KRB5: skip switch_creds() in PKINIT case

Since 'krb5_child' has lost set-id bit and is run under uid/gid of the backend, it was a no-op.
SSSD · Nov 18, 2024 · 7d59fca · 7d59fca
1 parent 1cd9a9c
commit 7d59fca
Showing 1 changed file with 8 additions and 12 deletions.
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
@@ -4289,24 +4289,20 @@ int main(int argc, const char *argv[])
     /* For PKINIT we might need access to the pcscd socket which by default
      * is only allowed for authenticated users. Since PKINIT is part of
      * the authentication and the user is not authenticated yet, we have
-     * to use different privileges and can only drop it only after the TGT is
-     * received. The fast_uid and fast_gid are the IDs the backend is running
-     * with. This can be either root or the 'sssd' user. Root is allowed by
-     * default and the 'sssd' user is allowed with the help of the
-     * sssd-pcsc.rules policy-kit rule. So those IDs are a suitable choice. We
-     * can only call switch_creds() because after the TGT is returned we have
-     * to switch to the IDs of the user to store the TGT.
+     * to use different privileges and can only drop it after the TGT is
+     * received. IDs the backend (and thus 'krb5_child) is running with are
+     * either root or the 'sssd' user. Root is allowed by default and
+     * the 'sssd' user is allowed with the help of the sssd-pcsc.rules
+     * policy-kit rule. So those IDs are a suitable choice and needs to
+     * be kept until TGT is obtained.
      * If we are offline we have to switch to the user's credentials directly
      * to make sure the empty ccache is created with the expected
      * ownership. */
-    if (IS_SC_AUTHTOK(kr->pd->authtok) && !offline) {
-        kerr = switch_creds(kr, kr->fast_uid, kr->fast_gid, 0, NULL,
-                            &kr->pcsc_saved_creds);
-    } else {
+    if (!IS_SC_AUTHTOK(kr->pd->authtok) || offline) {
         kerr = k5c_become_user(kr->uid, kr->gid, kr->posix_domain);
     }
     if (kerr != 0) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n");
+        DEBUG(SSSDBG_CRIT_FAILURE, "k5c_become_user() failed.\n");
         ret = EFAULT;
         goto done;
     }