On (11/11/14 09:09), Lukas Slebodnik wrote:
On (10/11/14 17:12), Jakub Hrozek wrote:
>On Thu, Nov 06, 2014 at 10:21:17AM -0500, Simo Sorce wrote:
>> On Wed, 5 Nov 2014 18:36:06 +0100
>> Jakub Hrozek <jhrozek(a)redhat.com> wrote:
>>
>> > From 1afae1740eb9bf232c33dba77f643f88d0eeb7a3 Mon Sep 17 00:00:00 2001
>> > From: Jakub Hrozek <jhrozek(a)redhat.com>
>> > Date: Sat, 18 Oct 2014 22:03:13 +0200
>> > Subject: [PATCH 5/6] KRB5: Move all ccache operations to krb5_child.c
>> >
>> > The credential cache operations must be now performed by the
>> > krb5_child completely, because the sssd_be process might be running
>> > as the sssd user who doesn't have access to the ccaches.
>> >
>> > src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5
>> > until we fix Kerberos ticket renewal as non-root.
>> >
>> > Also includes a new error code that indicates that the back end should
>> > remove the old ccache attribute -- the child can't do that if it's
>> > running as the user.
>>
>> I think I see an ordering issue but I am not completely sure
>> (unfortunately I am looking only at the patches because git am fails to
>> bring them on a copy of the master tree).
>
>The patches depended on the SELinux changes that were since merged to
>master. The attached patchset should apply on master cleanly.
>
>>
>> The main reason ccache handling was done in 2 parts is that in some
>> cases we need to do some preparatory work as root.
>> For example creating a user directory for DIR: ccache and similar.
>> I think this patches moves things around and causes all these functions
>> to be run after krb5_child has already dropped root in
>> k5c_setup() though. If that's the case as it looks to me I think this
>> patchset will not work as well as it should.
>
>You're right, I admit I tested on RHEL and Fedora where we only use
>KEYRING: and FILE:/tmp/ where I didn't hit this issue. I was also
>confused by our removal of creating public ccache dir components -- now
>I realize we can still create user-owned directories under root-writably
>directories and DIR:/run/user/$UID is exactly this case.
>
>This means we need to examine the ccache as root in order to determine
>whether to re-create it...with the attached patches the DIR cache seems
>to work fine.
>
>>
>> I also see that you added ERR_CREDS_EXPIRED_CCACHE to delete the ccache
>> once the reply is returned to the backend. But I am afraid deleting a
>> ccache may also require root privs as the ccache is owned by the user
>> but the sssd backend is running as the sssd user. Or am I missing
>> another change that addresses this ?
>>
>> Also ERR_CREDS_EXPIRED_CCACHE seem not performing the same checks as
>> ERR_CREDS_EXPIRED, why (and why does it need to be different) ?
>
>No, the ERR_CREDS_EXPIRED_CCACHE semantics is different. The krb5_child
>is able to remove the old ccache from disk or from the kernel keyring,
>but in case the child dropped privileges to the user who is logging in,
>it cannot delete the ccache attribute from sysdb..so
>ERR_CREDS_EXPIRED_CCACHE is a way of telling sssd_be to remove this
>attribute istead.
>
>Thank you for the review. New patches are attached (and I just realized
>I didn't CC you in my reply to your other mail; sorry)
>From 7addb7d573a2ef06f60e0c026f4bd01423d073ea Mon Sep 17 00:00:00 2001
>From: Jakub Hrozek <jhrozek(a)redhat.com>
>Date: Fri, 24 Oct 2014 22:44:17 +0200
>Subject: [PATCH 1/6] BUILD: Install krb5_child as suid if running under
> non-privileged user
>
>If sssd_be is running unprivileged, then krb5_child must be setuid to be
>able to access the keytab and become arbitrary user.
>---
There is a crash in krb_child with refactoring patches.
