#2071 Ccache directory creation leads to unexpected results
Closed: Fixed None Opened 6 years ago by simo.

When krb5_ccachedir is not used in krb5_ccname_template through the %d expansion variable and krb5_ccname_template includes expansion variables like %U, unexpected results are achieved.

For example, setting krb5_ccname_template to /run/user/%u/krb5cc for user 'test' leads to the creation of a directory 'test' in /run/user with permission 01777 and ownership of 1000:1000 (user test's own uid and gid).

This is incorrect and can lead the unaware admin to create some directories with overly broad permissions when unintended.


Fields changed

owner: somebody => simo
status: new => assigned

Fields changed

patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12 beta

Fields changed

rhbz: => 0

The patches have been acked, so moving to 1.11.2

milestone: SSSD 1.12 beta => SSSD 1.11.2

resolution: => fixed
status: assigned => closed

Fields changed

changelog: => The Kerberos provider is no longer able to create public directories when evaluating the krb5_ccachedir option. This is a backwards-incompatible change. Creating public directories is something the system administrator should perform in order for the directories to have the correct permissions and allow the authentication daemon to create user directories as private only.
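
An audit for the condition this ticket describes, added here as an example and not part of SSSD or the original ticket: it walks a ccache parent directory and reports directories that are world-writable yet owned by a uid outside a trusted set. The function names, the `trusted_uids` parameter and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile


def find_public_untrusted_dirs(root, trusted_uids=frozenset({0})):
    """Return sorted (path, mode, uid) for world-writable directories under
    root whose owner is not in trusted_uids (root only, by default)."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root, followlinks=False):
        for name in list(dirnames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow a user-planted symlink
            if not stat.S_ISDIR(st.st_mode):
                dirnames.remove(name)  # symlink to a directory: skip it
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH and st.st_uid not in trusted_uids:
                findings.append((path, mode, st.st_uid))
    return sorted(findings)


def demo():
    """Constructed tree mimicking the ticket: 'test' is 01777, 'other' is 0700."""
    with tempfile.TemporaryDirectory() as root:
        public = os.path.join(root, "test")
        private = os.path.join(root, "other")
        os.mkdir(public)
        os.chmod(public, 0o1777)   # the public, sticky mode seen in the ticket
        os.mkdir(private)
        os.chmod(private, 0o700)   # a private per-user directory
        # Trust no uid so the demo behaves the same under any account.
        hits = find_public_untrusted_dirs(root, trusted_uids=frozenset())
        return [(os.path.relpath(p, root), oct(m)) for p, m, _ in hits]


if __name__ == "__main__":
    print(demo())
```

On a real host the function would be pointed at the parent of the ccache directories (for the template in this ticket, /run/user) with the default `trusted_uids`, so that only public directories owned by an ordinary user are reported.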

Metadata Update from @simo:
- Issue assigned to simo
- Issue set to the milestone: SSSD 1.11.2

2 years ago
