476b78b KRB5: Drop privileges in the child, not the back end

Authored and Committed by jhrozek 6 years ago
    KRB5: Drop privileges in the child, not the back end
    
    In future patches, sssd_be will be running as a non-privileged user, who
    will execute the setuid krb5_child. In this case, the child will start
    as root and drop the privileges as soon as possible.
    
    However, we need to also remove the privilege drop in sssd_be, because
    if we dropped to the user who is authenticating, we wouldn't be even
    allowed to execute krb5_child. The krb5_child permissions should be
    4750, owned by root.sssd, to make sure only root and sssd can execute
    the child and if executed by sssd, the child will run as root.
    
    Related:
    https://fedorahosted.org/sssd/ticket/2370
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    
        
file modified
+56 -13