rpms / sssd

Clone
Source Code
GIT

Files

  1.   905b4de0e68274ed1d28be199df37121524b2919
  2.   SOURCES
  3.   0125-krb5_child-become-user-earlier.patch
Blob Blame History Raw 
From 0c7f33bb6b16ef7dd27816489d9ec0b5c758c64f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 1 Dec 2014 17:36:56 +0100
Subject: [PATCH 125/128] krb5_child: become user earlier

The host keytab and the FAST credential cache are copied into memory
early at startup to allow to drop privileges earlier.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 Makefile.am                     |   1 +
 src/providers/krb5/krb5_child.c | 131 ++++++++++++++++++++++++++++------------
 2 files changed, 94 insertions(+), 38 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 3d16428856d6cb2e9e190b0df8895ab3f45db39c..6f6db56f5d6229b530cc6f18f66c42f22140bdeb 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2531,6 +2531,7 @@ libsss_ad_la_LDFLAGS = \
 krb5_child_SOURCES = \
     src/providers/krb5/krb5_child.c \
     src/providers/krb5/krb5_ccache.c \
+    src/providers/krb5/krb5_keytab.c \
     src/providers/dp_pam_data_util.c \
     src/util/user_info_msg.c \
     src/util/sss_krb5.c \
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index d828dd550251d70851edcdc6b1eda6f5c051baf2..ce8a9235e1d64bccc91d367bc744cca2b32a40da 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -42,6 +42,12 @@
 
 #define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw"
 
+enum k5c_fast_opt {
+    K5C_FAST_NEVER,
+    K5C_FAST_TRY,
+    K5C_FAST_DEMAND,
+};
+
 struct krb5_req {
     krb5_context ctx;
     krb5_principal princ;
@@ -67,6 +73,7 @@ struct krb5_req {
     char *old_ccname;
     bool old_cc_valid;
     bool old_cc_active;
+    enum k5c_fast_opt fast_val;
 };
 
 static krb5_context krb5_error_ctx;
@@ -1839,6 +1846,7 @@ static int k5c_setup_fast(struct krb5_req *kr, bool demand)
     char *fast_principal;
     krb5_error_code kerr;
     char *tmp_str;
+    char *new_ccname;
 
     tmp_str = getenv(SSSD_KRB5_FAST_PRINCIPAL);
     if (tmp_str) {
@@ -1881,6 +1889,15 @@ static int k5c_setup_fast(struct krb5_req *kr, bool demand)
         return kerr;
     }
 
+    kerr = copy_ccache_into_memory(kr, kr->ctx, kr->fast_ccname, &new_ccname);
+    if (kerr != 0) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "copy_ccache_into_memory failed.\n");
+        return kerr;
+    }
+
+    talloc_free(kr->fast_ccname);
+    kr->fast_ccname = new_ccname;
+
     kerr = sss_krb5_get_init_creds_opt_set_fast_ccache_name(kr->ctx,
                                                             kr->options,
                                                             kr->fast_ccname);
@@ -1908,12 +1925,6 @@ static int k5c_setup_fast(struct krb5_req *kr, bool demand)
     return EOK;
 }
 
-enum k5c_fast_opt {
-    K5C_FAST_NEVER,
-    K5C_FAST_TRY,
-    K5C_FAST_DEMAND,
-};
-
 static errno_t check_use_fast(enum k5c_fast_opt *_fast_val)
 {
     char *use_fast_str;
@@ -2064,19 +2075,8 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline)
 {
     krb5_error_code kerr;
     int parse_flags;
-    enum k5c_fast_opt fast_val;
 
-    kerr = check_use_fast(&fast_val);
-    if (kerr != EOK) {
-        return kerr;
-    }
-
-    kerr = k5c_ccache_setup(kr, offline);
-    if (kerr != EOK) {
-        return kerr;
-    }
-
-    if (offline || (fast_val == K5C_FAST_NEVER && kr->validate == false)) {
+    if (offline || (kr->fast_val == K5C_FAST_NEVER && kr->validate == false)) {
         /* If krb5_child was started as setuid, but we don't need to
          * perform either validation or FAST, just drop privileges to
          * the user who is logging in. The same applies to the offline case
@@ -2097,12 +2097,6 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline)
               "Cannot read [%s] from environment.\n", SSSD_KRB5_REALM);
     }
 
