Add /run/ipa to the list of directories to check permissions/ownership on #232

Closed
rcritten opened this issue Nov 5, 2021 · 0 comments · Fixed by #266
rcritten commented Nov 5, 2021

The directory /run/ipa/ccaches is used to store ccaches which are used for sessions. This is part of the IPA privilege separation.

If the directory permissions are incorrect then mod_auth_gssapi cannot update the ccache and a Negotiation error will be returned which is difficult to diagnose outside of strace (where EACCES will be thrown trying to write).

These directories are created by systemd tmpfiles. If this check can integrate that, it will be more flexible, but at a minimum the directories should be added for verification.
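One way to implement the check the comment asks for, written here as an added example and not freeipa-healthcheck's own code: parse the `d` lines of a systemd tmpfiles.d fragment into the expected owner, group and mode, then compare each against the live directory with `lstat`, including the setuid/setgid/sticky bits that the privilege-separation setup depends on. The sandbox directory and the tmpfiles fragment built inside `demo()` are constructed for illustration (a temp dir stands in for /run/ipa/ccaches, the current user for ipaapi); nothing in it claims to be FreeIPA's real tmpfiles configuration.

```python
"""Verify that directories created by systemd tmpfiles keep their expected
owner, group and mode (setuid/setgid/sticky bits included).

Added example for the /run/ipa/ccaches check discussed in the issue; it is
not freeipa-healthcheck's own code.  The tmpfiles fragment and sandbox
directory in demo() are constructed, not FreeIPA's real configuration.
"""
import grp
import os
import pwd
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class TmpfilesEntry:
    path: str
    mode: int      # full permission bits, setuid/setgid/sticky included
    user: str      # name or numeric id, as tmpfiles.d(5) allows
    group: str


def parse_tmpfiles(text):
    """Extract the directory entries ('d'/'D') from tmpfiles.d(5) text.

    Only the fields the permission check needs are kept; '-' means the
    tmpfiles default (mode 0755, root:root).  Other entry types are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0][0] not in "dD":       # fields[0] may carry modifiers, e.g. "d!"
            continue
        mode_s = fields[2].lstrip("~:") if len(fields) > 2 else "-"
        entries.append(TmpfilesEntry(
            path=fields[1],
            mode=0o755 if mode_s == "-" else int(mode_s, 8),
            user="root" if len(fields) < 4 or fields[3] == "-" else fields[3],
            group="root" if len(fields) < 5 or fields[4] == "-" else fields[4],
        ))
    return entries


def _uid(user):
    return int(user) if user.isdigit() else pwd.getpwnam(user).pw_uid


def _gid(group):
    return int(group) if group.isdigit() else grp.getgrnam(group).gr_gid


def check_directory(entry):
    """Return a list of problems for one entry; an empty list means it matches."""
    try:
        st = os.lstat(entry.path)          # lstat: a symlink in place of the dir must not pass
    except FileNotFoundError:
        return [f"{entry.path}: missing (tmpfiles not applied?)"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{entry.path}: not a directory"]
    problems = []
    actual = stat.S_IMODE(st.st_mode)      # keeps the 04000/02000/01000 bits
    if actual != entry.mode:
        problems.append(f"{entry.path}: mode {actual:04o}, expected {entry.mode:04o}")
    try:
        if st.st_uid != _uid(entry.user):
            problems.append(f"{entry.path}: owner uid {st.st_uid}, expected {entry.user}")
    except KeyError:
        problems.append(f"{entry.path}: expected owner {entry.user} does not exist")
    try:
        if st.st_gid != _gid(entry.group):
            problems.append(f"{entry.path}: group gid {st.st_gid}, expected {entry.group}")
    except KeyError:
        problems.append(f"{entry.path}: expected group {entry.group} does not exist")
    return problems


def check_all(text):
    """Run check_directory over every directory entry in a tmpfiles text."""
    return [p for e in parse_tmpfiles(text) for p in check_directory(e)]


def demo():
    """Constructed sandbox: a temp dir stands in for /run/ipa/ccaches and the
    current user for ipaapi.  Returns (problems_when_correct, problems_after_drift)."""
    sandbox = tempfile.mkdtemp(prefix="ccaches-")
    try:
        st = os.lstat(sandbox)
        try:
            user = pwd.getpwuid(st.st_uid).pw_name
            group = grp.getgrgid(st.st_gid).gr_name
        except KeyError:                   # no passwd/group entry: fall back to numeric ids
            user, group = str(st.st_uid), str(st.st_gid)
        os.chmod(sandbox, 0o770)
        conf = f"# constructed tmpfiles.d fragment\nd {sandbox} 0770 {user} {group} -\n"
        correct = check_all(conf)
        os.chmod(sandbox, 0o755)           # drift: other users can now list the ccaches
        drifted = check_all(conf)
        return correct, drifted
    finally:
        os.rmdir(sandbox)


if __name__ == "__main__":
    for label, problems in zip(("correct", "drifted"), demo()):
        print(label, problems or "OK")
```

Feeding the real fragments from /usr/lib/tmpfiles.d and /etc/tmpfiles.d into `check_all` gives the "integrate tmpfiles" behaviour the comment asks for, with the expected values coming from the same source systemd uses rather than being duplicated in the check. The comparison is an exact match on `S_IMODE`, so a lost setgid bit or an added world-read bit both surface as a single clear message instead of the opaque Negotiate failure the issue describes.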

@rcritten rcritten self-assigned this Jun 15, 2022
rcritten added a commit to rcritten/freeipa-healthcheck that referenced this issue Jun 15, 2022
/run/ipa/ccaches is the main target, to ensure it retains the
right owner/group/permissions for privilege separation to work
by setting setuid and setgid so the underlying ccaches are
only readable by the ipaapi user/group.

Fixes: freeipa#232

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten added a commit that referenced this issue Jul 6, 2022