
krb5_child: fix ccache replacement on concurrent logins #8342

Closed
ikerexxe wants to merge 2 commits into SSSD:master from ikerexxe:fix-kerberos-ccache

Conversation

Contributor

@ikerexxe ikerexxe commented Jan 9, 2026

When session keep-alive was extended to all authentication methods,
the ccache setup logic was no longer executed during SSS_PAM_AUTHENTICATE
for kept-alive processes. This caused concurrent logins with the same
user to create new random ccache filenames instead of reusing existing
ones, resulting in ccache replacement.

This restores the ccache reuse functionality that prevents concurrent
logins from overwriting each other's credential caches.

Fixes: 4cb99a2 (2025-12-04; "krb5_child: advertise authentication methods")
Resolves: #8331

Extract the privilege management and user identity setup logic from
`privileged_krb5_setup()` into a new `k5c_drop_to_user()` function. In
addition, refactor it to make it idempotent.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>

gemini-code-assist bot left a comment

Code Review

This pull request aims to fix an issue with ccache replacement during concurrent logins by restoring ccache setup logic for keep-alive processes. The refactoring of the privilege dropping logic is a good improvement. However, I've identified a critical security vulnerability in the implementation. The effective privileges are not dropped before performing ccache operations, which could lead to ccache files being created with root ownership. My review includes a specific comment and a code suggestion to address this vulnerability.

alexey-tikhonov added the "no-backport: This should go to target branch only." label Jan 9, 2026
alexey-tikhonov self-assigned this Jan 9, 2026
alexey-tikhonov self-requested a review January 9, 2026 08:54
ikerexxe marked this pull request as ready for review January 9, 2026 09:10
ikerexxe requested a review from sumit-bose January 9, 2026 09:10
Member

alexey-tikhonov commented Jan 9, 2026

Imo, this won't work.

sss_krb5_auth_methods_request() -> k5c_ccache_setup() -> k5c_precheck_ccache() -> sss_krb5_precheck_ccache() -> sss_set_cap_effective(CAP_DAC_READ_SEARCH, true);

All capabilities are already dropped at this point.
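An added example (not SSSD code) of the precondition behind this objection: a process can only raise a capability into its effective set while it is still in its permitted set, so a guard like the one below, run before a call such as sss_set_cap_effective(), shows whether the capabilities were already dropped. It parses the CapPrm line of /proc/<pid>/status from constructed sample text; the value 2 for CAP_DAC_READ_SEARCH is the kernel's bit index for that capability.

```c
/* Added example, not SSSD code: checks whether a capability is still in
 * the process's permitted set, which is the precondition for raising it
 * to the effective set (what sss_set_cap_effective() tries to do). The
 * CapPrm line of /proc/<pid>/status is parsed; the two status texts below
 * are constructed samples, not captured from krb5_child. A live check
 * would feed the contents of /proc/self/status to the same function. */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

#define CAP_DAC_READ_SEARCH 2   /* bit index, as in linux/capability.h */

/* Parse the hex mask after "<field>:" in a status text; *found reports
 * whether the line was present at all. */
static uint64_t cap_mask_from_status(const char *status, const char *field,
                                     bool *found)
{
    size_t flen = strlen(field);
    const char *line = status;

    *found = false;
    while (line != NULL && *line != '\0') {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            *found = true;
            return strtoull(line + flen + 1, NULL, 16); /* skips the tab */
        }
        line = strchr(line, '\n');
        if (line != NULL) {
            line++;
        }
    }
    return 0;
}

/* True if `cap` can still be raised to effective: it is in CapPrm. */
bool cap_permitted_in_status(const char *status, int cap)
{
    bool found;
    uint64_t prm = cap_mask_from_status(status, "CapPrm", &found);

    return found && ((prm >> cap) & 1ULL) != 0;
}

/* Constructed samples: CAP_DAC_READ_SEARCH still permitted vs. all caps dropped. */
const char status_caps_held[] =
    "Name:\tkrb5_child\nCapPrm:\t0000000000000004\nCapEff:\t0000000000000000\n";
const char status_caps_dropped[] =
    "Name:\tkrb5_child\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n";
```

In the second sample the permitted set is empty, which is the state the comment above describes: raising CAP_DAC_READ_SEARCH to effective can no longer succeed.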

Member

Superseded by #8344

alexey-tikhonov added the "superseded: This PR is superseded in favor if a different one" label and removed the "Waiting for review" label Jan 13, 2026
ikerexxe closed this Jan 13, 2026
ikerexxe deleted the fix-kerberos-ccache branch January 13, 2026 11:44

Development

Successfully merging this pull request may close these issues.

kerberos ccache filename is replaced on every concurrent login with the same user