On Fri, 2013-04-05 at 12:26 +0200, Lukas Slebodnik wrote:
On (04/04/13 12:24), Simo Sorce wrote:
Commit should say it all. We do not have any security issue (that I know off) with the current code, but I want to tighten up the privileges more given we do not need the additional capabilities in the krb5_child anyway.
Simo.
-- Simo Sorce * Red Hat, Inc * New York
Nack
Patch make impossible user authentication.
sh-4.2$ su - usersssd02 Password: su: incorrect password
From krb5_child.log: [become_user] (0x0200): Trying to become user [325600012][325600012]. [create_ccache_in_dir] (0x0200): Creating ccache at [DIR:/run/user/325600012/krb5cc] [become_user] (0x0200): Trying to become user [325600012][325600012]. [become_user] (0x0020): setgroups failed [1][Operation not permitted]. ^^^^^ The second call of function become_user fail with EPERM
[create_ccache_in_dir] (0x0020): become_user failed. [get_and_save_tgt] (0x0020): 1140: [1][Operation not permitted] [map_krb5_error] (0x0020): 1160: [1][Operation not permitted]
errno_t become_user(uid_t uid, gid_t gid) { int ret;
DEBUG(SSSDBG_FUNC_DATA, ("Trying to become user [%d][%d].\n", uid, gid));
ret = setgid(gid);
if (ret == -1) {
ret = errno;DEBUG(SSSDBG_CRIT_FAILURE,("setgid failed [%d][%s].\n", ret, strerror(ret)));return ret;}
ret = setuid(uid);
- /* drop supplmentary groups first */
- ret = setgroups(0, NULL); if (ret == -1) { ret = errno;
If errno is EPERM, than we should ignore this error and continue.
DEBUG(SSSDBG_CRIT_FAILURE,
("setuid failed [%d][%s].\n", ret, strerror(ret)));
("setgroups failed [%d][%s].\n", ret, strerror(ret))); return ret;
It is very odd that we get EPERM .. is this function beeing called twice ? Once as root before the fork, and then again in the code ?
Simo.