URL: https://github.com/SSSD/sssd/pull/5787
Author: sumit-bose
Title: #5787: krb5: fix ccache ownership for offline Smartcard authentication
Action: opened
PR body:
"""
During Smartcard authentication/PKINIT the krb5_child process is running as privileged user for some time to make sure pcscd allows access to the Smartcard. If SSSD is offline those privileges are currently not dropped before creating an empty ccache and as a result file based ccaches might have a wrong ownership. With the patch the privileges are dropped if SSSD is offline and the ccache is created with the expected ownership.

Resolves: https://github.com/SSSD/sssd/issues/5785

:fixes: ccache files are created with the right ownership during offline Smartcard authentication
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5787/head:pr5787
git checkout pr5787
From 9075925a362e77bebba895724312a0093d2997b5 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Thu, 16 Sep 2021 11:38:47 +0200 Subject: [PATCH] krb5: fix ccache ownership for offline Smartcard authentication During Smartcard authentication/PKINIT the krb5_child process is running as privileged user for some time to make sure pcscd allows access to the Smartcard. If SSSD is offline those privileges are currently not dropped before creating an empty ccache and as a result file based ccaches might have a wrong ownership. With the patch the privileges are dropped if SSSD is offline and the ccache is created with the expected ownership. Resolves: https://github.com/SSSD/sssd/issues/5785 :fixes: ccache files are created with the right ownership during offline Smartcard authentication --- src/providers/krb5/krb5_child.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 4e55d9a374..70e93e3198 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -3430,8 +3430,11 @@ int main(int argc, const char *argv[]) * default and the 'sssd' user is allowed with the help of the * sssd-pcsc.rules policy-kit rule. So those IDs are a suitable choice. We * can only call switch_creds() because after the TGT is returned we have - * to switch to the IDs of the user to store the TGT. */ - if (IS_SC_AUTHTOK(kr->pd->authtok)) { + * to switch to the IDs of the user to store the TGT. + * If we are offline we have to switch to the user's credentials directly + * to make sure the empty ccache is created with the expected + * ownership. */ + if (IS_SC_AUTHTOK(kr->pd->authtok) && !offline) { kerr = switch_creds(kr, kr->fast_uid, kr->fast_gid, 0, NULL, &kr->pcsc_saved_creds); } else {
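Review bot: The new condition IS_SC_AUTHTOK(kr->pd->authtok) && !offline means an offline Smartcard login no longer switches to kr->fast_uid/kr->fast_gid, which the comment above names as the IDs pcscd accepts, so the added comment should also state that krb5_child needs no pcscd access once SSSD is offline; otherwise the offline path would reach the card with the user's IDs and could be refused. The visible lines do not show where offline is assigned, so it is worth confirming that it is set before this point in main() and that it is the same flag that later selects the empty-ccache path. The diffstat shows only krb5_child.c changed; a regression test that runs an offline Smartcard authentication with a file based ccache and checks the file's owner against the user's uid and gid would keep issue 5785 from coming back.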