-    kerr = krb5_init_context(&kr->ctx);
-    if (kerr != 0) {
-        KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
-        return kerr;
-    }
-
     /* Set the global error context */
     krb5_error_ctx = kr->ctx;
 
@@ -2145,12 +2139,6 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline)
         return ENOMEM;
     }
 
-    kerr = sss_krb5_get_init_creds_opt_alloc(kr->ctx, &kr->options);
-    if (kerr != 0) {
-        KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
-        return kerr;
-    }
-
 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_RESPONDER
     kerr = krb5_get_init_creds_opt_set_responder(kr->ctx, kr->options,
                                                  sss_krb5_responder, kr);
@@ -2175,14 +2163,6 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline)
 
     if (!offline) {
         set_canonicalize_option(kr->options);
-
-        if (fast_val != K5C_FAST_NEVER) {
-            kerr = k5c_setup_fast(kr, fast_val == K5C_FAST_DEMAND);
-            if (kerr != EOK) {
-                DEBUG(SSSDBG_OP_FAILURE, "Cannot set up FAST\n");
-                return kerr;
-            }
-        }
     }
 
 /* TODO: set options, e.g.
@@ -2199,6 +2179,63 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline)
     return kerr;
 }
 
+static krb5_error_code privileged_krb5_setup(struct krb5_req *kr,
+                                             uint32_t offline)
+{
+    krb5_error_code kerr;
+    int ret;
+    char *mem_keytab;
+
+    kerr = krb5_init_context(&kr->ctx);
+    if (kerr != 0) {
+        KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+        return kerr;
+    }
+
+    kerr = sss_krb5_get_init_creds_opt_alloc(kr->ctx, &kr->options);
+    if (kerr != 0) {
+        KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+        return kerr;
+    }
+
+    ret = check_use_fast(&kr->fast_val);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "check_use_fast failed.\n");
+        return ret;;
+    }
+
+    /* For ccache types FILE: and DIR: we might need to create some directory
+     * components as root */
+    ret = k5c_ccache_setup(kr, offline);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "k5c_ccache_setup failed.\n");
+        return ret;
+    }
+
+    if (!(offline ||
+            (kr->fast_val == K5C_FAST_NEVER && kr->validate == false))) {
+        kerr = copy_keytab_into_memory(kr, kr->ctx, kr->keytab, &mem_keytab,
+                                       NULL);
+        if (kerr != 0) {
+            DEBUG(SSSDBG_OP_FAILURE, "copy_keytab_into_memory failed.\n");
+            return kerr;
+        }
+
+        talloc_free(kr->keytab);
+        kr->keytab = mem_keytab;
+
+        if (kr->fast_val != K5C_FAST_NEVER) {
+            kerr = k5c_setup_fast(kr, kr->fast_val == K5C_FAST_DEMAND);
+            if (kerr != EOK) {
+                DEBUG(SSSDBG_OP_FAILURE, "Cannot set up FAST\n");
+                return kerr;
+            }
+        }
+    }
+
+    return 0;
+}
+
 int main(int argc, const char *argv[])
 {
     struct krb5_req *kr = NULL;
@@ -2207,6 +2244,7 @@ int main(int argc, const char *argv[])
     poptContext pc;
     int debug_fd = -1;
     errno_t ret;
+    krb5_error_code kerr;
 
     struct poptOption long_options[] = {
         POPT_AUTOHELP
@@ -2274,6 +2312,23 @@ int main(int argc, const char *argv[])
 
     close(STDIN_FILENO);
 
+    kerr = privileged_krb5_setup(kr, offline);
+    if (kerr != 0) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "privileged_krb5_setup failed.\n");
+        ret = EFAULT;
+        goto done;
+    }
+
+    kerr = become_user(kr->uid, kr->gid);
+    if (kerr != 0) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n");
+        ret = EFAULT;
+        goto done;
+    }
+
+    DEBUG(SSSDBG_TRACE_INTERNAL,
+          "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid());
+
     ret = k5c_setup(kr, offline);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE, "krb5_child_setup failed.\n");
-- 
1.9.3

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation