_cli.h        |  6 ++++++
905b4d 
 3 files changed, 27 insertions(+)
905b4d
905b4d 
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
905b4d 
index 39cd62846e3c58d65a87f670768cf699ae191f14..4c2f81fb122baa42e38e6f3d0ec5e2cf80ac5fa6 100644
905b4d 
--- a/src/providers/krb5/krb5_child.c
905b4d 
+++ b/src/providers/krb5/krb5_child.c
905b4d 
@@ -2305,6 +2305,14 @@ static krb5_error_code privileged_krb5_setup(struct krb5_req *kr,
905b4d 
         }
905b4d 
     }
905b4d
905b4d 
+    if (kr->send_pac) {
905b4d 
+        ret = sss_pac_check_and_open();
905b4d 
+        if (ret != EOK) {
905b4d 
+            DEBUG(SSSDBG_MINOR_FAILURE, "Cannot open the PAC responder socket\n");
905b4d 
+            /* Not fatal */
905b4d 
+        }
905b4d 
+    }
905b4d 
+
905b4d 
     return 0;
905b4d 
 }
905b4d
905b4d 
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
905b4d 
index 7c4bb7ab8769a72f943158366f358b108bfc3bdc..1b0fb1223f3509ef0b5aaf4a53851b868e12d6f0 100644
905b4d 
--- a/src/sss_client/common.c
905b4d 
+++ b/src/sss_client/common.c
905b4d 
@@ -749,6 +749,19 @@ enum nss_status sss_nss_make_request(enum sss_cli_command cmd,
905b4d 
     }
905b4d 
 }
905b4d
905b4d 
+int sss_pac_check_and_open(void)
905b4d 
+{
905b4d 
+    enum sss_status ret;
905b4d 
+    int errnop;
905b4d 
+
905b4d 
+    ret = sss_cli_check_socket(&errnop, SSS_PAC_SOCKET_NAME);
905b4d 
+    if (ret != SSS_STATUS_SUCCESS) {
905b4d 
+        return EIO;
905b4d 
+    }
905b4d 
+
905b4d 
+    return EOK;
905b4d 
+}
905b4d 
+
905b4d 
 int sss_pac_make_request(enum sss_cli_command cmd,
905b4d 
                          struct sss_cli_req_data *rd,
905b4d 
                          uint8_t **repbuf, size_t *replen,
905b4d 
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
905b4d 
index 2d909311cf2fa508a187ee4a29a45eae681dc705..6286077fcf25aead1dfcba5c6483e4ff8ae63b9f 100644
905b4d 
--- a/src/sss_client/sss_cli.h
905b4d 
+++ b/src/sss_client/sss_cli.h
905b4d 
@@ -511,6 +511,12 @@ int sss_pam_make_request(enum sss_cli_command cmd,
905b4d 
                          int *errnop);
905b4d 
 void sss_pam_close_fd(void);
905b4d
905b4d 
+/* Checks access to the PAC responder and opens the socket, if available.
905b4d 
+ * Required for processes like krb5_child that need to open the socket
905b4d 
+ * before dropping privs.
905b4d 
+ */
905b4d 
+int sss_pac_check_and_open(void);
905b4d 
+
905b4d 
 int sss_pac_make_request(enum sss_cli_command cmd,
905b4d 
                          struct sss_cli_req_data *rd,
905b4d 
                          uint8_t **repbuf, size_t *replen,
905b4d 
--
905b4d 
2.1.0
905b4d

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation