From: Simo Sorce <ssorce-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
cwseys-JAjqph6Yjy/rea2nFwT0Kw@public.gmane.org,
samba-technical-w/Ol4Ecudpl8XjKLYN78aQ@public.gmane.org
Subject: Re: [cifs-utils PATCH 7/8] cifs.upcall: unset $KRB5CCNAME when creating new credcache from keytab
Date: Fri, 24 Feb 2017 09:38:50 -0500
Message-ID: <1487947130.1893.127.camel@redhat.com>
In-Reply-To: <20170224142750.4151-8-jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
On Fri, 2017-02-24 at 09:27 -0500, Jeff Layton wrote:
> We don't want to trust $KRB5CCNAME when creating or updating a new
> credcache since we could be operating under the wrong credentials.
> Always create new credcaches in the default location instead.
>
> Reported-by: Chad William Seys <cwseys-JAjqph6Yjy/rea2nFwT0Kw@public.gmane.org>
> Signed-off-by: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
> ---
> cifs.upcall.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/cifs.upcall.c b/cifs.upcall.c
> index 15e1e0f91c22..0c89d7cf40d7 100644
> --- a/cifs.upcall.c
> +++ b/cifs.upcall.c
> @@ -379,6 +379,12 @@ init_cc_from_keytab(const char *keytab_name, const char *user)
>
> memset((char *) &my_creds, 0, sizeof(my_creds));
>
> + /*
> + * Unset the environment variable, if any. If we're creating our own
> + * credcache here, stick it in the default location.
> + */
> + unsetenv(ENV_NAME);
> +
> if (keytab_name)
> ret = krb5_kt_resolve(context, keytab_name, &keytab);
> else
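
Review bot: The return value of unsetenv(ENV_NAME) is ignored in the added lines of init_cc_from_keytab(), so if the call fails the function continues to krb5_kt_resolve() with the variable still set, which is the state this change is meant to rule out. Consider checking the result and returning an error before the keytab is resolved. The new comment could also name the variable ($KRB5CCNAME, per the commit message) and note that the unset is process-wide and persists after this function returns, since neither is obvious from ENV_NAME alone.
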
How long do you need these credentials around for?
I wonder if using a memory ccache would work here.
Simo.