diff options
| author | Lukas Slebodnik <lslebodn@redhat.com> | 2015-05-27 14:49:14 +0200 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-05-31 19:40:22 +0200 |
| commit | d3ff187769601118d500b5bdd8ad6b7b733bdddb (patch) | |
| tree | febf02a72ff570b52aaa9d7d36f12bda978cf057 /contrib | |
| parent | 44f35a0f32785bf460b5d05424f5e9a15f4f4028 (diff) | |
| download | sssd-d3ff187769601118d500b5bdd8ad6b7b733bdddb.tar.gz sssd-d3ff187769601118d500b5bdd8ad6b7b733bdddb.tar.xz sssd-d3ff187769601118d500b5bdd8ad6b7b733bdddb.zip | |
PROXY: proxy_child should work in non-root mode
According to design page[1], proxy_child should run
with root privileges in non-root mode however proxy_child
did not have setuid bit.
After setting setuid bit proxy_child will be executed with extra privileges.
The effective user ID will be 0 but effective group ID will be still
the same as egid of sssd_be. Therefore gid of private pipe for
proxy_child should be the same. Otherwise proxy_child will fail
due to wrong permissions of unix pipe (sbus_client_init -> check_file)
[1] https://fedorahosted.org/sssd/wiki/DesignDocs/NotRootSSSD
Resolves:
https://fedorahosted.org/sssd/ticket/2655
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 1370bcccaed090f36d75e8a8cebb320ea1612b7e)
Diffstat (limited to 'contrib')
| -rw-r--r-- | contrib/sssd.spec.in | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 35de44493..2600438f3 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -680,7 +680,7 @@ rm -rf $RPM_BUILD_ROOT %files proxy %defattr(-,root,root,-) %doc COPYING -%{_libexecdir}/%{servicename}/proxy_child +%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/proxy_child %{_libdir}/%{name}/libsss_proxy.so %files dbus |