diff options
| author | Simo Sorce <ssorce@redhat.com> | 2011-11-11 16:59:21 -0500 |
|---|---|---|
| committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-11-22 10:50:48 -0500 |
| commit | e369fc08906383e6d5c39832f31bb6600a33f887 (patch) | |
| tree | e9f3868b0656f971c94ae06871c621653596c885 | |
| parent | 98e0f08e3de3f8f035790adcd614cff6bf6dd34d (diff) | |
| download | sssd-e369fc08906383e6d5c39832f31bb6600a33f887.tar.gz sssd-e369fc08906383e6d5c39832f31bb6600a33f887.tar.xz sssd-e369fc08906383e6d5c39832f31bb6600a33f887.zip | |
Set more strict permissions on keyring
We want to confine access to the keyring to the current process
and not let root easily peek into the keyring contents.
| -rw-r--r-- | Makefile.am | 1 | ||||
| -rw-r--r-- | src/monitor/monitor.c | 27 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_delayed_online_authentication.c | 2 |
3 files changed, 29 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am index a423ace3..6f01cfbd 100644 --- a/Makefile.am +++ b/Makefile.am @@ -402,6 +402,7 @@ sssd_SOURCES = \ sssd_LDADD = \ $(SSSD_LIBS) \ $(LIBNL_LIBS) \ + $(KEYUTILS_LIBS) \ libsss_util.la sssd_nss_SOURCES = \ diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c index 1b7f87a9..2db9d541 100644 --- a/src/monitor/monitor.c +++ b/src/monitor/monitor.c @@ -51,6 +51,10 @@ #include "sbus/sssd_dbus.h" #include "monitor/monitor_interfaces.h" +#ifdef USE_KEYRING +#include <keyutils.h> +#endif + /* ping time cannot be less then once every few seconds or the * monitor will get crazy hammering children with messages */ #define MONITOR_DEF_PING_TIME 10 @@ -2472,6 +2476,29 @@ int main(int argc, const char *argv[]) } } +#ifdef USE_KEYRING + /* Do this before all the forks, it sets the session key ring so all + * keys are private to the daemon and cannot be read by any other process + * tree */ + + /* make a new session */ + ret = keyctl_join_session_keyring(NULL); + if (ret == -1) { + sss_log(SSS_LOG_ALERT, + "Could not create private keyring session. " + "If you store password there they may be easily accessible " + "to the root user. (%d, %s)", errno, strerror(errno)); + } + + ret = keyctl_setperm(KEY_SPEC_SESSION_KEYRING, KEY_POS_ALL); + if (ret == -1) { + sss_log(SSS_LOG_ALERT, + "Could not set permissions on private keyring. " + "If you store password there they may be easily accessible " + "to the root user. (%d, %s)", errno, strerror(errno)); + } +#endif + /* Warn if nscd seems to be running */ ret = check_file(NSCD_SOCKET_PATH, -1, -1, -1, CHECK_SOCK, NULL, false); if (ret == EOK) { diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c index 02f09919..d5dea3bb 100644 --- a/src/providers/krb5/krb5_delayed_online_authentication.c +++ b/src/providers/krb5/krb5_delayed_online_authentication.c @@ -258,7 +258,7 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx, #ifdef USE_KEYRING new_pd->key_serial = add_key("user", new_pd->user, new_pd->authtok, - new_pd->authtok_size, KEY_SPEC_THREAD_KEYRING); + new_pd->authtok_size, KEY_SPEC_SESSION_KEYRING); if (new_pd->key_serial == -1) { ret = errno; DEBUG(1, ("add_key fialed [%d][%s].\n", ret, strerror(ret))); |