From 9073ba1670fc0a3def494b1bf8c1294f18014409 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Thu, 9 Jan 2025 18:35:24 +0100
Subject: [PATCH] PAM: don't set PR_SET_DUMPABLE to avoid leaking host keytab accidentially.
Take a note that this is rather a general precaution than a fix of a real threat since normally those coredumps wouldn't be accessible to non-privileged user anyway.
This is an addition to https://github.com/SSSD/sssd/pull/7755
---
src/man/sssd.conf.5.xml | 8 ++++++++
src/util/server.c | 39 ++++++++++++++++++++++++---------------
2 files changed, 32 insertions(+), 15 deletions(-)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index a8414774775..d37aa6e5f01 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -712,6 +712,14 @@ leaking plain text passwords. See man page prctl:PR_SET_DUMPABLE for details. + + Take a note that this setting has no effect + for 'ldap_child', 'krb5_child' and 'sssd_pam' + as those privileged binaries can have a copy + of a host keytab data in a memory and their + behavior in this regards is governed by + /proc/sys/fs/suid_dumpable system setting. + Default: true
diff --git a/src/util/server.c b/src/util/server.c
index 8a01126d2ae..43eb4e668a3 100644
--- a/src/util/server.c
+++ b/src/util/server.c
@@ -729,21 +729,30 @@ int server_setup(const char *name, bool is_responder,
 }
 }
- ret = confdb_get_bool(ctx->confdb_ctx,
- CONFDB_MONITOR_CONF_ENTRY,
- CONFDB_MONITOR_DUMPABLE,
- true, /* default value */
- &dumpable);
- if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to determine "CONFDB_MONITOR_DUMPABLE"\n");
- return ret;
- }
- ret = prctl(PR_SET_DUMPABLE, dumpable ? 1 : 0);
- if (ret != 0) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set PR_SET_DUMPABLE\n");
- return ret;
- } else if (!dumpable) {
- DEBUG(SSSDBG_IMPORTANT_INFO, "Core dumps are disabled!\n");
+ /* Don't touch PR_SET_DUMPABLE for sssd_pam as it
+ * handles host keytab.
+ * Rely on system settings instead: this flag "is reset to the
+ * current value contained in the file /proc/sys/fs/suid_dumpable"
+ * when "the process executes a program that has file capabilities".
+ */
+ if (strcmp(name, "pam") != 0) {
+ ret = confdb_get_bool(ctx->confdb_ctx,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_DUMPABLE,
+ true, /* default value */
+ &dumpable);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to determine "CONFDB_MONITOR_DUMPABLE"\n");
+ return ret;
+ }
+ ret = prctl(PR_SET_DUMPABLE, dumpable ? 1 : 0);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set PR_SET_DUMPABLE\n");
+ return ret;
+ } else if (!dumpable) {
+ DEBUG(SSSDBG_IMPORTANT_INFO, "Core dumps are disabled!\n");
+ }
 }
 sss_chain_id_setup(ctx->event_ctx);
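Review bot: Wrapping the whole block in `if (strcmp(name, "pam") != 0)` also skips the `prctl(PR_SET_DUMPABLE, 0)` path, so an administrator who sets `dumpable = false` to keep plaintext passwords out of core files no longer affects sssd_pam, the responder that actually receives those passwords; only the raise-to-1 case needs suppressing, since it is `PR_SET_DUMPABLE, 1` that would undo the suid_dumpable reset quoted in the new comment. That reset applies only when a set-id or file-capability program is executed; on a plain exec the flag comes up as 1 (prctl(2)), so if sssd_pam is ever started without file capabilities it is dumpable with no way to change that from sssd.conf — the comment should state the file-capabilities dependency as an assumption. I would read the setting for every service and refuse only to raise the flag for pam, as sketched below; the man-page text added in this commit would then need to say that `dumpable = false` still applies to sssd_pam. server_setup() begins and ends outside this hunk.
```c
    /* … unchanged: confdb_get_bool(CONFDB_MONITOR_DUMPABLE) and its EOK check … */
    if (dumpable && strcmp(name, "pam") == 0) {
        /* Never raise PR_SET_DUMPABLE for sssd_pam: it may hold host keytab
         * data, and setting 1 here would undo the reset to
         * /proc/sys/fs/suid_dumpable the kernel applies on exec of a program
         * with file capabilities (assumes sssd_pam is installed with them). */
        DEBUG(SSSDBG_IMPORTANT_INFO,
              "Not enabling core dumps for sssd_pam, kernel policy applies.\n");
    } else {
        ret = prctl(PR_SET_DUMPABLE, dumpable ? 1 : 0);
        /* … unchanged: error handling and "Core dumps are disabled!" message … */
    }
```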