authorJakub Hrozek <jhrozek@redhat.com>2015-01-20 18:06:49 +0100
committerJakub Hrozek <jhrozek@redhat.com>2015-01-21 11:33:06 +0100
commit8e650486102cb0c60f54e43acecacffdf3858ada (patch)
tree0dcd87c213bbb381d412c862e29e574e7a1298db /src/sss_client
parentac9d460c61bf3bdb3aed5d96541d7e5baf8d9648 (diff)
Open the PAC socket from krb5_child before dropping root
The PAC responder by default allows only connections from the root user. This patch opens the socket to the PAC responder before the krb5_child drops privileges, so that the connection appears to come from root. https://fedorahosted.org/sssd/ticket/2559 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 858e750c3d4fe54e50616a1ed1e101469503c070)
Diffstat (limited to 'src/sss_client')
-rw-r--r--src/sss_client/common.c13
-rw-r--r--src/sss_client/sss_cli.h6
2 files changed, 19 insertions, 0 deletions
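--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -749,6 +749,19 @@ enum nss_status sss_nss_make_request(enum sss_cli_command cmd,
 }
 }
+int sss_pac_check_and_open(void)
+{
+ enum sss_status ret;
+ int errnop;
+
+ ret = sss_cli_check_socket(&errnop, SSS_PAC_SOCKET_NAME);
+ if (ret != SSS_STATUS_SUCCESS) {
+ return EIO;
+ }
+
+ return EOK;
+}
+
 int sss_pac_make_request(enum sss_cli_command cmd,
 struct sss_cli_req_data *rd,
 uint8_t **repbuf, size_t *replen,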
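Review bot: The `errnop` value that sss_cli_check_socket() fills in is discarded in sss_pac_check_and_open(), so every failure collapses to EIO and the caller cannot distinguish "responder socket absent" from "permission denied" or a transient error — information krb5_child would want to log, since this call is the one that must succeed while still root. It is also declared without an initializer; unless sss_cli_check_socket() is known to write it on every failure path (not visible here), returning it would read an indeterminate value. Suggest `int errnop = 0;` and `return errnop != 0 ? errnop : EIO;`, keeping EIO as the fallback so existing callers still see a non-zero errno-style result. Since the socket opened here is meant to survive the privilege drop, it is also worth confirming that sss_cli_check_socket() marks the descriptor close-on-exec so it does not leak into any further exec'd process.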
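--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -511,6 +511,12 @@ int sss_pam_make_request(enum sss_cli_command cmd,
 int *errnop);
 void sss_pam_close_fd(void);
+/* Checks access to the PAC responder and opens the socket, if available.
+ * Required for processes like krb5_child that need to open the socket
+ * before dropping privs.
+ */
+int sss_pac_check_and_open(void);
+
 int sss_pac_make_request(enum sss_cli_command cmd,
 struct sss_cli_req_data *rd,
 uint8_t **repbuf, size_t *replen,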
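Review bot: The new comment on sss_pac_check_and_open() does not state its return contract or the ordering constraint that makes it useful, both of which a caller outside the client library needs. The implementation in common.c returns EOK on success and EIO when sss_cli_check_socket() fails, and its whole purpose is that it must be called while the process is still privileged. Suggest extending the comment with two lines such as `* Returns EOK on success, EIO if the responder socket could not be opened.` and `* Must be called before privileges are dropped; the opened descriptor is presumably reused by later sss_pac_make_request() calls.` (the reuse is inferred from the commit message rather than visible in this hunk, so keep it hedged or verify against sss_cli_check_socket()).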