diff options
| author | Jakub Hrozek <jhrozek@redhat.com> | 2014-10-13 21:13:38 +0200 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-10-30 16:36:50 +0100 |
| commit | 54ddaca98815177a5185e929c3ffe007c977be35 (patch) | |
| tree | a297536c8b0caa0e82c0f669e15fe4887f4a944c /src/providers/krb5/krb5_utils.c | |
| parent | 25a2d146599efde8f155cf8edf169bf852c58b0e (diff) | |
| download | sssd-54ddaca98815177a5185e929c3ffe007c977be35.tar.gz sssd-54ddaca98815177a5185e929c3ffe007c977be35.tar.xz sssd-54ddaca98815177a5185e929c3ffe007c977be35.zip | |
KRB5: Drop privileges in the child, not the back end
In future patches, sssd_be will be running as a non-privileged user, who
will execute the setuid krb5_child. In this case, the child will start
as root and drop the privileges as soon as possible.
However, we need to also remove the privilege drop in sssd_be, because
if we dropped to the user who is authenticating, we wouldn't be even
allowed to execute krb5_child. The krb5_child permissions should be
4750, owned by root.sssd, to make sure only root and sssd can execute
the child and if executed by sssd, the child will run as root.
Diffstat (limited to 'src/providers/krb5/krb5_utils.c')
0 files changed, 0 insertions, 0 deletions