>From ea15692b1116715240cbab5c4bbf194071be05b6 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Fri, 24 Oct 2014 22:44:17 +0200
Subject: [PATCH 1/6] BUILD: Install krb5_child as suid if running under non-privileged user

If sssd_be is running unprivileged, then krb5_child must be setuid to be able to access the keytab and become arbitrary user.
---
 Makefile.am | 2 ++
 contrib/sssd.spec.in | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/Makefile.am b/Makefile.am
index b39db21e64f97a7f951165c454b05fef32070b48..6d90d33122c4b6a67805e6eb887235fee44c6e06 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2853,8 +2853,10 @@ endif
 if SSSD_USER
 chgrp $(SSSD_USER) $(sssdlibexecdir)/ldap_child
 chgrp $(SSSD_USER) $(sssdlibexecdir)/selinux_child
+ chgrp $(SSSD_USER) $(sssdlibexecdir)/krb5_child
 chmod 4750 $(sssdlibexecdir)/ldap_child
 chmod 4750 $(sssdlibexecdir)/selinux_child
+ chmod 4750 $(sssdlibexecdir)/krb5_child
 endif
 install-data-hook:
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 5bfb16707c22dc65376581c88b8eb898949e726f..4734d124817cac860b7f6d9633b043df5aa591e8 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -646,7 +646,7 @@ rm -rf $RPM_BUILD_ROOT
 %doc COPYING
 %{_libdir}/%{name}/libsss_krb5_common.so
 %attr(4750,root,sssd) %{_libexecdir}/%{servicename}/ldap_child
-%{_libexecdir}/%{servicename}/krb5_child
+%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/krb5_child
 %files krb5 -f sssd_krb5.lang
 %defattr(-,root,root,-)
--
1.9.3
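Review bot: The two added recipe lines, `chgrp $(SSSD_USER) $(sssdlibexecdir)/krb5_child` and `chmod 4750 $(sssdlibexecdir)/krb5_child`, address the path without `$(DESTDIR)`, so unless `sssdlibexecdir` already carries the staging prefix (which would be unusual) a staged install leaves the staged binary untouched and instead changes the group and setuid bit of whatever already sits at that path on the build host, or fails. Writing them as `chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/krb5_child` and `chmod 4750 $(DESTDIR)$(sssdlibexecdir)/krb5_child` would fix that; the existing ldap_child and selinux_child lines in the same `if SSSD_USER` block have the same form. The hook never sets the owner, so the setuid bit yields root only when the install itself runs as root, and a comment stating this, and that chgrp must stay ahead of chmod because changing the group may clear the setuid bit, would help the next maintainer. The rule header for this recipe lies above the hunk.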
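Review bot: The new `%attr(4750,root,sssd)` on krb5_child is applied unconditionally and hard-codes the group `sssd`, whereas the Makefile.am hook in this same patch sets the bit only under `if SSSD_USER` and takes the group from `$(SSSD_USER)`. A package built to run the service as root would therefore still ship a setuid-root krb5_child it does not need, and a build configured with a different account name would grant execute permission to a group that does not match; the ldap_child entry just above has the same shape. Consider guarding both entries with whatever build conditional the spec uses for the unprivileged user (not visible in this hunk) and adding a comment such as `# setuid root: an unprivileged sssd_be needs krb5_child to read the keytab and switch to the user's identity`. Since every member of that group can now execute a root-owned setuid helper, the packaging should also make sure the group is created before the files are unpacked and has no members other than the service account.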