BUILD: Install krb5_child as suid if running under non-privileged user

If sssd_be is running unprivileged, then krb5_child must be setuid to be able to access the keytab and become arbitrary user. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <[email protected]> Reviewed-by: Lukáš Slebodník <[email protected]>
SSSD · Nov 18, 2014 · a60f4bb · a60f4bb
1 parent 38429c9
commit a60f4bb
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/Makefile.am b/Makefile.am
@@ -2872,6 +2872,8 @@ endif
 if SSSD_USER
 	chgrp $(SSSD_USER) $(sssdlibexecdir)/ldap_child
 	chmod 4750 $(sssdlibexecdir)/ldap_child
+	chgrp $(SSSD_USER) $(sssdlibexecdir)/krb5_child
+	chmod 4750 $(sssdlibexecdir)/krb5_child
 if BUILD_SEMANAGE
 	chgrp $(SSSD_USER) $(sssdlibexecdir)/selinux_child
 	chmod 4750 $(sssdlibexecdir)/selinux_child

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
@@ -646,7 +646,7 @@ rm -rf $RPM_BUILD_ROOT
 %doc COPYING
 %{_libdir}/%{name}/libsss_krb5_common.so
 %attr(4750,root,sssd) %{_libexecdir}/%{servicename}/ldap_child
-%{_libexecdir}/%{servicename}/krb5_child
+%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/krb5_child
 
 %files krb5 -f sssd_krb5.lang
 %defattr(-,root,root,-)