Skip to content

Patched 'krb5_child' cap-set-id tests #8313

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
alexey-tikhonov wants to merge 2 commits into
base: master
Choose a base branch
from
Draft

Patched 'krb5_child' cap-set-id tests #8313

alexey-tikhonov wants to merge 2 commits into from
+61 −27

Conversation

@alexey-tikhonov
Copy link
Member

@alexey-tikhonov alexey-tikhonov commented Dec 20, 2025

No description provided.

@alexey-tikhonov
KRB5: let 'krb5_child' tolerate missing cap-set-id
e8f7c10 
If CAP_SETUID and/or CAP_SETGID are missing, 'krb5_child' will
skip operation that require those capabilities, namely any manipulations
with user ccache.

:packaging:This update makes it possible to not grant CAP_SETUID and CAP_SETGID
to 'krb5_child' binary in a situation where it is not required to store acquired
TGT after user authentication. Taking into account that it is already possible
to avoid using CAP_DAC_READ_SEARCH if keytab is readable by SSSD service user,
and usage of 'selinux_child' isn't always required, this allows to build a setup
with completely privilege-less SSSD to serve certain use cases. In particular,
this might be used to build a container running SSSD on OCP with a restricted
profile.
@alexey-tikhonov
TMP/TEST: don't grant cap-set-id to 'krb5_child'
a4a7b3d
gemini-code-assist[bot]
gemini-code-assist bot reviewed Dec 20, 2025
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request modifies krb5_child to function correctly even when it lacks CAP_SETUID and CAP_SETGID capabilities. The changes involve removing these capabilities from Makefile.am and sssd.spec.in, and adding logic to krb5_child.c to detect their absence and skip operations that require them, such as updating the user's ccache. While the logic is generally sound, there's a minor logic issue in privileged_krb5_setup that could be simplified for better readability and to avoid redundant operations. Additionally, a new check in renew_tgt_child could be more robust.

@alexey-tikhonov alexey-tikhonov mentioned this pull request Dec 22, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

Blocked

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@alexey-tikhonov