authorSimo Sorce <ssorce@redhat.com>2011-11-11 16:59:21 -0500
committerStephen Gallagher <sgallagh@redhat.com>2011-11-22 10:50:48 -0500
commite369fc08906383e6d5c39832f31bb6600a33f887 (patch)
treee9f3868b0656f971c94ae06871c621653596c885
parent98e0f08e3de3f8f035790adcd614cff6bf6dd34d (diff)
Set more strict permissions on keyring
We want to confine access to the keyring to the current process and not let root easily peek into the keyring contents.
-rw-r--r--Makefile.am1
-rw-r--r--src/monitor/monitor.c27
-rw-r--r--src/providers/krb5/krb5_delayed_online_authentication.c2
3 files changed, 29 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am
index a423ace3..6f01cfbd 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -402,6 +402,7 @@ sssd_SOURCES = \
sssd_LDADD = \
$(SSSD_LIBS) \
$(LIBNL_LIBS) \
+ $(KEYUTILS_LIBS) \
libsss_util.la
sssd_nss_SOURCES = \
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 1b7f87a9..2db9d541 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -51,6 +51,10 @@
#include "sbus/sssd_dbus.h"
#include "monitor/monitor_interfaces.h"
+#ifdef USE_KEYRING
+#include <keyutils.h>
+#endif
+
/* ping time cannot be less then once every few seconds or the
* monitor will get crazy hammering children with messages */
#define MONITOR_DEF_PING_TIME 10
@@ -2472,6 +2476,29 @@ int main(int argc, const char *argv[])
}
}
+#ifdef USE_KEYRING
+ /* Do this before all the forks, it sets the session key ring so all
+ * keys are private to the daemon and cannot be read by any other process
+ * tree */
+
+ /* make a new session */
+ ret = keyctl_join_session_keyring(NULL);
+ if (ret == -1) {
+ sss_log(SSS_LOG_ALERT,
+ "Could not create private keyring session. "
+ "If you store password there they may be easily accessible "
+ "to the root user. (%d, %s)", errno, strerror(errno));
+ }
+
+ ret = keyctl_setperm(KEY_SPEC_SESSION_KEYRING, KEY_POS_ALL);
+ if (ret == -1) {
+ sss_log(SSS_LOG_ALERT,
+ "Could not set permissions on private keyring. "
+ "If you store password there they may be easily accessible "
+ "to the root user. (%d, %s)", errno, strerror(errno));
+ }
+#endif
+
/* Warn if nscd seems to be running */
ret = check_file(NSCD_SOCKET_PATH, -1, -1, -1, CHECK_SOCK, NULL, false);
if (ret == EOK) {
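Review bot: When `keyctl_join_session_keyring(NULL)` fails, the added block in main() still falls through to `keyctl_setperm(KEY_SPEC_SESSION_KEYRING, KEY_POS_ALL)`, which then acts on whatever session keyring the process inherited rather than on a fresh private one. The permission change should run only on the success path, e.g. `} else { ret = keyctl_setperm(KEY_SPEC_SESSION_KEYRING, KEY_POS_ALL); ... }`. Both failures are also log-only, so the daemon keeps running and the krb5 hunk in this commit will still place the authtok in a session keyring that was never confined; consider recording the failure in a flag that disables keyring storage, or treating it as a startup error. The comment's "cannot be read by any other process tree" would be more accurate as `/* restrict the keyring to possessor-only access; this does not protect against a process that can read the daemon's memory */`. main() starts and ends outside this hunk.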
diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c
index 02f09919..d5dea3bb 100644
--- a/src/providers/krb5/krb5_delayed_online_authentication.c
+++ b/src/providers/krb5/krb5_delayed_online_authentication.c
@@ -258,7 +258,7 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
#ifdef USE_KEYRING
new_pd->key_serial = add_key("user", new_pd->user, new_pd->authtok,
- new_pd->authtok_size, KEY_SPEC_THREAD_KEYRING);
+ new_pd->authtok_size, KEY_SPEC_SESSION_KEYRING);
if (new_pd->key_serial == -1) {
ret = errno;
DEBUG(1, ("add_key fialed [%d][%s].\n", ret, strerror(ret)));
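Review bot: Moving the key from `KEY_SPEC_THREAD_KEYRING` to `KEY_SPEC_SESSION_KEYRING` makes the stored authtok reachable by every process that shares the session keyring, and nothing at this call site checks that the monitor actually created and restricted that keyring. A comment such as `/* relies on the monitor having joined a private session keyring with KEY_POS_ALL before forking */` would document the dependency. The key itself keeps whatever default permission mask the kernel assigns, and the hunk does not show it being narrowed, so it may be worth following a successful `add_key` with `keyctl_setperm(new_pd->key_serial, KEY_POS_ALL)` and checking the result. The unchanged DEBUG line also misspells the message; `add_key failed` is presumably intended. The function body continues outside the hunk.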