author | Jakub Hrozek <jhrozek@redhat.com> | 2014-11-28 13:04:42 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-12-03 11:02:44 +0100 |
commit | 543d1652e0185abadd5d8b45c718a3db96cd2828 (patch) | |
tree | bb17cc89e2e8d8ddc36b6049cf89922aeca61b99 /src/providers/krb5/krb5_child_handler.c | |
parent | b4f87b42b18888c396e44e7359f7aafb092221bf (diff) | |
KRB5: Create the fast ccache in a child process
Related:
https://fedorahosted.org/sssd/ticket/2503
In order to avoid making Kerberos library calls as root, the krb5_child
forks itself and recreates the FAST ccache as the SSSD user.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'src/providers/krb5/krb5_child_handler.c')
-rw-r--r-- | src/providers/krb5/krb5_child_handler.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 9bb61f654..1454d220f 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -278,6 +278,14 @@ static errno_t fork_child(struct tevent_req *req)
 errno_t err;
 struct handle_child_state *state = tevent_req_data(req, struct handle_child_state);
+ const char *k5c_extra_args[3];
+
+ k5c_extra_args[0] = talloc_asprintf(state, "--fast-ccache-uid=%"SPRIuid, getuid());
+ k5c_extra_args[1] = talloc_asprintf(state, "--fast-ccache-gid=%"SPRIgid, getgid());
+ k5c_extra_args[2] = NULL;
+ if (k5c_extra_args[0] == NULL || k5c_extra_args[1] == NULL) {
+ return ENOMEM;
+ }
 ret = pipe(pipefd_from_child);
 if (ret == -1) {
@@ -300,7 +308,7 @@ static errno_t fork_child(struct tevent_req *req)
 err = exec_child(state, pipefd_to_child, pipefd_from_child, KRB5_CHILD, state->kr->krb5_ctx->child_debug_fd,
- NULL);
+ k5c_extra_args);
 if (err != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec KRB5 child: [%d][%s].\n", err, strerror(err)); |
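Review bot: In the first hunk the values placed in `--fast-ccache-uid`/`--fast-ccache-gid` come from `getuid()`/`getgid()`, the provider's real IDs, and nothing at the call site says why the real rather than the effective IDs are the ones the child should assume. These two strings decide which identity the forked helper takes on when it recreates the FAST ccache, so I would add a comment above the assignments, for example `/* Real uid/gid of this provider: the identity krb5_child switches to before recreating the FAST ccache; the child must treat both values as untrusted argv. */`. The child-side parsing is not part of this diff, so whether it range-checks the values and changes the gid before the uid has to be confirmed there. fork_child's body begins and ends outside both hunks.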