Allow mod_auth_gssapi to create and access ccaches in /run/ipa/ccaches

With commit c6644b8566 we default to
creating unique credential caches in /run/ipa/ccaches for every client
that connects to IPA with a new session. On F34, the mod_auth_gssapi process
running as 'apache' cannot create the ccache in /run/ipa/ccaches because
it has no access rights.

The core of the problem is that we have two different paths to obtaining
a ccache: one where the httpd process running as 'apache' creates it directly
and one where an internal redirect from the httpd process running as 'ipaapi'
is happening.

Use SUID and SGID to 'ipaapi'/'ipaapi' and allow 'apache' group to write
to '/run/ipa/ccaches'. This fixes the problem.

Note that we cannot completely remove 'GssapiDelegCcachePerms'. If we did
so, mod_auth_gssapi would do redirects and fail.

Fixes: https://pagure.io/freeipa/issue/8613

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Alexander Bokovoy 2020-12-09 11:15:20 +02:00
parent 800bafe0a8
commit ee7dfc3d29
2 changed files with 4 additions and 3 deletions
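The commit message argues from Unix permission semantics: a setgid directory makes new ccaches inherit group 'ipaapi', and an access ACL lets the 'apache' httpd process create entries there. The following is an added example, not FreeIPA or systemd code, that parses the tmpfiles.d lines from this commit and predicts, for the directory state before and after the change, which users can create a ccache with the configured mode:0660 and who can read it afterwards. The group memberships (each service user only in its own primary group, plus a 'nobody' bystander) are assumptions, and the permission evaluation is a model of the kernel's rules, not a live filesystem check.

```python
import stat
from dataclasses import dataclass, field


@dataclass
class DirSpec:
    """Directory from a tmpfiles.d 'd' line plus any 'a+' access-ACL entries."""
    path: str
    mode: int                        # full mode, including setuid/setgid bits
    owner: str
    group: str
    acl: dict = field(default_factory=dict)   # ('g', 'apache') -> 'rwx'


def parse_tmpfiles(text):
    """Parse the tmpfiles.d subset used in the hunk: 'd' and 'a+' lines.
    Fields: type path mode user group age argument; '-' means unset.
    'a+' appends access ACLs (uppercase 'A+' would be default ACLs, unmodelled)."""
    specs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        kind, path = f[0], f[1]
        if kind == "d":
            specs[path] = DirSpec(path, int(f[2], 8), f[3], f[4])
        elif kind == "a+":
            if path not in specs:
                raise ValueError(f"{path}: ACL line before its 'd' line")
            for entry in f[6].split(","):
                tag, name, perms = entry.split(":")
                specs[path].acl[(tag, name)] = perms
        else:
            raise ValueError(f"unsupported tmpfiles.d type {kind!r}")
    return specs


def _bits(mode, shift):
    b = (mode >> shift) & 0o7
    return {c for c, m in (("r", 4), ("w", 2), ("x", 1)) if b & m}


def effective_perms(spec, user, groups):
    """POSIX ACL check: owner class first, then every matching group-class
    entry (owning group and named groups; any grant suffices), else 'other'.
    setfacl -m without an explicit mask recomputes the mask as the union of
    the group-class entries, so the mask removes nothing in this scenario."""
    if user == spec.owner:
        return _bits(spec.mode, 6)
    matched, granted = False, set()
    if spec.group in groups:
        matched, granted = True, granted | _bits(spec.mode, 3)
    for (tag, name), perms in spec.acl.items():
        if tag == "g" and name in groups:
            matched, granted = True, granted | set(perms.replace("-", ""))
    return granted if matched else _bits(spec.mode, 0)


def create_file(spec, user, groups, requested_mode):
    """Outcome of `user` creating a ccache with `requested_mode` (the
    GssapiDelegCcachePerms mode), or None if the directory denies w+x.
    Linux ignores S_ISUID on a directory; S_ISGID makes the new file inherit
    the directory's group instead of the creator's primary group (groups[0])."""
    if not {"w", "x"} <= effective_perms(spec, user, groups):
        return None
    group = spec.group if spec.mode & stat.S_ISGID else groups[0]
    return {"owner": user, "group": group, "mode": requested_mode}


def can_read(f, user, groups):
    """Plain mode-bit read check on a created ccache (the files carry no ACL)."""
    if user == f["owner"]:
        return bool(f["mode"] & stat.S_IRUSR)
    if f["group"] in groups:
        return bool(f["mode"] & stat.S_IRGRP)
    return bool(f["mode"] & stat.S_IROTH)


# Constructed inputs: tmpfiles.d state before/after the hunk, the ccache mode
# from GssapiDelegCcachePerms, and assumed memberships (assumption, not from
# the page): each service user is only in its own primary group.
TMPFILES_BEFORE = """
d /run/ipa 0711 root root
d /run/ipa/ccaches 0770 ipaapi ipaapi
"""
TMPFILES_AFTER = """
d /run/ipa 0711 root root
d /run/ipa/ccaches 6770 ipaapi ipaapi
a+ /run/ipa/ccaches - - - - g:apache:rwx
"""
CCACHE_MODE = 0o660
USERS = {"apache": ["apache"], "ipaapi": ["ipaapi"], "nobody": ["nobody"]}


def who_can_create(tmpfiles, users=USERS, path="/run/ipa/ccaches"):
    """Per user: None if it cannot create a ccache, else the group the new
    file inherits and the users that can read it afterwards."""
    spec = parse_tmpfiles(tmpfiles)[path]
    out = {}
    for user, groups in users.items():
        f = create_file(spec, user, groups, CCACHE_MODE)
        out[user] = None if f is None else {
            "group": f["group"],
            "readers": sorted(u for u, g in users.items() if can_read(f, u, g)),
        }
    return out


if __name__ == "__main__":
    for label, cfg in (("before", TMPFILES_BEFORE), ("after", TMPFILES_AFTER)):
        print(label, who_can_create(cfg))
```

Running it shows the failure the commit describes ('apache' gets no w+x on the 0770 directory and is denied) and why the fix works: the ACL admits 'apache', and setgid hands the new ccache to group 'ipaapi' so the 'ipaapi'-side httpd can read it through the 0660 group bits. It also makes visible that the setuid half of 6770 changes nothing in the outcome.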


@ -1,2 +1,3 @@
d /run/ipa 0711 root root
d /run/ipa/ccaches 0770 ipaapi ipaapi
d /run/ipa/ccaches 6770 ipaapi ipaapi
a+ /run/ipa/ccaches - - - - g:apache:rwx
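Review bot: the setuid bit in `6770` has no effect on a directory under Linux, so the only behaviour this line buys is setgid group inheritance; `2770` would state that intent without suggesting a setuid directory to the next reader. Also note that `a+` installs an access ACL on the directory only: it lets `apache` processes create entries, but nothing is inherited by the ccache files themselves, whose mode comes from `GssapiDelegCcachePerms`. If ccaches created by the `ipaapi` process ever need to be readable by `apache`, that would need a default ACL (`A+`) or a different file mode, not this entry; a short comment saying so would save a future round-trip.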


@ -75,7 +75,7 @@ WSGIScriptReloading Off
GssapiImpersonate On
GssapiDelegCcacheDir $IPA_CCACHES
GssapiDelegCcachePerms mode:0660 gid:ipaapi
GssapiDelegCcachePerms mode:0660
GssapiDelegCcacheUnique On
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
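Review bot: dropping `gid:ipaapi` is only correct because the setgid bit on `$IPA_CCACHES` now supplies that group, and nothing in this file records the dependency; a one-line comment above `GssapiDelegCcacheDir $IPA_CCACHES` pointing at the tmpfiles.d entry would stop someone re-adding `gid:` or clearing the setgid bit later. The comment should also state the consequence of `mode:0660` here: a ccache created by the `ipaapi`-side process is `ipaapi:ipaapi` and unreadable by `apache`, which the commit message says is acceptable because that path is an internal redirect.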
@ -117,7 +117,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
<Location "/ipa/session/login_x509">
AuthType none
GssapiDelegCcacheDir $IPA_CCACHES
GssapiDelegCcachePerms mode:0660 gid:ipaapi
GssapiDelegCcachePerms mode:0660
GssapiDelegCcacheUnique On
SSLVerifyClient require
SSLUserName SSL_CLIENT_CERT
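Review bot: this is the second hand-maintained copy of the `GssapiDelegCcacheDir` / `GssapiDelegCcachePerms` / `GssapiDelegCcacheUnique` triple, and keeping the two in step by hand is how `gid:ipaapi` had to be removed from both. Since the file already relies on `$IPA_CCACHES` substitution, consider defining the ccache policy once in a shared fragment that both locations include, so a future change to the mode or directory cannot be applied to only one of them.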