krb5_child: "DIR:" ccache directory created with bad mode 0600 due to umask #5436

Closed
olifre opened this issue Dec 15, 2020 · 1 comment

olifre commented Dec 15, 2020

Using the DIR: ccache, e.g. via this in /etc/krb5.conf:

[libdefaults]
...
default_ccache_name = DIR:/tmp/krb5cc_%{uid}
...

the generated directory has bad permissions:

# ls -lad /tmp/krb5cc_424242/
drw------- 2 someuser examplegroup 4096 Dec 15 13:31 /tmp/krb5cc_424242/

This seems to be caused by a bad umask, and I can confirm the patch posted by @sumit-bose here:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/message/3VMR4P7LTWYP6BPPQQ4JC63FFFGXUTWQ/
fixes it.

I tested this with sssd-1.16.3 on Debian Buster (which does not have CONFIG_PERSISTENT_KEYRINGS configured in-kernel).

sumit-bose added a commit to sumit-bose/sssd that referenced this issue Dec 15, 2020
The current umask only had files in mind and hence only allowed read and
write permissions for the user. If the new directory must be created
for DIR type credentials caches the 'execute' permission is needed as
well so that the user can change into the directory. This patch changes
the umask to allow this if a DIR type credential cache is requested.

Resolves: SSSD#5436

:fixes: krb5_child uses proper umask for DIR type ccaches
sumit-bose added a commit to sumit-bose/sssd that referenced this issue Dec 18, 2020
@pbrezina
Member

Pushed PR: #5437

  • master
    • 6ca2994 - krb5_child: use proper umask for DIR type ccaches

pbrezina added the "Closed: Fixed" label Jan 18, 2021
akuster pushed a commit to akuster/sssd that referenced this issue May 18, 2021
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
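
The effect reported in this issue can be reproduced in isolation. The following is an added example, not code from SSSD or from the referenced patch: it creates a directory under a umask that leaves only owner read/write and under one that also leaves owner execute, and checks the resulting mode. The umask values 0177 and 0077, the scratch path under /tmp and the function names are assumptions chosen for the illustration.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a directory with mkdir(path, requested) while `mask` is the process
 * umask; return the permission bits it ends up with, or -1 on error. */
int dir_mode_under_umask(mode_t mask, mode_t requested)
{
    char parent[64], child[96];
    struct stat st;
    int result = -1;
    mode_t old = umask(0077);

    /* Constructed scratch location; mkdir() fails rather than following a
     * pre-existing entry of the same name. */
    snprintf(parent, sizeof(parent), "/tmp/ccdir_demo_%ld", (long)getpid());
    snprintf(child, sizeof(child), "%s/krb5cc_demo", parent);
    if (mkdir(parent, 0700) != 0) {
        umask(old);
        return -1;
    }
    umask(mask);                        /* the umask under test */
    if (mkdir(child, requested) == 0) {
        if (stat(child, &st) == 0)
            result = (int)(st.st_mode & 0777);
        rmdir(child);
    }
    rmdir(parent);
    umask(old);                         /* restore the caller's umask */
    return result;
}

/* Check for a per-user ccache directory: owner rwx, nothing for group/other. */
int ccache_dir_mode_ok(int mode)
{
    return mode == 0700;
}

int main(void)
{
    int broken = dir_mode_under_umask(0177, 0700);  /* file-oriented umask */
    int fixed  = dir_mode_under_umask(0077, 0700);  /* leaves owner execute */
    printf("umask 0177 -> %04o ok=%d\n", (unsigned)broken, ccache_dir_mode_ok(broken));
    printf("umask 0077 -> %04o ok=%d\n", (unsigned)fixed, ccache_dir_mode_ok(fixed));
    return 0;
}
```

The first call yields 0600, the `drw-------` mode shown in the report; the second yields 0700, which the owner can enter while group and other still have no access.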