#7798 [gssproxy] gssproxy's non-privileged user
Opened 5 months ago by slev. Modified 5 months ago

1) Currently http.keytab ( used by ipa-httpd and ipa-api through gssproxy ) has "apache" owner:

ls -la /var/lib/ipa/gssproxy/
total 4
drwx------.  2 root   root    25 Nov 29 16:26 .
drwxr-xr-x. 11 root   root   183 Nov 29 16:27 ..
-rw-------   1 apache apache 210 Nov 29 16:26 http.keytab

According to gssproxy docs the application should not have access to own keytab.
This is a violation of privilege separation.

Gssproxy for HTTP was introduced at https://github.com/freeipa/freeipa/commit/d2f5fc304, access rights were correct.
But was broken later at https://github.com/freeipa/freeipa/commit/af998c4d3.
Actually fix is simple:

         if owner is None:
-            owner = self.service_user
+            owner = self.keytab_user

Because by default keytab_user is service_user.

2) The second problem is related to a running gssproxy as a non-root.
The "/var/lib/ipa/gssproxy" path currently belongs to root (hardcoded in the spec) with 0700, hence a non-privileged user has no any access to keytab.
Permissions to ipa/gssproxy directory should be configurable during IPA installation to respect GSSPROXY_USER.

Login to comment on this ticket.