ee7dfc3 Allow mod_auth_gssapi to create and access ccaches in /run/ipa/ccaches

Authored and Committed by abbra 3 years ago
    Allow mod_auth_gssapi to create and access ccaches in /run/ipa/ccaches
    
    With commit c6644b8566f747fa80e2c1925b79bad9f8c92bd7 we default to
    create unique credential caches in /run/ipa/ccaches for every client
    that connects to IPA with a new session. On F34, the mod_auth_gssapi process
    running as 'apache' cannot create the ccache in /run/ipa/ccaches because
    it has no access rights.
    
    The core of the problem is that we have two different paths to obtaining
    a ccache: one where 'apache' running httpd process creates it directly
    and one where an internal redirect from 'ipaapi' running httpd process
    is happening.
    
    Use SUID and SGID to 'ipaapi'/'ipaapi' and allow 'apache' group to write
    to '/run/ipa/ccaches'. This fixes the problem.
    
    Note that we cannot completely remove 'GssapiDelegCcachePerms'. If we
    did so, mod_auth_gssapi would do redirects and fail.
    
    Fixes: https://pagure.io/freeipa/issue/8613
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
    
file modified
+2 -1