mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-22 23:23:30 -06:00
Allow mod_auth_gssapi to create and access ccaches in /run/ipa/ccaches
With commit c6644b8566 we default to creating unique credential caches in /run/ipa/ccaches for every client that connects to IPA with a new session. On F34, the mod_auth_gssapi process running as 'apache' cannot create the ccache in /run/ipa/ccaches because it has no access rights.
The core of the problem is that we have two different paths to obtaining a ccache: one where the httpd process running as 'apache' creates it directly, and one where an internal redirect from the httpd process running as 'ipaapi' happens.
Use SUID and SGID with 'ipaapi'/'ipaapi' ownership and allow the 'apache' group to write to '/run/ipa/ccaches'. This fixes the problem.
Note that we cannot completely remove 'GssapiDelegCcachePerms'. If we did so, mod_auth_gssapi would do redirects and fail.
Fixes: https://pagure.io/freeipa/issue/8613
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
parent: 800bafe0a8
commit: ee7dfc3d29
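As an added example, not code from this commit or from FreeIPA: a small Python parser for tmpfiles.d `d` and `a`/`a+` lines that works out, for the entries in this diff, which groups may create files in the directory, which group new files inherit, and which mode bits do nothing on a directory. The sample configuration is the post-patch text from the diff; the function and class names are my own.

```python
"""Parse tmpfiles.d directory/ACL lines and summarize the effective grants.

Added illustration, not part of FreeIPA. Only the 'd' and 'a'/'a+'/'A'/'A+'
entry types are handled, which is all this commit uses.
"""
import stat
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the tmpfiles.d entries as they read after the patch.
TMPFILES_CONF = """\
d /run/ipa 0711 root root
d /run/ipa/ccaches 6770 ipaapi ipaapi
a+ /run/ipa/ccaches - - - - g:apache:rwx
"""


@dataclass
class DirEntry:
    path: str
    mode: int          # numeric mode including setuid/setgid/sticky bits
    user: str
    group: str
    acls: List[str] = field(default_factory=list)   # e.g. "g:apache:rwx"

    @property
    def setuid(self) -> bool:
        return bool(self.mode & stat.S_ISUID)

    @property
    def setgid(self) -> bool:
        return bool(self.mode & stat.S_ISGID)

    def group_can_write(self) -> bool:
        return bool(self.mode & stat.S_IWGRP)

    def acl_groups_with_write(self) -> List[str]:
        """Named groups granted 'w' through a POSIX ACL entry."""
        groups = []
        for acl in self.acls:
            parts = acl.split(":")
            if len(parts) == 3 and parts[0] == "g" and "w" in parts[2]:
                groups.append(parts[1])
        return groups


def parse_tmpfiles(text: str) -> Dict[str, DirEntry]:
    """Return a mapping path -> DirEntry for the 'd' lines, with ACLs attached."""
    entries: Dict[str, DirEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        kind, path = fields[0], fields[1]
        if kind == "d":
            # Fields: type path mode user group
            entries[path] = DirEntry(path, int(fields[2], 8), fields[3], fields[4])
        elif kind in ("a", "a+", "A", "A+"):
            # Fields: type path mode user group age argument; the ACL is the argument.
            # tmpfiles.d requires the directory line to come first.
            if path not in entries:
                raise ValueError(f"ACL entry for {path} precedes its 'd' line")
            entries[path].acls.extend(fields[6].split(","))
    return entries


def effective_grants(entry: DirEntry) -> dict:
    """Who can create files here, what group new files get, and any no-op bits."""
    writers = set()
    if entry.group_can_write():
        writers.add(entry.group)
    writers.update(entry.acl_groups_with_write())
    # On Linux only the setgid bit affects a directory: children inherit its group.
    inherited: Optional[str] = entry.group if entry.setgid else None
    notes = []
    if entry.setuid:
        notes.append("setuid bit on a directory is ignored by Linux")
    return {"writers": sorted(writers), "new_file_group": inherited, "notes": notes}


if __name__ == "__main__":
    for path, entry in parse_tmpfiles(TMPFILES_CONF).items():
        print(path, effective_grants(entry))
```

Run against the sample, the ccaches directory reports writers `apache` and `ipaapi`, an inherited group of `ipaapi` (from the setgid bit), and one note that the setuid half of `6770` has no effect on a directory.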
@ -1,2 +1,3 @@
d /run/ipa 0711 root root
d /run/ipa/ccaches 0770 ipaapi ipaapi
d /run/ipa/ccaches 6770 ipaapi ipaapi
a+ /run/ipa/ccaches - - - - g:apache:rwx
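Review bot: the `6` in `d /run/ipa/ccaches 6770 ipaapi ipaapi` turns on both the setuid (4000) and setgid (2000) bits, but Linux ignores setuid on a directory; only setgid does the work relied on here (ccaches created by the `apache` worker inherit group `ipaapi`). `2770` states exactly what is depended on and avoids a reader assuming new files also get `ipaapi` ownership. The `a+ /run/ipa/ccaches - - - - g:apache:rwx` line is correctly placed after its `d` line, which tmpfiles.d requires; it does rely on POSIX ACL support on the filesystem backing /run, which tmpfs provides.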
@ -75,7 +75,7 @@ WSGIScriptReloading Off
GssapiImpersonate On
GssapiDelegCcacheDir $IPA_CCACHES
GssapiDelegCcachePerms mode:0660 gid:ipaapi
GssapiDelegCcachePerms mode:0660
GssapiDelegCcacheUnique On
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
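Review bot: with `gid:ipaapi` dropped from `GssapiDelegCcachePerms`, the group of a ccache created by the `apache` worker now comes solely from the setgid bit on the `$IPA_CCACHES` directory; if any installer or upgrade code also creates that directory with a plain `0770`, a cache would end up `apache:apache` with `mode:0660` and the `ipaapi` side would not be able to read it. Suggest a comment next to `GssapiDelegCcacheDir $IPA_CCACHES` stating that the directory must be setgid `ipaapi`, so the dependency on the tmpfiles entry is visible where the mode is configured.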
@ -117,7 +117,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
<Location "/ipa/session/login_x509">
AuthType none
GssapiDelegCcacheDir $IPA_CCACHES
GssapiDelegCcachePerms mode:0660 gid:ipaapi
GssapiDelegCcachePerms mode:0660
GssapiDelegCcacheUnique On
SSLVerifyClient require
SSLUserName SSL_CLIENT_CERT
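Review bot: this `<Location "/ipa/session/login_x509">` block carries a second copy of the same `GssapiDelegCcacheDir`, `GssapiDelegCcachePerms` and `GssapiDelegCcacheUnique` directives as the earlier hunk, and the two must be changed in lockstep, as this commit demonstrates. A one-line comment in each block pointing at the other copy would make a future edit to only one of them easier to catch in review.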