authorJakub Hrozek <jhrozek@redhat.com>2014-10-19 19:15:52 +0200
committerJakub Hrozek <jhrozek@redhat.com>2014-10-29 10:55:11 +0100
commitdde29ee9e0f9600453c360dc8544ef9beb07ea6c (patch)
tree92602a659827be895bd390b9f23fdbc762840ed2 /src/providers/ldap/sdap_child_helpers.c
parentc3209dd39a117898541285fe0c891f0d4b676598 (diff)
LDAP: Drop privileges after kinit in ldap_child
After ldap_child initializes privileges using root-owned keytab, it drops privileges to the SSSD user, minimizing the amount of code that runs as root.
Diffstat (limited to 'src/providers/ldap/sdap_child_helpers.c')
-rw-r--r--src/providers/ldap/sdap_child_helpers.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c
index 448c5af10..e5d46b9b7 100644
--- a/src/providers/ldap/sdap_child_helpers.c
+++ b/src/providers/ldap/sdap_child_helpers.c
@@ -152,7 +152,7 @@ static errno_t create_tgt_req_send_buffer(TALLOC_CTX *mem_ctx,
return ENOMEM;
}
- buf->size = 4 * sizeof(uint32_t);
+ buf->size = 6 * sizeof(uint32_t);
if (realm_str) {
buf->size += strlen(realm_str);
}
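Review bot: The header size on the new line, `buf->size = 6 * sizeof(uint32_t);`, is a hand-counted literal that must match the number of `SAFEALIGN_SET_UINT32` writes further down in create_tgt_req_send_buffer, and nothing ties the two together. If a field is later added without bumping the count, the writes would run past the allocated buffer. A comment naming the fields would make the count checkable, e.g. `/* 6 uint32 fields: three string lengths, lifetime, UID, GID */`; the first three are inferred, since only the lifetime, UID and GID writes are visible in this diff. The function starts before and continues after this hunk.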
@@ -201,6 +201,12 @@ static errno_t create_tgt_req_send_buffer(TALLOC_CTX *mem_ctx,
/* lifetime */
SAFEALIGN_SET_UINT32(&buf->data[rp], lifetime, &rp);
+ /* UID and GID to drop privileges to, if needed. The ldap_child process runs as
+ * setuid if the back end runs unprivileged as it needs to access the keytab
+ */
+ SAFEALIGN_SET_UINT32(&buf->data[rp], geteuid(), &rp);
+ SAFEALIGN_SET_UINT32(&buf->data[rp], getegid(), &rp);
+
*io_buf = buf;
return EOK;
}
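Review bot: The IDs written here are the caller's own `geteuid()`/`getegid()`, so the setuid ldap_child is told by its unprivileged parent which identity to drop to. The reading side is not part of this diff, but it should treat both values as untrusted input. It is worth confirming there that a request carrying UID or GID 0 never counts as a successful drop, and that the drop itself is checked for failure. The comment could say this outright, for example `/* Target UID/GID for ldap_child's privilege drop; ldap_child is setuid when the back end runs unprivileged and must validate these */`. create_tgt_req_send_buffer begins outside the hunk.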