From e49e9f727e4960c8a0a2ed50488dac6e51ddf284 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 10 Dec 2018 17:44:13 +0100
Subject: [PATCH] krb5_child: fix permissions during SC auth

For PKINIT we might need access to the pcscd socket which by default is
only allowed for authenticated users. Since PKINIT is part of the
authentication and the user is not authenticated yet, we have to use
different privileges and can only drop it only after the TGT is
received. The fast_uid and fast_gid are the IDs the backend is running
with. This can be either root or the 'sssd' user. Root is allowed by
default and the 'sssd' user is allowed with the help of the
sssd-pcsc.rules policy-kit rule. So those IDs are a suitable choice. We
can only call switch_creds() because after the TGT is returned we have
to switch to the IDs of the user to store the TGT.

The final change to the IDs of the user is not only important for KCM
type credential caches but for file based ccache types like FILE or DIR
as well.

Related to https://pagure.io/SSSD/sssd/issue/3903

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/providers/krb5/krb5_child.c | 64 ++++++++++++++++++++-------------
 1 file changed, 39 insertions(+), 25 deletions(-)

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index a578930a9..7ad411914 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -108,6 +108,7 @@ struct krb5_req {
 
     uid_t fast_uid;
     gid_t fast_gid;
+    struct sss_creds *pcsc_saved_creds;
 
     struct cli_opts *cli_opts;
 };
@@ -1746,6 +1747,22 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
         goto done;
     }
 
+    kerr = restore_creds(kr->pcsc_saved_creds);
+    if (kerr != 0)  {
+        DEBUG(SSSDBG_OP_FAILURE, "restore_creds failed.\n");
+    }
+    /* Make sure ccache is created and written as the user */
+    if (geteuid() != kr->uid || getegid() != kr->gid) {
+        kerr = k5c_become_user(kr->uid, kr->gid, kr->posix_domain);
+        if (kerr != 0) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n");
+            goto done;
+        }
+    }
+
+    DEBUG(SSSDBG_TRACE_INTERNAL,
+          "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid());
+
     /* If kr->ccname is cache collection (DIR:/...), we want to work
      * directly with file ccache (DIR::/...), but cache collection
      * should be returned back to back end.
@@ -2998,20 +3015,6 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline)
     krb5_error_code kerr;
     int parse_flags;
 
-    if (offline || (kr->fast_val == K5C_FAST_NEVER && kr->validate == false)) {
-        /* If krb5_child was started as setuid, but we don't need to
-         * perform either validation or FAST, just drop privileges to
-         * the user who is logging in. The same applies to the offline case.
-         */
-        kerr = k5c_become_user(kr->uid, kr->gid, kr->posix_domain);
-        if (kerr != 0) {
-            DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n");
-            return kerr;
-        }
-    }
-    DEBUG(SSSDBG_TRACE_INTERNAL,
-          "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid());
-
     /* Set the global error context */
     krb5_error_ctx = kr->ctx;
 
@@ -3205,8 +3208,8 @@ int main(int argc, const char *argv[])
     const char *opt_logger = NULL;
     errno_t ret;
     krb5_error_code kerr;
-    uid_t fast_uid;
-    gid_t fast_gid;
+    uid_t fast_uid = 0;
+    gid_t fast_gid = 0;
     struct cli_opts cli_opts = { 0 };
     int sss_creds_password = 0;
 
@@ -3320,20 +3323,31 @@ int main(int argc, const char *argv[])
         goto done;
     }
 
-    /* pkinit needs access to pcscd */
-    if ((sss_authtok_get_type(kr->pd->authtok) != SSS_AUTHTOK_TYPE_SC_PIN
-            && sss_authtok_get_type(kr->pd->authtok)
-                                        != SSS_AUTHTOK_TYPE_SC_KEYPAD)) {
+    /* For PKINIT we might need access to the pcscd socket which by default
+     * is only allowed for authenticated users. Since PKINIT is part of
+     * the authentication and the user is not authenticated yet, we have
+     * to use different privileges and can only drop it only after the TGT is
+     * received. The fast_uid and fast_gid are the IDs the backend is running
+     * with. This can be either root or the 'sssd' user. Root is allowed by
+     * default and the 'sssd' user is allowed with the help of the
+     * sssd-pcsc.rules policy-kit rule. So those IDs are a suitable choice. We
+     * can only call switch_creds() because after the TGT is returned we have
+     * to switch to the IDs of the user to store the TGT. */
+    if (IS_SC_AUTHTOK(kr->pd->authtok)) {
+        kerr = switch_creds(kr, kr->fast_uid, kr->fast_gid, 0, NULL,
+                            &kr->pcsc_saved_creds);
+    } else {
         kerr = k5c_become_user(kr->uid, kr->gid, kr->posix_domain);
-        if (kerr != 0) {
-            DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n");
-            ret = EFAULT;
-            goto done;
-        }
+    }
+    if (kerr != 0) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n");
+        ret = EFAULT;
+        goto done;
     }
 
     DEBUG(SSSDBG_TRACE_INTERNAL,
           "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid());
+
     try_open_krb5_conf();
 
     ret = k5c_setup(kr, offline);
-- 
2.19.1