sssd.git - sssd with jhrozek's patches

diff options

author	Jakub Hrozek <jhrozek@redhat.com>	2014-10-13 21:13:38 +0200
committer	Jakub Hrozek <jhrozek@redhat.com>	2014-11-18 20:33:22 +0100
commit	476b78b3f66abc7a0f805154ea1a29f54628224a (patch)
tree	12d5c13e1bdd0389927c57fe0bf5c655de822ccb /Makefile.am
parent	a60f4bb6b321298eb4d1c1c33d1897049a83d357 (diff)
download	sssd-476b78b3f66abc7a0f805154ea1a29f54628224a.tar.gz sssd-476b78b3f66abc7a0f805154ea1a29f54628224a.tar.xz sssd-476b78b3f66abc7a0f805154ea1a29f54628224a.zip

KRB5: Drop privileges in the child, not the back end

In future patches, sssd_be will be running as a non-privileged user, who will execute the setuid krb5_child. In this case, the child will start as root and drop the privileges as soon as possible. However, we need to also remove the privilege drop in sssd_be, because if we dropped to the user who is authenticating, we wouldn't be even allowed to execute krb5_child. The krb5_child permissions should be 4750, owned by root.sssd, to make sure only root and sssd can execute the child and if executed by sssd, the child will run as root. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Diffstat (limited to 'Makefile.am')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: