Control: retitle -1 pam_sss messes up existing /var/log/sssd/p11_child.log permissions
Control: reassign -1 libpam-sss 2.6.1-1
Control: severity -1 important
Turns out this is both much simpler to reproduce and also much more severe -- one doesn't actually need all the certificate setup and FindByValidCertificate() stuff -- that's just one of the "natural" ways (aside from direct smart card login through PAM on the console) in which /var/log/sssd/p11_child.log would be created.

However, it is entirely sufficient to simply create an empty file and then do any login with pam_sss being active (i.e. having sssd running with a trivial config). Updated and simplified reproducer attached.

The gist is:

- touch /var/log/sssd/p11_child.log
- log into the machine → /var/log/sssd/p11_child.log permissions broken

Thanks,
Martin
Attachment: repr2.sh (Bourne shell script)
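To make the reported permission change observable rather than eyeballed, the following added helper (not the attached repr2.sh, and not part of the bug report) records the owner, group and mode of the log file before a login and compares them afterwards; it assumes GNU coreutils `stat` on Linux and defaults to the path from the report.

```shell
#!/bin/sh
# Added example (not the attached repr2.sh): record a file's owner, group and
# mode before a login and compare afterwards, so any change pam_sss makes to
# /var/log/sssd/p11_child.log is visible. Assumes GNU coreutils stat on Linux.

# Signature of a path as "owner:group:octal-mode".
perm_sig() {
    stat -c '%U:%G:%a' "$1"
}

# Save the current signature of $1 into the snapshot file $2.
snapshot() {
    perm_sig "$1" > "$2"
}

# Compare the current signature of $1 with the snapshot in $2.
# Returns 0 if unchanged, 1 if the owner, group or mode differ.
check() {
    before=$(cat "$2")
    after=$(perm_sig "$1")
    if [ "$before" = "$after" ]; then
        echo "unchanged: $1 is $after"
        return 0
    fi
    echo "CHANGED: $1 was $before, now $after"
    return 1
}

# Usage: ./permcheck.sh snapshot|check [path] [snapshot-file]
# Run "snapshot" after the touch and before logging in, "check" after the
# login. With no arguments the script only defines the functions above.
if [ $# -gt 0 ]; then
    file="${2:-/var/log/sssd/p11_child.log}"
    snap="${3:-/tmp/p11_child.perms}"
    case "$1" in
        snapshot) snapshot "$file" "$snap" ;;
        check)    check "$file" "$snap" ;;
        *) echo "usage: $0 snapshot|check [path] [snapshot-file]" >&2; exit 2 ;;
    esac
fi
```

A non-zero exit from `check` after the login confirms the report's "permissions broken" step and prints the before/after values, which is what a maintainer needs when deciding on the fix.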