From a60f4bb6b321298eb4d1c1c33d1897049a83d357 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 24 Oct 2014 22:44:17 +0200
Subject: BUILD: Install krb5_child as suid if running under non-privileged
 user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If sssd_be is running unprivileged, then krb5_child must be setuid to be
able to access the keytab and become arbitrary user.

Related:
https://fedorahosted.org/sssd/ticket/2370

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
 Makefile.am | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'Makefile.am')

diff --git a/Makefile.am b/Makefile.am
index b85341f58..5f265dcef 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2872,6 +2872,8 @@ endif
 if SSSD_USER
 	chgrp $(SSSD_USER) $(sssdlibexecdir)/ldap_child
 	chmod 4750 $(sssdlibexecdir)/ldap_child
+	chgrp $(SSSD_USER) $(sssdlibexecdir)/krb5_child
+	chmod 4750 $(sssdlibexecdir)/krb5_child
 if BUILD_SEMANAGE
 	chgrp $(SSSD_USER) $(sssdlibexecdir)/selinux_child
 	chmod 4750 $(sssdlibexecdir)/selinux_child
-- 
cgit