author | Jakub Hrozek <jhrozek@redhat.com> | 2015-01-20 18:06:49 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-01-21 11:25:49 +0100 |
commit | 858e750c3d4fe54e50616a1ed1e101469503c070 (patch) | |
tree | bcedf85c2277380983eb21251f375adea06d7f5f /src/providers/krb5 | |
parent | 7543052f562f157f7b17fdc46a6777d80c0cb3bd (diff) | |
Open the PAC socket from krb5_child before dropping root
The PAC responder by default allows only connections from the root user.
This patch opens the socket to the PAC responder before the krb5_child
drops privileges so the connection seemingly comes from root.
https://fedorahosted.org/sssd/ticket/2559
Reviewed-by: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'src/providers/krb5')
-rw-r--r-- | src/providers/krb5/krb5_child.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index ae395e5d3..8b3f10d82 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -2313,6 +2313,14 @@ static krb5_error_code privileged_krb5_setup(struct krb5_req *kr, } } + if (kr->send_pac) { + ret = sss_pac_check_and_open(); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Cannot open the PAC responder socket\n"); + /* Not fatal */ + } + } + return 0; } |
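Review bot: In the new `if (kr->send_pac)` block added to privileged_krb5_setup(), the failure branch discards `ret`: the DEBUG message "Cannot open the PAC responder socket" does not include the error code, and `/* Not fatal */` does not say what happens afterwards. The commit message states that the PAC responder accepts only connections from root by default, so a failed open here presumably means the PAC cannot be sent once privileges are dropped. Please include `ret` in the log message and extend the comment to state that consequence, or clear `kr->send_pac` on failure if later code should not retry as the unprivileged user. A short comment noting that the socket is deliberately opened as root and kept open across the privilege drop would also help anyone auditing what the unprivileged child retains.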