From: Steve Dickson <SteveD@redhat.com>
To: andros@netapp.com
Cc: jlayton@poochiereds.net, linux-nfs@vger.kernel.org
Subject: Re: [PATCH Version 2 0/4] GSSD: Do not fork when UID = 0
Date: Wed, 23 Sep 2015 17:19:49 -0400
Message-ID: <56031775.8010304@RedHat.com>
In-Reply-To: <1443018616-1335-1-git-send-email-andros@netapp.com>

On 09/23/2015 10:30 AM, andros@netapp.com wrote:
> From: Andy Adamson <andros@netapp.com>
>
> Version 2:
> responded to comments.
> - removed some printerr from 0003
> - removed the SIGKILL call from 0004
>
> Version 1:
> Jeff Layton worked on this patch set with me.
>
> patch 0001 and 0002 clean up process_krb5_upcall() by moving the two cases into
> helper functions.
>
> patch 0003 is the heart of this patch set.
>
> commit f9cac65972da588d5218236de60a7be11247a8aa added the fork to
> process_krb5_upcall so that the child assumes the uid of the principal
> requesting service. This is good for the reasons listed in the commit.
>
> When machine credentials are used, a gssd_k5_kt_princ entry is added to
> a global list and used by future upcalls to note when valid machine credentials
> have been obtained. When a child process performs this task, the entry to the
> global list is lost upon exit, and all upcalls for machine credentials re-fetch
> a TGT, even when a valid TGT is in the machine kerberos credential cache.
>
> Since forking is not necessary when the principal has uid=0, solve the
> gssd_k5_kt_princ_list issue by only forking when the uid != 0.
>
> Please do more testing. Comments welcome.
>
> -->Andy
>
> Andy Adamson (4):
>   GSSD: move process_krb5_upcall machine cred case to helper function
>   GSSD: move process_krb5_updcall non machine cred case to helper
>     function
>   GSSD only fork when uid is not zeo
>   GSSD: clean up machine credentials

Committed all four of them... with some minor changes
in the debug statements and bug fixed in the third one...

steved.

>
> utils/gssd/gssd.c | 11 ++-
> utils/gssd/gssd_proc.c | 239 ++++++++++++++++++++++++++++++-------------------
> 2 files changed, 150 insertions(+), 100 deletions(-)
>
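
The behaviour described in the cover letter above, as an added example that is not part of the original thread or of nfs-utils: a child's update to process-global state is lost when it exits, so forking on every upcall forces a fresh TGT fetch each time. All names here (`machine_cred_cached`, `get_machine_cred`, `handle_upcall`, `count_fetches`) are hypothetical; a single flag stands in for the gssd_k5_kt_princ list, and the child's exit status is used only to report whether it fetched.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the global machine-credential list:
 * a flag recording that a valid TGT has already been obtained. */
static int machine_cred_cached;

/* Returns 1 if this call had to "fetch a TGT", 0 on a cache hit. */
static int get_machine_cred(void)
{
    if (machine_cred_cached)
        return 0;
    machine_cred_cached = 1;    /* recorded in this process's memory only */
    return 1;
}

/* One upcall. fork_for_root=1 forks for every uid; fork_for_root=0
 * forks only when uid != 0. The uid switch in the child is omitted. */
static int handle_upcall(uid_t uid, int fork_for_root)
{
    int status;
    pid_t pid;
    if (uid == 0 && !fork_for_root)
        return get_machine_cred();  /* parent's own state is updated */
    if ((pid = fork()) == 0)
        _exit(get_machine_cred());  /* the update dies with the child */
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Number of TGT fetches across n consecutive uid=0 upcalls. */
int count_fetches(int n, int fork_for_root)
{
    int i, fetches = 0;
    machine_cred_cached = 0;        /* start each run with an empty cache */
    for (i = 0; i < n; i++)
        fetches += handle_upcall(0, fork_for_root);
    return fetches;
}

int main(void)
{
    printf("fork for every uid:    %d fetches\n", count_fetches(5, 1));
    printf("fork only when uid!=0: %d fetches\n", count_fetches(5, 0));
    return 0;
}
```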