Skip to content

[autobackport: sssd-2-9] KCM: root can't access arbitrary KCM cache#8311

Merged
ikerexxe merged 1 commit intoSSSD:sssd-2-9from
sssd-bot:SSSD-sssd-backport-pr8301-to-sssd-2-9
Dec 19, 2025
Merged

[autobackport: sssd-2-9] KCM: root can't access arbitrary KCM cache#8311
ikerexxe merged 1 commit intoSSSD:sssd-2-9from
sssd-bot:SSSD-sssd-backport-pr8301-to-sssd-2-9

Conversation

@sssd-bot
Copy link
Contributor

@sssd-bot sssd-bot commented Dec 19, 2025

This is an automatic backport of PR#8301 KCM: root can't access arbitrary KCM cache to branch sssd-2-9, created by @alexey-tikhonov.

Please make sure this backport is correct.

Note

The commits were cherry-picked without conflicts.

You can push changes to this pull request

git remote add sssd-bot git@github.com:sssd-bot/sssd.git
git fetch sssd-bot refs/heads/SSSD-sssd-backport-pr8301-to-sssd-2-9
git checkout SSSD-sssd-backport-pr8301-to-sssd-2-9
git push sssd-bot SSSD-sssd-backport-pr8301-to-sssd-2-9 --force

Original commits
87e72fd - KCM: root can't access arbitrary KCM cache

Backported commits

  • 0023b1d - KCM: root can't access arbitrary KCM cache

Original Pull Request Body

so remove confusing traces suggesting otherwise

See: #7274 (comment)

Resolves: #7274

gemini-code-assist[bot]
gemini-code-assist bot reviewed Dec 19, 2025
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request correctly removes the special handling for the root user, preventing it from accessing arbitrary Kerberos credential caches in KCM. The changes are consistent across the implementation, documentation, and code comments. The core logic change in kcmsrv_ccache.c removes the privileged access, and the corresponding updates in sssd-kcm.8.xml and kcmsrv_ccache.h accurately reflect this new, more secure behavior. The changes are correct and well-executed.

@alexey-tikhonov alexey-tikhonov added the no-backport This should go to target branch only. label Dec 19, 2025
@alexey-tikhonov @sssd-bot
KCM: root can't access arbitrary KCM cache
6eb3980 
so remove confusing traces suggesting otherwise

See: SSSD#7274 (comment)

Resolves: SSSD#7274
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
(cherry picked from commit 87e72fd)
@sssd-bot
Copy link
Contributor Author

sssd-bot commented Dec 19, 2025

The pull request was accepted by @ikerexxe with the following PR CI status:

🟢 CodeQL (success)
🟢 rpm-build:centos-stream-9-x86_64:upstream (success)
🟢 Build / make-distcheck (success)
🟢 ci / prepare (success)
🟢 ci / system (centos-9) (success)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)

There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.

@sssd-bot sssd-bot force-pushed the SSSD-sssd-backport-pr8301-to-sssd-2-9 branch from 0023b1d to 6eb3980 Compare December 19, 2025 13:30
@ikerexxe ikerexxe merged commit 1e858ce into SSSD:sssd-2-9 Dec 19, 2025
7 of 8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ikerexxe ikerexxe ikerexxe approved these changes

@justin-stephenson justin-stephenson justin-stephenson approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@ikerexxe ikerexxe

@justin-stephenson justin-stephenson

Labels

Accepted no-backport This should go to target branch only.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@sssd-bot @ikerexxe @justin-stephenson @alexey-tikhonov