From a60f4bb6b321298eb4d1c1c33d1897049a83d357 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 24 Oct 2014 22:44:17 +0200
Subject: BUILD: Install krb5_child as suid if running under non-privileged
 user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If sssd_be is running unprivileged, then krb5_child must be setuid to be
able to access the keytab and become arbitrary user.

Related:
https://fedorahosted.org/sssd/ticket/2370

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
 contrib/sssd.spec.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'contrib/sssd.spec.in')

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 5bfb16707..4734d1248 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -646,7 +646,7 @@ rm -rf $RPM_BUILD_ROOT
 %doc COPYING
 %{_libdir}/%{name}/libsss_krb5_common.so
 %attr(4750,root,sssd) %{_libexecdir}/%{servicename}/ldap_child
-%{_libexecdir}/%{servicename}/krb5_child
+%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/krb5_child
 
 %files krb5 -f sssd_krb5.lang
 %defattr(-,root,root,-)
-- 
cgit