From: Steve Dickson <SteveD@redhat.com>
To: Jeff Layton <jlayton@redhat.com>
Cc: ssorce@redhat.com, linux-nfs@vger.kernel.org
Subject: Re: [PATCH v3 0/2] gssd: allow gssd to work with KEYRING: credcaches
Date: Wed, 16 Oct 2013 08:22:35 -0400 [thread overview]
Message-ID: <525E850B.5090700@RedHat.com> (raw)
In-Reply-To: <20131015093419.789e4d2a@tlielax.poochiereds.net>
On 15/10/13 09:34, Jeff Layton wrote:
> On Wed, 9 Oct 2013 16:21:54 -0400
> Jeff Layton <jlayton@redhat.com> wrote:
>
>> Changes since original set:
>> v3:
>> - have parent check to see if child was signalled and log a warning if so
>> - drop supplimentary groups and change gid before acquiring creds. Keep
>> suid and sgid as well to hamper ptrace.
>>
>> v2:
>> - fix bisectability. The original set added includes in the wrong
>> place in patch #1 and then fixed it in patch #2. The final result
>> of this set is the same but should bisect cleanly.
>>
>> This patchset fixes up gssd to work with KEYRING: style credcaches. At
>> the same time, it also fixes gssd not to need to trawl through likely
>> credcache locations by allowing GSSAPI to find them in the intended
>> fashion.
>>
>> The basic idea is to have gssd fork() after reading off the pipe, but
>> before handling the upcall and to do a more thorough job of changing
>> credentials.
>>
>> Jeff Layton (2):
>> gssd: have process_krb5_upcall fork before handling upcall
>> gssd: do a more thorough change of identity after forking
>>
>> utils/gssd/gssd_proc.c | 106 +++++++++++++++++++++++++++++++++++++++++--------
>> 1 file changed, 89 insertions(+), 17 deletions(-)
>>
>
> I had asked Steve to hold off on applying these until now. While they
> work as expected for the most part, they break a the case where gssd is
> set up to use gssproxy to get credentials. Older versions of gssproxy
> relied on the caller having and euid of 0. Simo now has a set of fixes
> queued up for gssproxy to address the problem, so the way should now be
> clear to merge this set into nfs-utils.
>
> One thing we will probably want to do for Fedora at least is to add a
> "Conflicts:" with older versions of gssproxy. That should ensure that
> people relying on gssd + gssproxy won't get any surprises when updating.
>
> Steve, sound reasonable?
I'll queue them up...
steved.
>
prev parent reply other threads:[~2013-10-16 12:21 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-09 20:21 [PATCH v3 0/2] gssd: allow gssd to work with KEYRING: credcaches Jeff Layton
2013-10-09 20:21 ` [PATCH v3 1/2] gssd: have process_krb5_upcall fork before handling upcall Jeff Layton
2013-10-21 17:30 ` Steve Dickson
2013-10-09 20:21 ` [PATCH v3 2/2] gssd: do a more thorough change of identity after forking Jeff Layton
2013-10-21 17:30 ` Steve Dickson
2013-10-15 13:34 ` [PATCH v3 0/2] gssd: allow gssd to work with KEYRING: credcaches Jeff Layton
2013-10-16 12:22 ` Steve Dickson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=525E850B.5090700@RedHat.com \
--to=steved@redhat.com \
--cc=jlayton@redhat.com \
--cc=linux-nfs@vger.kernel.org \
--cc=ssorce@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.