1) Currently http.keytab (used by ipa-httpd and ipa-api through gssproxy) has "apache" as its owner:

```
ls -la /var/lib/ipa/gssproxy/
total 4
drwx------.  2 root   root    25 Nov 29 16:26 .
drwxr-xr-x. 11 root   root   183 Nov 29 16:27 ..
-rw-------   1 apache apache 210 Nov 29 16:26 http.keytab
```

According to the gssproxy docs, the application should not have access to its own keytab. This is a violation of privilege separation.

Gssproxy for HTTP was introduced in https://github.com/freeipa/freeipa/commit/d2f5fc304, where the access rights were correct, but this was broken later in https://github.com/freeipa/freeipa/commit/af998c4d3. Actually the fix is simple:
if owner is None: - owner = self.service_user + owner = self.keytab_user
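Review bot: the hunk is posted without a file path or `@@` header, so it is not clear which method's `owner` default is being changed; please attach it as a proper diff with a few lines of context. Also, changing the default owner to `self.keytab_user` only fixes ownership of the file itself: as point 2 below says, the enclosing `/var/lib/ipa/gssproxy` directory is still root-owned with mode 0700, so a non-root GSSPROXY_USER still cannot reach the keytab until the directory permissions are handled as well.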
Because by default keytab_user is service_user.
2) The second problem is related to running gssproxy as a non-root user. The "/var/lib/ipa/gssproxy" path currently belongs to root (hardcoded in the spec) with mode 0700, hence a non-privileged user has no access to the keytab at all. Permissions on the ipa/gssproxy directory should be configurable during IPA installation to respect GSSPROXY_USER.
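The two checks above (keytab not owned by the application user, and the keytab directory reachable by the gssproxy user) as a small audit script. This is an added example, not code from the ticket or from FreeIPA; it assumes the layout described in the ticket (a directory holding `http.keytab`), takes the gssproxy user and the application user as parameters instead of reading GSSPROXY_USER or the IPA spec, and uses GNU `stat -c`, so it runs on Linux as written:

```shell
#!/bin/sh
# Added example (not FreeIPA code): audit the gssproxy keytab layout that
# the ticket describes. Assumes GNU coreutils (stat -c) and that the caller
# knows which user gssproxy runs as and which user the application runs as.
#
# usage: check_gssproxy_layout DIR KEYTAB GSSPROXY_USER APP_USER
# Prints one finding per line; returns 0 when clean, 1 when a problem is found.
check_gssproxy_layout() {
    dir=$1; keytab=$2; gss_user=$3; app_user=$4
    rc=0

    dir_owner=$(stat -c %U "$dir")
    dir_mode=$(stat -c %a "$dir")
    kt_owner=$(stat -c %U "$keytab")
    kt_mode=$(stat -c %a "$keytab")

    # Point 1 of the ticket: the application that talks to gssproxy must not
    # own (and therefore read) the keytab it is proxied for.
    if [ "$kt_owner" = "$app_user" ]; then
        echo "FAIL: $keytab is owned by application user $app_user (privilege separation violated)"
        rc=1
    fi

    # The keytab should belong to the gssproxy user and be readable only by it.
    if [ "$kt_owner" != "$gss_user" ]; then
        echo "FAIL: $keytab is owned by $kt_owner, expected $gss_user"
        rc=1
    fi
    if [ "$kt_mode" != "600" ]; then
        echo "FAIL: $keytab has mode $kt_mode, expected 600"
        rc=1
    fi

    # Point 2 of the ticket: a root-owned 0700 directory is fine when gssproxy
    # runs as root, but blocks a non-root gssproxy user from ever reaching the keytab.
    if [ "$gss_user" != "root" ] && [ "$dir_owner" != "$gss_user" ] && [ "$dir_mode" = "700" ]; then
        echo "FAIL: $dir is $dir_owner with mode 0700; non-root gssproxy user $gss_user cannot enter it"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $keytab owned by $gss_user, reachable by $gss_user, not readable by $app_user"
    return "$rc"
}

# Stand-alone usage: ./check.sh /var/lib/ipa/gssproxy /var/lib/ipa/gssproxy/http.keytab <gssproxy-user> apache
if [ "$#" -eq 4 ]; then
    check_gssproxy_layout "$@"
fi
```

Run against the listing in the ticket (directory root:root 0700, keytab apache:apache) with a non-root gssproxy user, the script reports both findings; once the keytab is chowned to the gssproxy user and the directory is owned by (or at least traversable for) that user, it reports OK.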