#2559 PAC responder is called after krb5_child switches to the user logging in
Closed: Fixed. Opened 4 years ago by jhrozek.

After the recent krb5_child changes, we copy the keytab into memory, then switch to the user logging in completely. But for trusted users, we also try to call the PAC responder and that fails, because only root is normally allowed to contact the PAC responder.


Idea: The PAC responder could spawn a private socket that only root can access. krb5_child would open this socket before dropping root and pass it on. PAC responder would perform no access checks on this socket.

The proper fix would be to refactor the PAC responder as outlined in the last comment of #2158. Closing.

resolution: => wontfix
status: new => closed

Sumit came up with an idea for a short-term fix that allows opening the fd before dropping root.

resolution: wontfix =>
status: closed => reopened
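The pattern from the ticket description (a private, root-only socket that the responder does no access checks on) and from Sumit's short-term fix (open the fd before dropping root), as an added example; this is illustrative code, not SSSD's krb5_child or PAC responder code. The responder side binds a Unix socket whose node is created 0600 inside a 0700 directory, the child side connects while still privileged, then drops to an unprivileged identity and sends over the already-open fd. The socket path, the message, and the target uid/gid (65534) are assumptions; when the example is not run as root there is nothing to drop, so the privilege drop is skipped and the ordering is still exercised.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed unprivileged identity for the child (not SSSD's real values). */
#define TARGET_UID 65534
#define TARGET_GID 65534

/* Drop root completely (no saved uid to return to). When not root, e.g.
 * run from an unprivileged shell, there is nothing to drop; just continue. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;
    if (setgroups(0, NULL) != 0 || setresgid(gid, gid, gid) != 0 ||
        setresuid(uid, uid, uid) != 0)
        return -1;
    return 0;
}

static void fill_addr(struct sockaddr_un *addr, const char *path)
{
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    snprintf(addr->sun_path, sizeof(addr->sun_path), "%s", path);
}

/* Responder side: the socket node is created 0600 (umask 077), so only the
 * owner (root, in the real deployment) can connect; the responder itself
 * performs no further access checks on this socket. */
static int responder_listen(const char *path)
{
    struct sockaddr_un addr;
    struct timeval tv = { 5, 0 };           /* bound accept() in case the child dies */
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    fill_addr(&addr, path);
    mode_t old_mask = umask(0077);
    int rc = bind(fd, (struct sockaddr *)&addr, sizeof(addr));
    umask(old_mask);
    if (rc != 0 || listen(fd, 1) != 0 ||
        setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* True when the socket node is reachable only by its owner. */
int socket_is_private(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && S_ISSOCK(st.st_mode) && (st.st_mode & 0077) == 0;
}

/* krb5_child side: connect() while still privileged, THEN drop root, then use
 * the fd. The order is the point: after the drop, connect() on the 0600 node
 * would fail with EACCES. */
static int child_send(const char *path, const char *msg)
{
    struct sockaddr_un addr;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    fill_addr(&addr, path);
    int ok = connect(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0 &&
             drop_privileges(TARGET_UID, TARGET_GID) == 0 &&
             write(fd, msg, strlen(msg)) == (ssize_t)strlen(msg);
    close(fd);
    return ok ? 0 : -1;
}

/* Run both sides; returns the byte count the responder received from the
 * already-unprivileged child (NUL-terminated into out), or -1 on failure. */
int run_exchange(char *out, size_t outlen)
{
    char dir[] = "/tmp/pacsock.XXXXXX";    /* mkdtemp creates it 0700 */
    char path[96];
    ssize_t n, total = 0;
    int cfd = -1, status = 1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof(path), "%s/private.sock", dir);
    int lfd = responder_listen(path);
    pid_t pid = (lfd >= 0 && socket_is_private(path)) ? fork() : -1;
    if (pid == 0) {                          /* child: behaves like krb5_child */
        close(lfd);
        _exit(child_send(path, "PAC request") == 0 ? 0 : 1);
    }
    if (pid > 0 && (cfd = accept(lfd, NULL, NULL)) >= 0) {
        while (total < (ssize_t)outlen - 1 &&
               (n = read(cfd, out + total, outlen - 1 - total)) > 0)
            total += n;
        close(cfd);
    }
    out[total] = '\0';
    if (pid > 0)
        waitpid(pid, &status, 0);
    if (lfd >= 0)
        close(lfd);
    unlink(path);
    rmdir(dir);
    if (cfd < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return (int)total;
}
```

Run as root the child really ends up as uid 65534 while still talking over the socket it opened as root; run unprivileged it only demonstrates the ordering. Either way the responder never has to check the peer's credentials, because the 0600 node already guarantees that only root could have connected.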

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12.4
owner: somebody => jhrozek
patch: 0 => 1
status: reopened => new

resolution: => fixed
status: new => closed

Fields changed

rhbz: => 0

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.12.4

2 years ago
