e49e9f7 krb5_child: fix permissions during SC auth

1 file. Authored by sbose 5 years ago, committed by jhrozek 5 years ago.
    krb5_child: fix permissions during SC auth
    
    For PKINIT we might need access to the pcscd socket which by default is
    only allowed for authenticated users. Since PKINIT is part of the
    authentication and the user is not authenticated yet, we have to use
    different privileges and can only drop them after the TGT is
    received. The fast_uid and fast_gid are the IDs the backend is running
    with. This can be either root or the 'sssd' user. Root is allowed by
    default and the 'sssd' user is allowed with the help of the
    sssd-pcsc.rules policy-kit rule. So those IDs are a suitable choice. We
    can only call switch_creds() because after the TGT is returned we have
    to switch to the IDs of the user to store the TGT.
    
    The final change to the IDs of the user is not only important for KCM
    type credential caches but for file-based ccache types like FILE or DIR
    as well.
    
    Related to https://pagure.io/SSSD/sssd/issue/3903
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    
        
file modified
+39 -25