Clarify root permissions for KCM

[3XX0]

Is root supposed to be allowed to create arbitrary ccache without the need to setuid?
I'm asking because https://docs.pagure.org/sssd.sssd/design_pages/kcm.html seems to suggest that it is possible

KRB5CCNAME=KCM:foobar kinit
must not work unless done as root

However, when I try it I get the following

Name foobar is malformed [1432158296]: Credential cache name not allowed

And the code doesn't appear to make an exception for UID 0.

[alexey-tikhonov]

Well, despite

sssd/src/responder/kcm/kcmsrv_ccache.c

Line 162 in 7c6bc58

if (uid == 0 && gid == 0) {

it doesn't work for me even for "list ccaches" case - KRB5CCNAME=KCM:1000 klist -A:

[kcm] [accept_fd_handler] (0x0400): [CID#46] Client [cmd klist][uid 0][0x5618ff4a4390][15] connected!
[kcm] [kcm_cmd_send] (0x0400): [CID#46] KCM operation GET_PRINCIPAL
[kcm] [kcm_op_get_principal_send] (0x1000): [CID#46] Requested principal 1000
[kcm] [ccdb_secdb_getbyname_send] (0x2000): [CID#46] Getting ccache by name
[kcm] [local_db_dn] (0x2000): [CID#46] Local path for [persistent/0/ccache/] is [cn=ccache,cn=0,cn=persistent,cn=kcm]
[kcm] [sss_sec_new_req] (0x1000): [CID#46] Local DB path is persistent/0/ccache/
[kcm] [secdb_container_url_req] (0x2000): [CID#46] Created request for URL persistent/0/ccache/
[kcm] [sss_sec_list] (0x0400): [CID#46] Listing keys at [persistent/0/ccache/]
[kcm] [sss_sec_list] (0x2000): [CID#46] Searching at [cn=ccache,cn=0,cn=persistent,cn=kcm] with scope=subtree
[kcm] [sss_sec_list] (0x1000): [CID#46] No secrets found
[kcm] [key_by_name] (0x0080): [CID#46] The container was not found
[kcm] [kcm_ccdb_getbyname_done] (0x1000): [CID#46] No cache found by name

I don't know if it never worked or was broken later. Neither I know what was the rationale to make (plan) an exception for 'uid == 0'.
What's your use case? Why 'sudo -u foobar kinit' doesn't work for you?

[3XX0]

Um interessting, so yeah maybe it was intended and got broken at some point.
My use case is a little more involved since I'm accessing it programatically through libkrb5 and got surprised it didn't work. I can always do the setuid dance, I just wanted to avoid it if I didn't have to.

[alexey-tikhonov]

Neither I know what was the rationale to make (plan) an exception for 'uid == 0'.

@sumit-bose , @pbrezina , do you know (remember)?

[sumit-bose]

Hi,

iirc there was a long discussion with MIT Kerberos upstream about this and in the end it was agreed that over the KCM interface root should only see its own tickets and not be able to access others.

HTH

bye,
Sumit

[alexey-tikhonov]

Ok, then we should remove those traces from doc page and the code.

[Trevinlc1997]

Just wanted to comment and say of today, the documentation still claims "The KCM server keeps track of each credential caches's owner and performs access check control based on the UID and GID of the KCM client. The root user has access to all credential caches."

Hopefully that can be removed from sssd-kcm as that caused confusion if I had my KCM configured improperly.