From: Jeff Layton <jlayton@redhat.com>
To: steved@redhat.com
Cc: linux-nfs@vger.kernel.org
Subject: [PATCH 0/2] gssd: allow it to work with KEYRING: credcaches
Date: Thu, 3 Oct 2013 14:42:09 -0400 [thread overview]
Message-ID: <1380825731-3314-1-git-send-email-jlayton@redhat.com> (raw)
This set is comprised of a couple of patches that fix gssd so that it
works with KEYRING: style credcaches. It turns out that gssd already
tries to query GSSAPI to find the best credcache to use and only falls
back to trawling through likely locations for credcaches if that fails.
The problem is that the initial call into GSSAPI for this almost always
fails, so it ends up falling back to trawling in the common case. This
patch corrects this by making a number of changes:
1) credentials are switched sooner during the upcall and don't switch back
2) credentials are switched using setuid() instead of setfsuid(). The
GSSAPI libs depend on the *real* uid being correct.
3) the daemon now forks before doing any credential switching to ensure
that unprivileged users can't do anything nefarious to it while it's
running under a different uid.
With this set of changes, and a bleeding-edge version of the krb5 and
keyutils libs, I can now successfully use KEYRING: style credcaches.
Jeff Layton (2):
gssd: have process_krb5_upcall fork before handling upcall
gssd: switch real uid instead of just fsuid when looking for user
creds
utils/gssd/gssd_proc.c | 47 ++++++++++++++++++++++++++++++-----------------
1 file changed, 30 insertions(+), 17 deletions(-)
--
1.8.3.1
next reply other threads:[~2013-10-03 18:42 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-03 18:42 Jeff Layton [this message]
2013-10-03 18:42 ` [PATCH 1/2] gssd: have process_krb5_upcall fork before handling upcall Jeff Layton
2013-10-03 18:56 ` Jeff Layton
2013-10-03 18:42 ` [PATCH 2/2] gssd: switch real uid instead of just fsuid when looking for user creds Jeff Layton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1380825731-3314-1-git-send-email-jlayton@redhat.com \
--to=jlayton@redhat.com \
--cc=linux-nfs@vger.kernel.org \
--cc=steved@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).