1) Currently http.keytab ( used by ipa-httpd and ipa-api through gssproxy ) has "apache" owner:
ls -la /var/lib/ipa/gssproxy/
drwx------. 2 root root 25 Nov 29 16:26 .
drwxr-xr-x. 11 root root 183 Nov 29 16:27 ..
-rw------- 1 apache apache 210 Nov 29 16:26 http.keytab
According to the gssproxy docs, the application should not have access to its own keytab.
This is a violation of privilege separation.
Gssproxy for HTTP was introduced at https://github.com/freeipa/freeipa/commit/d2f5fc304, and the access rights were correct.
But it was broken later at https://github.com/freeipa/freeipa/commit/af998c4d3.
Actually, the fix is simple:
if owner is None:
- owner = self.service_user
+ owner = self.keytab_user
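Review bot: the hunk carries no file header or @@ context, so it is not visible which method's `owner` default is being changed or where `self.keytab_user` is initialised; please post the full hunk with its header and the definition of `keytab_user`, since the justification given ("by default keytab_user is service_user") rests on that default being set on every code path before this line runs.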
Because by default keytab_user is service_user.
2) The second problem is related to running gssproxy as a non-root user.
The "/var/lib/ipa/gssproxy" path currently belongs to root (hardcoded in the spec) with 0700, hence a non-privileged user has no access to the keytab at all.
Permissions to ipa/gssproxy directory should be configurable during IPA installation to respect GSSPROXY_USER.
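The two conditions described in this ticket can be checked mechanically. The following audit script is an added example, not code from the ticket or from FreeIPA: it parses an `ls -la` listing of the gssproxy directory (the listing below is constructed from the one above) and reports a keytab owned by the application user, and a directory the gssproxy user cannot enter. The user names `apache` and `gssproxy` are assumptions.

```python
"""Audit ownership and mode of the IPA gssproxy keytab directory.

Added example (not from the ticket or FreeIPA).  Rule 1: the keytab must not
be owned by the application user that talks to gssproxy.  Rule 2: when
gssproxy runs as a non-root user, that user must be able to enter the
directory (r and x on the owner, group or other bits that apply to it).
"""
import re

# Constructed from the ls -la output quoted in the ticket.
LISTING = """\
drwx------. 2 root root 25 Nov 29 16:26 .
drwxr-xr-x. 11 root root 183 Nov 29 16:27 ..
-rw------- 1 apache apache 210 Nov 29 16:26 http.keytab
"""

# type, 9 mode chars, optional SELinux dot, links, owner, group, size, date, name
LINE_RE = re.compile(
    r"^([-d])([rwx-]{9})\.?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\w+\s+\d+\s+[\d:]+\s+(.+)$"
)


def parse_listing(text):
    """Return {name: {dir, mode, owner, group}} for each parsable line."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            kind, mode, owner, group, name = m.groups()
            entries[name] = {"dir": kind == "d", "mode": mode, "owner": owner, "group": group}
    return entries


def audit(entries, app_user="apache", gssproxy_user="gssproxy", keytab="http.keytab"):
    """Return a list of findings; an empty list means both rules hold."""
    findings = []
    kt = entries.get(keytab)
    if kt is None:
        findings.append(f"{keytab} missing")
    elif kt["owner"] == app_user:  # Rule 1: application must not own its keytab
        findings.append(f"{keytab} owned by application user {app_user}: privilege separation violated")
    d = entries.get(".")
    if d and gssproxy_user != "root":  # Rule 2: only matters for a non-root gssproxy
        mode = d["mode"]
        owner_ok = d["owner"] == gssproxy_user and mode[0] == "r" and mode[2] == "x"
        group_ok = d["group"] == gssproxy_user and mode[3] == "r" and mode[5] == "x"
        other_ok = mode[6] == "r" and mode[8] == "x"
        if not (owner_ok or group_ok or other_ok):
            findings.append(f"directory not accessible to {gssproxy_user} (owner {d['owner']}, mode {mode})")
    return findings
```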