author | Jakub Hrozek <jhrozek@redhat.com> | 2014-10-24 22:44:17 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-11-18 20:33:11 +0100 |
commit | a60f4bb6b321298eb4d1c1c33d1897049a83d357 (patch) | |
tree | fff0154ba9fed8ae3bc3feca4351c12e59df797e | |
parent | 38429c99bf5af14c2d6bae6ddcf70974fdd103cc (diff) | |
BUILD: Install krb5_child as suid if running under non-privileged user
If sssd_be is running unprivileged, then krb5_child must be setuid to be
able to access the keytab and become an arbitrary user.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-rw-r--r-- | Makefile.am | 2 | ||||
-rw-r--r-- | contrib/sssd.spec.in | 2 |
2 files changed, 3 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am
index b85341f58..5f265dcef 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2872,6 +2872,8 @@ endif
 if SSSD_USER
 chgrp $(SSSD_USER) $(sssdlibexecdir)/ldap_child
 chmod 4750 $(sssdlibexecdir)/ldap_child
+ chgrp $(SSSD_USER) $(sssdlibexecdir)/krb5_child
+ chmod 4750 $(sssdlibexecdir)/krb5_child
 if BUILD_SEMANAGE
 chgrp $(SSSD_USER) $(sssdlibexecdir)/selinux_child
 chmod 4750 $(sssdlibexecdir)/selinux_child
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 5bfb16707..4734d1248 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -646,7 +646,7 @@ rm -rf $RPM_BUILD_ROOT
 %doc COPYING
 %{_libdir}/%{name}/libsss_krb5_common.so
 %attr(4750,root,sssd) %{_libexecdir}/%{servicename}/ldap_child
-%{_libexecdir}/%{servicename}/krb5_child
+%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/krb5_child
 %files krb5 -f sssd_krb5.lang
 %defattr(-,root,root,-) |
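Review bot: The two added lines in Makefile.am act on `$(sssdlibexecdir)/krb5_child` with no `$(DESTDIR)` prefix and never set the owner, so as shown a staged install would touch the live path, and the setuid bit takes effect for whichever user ran the install rather than for root as the spec file's `%attr(4750,root,sssd)` intends. Consider `chown root:$(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/krb5_child` followed by `chmod 4750 $(DESTDIR)$(sssdlibexecdir)/krb5_child`; the ownership change must stay before the chmod because changing ownership can clear the setuid bit. The neighbouring ldap_child and selinux_child lines follow the same pattern and would need the same change. The enclosing rule begins and ends outside the hunk, so any DESTDIR handling elsewhere in it is not visible here.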
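Review bot: In contrib/sssd.spec.in the new `%attr(4750,root,sssd)` entry makes krb5_child setuid root in every package build, while the Makefile.am change applies it only under `if SSSD_USER` and the commit message says it is needed only when sssd_be runs unprivileged. If the spec can also produce a root-running configuration, this ships a setuid-root binary that is not required there; gating the attribute on the same build option would keep the privileged surface minimal. The group is also hard-coded as `sssd` rather than derived from the configured user. A comment above the entry such as `# setuid root: an unprivileged sssd_be needs krb5_child to read the keytab and switch to the target user` would help anyone auditing setuid files on the system. The %files section starts outside the hunk, so an existing conditional around it cannot be ruled out.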