author: Lukas Slebodnik <lslebodn@redhat.com> 2015-05-27 14:49:14 +0200
committer: Jakub Hrozek <jhrozek@redhat.com> 2015-05-31 19:35:27 +0200
commit: 1370bcccaed090f36d75e8a8cebb320ea1612b7e (patch)
tree: bea3a3e65a994920561174ec2b45ba1479052e9c /Makefile.am
parent: ee44aac95e42c3cb634876286a2aa4960ac69a2b (diff)
PROXY: proxy_child should work in non-root mode

According to design page[1], proxy_child should run with root privileges
in non-root mode however proxy_child did not have setuid bit.

After setting setuid bit proxy_child will be executed with extra
privileges. The effective user ID will be 0 but effective group ID will
be still the same as egid of sssd_be. Therefore gid of private pipe
for proxy_child should be the same. Otherwise proxy_child will fail due
to wrong permissions of unix pipe (sbus_client_init -> check_file)

[1] https://fedorahosted.org/sssd/wiki/DesignDocs/NotRootSSSD

Resolves:
https://fedorahosted.org/sssd/ticket/2655

Reviewed-by: Michal Židek <mzidek@redhat.com>

Diffstat (limited to 'Makefile.am')
-rw-r--r-- Makefile.am 2
1 files changed, 2 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index 1970b812e..9927391fe 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3344,6 +3344,8 @@ if SSSD_USER
chmod 4750 $(DESTDIR)$(sssdlibexecdir)/ldap_child
-chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/krb5_child
chmod 4750 $(DESTDIR)$(sssdlibexecdir)/krb5_child
+ -chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/proxy_child
+ chmod 4750 $(DESTDIR)$(sssdlibexecdir)/proxy_child
if BUILD_SEMANAGE
-chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/selinux_child
chmod 4750 $(DESTDIR)$(sssdlibexecdir)/selinux_child
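
Review bot: The added `-chgrp $(SSSD_USER) .../proxy_child` line ignores failure because of the leading `-`, yet the following `chmod 4750 .../proxy_child` still runs unconditionally. If the group change does not take effect (for example because no group named after SSSD_USER exists at install time), the binary ends up setuid with mode 4750 under its original group, so sssd_be running under the unprivileged account cannot execute it and the failure this commit is meant to resolve comes back with no install-time error. This mirrors the existing ldap_child and krb5_child lines, so it is consistent, but consider letting the install fail or warn when chgrp fails, at least for the setuid helpers. Keeping chgrp before chmod is the right order, since a group change can clear the setuid bit. A short comment above the new lines saying why proxy_child needs setuid root in the SSSD_USER build (with a pointer to the design page and ticket 2655 cited in the commit message) would help anyone auditing the list of setuid binaries later.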