PAM: don't set PR_SET_DUMPABLE

to avoid leaking host keytab accidentially. Take a note that this is rather a general precaution than a fix of a real threat since normally those coredumps wouldn't be accessible to non-privileged user anyway. This is an addition to #7755 Reviewed-by: Iker Pedrosa <[email protected]> Reviewed-by: Pavel Březina <[email protected]> (cherry picked from commit 85784e7)
SSSD · Jan 16, 2025 · 6d63a05 · 6d63a05
1 parent 31160a3
commit 6d63a05
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 15 deletions.
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
@@ -712,6 +712,14 @@
                                 leaking plain text passwords. See man page
                                 prctl:PR_SET_DUMPABLE for details.
                             </para>
+                            <para>
+                                Take a note that this setting has no effect
+                                for 'ldap_child', 'krb5_child' and 'sssd_pam'
+                                as those privileged binaries can have a copy
+                                of a host keytab data in a memory and their
+                                behavior in this regards is governed by
+                                /proc/sys/fs/suid_dumpable system setting.
+                            </para>
                             <para>
                                 Default: true
                             </para>

diff --git a/src/util/server.c b/src/util/server.c
@@ -729,21 +729,30 @@ int server_setup(const char *name, bool is_responder,
         }
     }
 
-    ret = confdb_get_bool(ctx->confdb_ctx,
-                          CONFDB_MONITOR_CONF_ENTRY,
-                          CONFDB_MONITOR_DUMPABLE,
-                          true, /* default value */
-                          &dumpable);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_FATAL_FAILURE, "Failed to determine "CONFDB_MONITOR_DUMPABLE"\n");
-        return ret;
-    }
-    ret = prctl(PR_SET_DUMPABLE, dumpable ? 1 : 0);
-    if (ret != 0) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set PR_SET_DUMPABLE\n");
-        return ret;
-    } else if (!dumpable) {
-        DEBUG(SSSDBG_IMPORTANT_INFO, "Core dumps are disabled!\n");
+    /* Don't touch PR_SET_DUMPABLE for sssd_pam as it
+     * handles host keytab.
+     * Rely on system settings instead: this flag "is reset to the
+     * current value contained in the file /proc/sys/fs/suid_dumpable"
+     * when "the process executes a program that has file capabilities".
+     */
+    if (strcmp(name, "pam") != 0) {
+        ret = confdb_get_bool(ctx->confdb_ctx,
+                              CONFDB_MONITOR_CONF_ENTRY,
+                              CONFDB_MONITOR_DUMPABLE,
+                              true, /* default value */
+                              &dumpable);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_FATAL_FAILURE,
+                  "Failed to determine "CONFDB_MONITOR_DUMPABLE"\n");
+            return ret;
+        }
+        ret = prctl(PR_SET_DUMPABLE, dumpable ? 1 : 0);
+        if (ret != 0) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set PR_SET_DUMPABLE\n");
+            return ret;
+        } else if (!dumpable) {
+            DEBUG(SSSDBG_IMPORTANT_INFO, "Core dumps are disabled!\n");
+        }
     }
 
     sss_chain_id_setup(ctx->event_ctx);