Currently the whole provider initialization (which is the function sssm_$provider_init) is run privileged and the sssd_be process only drops root afterwards.
In order to reduce the amount of code that runs privileged further, we could add a new initialization function (ssm_$provider_privileged_init) that would perform the part of initialization that requires root, such as checking the keytab or starting the ccache renewal, then sssd_be would drop privs and continue.
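The split proposed above (a privileged initialization step, then dropping root before the rest of initialization), as an added C example that is not part of the ticket or SSSD's code. `privileged_init` and `drop_privileges` are hypothetical names, and the keytab permission check is an assumed stand-in for the provider's real privileged work.

```c
#define _DEFAULT_SOURCE /* for setgroups() when built in strict ISO C mode */
#include <fcntl.h>
#include <grp.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Phase 1, run while still privileged (hypothetical stand-in for the
 * "checking the keytab" step): open the keytab and hand back only the
 * descriptor. Rejects symlinks, non-regular files and any group/other
 * permission bits. Returns an open fd, or -1. */
int privileged_init(const char *keytab_path)
{
    struct stat st;
    int fd = open(keytab_path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);

    if (fd < 0)
        return -1;
    /* fstat() on the open descriptor avoids a check/use race on the path. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || (st.st_mode & 077)) {
        close(fd);
        return -1;
    }
    return fd; /* remains readable after the privilege drop */
}

/* Phase boundary: permanently become uid/gid. Returns 0 on success, -1 if
 * the process would still hold, or could regain, root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1; /* switching to root is not a drop */
    if (geteuid() == 0) {
        /* Order matters: supplementary groups and gid first, uid last,
         * because after setuid() the process can no longer change groups.
         * As root, setgid()/setuid() set real, effective and saved ids. */
        if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
            return -1;
    }
    /* Verify the result instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* A saved uid of 0 would let this succeed; it must fail. */
    return setuid(0) == 0 ? -1 : 0;
}
```

A caller would run `privileged_init()` first, then `drop_privileges()`, and only then the rest of initialization, aborting start-up if either returns -1.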
If it turns out that only the mentioned Kerberos-related tasks require root privileges, I would suggest adding those to the krb5_child and calling it during the init process. Since the krb5_child is already installed with the SUID bit, it can do the tasks even if the provider itself already runs as an unprivileged user.
If I remember correctly, the Kerberos provider had to check the ccaches of all users who had a saved ccache in the sysdb and add them for renewal. I'm not sure the ccache check can be done w/o root privileges.
Moving this check to krb5_child would be a possibility, but then we'd have to come up with a 'protocol' that would transfer the ccaches to check from the child to the back end so that the back end can watch for renewal times and start the renewal task before the ticket times out.
Fields changed
milestone: NEEDS_TRIAGE => SSSD Deferred
rhbz: => 0
We don't really need this I think, we solved the separation of privileges better in the providers themselves.
review: 0 => 1
sensitive: => 0
resolution: => wontfix
status: new => closed
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD Patches welcome
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3546
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.