#0 sss_krb5_precreate_ccache (ccname=0x0, uid=2003, gid=2003) at
src/providers/krb5/krb5_ccache.c:222
222 if (ccname[0] == '/') {
(gdb) p ccname
$1 = 0x0
(gdb) bt full
#0 sss_krb5_precreate_ccache (ccname=0x0, uid=2003, gid=2003) at
src/providers/krb5/krb5_ccache.c:222
tmp_ctx = 0x0
filename = <value optimized out>
ccdirname = <value optimized out>
end = <value optimized out>
ret = <value optimized out>
__FUNCTION__ = "sss_krb5_precreate_ccache"
#1 0x0000000000405adc in k5c_precreate_ccache (kr=0x785450, offline=0) at
src/providers/krb5/krb5_child.c:1993
ret = <value optimized out>
#2 k5c_setup (kr=0x785450, offline=0) at src/providers/krb5/krb5_child.c:2042
kerr = <value optimized out>
parse_flags = <value optimized out>
fast_val = K5C_FAST_NEVER
__FUNCTION__ = "k5c_setup"
#3 0x0000000000408a86 in main (argc=5, argv=<value optimized out>) at
src/providers/krb5/krb5_child.c:2246
kr = 0x785450
offline = 0
opt = <value optimized out>
pc = <value optimized out>
debug_fd = 18
ret = <value optimized out>
long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4, arg =
0x617980, val = 0, descrip = 0x4121e9 "Help options:", argDescrip = 0x0}, {
longName = 0x4121f7 "debug-level", shortName = 100 'd',
argInfo = 2, arg = 0x617a40, val = 0, descrip = 0x4121c8 "Debug level",
argDescrip = 0x0}, {
longName = 0x412203 "debug-timestamps", shortName = 0
'\000', argInfo = 2, arg = 0x617960, val = 0, descrip = 0x4121d4 "Add debug
timestamps", argDescrip = 0x0}, {
longName = 0x412214 "debug-microseconds", shortName = 0
'\000', argInfo = 2, arg = 0x617a50, val = 0, descrip = 0x412e18 "Show
timestamps with microseconds",
argDescrip = 0x0}, {longName = 0x412227 "debug-fd", shortName = 0
'\000', argInfo = 2, arg = 0x7fff7a3bed08, val = 0,
descrip = 0x412e40 "An open file descriptor for the debug logs",
argDescrip = 0x0}, {longName = 0x412230 "debug-to-stderr", shortName = 0
'\000', argInfo = 1073741824,
arg = 0x617a58, val = 0, descrip = 0x412e70 "Send the debug output to
stderr directly.", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000',
argInfo = 0, arg = 0x0,
val = 0, descrip = 0x0, argDescrip = 0x0}}
__FUNCTION__ = "main"
and here is related part from krb5_child log.
[sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_2004_XXXXXX]
[sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed:
[-1765328243][Can't find client principal testuser4(a)EXAMPLE.COM in cache collection]
[create_ccache] (0x4000): Initializing ccache of type [FILE]
[switch_creds] (0x0200): Switch user to [2004][2004].
[switch_creds] (0x0200): Already user [2004].
[sss_krb5_check_ccache_princ] (0x2000): Searching for [testuser4(a)EXAMPLE.COM] in cache of
type [FILE]
[switch_creds] (0x0200): Switch user to [2004][2004].
[switch_creds] (0x0200): Already user [2004].
[sss_open_ccache_as_user] (0x0400): ccache (null) is missing or empty
[get_and_save_tgt] (0x0080): Failed to remove old ccache file [(null)], please remove it
manually.
[k5c_send_data] (0x0200): Received error code 0
[pack_response_packet] (0x2000): response packet size: [122]
[k5c_send_data] (0x4000): Response sent.
[main] (0x0400): krb5_child completed successfully
[main] (0x0400): krb5_child started.
[unpack_buffer] (0x1000): total buffer size: [66]
[unpack_buffer] (0x0100): cmd [243] uid [2004] gid [2004] validate [false] enterprise
principal [false] offline [false] UPN [testuser4(a)EXAMPLE.COM]
[unpack_buffer] (0x0100): user: [testuser4]
[check_use_fast] (0x0100): Not using FAST.
[k5c_precreate_ccache] (0x4000): Recreating ccache
LS