KRB5: don't require effective CAP_DAC_READ_SEARCH

Reviewed-by: Pavel Březina <[email protected]> Reviewed-by: Scott Poore <[email protected]> Reviewed-by: Sumit Bose <[email protected]>
SSSD · Dec 5, 2024 · 19dd643 · 19dd643
1 parent 947f791
commit 19dd643
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 3 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -103,8 +103,9 @@ condconfigexists = ConditionPathExists=\|/etc/sssd/sssd.conf\nConditionDirectory
 # Capabilities usage by binaries:
 #   - 'ldap_child': read keytab (dac_read_search)
 #   - 'krb5_child':
-#         - store TGT for a given user (set*id)
+#         - check old ccache / pre-check ccache path (dac_read_search, set*id)
 #         - read keytab (dac_read_search)
+#         - store TGT for a given user (set*id)
 #   - 'selinux_child': currently chown, dac_override, set*id  --  to be narrowed
 #   - 'sssd_pam': read keytab in gss ops (dac_read_search)
 capabilities = CapabilityBoundingSet= CAP_CHOWN CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID CAP_DAC_READ_SEARCH

diff --git a/src/providers/krb5/krb5_ccache.c b/src/providers/krb5/krb5_ccache.c
@@ -109,7 +109,9 @@ errno_t sss_krb5_precheck_ccache(const char *ccname, uid_t uid, gid_t gid)
         *end = '\0';
     } while (*(end+1) == '\0');
 
+    sss_set_cap_effective(CAP_DAC_READ_SEARCH, true);
     ret = stat(ccdirname, &parent_stat);
+    sss_set_cap_effective(CAP_DAC_READ_SEARCH, false);
     if (ret != 0) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Cannot stat() [%s]\n", ccdirname);
         ret = EINVAL;
@@ -335,7 +337,9 @@ static errno_t sss_low_level_path_check(const char *ccname)
         return EOK;
     }
 
+    sss_set_cap_effective(CAP_DAC_READ_SEARCH, true);
     ret = stat(filename, &buf);
+    sss_set_cap_effective(CAP_DAC_READ_SEARCH, false);
     if (ret == -1) return errno;
     return EOK;
 }
@@ -353,11 +357,13 @@ errno_t sss_krb5_cc_verify_ccache(const char *ccname, uid_t uid, gid_t gid,
     krb5_error_code kerr;
     errno_t ret;
 
-    /* first of all verify if the old ccache file/dir exists as we may be
+    /* First of all verify if the old ccache file/dir exists as we may be
      * trying to verify if an old ccache exists at all. If no file/dir
      * exists bail out immediately otherwise a following krb5_cc_resolve()
      * call may actually create paths and files we do not want to have
-     * around */
+     * around.
+     * This relies on CAP_DAC_READ_SEARCH.
+     */
     ret = sss_low_level_path_check(ccname);
     if (ret) {
         return ret;

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
@@ -4018,8 +4018,10 @@ static krb5_error_code privileged_krb5_setup(struct krb5_req *kr,
             (kr->fast_val == K5C_FAST_NEVER && kr->validate == false))) {
         /* A Keytab is not used if fast with anonymous pkinit is used (and validate is false)*/
         if (!(kr->cli_opts->fast_use_anonymous_pkinit == true && kr->validate == false)) {
+            sss_set_cap_effective(CAP_DAC_READ_SEARCH, true);
             kerr = copy_keytab_into_memory(kr, kr->ctx, kr->keytab, &mem_keytab,
                                            NULL);
+            sss_set_cap_effective(CAP_DAC_READ_SEARCH, false);
             if (kerr != 0) {
                 DEBUG(SSSDBG_OP_FAILURE, "copy_keytab_into_memory failed.\n");
                 return kerr;