From 8e650486102cb0c60f54e43acecacffdf3858ada Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 20 Jan 2015 18:06:49 +0100
Subject: Open the PAC socket from krb5_child before dropping root The PAC responder by default allows only connections from the root user. This patch opens the socket to the PAC responder before the krb5_child drops privileges so the connection seemingly comes from root. https://fedorahosted.org/sssd/ticket/2559 Reviewed-by: Sumit Bose (cherry picked from commit 858e750c3d4fe54e50616a1ed1e101469503c070)
---
 src/providers/krb5/krb5_child.c | 8 ++++++++
 src/sss_client/common.c | 13 +++++++++++++
 src/sss_client/sss_cli.h | 6 ++++++
 3 files changed, 27 insertions(+)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 39cd62846..4c2f81fb1 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -2305,6 +2305,14 @@ static krb5_error_code privileged_krb5_setup(struct krb5_req *kr,
 }
 }
+ if (kr->send_pac) {
+ ret = sss_pac_check_and_open();
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Cannot open the PAC responder socket\n");
+ /* Not fatal */
+ }
+ }
+
 return 0;
 }
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
index 7c4bb7ab8..1b0fb1223 100644
--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -749,6 +749,19 @@ enum nss_status sss_nss_make_request(enum sss_cli_command cmd,
 }
 }
+int sss_pac_check_and_open(void)
+{
+ enum sss_status ret;
+ int errnop;
+
+ ret = sss_cli_check_socket(&errnop, SSS_PAC_SOCKET_NAME);
+ if (ret != SSS_STATUS_SUCCESS) {
+ return EIO;
+ }
+
+ return EOK;
+}
+
 int sss_pac_make_request(enum sss_cli_command cmd,
 struct sss_cli_req_data *rd,
 uint8_t **repbuf, size_t *replen,
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 2d909311c..6286077fc 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
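Review bot: The failure branch under `if (kr->send_pac)` logs a fixed message and drops `ret`, so the log cannot distinguish a missing responder from a permission problem, and nothing at the call site says why the socket is opened here rather than when the PAC is actually sent. Suggest `DEBUG(SSSDBG_MINOR_FAILURE, "Cannot open the PAC responder socket [%d]: %s\n", ret, strerror(ret));` (the declaration of `ret` is outside the hunk; `%d` assumes it is an int) and a comment above the block such as `/* The PAC responder accepts connections from root only; connect now, while still privileged, so the descriptor is already open when the PAC is sent after the privilege drop. */`. The "Not fatal" choice deserves a word in that comment too: a failed open here means the later PAC request will presumably be refused for the unprivileged user, and this minor-failure line is the only trace of it, so anyone auditing why PAC processing stopped needs to know to look for it. privileged_krb5_setup begins before the hunk.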
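Review bot: `sss_pac_check_and_open` discards `errnop` and maps every failure of `sss_cli_check_socket` to EIO, so the caller cannot tell a refused connection (the permission case this commit exists for) from an absent responder. Suggest `int errnop = 0;` and `return errnop != 0 ? errnop : EIO;` — the initializer matters because `errnop` is otherwise read uninitialized if `sss_cli_check_socket` reports failure without setting it (whether it always sets it is not visible in this hunk). A short comment on the definition mirroring the header's would also help, since the "call before dropping privileges" requirement is stated only in sss_cli.h and a reader of common.c will not see it.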
@@ -511,6 +511,12 @@ int sss_pam_make_request(enum sss_cli_command cmd,
 int *errnop);
 void sss_pam_close_fd(void);
+/* Checks access to the PAC responder and opens the socket, if available.
+ * Required for processes like krb5_child that need to open the socket
+ * before dropping privs.
+ */
+int sss_pac_check_and_open(void);
+
 int sss_pac_make_request(enum sss_cli_command cmd,
 struct sss_cli_req_data *rd,
 uint8_t **repbuf, size_t *replen,
-- cgit
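Review bot: The new comment says what the function does but not what it returns; callers compare against EOK, and the error value is only discoverable by reading common.c. Suggest adding ` * Returns EOK on success, or an errno value (EIO) when the socket cannot be checked or opened.` to the comment block. It would also help to state that the opened descriptor is retained for the subsequent sss_pac_make_request() call — that appears to be the intent, since the caller in krb5_child drops privileges in between, but the retention presumably happens in the client library's cached socket and is not visible in this diff.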