diff options
author | Jakub Hrozek <jhrozek@redhat.com> | 2014-10-19 19:15:52 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-11-05 19:55:05 +0100 |
commit | 936940720b1b0e701a2317abc4c2d05a78338f33 (patch) | |
tree | b7958988dedffefe1b1aba53b989cb51f1f23746 /src/providers/ldap/sdap_child_helpers.c | |
parent | 5eef3da14cb34e4cb6356f0b291c066db946f936 (diff) | |
download | sssd-936940720b1b0e701a2317abc4c2d05a78338f33.tar.gz sssd-936940720b1b0e701a2317abc4c2d05a78338f33.tar.xz sssd-936940720b1b0e701a2317abc4c2d05a78338f33.zip |
LDAP: Drop privileges after kinit in ldap_child
After ldap_child initializes privileges using root-owned keytab, it
drops privileges to the SSSD user, minimizing the amount of code that
runs as root.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Diffstat (limited to 'src/providers/ldap/sdap_child_helpers.c')
-rw-r--r-- | src/providers/ldap/sdap_child_helpers.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c index 448c5af10..e5d46b9b7 100644 --- a/src/providers/ldap/sdap_child_helpers.c +++ b/src/providers/ldap/sdap_child_helpers.c @@ -152,7 +152,7 @@ static errno_t create_tgt_req_send_buffer(TALLOC_CTX *mem_ctx, return ENOMEM; } - buf->size = 4 * sizeof(uint32_t); + buf->size = 6 * sizeof(uint32_t); if (realm_str) { buf->size += strlen(realm_str); } @@ -201,6 +201,12 @@ static errno_t create_tgt_req_send_buffer(TALLOC_CTX *mem_ctx, /* lifetime */ SAFEALIGN_SET_UINT32(&buf->data[rp], lifetime, &rp); + /* UID and GID to drop privileges to, if needed. The ldap_child process runs as + * setuid if the back end runs unprivileged as it needs to access the keytab + */ + SAFEALIGN_SET_UINT32(&buf->data[rp], geteuid(), &rp); + SAFEALIGN_SET_UINT32(&buf->data[rp], getegid(), &rp); + *io_buf = buf; return EOK; } |