Commit should say it all. We do not have any security issue (that I know of) with the current code, but I want to tighten up the privileges more given we do not need the additional capabilities in the krb5_child anyway.
Simo.
On Thu, Apr 04, 2013 at 12:24:05PM -0400, Simo Sorce wrote:
Commit should say it all. We do not have any security issue (that I know of) with the current code, but I want to tighten up the privileges more given we do not need the additional capabilities in the krb5_child anyway.
Simo.
-- Simo Sorce * Red Hat, Inc * New York
I can't log in with this patch. I'm getting:
(Fri Apr 5 12:21:07 2013) [[sssd[krb5_child[4130]]]] [become_user] (0x0020): setgroups failed [1][Operation not permitted].
SELinux is Permissive on this particular machine.
On (04/04/13 12:24), Simo Sorce wrote:
Nack
Patch makes user authentication impossible.
sh-4.2$ su - usersssd02
Password:
su: incorrect password
From krb5_child.log:
[become_user] (0x0200): Trying to become user [325600012][325600012].
[create_ccache_in_dir] (0x0200): Creating ccache at [DIR:/run/user/325600012/krb5cc]
[become_user] (0x0200): Trying to become user [325600012][325600012].
[become_user] (0x0020): setgroups failed [1][Operation not permitted].
^^^^^ The second call of function become_user fails with EPERM
[create_ccache_in_dir] (0x0020): become_user failed.
[get_and_save_tgt] (0x0020): 1140: [1][Operation not permitted]
[map_krb5_error] (0x0020): 1160: [1][Operation not permitted]
errno_t become_user(uid_t uid, gid_t gid) { int ret;
DEBUG(SSSDBG_FUNC_DATA, ("Trying to become user [%d][%d].\n", uid, gid));
ret = setgid(gid);
if (ret == -1) {
ret = errno;DEBUG(SSSDBG_CRIT_FAILURE,("setgid failed [%d][%s].\n", ret, strerror(ret)));return ret;}
ret = setuid(uid);
- /* drop supplmentary groups first */
- ret = setgroups(0, NULL); if (ret == -1) { ret = errno;
If errno is EPERM, then we should ignore this error and continue.
DEBUG(SSSDBG_CRIT_FAILURE,
("setuid failed [%d][%s].\n", ret, strerror(ret)));
}("setgroups failed [%d][%s].\n", ret, strerror(ret))); return ret;
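Review bot: the setgroups(0, NULL) error path returns on every failure, and the krb5_child.log lines above show the second become_user() call in the same process failing exactly there with EPERM. Rather than ignoring EPERM from setgroups(), return early at the top of become_user() when the process already runs as the requested uid and gid, so that a failure to drop supplementary groups on the first, still privileged call keeps aborting the operation. The comment says the groups are dropped "first", but as quoted the call appears after "ret = setuid(uid);"; please confirm it runs before setgid()/setuid() in the final version.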
On Fri, 2013-04-05 at 12:26 +0200, Lukas Slebodnik wrote:
It is very odd that we get EPERM .. is this function being called twice? Once as root before the fork, and then again in the code?
Simo.
On (05/04/13 08:47), Simo Sorce wrote:
Yes twice.
1st call:
#0 become_user (uid=325600012, gid=325600012) at src/providers/krb5/krb5_become_user.c:29
#1 0x00000000004101dd in get_and_save_tgt (kr=kr@entry=0x227f090, password=<optimized out>) at src/providers/krb5/krb5_child.c:1128
#2 0x0000000000407972 in tgt_req_child (kr=0x227f090) at src/providers/krb5/krb5_child.c:1337
#3 main (argc=<optimized out>, argv=<optimized out>) at src/providers/krb5/krb5_child.c:2126
2nd call:
#0 become_user (uid=uid@entry=325600012, gid=gid@entry=325600012) at src/providers/krb5/krb5_become_user.c:29
#1 0x000000000040b569 in create_ccache_in_dir (uid=uid@entry=325600012, gid=gid@entry=325600012, ctx=ctx@entry=0x2280010, princ=princ@entry=0x2287760, ccname=ccname@entry=0x227f280 "DIR:/run/user/325600012/krb5cc", creds=creds@entry=0x22807a0) at src/providers/krb5/krb5_child.c:659
#2 0x000000000040eb7c in create_ccache (uid=325600012, gid=325600012, ctx=0x2280010, princ=0x2287760, ccname=0x227f280 "DIR:/run/user/325600012/krb5cc", creds=0x22807a0) at src/providers/krb5/krb5_child.c:732
#3 0x000000000041020a in get_and_save_tgt (kr=kr@entry=0x227f090, password=<optimized out>) at src/providers/krb5/krb5_child.c:1136
#4 0x0000000000407972 in tgt_req_child (kr=0x227f090) at src/providers/krb5/krb5_child.c:1337
#5 main (argc=<optimized out>, argv=<optimized out>) at src/providers/krb5/krb5_child.c:2126
On Fri, 2013-04-05 at 15:02 +0200, Lukas Slebodnik wrote:
Ok, attached augmented patch should handle this case too.
Thanks for testing.
Simo.
On (05/04/13 09:27), Simo Sorce wrote:
Ack
LS
On Fri, Apr 05, 2013 at 04:19:11PM +0200, Lukas Slebodnik wrote:
Pushed to master.
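The failure diagnosed in this thread (a second become_user() call hitting EPERM in setgroups() after the first call already dropped root) can be reproduced in a small model. This is an added example, not the SSSD patch or any code from the thread; struct sim_proc, the sim_* helpers, drop_always() and drop_idempotent() are hypothetical names, and the model assumes no capabilities are retained after the uid change.

```c
#include <errno.h>
#include <sys/types.h>

/* Constructed model of one process's credentials. As in the krb5_child.log
 * lines in the thread, setgroups() is refused with EPERM once euid is not 0. */
struct sim_proc {
    uid_t euid;
    gid_t egid;
    int ngroups;          /* supplementary groups still attached */
};

static int sim_setgroups_empty(struct sim_proc *p)
{
    if (p->euid != 0) { errno = EPERM; return -1; }
    p->ngroups = 0;
    return 0;
}

static int sim_setgid(struct sim_proc *p, gid_t gid)
{
    if (p->euid != 0 && gid != p->egid) { errno = EPERM; return -1; }
    p->egid = gid;
    return 0;
}

static int sim_setuid(struct sim_proc *p, uid_t uid)
{
    if (p->euid != 0 && uid != p->euid) { errno = EPERM; return -1; }
    p->euid = uid;
    return 0;
}

/* Unconditional drop: groups first, then gid, then uid; any error is fatal. */
int drop_always(struct sim_proc *p, uid_t uid, gid_t gid)
{
    if (sim_setgroups_empty(p) == -1) return errno;
    if (sim_setgid(p, gid) == -1) return errno;
    if (sim_setuid(p, uid) == -1) return errno;
    return 0;
}

/* Idempotent drop: a repeat call for the identity already held is a no-op. */
int drop_idempotent(struct sim_proc *p, uid_t uid, gid_t gid)
{
    if (p->euid == uid && p->egid == gid && p->ngroups == 0) return 0;
    return drop_always(p, uid, gid);
}

int main(void)
{
    struct sim_proc p = {0, 0, 3};           /* starts as root with 3 groups */
    drop_idempotent(&p, 1000, 1000);
    return drop_idempotent(&p, 1000, 1000);  /* 0: repeat call is a no-op */
}
```

Because the early return only triggers when the requested identity is already held, EPERM from setgroups() is never swallowed: a later request for a different uid still fails.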
sssd-devel@lists.fedorahosted.org