diff options
author | Simo Sorce <ssorce@redhat.com> | 2011-11-11 16:59:21 -0500 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-11-22 10:50:48 -0500 |
commit | e369fc08906383e6d5c39832f31bb6600a33f887 (patch) | |
tree | e9f3868b0656f971c94ae06871c621653596c885 /src | |
parent | 98e0f08e3de3f8f035790adcd614cff6bf6dd34d (diff) | |
download | sssd-e369fc08906383e6d5c39832f31bb6600a33f887.tar.gz sssd-e369fc08906383e6d5c39832f31bb6600a33f887.tar.bz2 sssd-e369fc08906383e6d5c39832f31bb6600a33f887.zip |
Set more strict permissions on keyring
We want to confine access to the keyring to the current process
and not let root easily peek into the keyring contents.
Diffstat (limited to 'src')
-rw-r--r-- | src/monitor/monitor.c | 27 | ||||
-rw-r--r-- | src/providers/krb5/krb5_delayed_online_authentication.c | 2 |
2 files changed, 28 insertions, 1 deletions
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c index 1b7f87a9..2db9d541 100644 --- a/src/monitor/monitor.c +++ b/src/monitor/monitor.c @@ -51,6 +51,10 @@ #include "sbus/sssd_dbus.h" #include "monitor/monitor_interfaces.h" +#ifdef USE_KEYRING +#include <keyutils.h> +#endif + /* ping time cannot be less then once every few seconds or the * monitor will get crazy hammering children with messages */ #define MONITOR_DEF_PING_TIME 10 @@ -2472,6 +2476,29 @@ int main(int argc, const char *argv[]) } } +#ifdef USE_KEYRING + /* Do this before all the forks, it sets the session key ring so all + * keys are private to the daemon and cannot be read by any other process + * tree */ + + /* make a new session */ + ret = keyctl_join_session_keyring(NULL); + if (ret == -1) { + sss_log(SSS_LOG_ALERT, + "Could not create private keyring session. " + "If you store password there they may be easily accessible " + "to the root user. (%d, %s)", errno, strerror(errno)); + } + + ret = keyctl_setperm(KEY_SPEC_SESSION_KEYRING, KEY_POS_ALL); + if (ret == -1) { + sss_log(SSS_LOG_ALERT, + "Could not set permissions on private keyring. " + "If you store password there they may be easily accessible " + "to the root user. (%d, %s)", errno, strerror(errno)); + } +#endif + /* Warn if nscd seems to be running */ ret = check_file(NSCD_SOCKET_PATH, -1, -1, -1, CHECK_SOCK, NULL, false); if (ret == EOK) { diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c index 02f09919..d5dea3bb 100644 --- a/src/providers/krb5/krb5_delayed_online_authentication.c +++ b/src/providers/krb5/krb5_delayed_online_authentication.c @@ -258,7 +258,7 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx, #ifdef USE_KEYRING new_pd->key_serial = add_key("user", new_pd->user, new_pd->authtok, - new_pd->authtok_size, KEY_SPEC_THREAD_KEYRING); + new_pd->authtok_size, KEY_SPEC_SESSION_KEYRING); if (new_pd->key_serial == -1) { ret = errno; DEBUG(1, ("add_key fialed [%d][%s].\n", ret, strerror(ret))); |