@@ -4289,24 +4289,20 @@ int main(int argc, const char *argv[])
42894289 /* For PKINIT we might need access to the pcscd socket which by default
42904290 * is only allowed for authenticated users. Since PKINIT is part of
42914291 * the authentication and the user is not authenticated yet, we have
4292- * to use different privileges and can only drop it only after the TGT is
4293- * received. The fast_uid and fast_gid are the IDs the backend is running
4294- * with. This can be either root or the 'sssd' user. Root is allowed by
4295- * default and the 'sssd' user is allowed with the help of the
4296- * sssd-pcsc.rules policy-kit rule. So those IDs are a suitable choice. We
4297- * can only call switch_creds() because after the TGT is returned we have
4298- * to switch to the IDs of the user to store the TGT.
4292+ * to use different privileges and can only drop it after the TGT is
4293+ * received. IDs the backend (and thus 'krb5_child) is running with are
4294+ * either root or the 'sssd' user. Root is allowed by default and
4295+ * the 'sssd' user is allowed with the help of the sssd-pcsc.rules
4296+ * policy-kit rule. So those IDs are a suitable choice and needs to
4297+ * be kept until TGT is obtained.
42994298 * If we are offline we have to switch to the user's credentials directly
43004299 * to make sure the empty ccache is created with the expected
43014300 * ownership. */
4302- if (IS_SC_AUTHTOK (kr -> pd -> authtok ) && !offline ) {
4303- kerr = switch_creds (kr , kr -> fast_uid , kr -> fast_gid , 0 , NULL ,
4304- & kr -> pcsc_saved_creds );
4305- } else {
4301+ if (!IS_SC_AUTHTOK (kr -> pd -> authtok ) || offline ) {
43064302 kerr = k5c_become_user (kr -> uid , kr -> gid , kr -> posix_domain );
43074303 }
43084304 if (kerr != 0 ) {
4309- DEBUG (SSSDBG_CRIT_FAILURE , "become_user failed.\n" );
4305+ DEBUG (SSSDBG_CRIT_FAILURE , "k5c_become_user() failed.\n" );
43104306 ret = EFAULT ;
43114307 goto done ;
43124308 }
0 commit comments