From edd6a6f65c1f1472632c263bdbd0946ff7fa8849 Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Mon, 27 Oct 2014 16:14:51 +0100

Subject: [PATCH 92/92] BE: Become a regular user after initialization

Some parts of initialization (Kerberos ticket renewal, checking the

keytab for the right principal) still require the root privileges. Drop

privileges after initializing the back ends.

Related:

https://fedorahosted.org/sssd/ticket/2370

Reviewed-by: Sumit Bose <sbose@redhat.com>

---

 src/providers/data_provider_be.c | 13 +++++++++++++

 1 file changed, 13 insertions(+)

diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c

index 2716e4a8b38f3ff9a5b48a861ecc31f18f9fcbce..267f5f1d89cdfd0d8c69f90bc44b0f06f7e007ff 100644

--- a/src/providers/data_provider_be.c

+++ b/src/providers/data_provider_be.c

@@ -2886,6 +2886,19 @@ int main(int argc, const char *argv[])

         return 3;

     }

+    ret = chown_debug_file(NULL, uid, gid);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_MINOR_FAILURE,

+              "Cannot chown the debug files, debugging might not work!\n");

+    }

+

+    ret = become_user(uid, gid);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_FUNC_DATA,

+              "Cannot become user [%"SPRIuid"][%"SPRIgid"].\n", uid, gid);

+        return ret;

+    }

+

     DEBUG(SSSDBG_TRACE_FUNC, "Backend provider (%s) started!\n", be_domain);

     /* loop on main */

-- 

1.9.3