From f28c0df2ba8d3ba4632e3fa5cb395635470d3639 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Fri, 24 Oct 2014 22:44:17 +0200
Subject: [PATCH 83/92] BUILD: Install krb5_child as suid if running under non-privileged user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If sssd_be is running unprivileged, then krb5_child must be setuid to be able to access the keytab and become arbitrary user.
Related: https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose
Reviewed-by: Lukáš Slebodník
---
 Makefile.am | 2 ++
 contrib/sssd.spec.in | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/Makefile.am b/Makefile.am
index b85341f5845c3cffab8a2c95b1be1d32517316e8..5f265dcefd16ce4efdde4d62f3cd5d02dbce255f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2872,6 +2872,8 @@ endif
 if SSSD_USER
 chgrp $(SSSD_USER) $(sssdlibexecdir)/ldap_child
 chmod 4750 $(sssdlibexecdir)/ldap_child
+ chgrp $(SSSD_USER) $(sssdlibexecdir)/krb5_child
+ chmod 4750 $(sssdlibexecdir)/krb5_child
 if BUILD_SEMANAGE
 chgrp $(SSSD_USER) $(sssdlibexecdir)/selinux_child
 chmod 4750 $(sssdlibexecdir)/selinux_child
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 5bfb16707c22dc65376581c88b8eb898949e726f..4734d124817cac860b7f6d9633b043df5aa591e8 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -646,7 +646,7 @@ rm -rf $RPM_BUILD_ROOT
 %doc COPYING
 %{_libdir}/%{name}/libsss_krb5_common.so
 %attr(4750,root,sssd) %{_libexecdir}/%{servicename}/ldap_child
-%{_libexecdir}/%{servicename}/krb5_child
+%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/krb5_child

 %files krb5 -f sssd_krb5.lang
 %defattr(-,root,root,-)
-- 1.9.3
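Review bot: The two added lines act on `$(sssdlibexecdir)/krb5_child` with no `$(DESTDIR)` prefix, so a staged install would change the group and set the setuid bit on whatever binary sits at the live path rather than on the file just installed; the ldap_child and selinux_child context lines follow the same pattern. I would write `chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/krb5_child` and `chmod 4750 $(DESTDIR)$(sssdlibexecdir)/krb5_child`. Mode 4750 only gives setuid-root when the file is owned by root, which these lines do not set or check, and `chgrp $(SSSD_USER)` presumes a group with the same name as the service user. The enclosing rule starts and ends outside the hunk, so whether ownership is handled elsewhere cannot be confirmed from here.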
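Review bot: The new `%attr(4750,root,sssd)` entry for krb5_child carries no comment saying why the helper is setuid root, and it hard-codes the group `sssd` while the Makefile.am hunk takes the group from `$(SSSD_USER)`. A line such as `# setuid root, executable by group sssd only: unprivileged sssd_be needs krb5_child to read the keytab and switch user` above the two `%attr(4750,...)` entries would record that group membership is the only gate on running a root helper. If the service user can be configured to something other than sssd at build time, the packaged group and the Makefile group would diverge, which is worth confirming. The %files section this entry belongs to begins outside the hunk.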