rpms / sssd

Clone
Source Code
GIT

Files

  1.   905b4de0e68274ed1d28be199df37121524b2919
  2.   SOURCES
  3.   0173-Open-the-PAC-socket-from-krb5_child-before-dropping-.patch
Blob Blame History Raw 
From 8e650486102cb0c60f54e43acecacffdf3858ada Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 20 Jan 2015 18:06:49 +0100
Subject: [PATCH 173/173] Open the PAC socket from krb5_child before dropping
 root

The PAC responder by default allows only connections from the root user.
This patch opens the socket to the PAC responder before the krb5_child
drops privileges so the connection seemingly comes from root.

https://fedorahosted.org/sssd/ticket/2559

Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 858e750c3d4fe54e50616a1ed1e101469503c070)
---
 src/providers/krb5/krb5_child.c |  8 ++++++++
 src/sss_client/common.c         | 13 +++++++++++++
 src/sss_client/sss_cli.h        |  6 ++++++
 3 files changed, 27 insertions(+)

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 39cd62846e3c58d65a87f670768cf699ae191f14..4c2f81fb122baa42e38e6f3d0ec5e2cf80ac5fa6 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -2305,6 +2305,14 @@ static krb5_error_code privileged_krb5_setup(struct krb5_req *kr,
         }
     }
 
+    if (kr->send_pac) {
+        ret = sss_pac_check_and_open();
+        if (ret != EOK) {
+            DEBUG(SSSDBG_MINOR_FAILURE, "Cannot open the PAC responder socket\n");
+            /* Not fatal */
+        }
+    }
+
     return 0;
 }
 
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
index 7c4bb7ab8769a72f943158366f358b108bfc3bdc..1b0fb1223f3509ef0b5aaf4a53851b868e12d6f0 100644
--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -749,6 +749,19 @@ enum nss_status sss_nss_make_request(enum sss_cli_command cmd,
     }
 }
 
+int sss_pac_check_and_open(void)
+{
+    enum sss_status ret;
+    int errnop;
+
+    ret = sss_cli_check_socket(&errnop, SSS_PAC_SOCKET_NAME);
+    if (ret != SSS_STATUS_SUCCESS) {
+        return EIO;
+    }
+
+    return EOK;
+}
+
 int sss_pac_make_request(enum sss_cli_command cmd,
                          struct sss_cli_req_data *rd,
                          uint8_t **repbuf, size_t *replen,
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 2d909311cf2fa508a187ee4a29a45eae681dc705..6286077fcf25aead1dfcba5c6483e4ff8ae63b9f 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -511,6 +511,12 @@ int sss_pam_make_request(enum sss_cli_command cmd,
                          int *errnop);
 void sss_pam_close_fd(void);
 
+/* Checks access to the PAC responder and opens the socket, if available.
+ * Required for processes like krb5_child that need to open the socket
+ * before dropping privs.
+ */
+int sss_pac_check_and_open(void);
+
 int sss_pac_make_request(enum sss_cli_command cmd,
                          struct sss_cli_req_data *rd,
                          uint8_t **repbuf, size_t *replen,
-- 
2.1.0

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation