From: Simo Sorce <simo@redhat.com>
To: jlayton@redhat.com
Cc: steved@redhat.com, linux-nfs@vger.kernel.org
Subject: [PATCH 1/2] Improve first attempt at acquiring GSS credentials
Date: Thu, 16 Jan 2014 23:11:58 -0500 [thread overview]
Message-ID: <1389931919-4801-2-git-send-email-simo@redhat.com> (raw)
In-Reply-To: <1389931919-4801-1-git-send-email-simo@redhat.com>
Since now rpc.gssd is swithing uid before attempting to acquire
credentials, we do not need to pass in the special uid-as-a-string name
to gssapi, because the process is already running under the user's
credentials.
By removing this code we can fix a class of false negatives where the
user name does not match the actual ccache credentials and the ccache
type used is not one of the only 2 supported explicitly by rpc.gssd by the
fallback trolling done later.
Signed-off-by: Simo Sorce <simo@redhat.com>
---
utils/gssd/krb5_util.c | 22 +---------------------
1 files changed, 1 insertions(+), 21 deletions(-)
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 697d1d2e79db0cc38160ea4772d3af3a9b7d6c21..cb64a52f3c9c6e6fdb90e007172ecd43f8e2f458 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -1382,28 +1382,9 @@ int
gssd_acquire_user_cred(uid_t uid, gss_cred_id_t *gss_cred)
{
OM_uint32 maj_stat, min_stat;
- gss_buffer_desc name_buf;
- gss_name_t name;
- char buf[11];
int ret;
- ret = snprintf(buf, 11, "%u", uid);
- if (ret < 1 || ret > 10) {
- return -1;
- }
- name_buf.value = buf;
- name_buf.length = ret + 1;
-
- maj_stat = gss_import_name(&min_stat, &name_buf,
- GSS_C_NT_STRING_UID_NAME, &name);
- if (maj_stat != GSS_S_COMPLETE) {
- if (get_verbosity() > 0)
- pgsserr("gss_import_name",
- maj_stat, min_stat, &krb5oid);
- return -1;
- }
-
- ret = gssd_acquire_krb5_cred(name, gss_cred);
+ ret = gssd_acquire_krb5_cred(GSS_C_NO_NAME, gss_cred);
/* force validation of cred to check for expiry */
if (ret == 0) {
@@ -1412,7 +1393,6 @@ gssd_acquire_user_cred(uid_t uid, gss_cred_id_t *gss_cred)
ret = -1;
}
- maj_stat = gss_release_name(&min_stat, &name);
return ret;
}
--
1.7.1
next prev parent reply other threads:[~2014-01-17 4:12 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-15 21:41 [PATCH] Fix crdential sourcing with new setuid behavior in rpc.gssd Simo Sorce
2014-01-16 15:47 ` Jeff Layton
2014-01-17 1:28 ` Simo Sorce
2014-01-17 1:49 ` Jeff Layton
2014-01-17 4:11 ` [PATCH 0/2] Fix credential " Simo Sorce
2014-01-17 4:11 ` Simo Sorce [this message]
2014-01-17 4:11 ` [PATCH 2/2] Remove unused parameter Simo Sorce
2014-01-17 11:54 ` [PATCH 0/2] Fix credential sourcing with new setuid behavior in rpc.gssd Jeff Layton
2014-01-17 16:56 ` Simo Sorce
2014-01-17 16:56 ` [PATCH 1/2] Improve first attempt at acquiring GSS credentials Simo Sorce
2014-01-17 16:56 ` [PATCH 2/2] Remove unused arguments Simo Sorce
2014-01-20 22:03 ` Steve Dickson
2014-01-20 22:03 ` [PATCH 1/2] Improve first attempt at acquiring GSS credentials Steve Dickson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1389931919-4801-2-git-send-email-simo@redhat.com \
--to=simo@redhat.com \
--cc=jlayton@redhat.com \
--cc=linux-nfs@vger.kernel.org \
--cc=steved@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.