linux-nfs.vger.kernel.org archive mirror
* gssd picking wrong creds
@ 2010-07-04  3:30 Doug Nazar
  2010-07-19 15:10 ` Steve Dickson
  0 siblings, 1 reply; 2+ messages in thread
From: Doug Nazar @ 2010-07-04  3:30 UTC (permalink / raw)
  To: linux-nfs

[-- Attachment #1: Type: text/plain, Size: 282 bytes --]

  I'm running rpc.gssd with the -n option. Noticed that with the new
version it's now creating the machine cache file which is also owned by 
root so when it scans the cache files it matches the root user and then 
depending on the timestamp it can grab the wrong file.

Doug


[-- Attachment #2: nfs-utils-ignore-machine-cred.diff --]
[-- Type: text/plain, Size: 978 bytes --]

commit 891bf46cd23dbbb24188456aad29ac0ead2bc31f
Author: Doug Nazar <nazard.michi@gmail.com>
Date:   Sat Jul 3 23:12:27 2010 -0400

    When not using machine credentials for root, if the machine
    credential cache file is newer than the root credential file
    the wrong file will get picked. Ignore the machine file in this
    case.

diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index dccbeb6..d23654f 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -224,6 +224,13 @@ gssd_find_existing_krb5_ccache(uid_t uid, char *dirname, struct dirent **d)
 				free(namelist[i]);
 				continue;
 			}
+			if (uid == 0 && !root_uses_machine_creds && 
+				strstr(namelist[i]->d_name, "_machine_")) {
+				printerr(3, "CC file '%s' not available to root\n",
+					 statname);
+				free(namelist[i]);
+				continue;
+			}
 			if (!query_krb5_ccache(buf, &princname, &realm)) {
 				printerr(3, "CC file '%s' is expired or corrupt\n",
 					 statname);
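
Review bot: The `strstr(namelist[i]->d_name, "_machine_")` test in the added block matches the substring anywhere in the file name, so when `uid == 0 && !root_uses_machine_creds` holds, any cache file whose name merely contains `_machine_` is skipped as well, and the skip relies on this string literal staying in sync with whatever name the machine cache file is created under. Consider comparing against the exact machine cache name or prefix, built from the same constant the creation path uses, and add a short comment above the `if` saying why root must not pick this file when machine credentials are not used for root.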


* Re: gssd picking wrong creds
  2010-07-04  3:30 gssd picking wrong creds Doug Nazar
@ 2010-07-19 15:10 ` Steve Dickson
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Dickson @ 2010-07-19 15:10 UTC (permalink / raw)
  To: Doug Nazar; +Cc: linux-nfs



On 07/03/2010 11:30 PM, Doug Nazar wrote:
>  I'm running rpc.gssd with the -n option. Noticed that with the new
> version it's now creating the machine cache file which is also owned by
> root so when it scans the cache files it matches the root user and then
> depending on the timestamp it can grab the wrong file.
> 
> Doug
> 
> 
> nfs-utils-ignore-machine-cred.diff
> 

Committed...

steved.

> 
> commit 891bf46cd23dbbb24188456aad29ac0ead2bc31f
> Author: Doug Nazar <nazard.michi@gmail.com>
> Date:   Sat Jul 3 23:12:27 2010 -0400
> 
>     When not using machine credentials for root, if the machine
>     credential cache file is newer than the root credential file
>     the wrong file will get picked. Ignore the machine file in this
>     case.
> 
> diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
> index dccbeb6..d23654f 100644
> --- a/utils/gssd/krb5_util.c
> +++ b/utils/gssd/krb5_util.c
> @@ -224,6 +224,13 @@ gssd_find_existing_krb5_ccache(uid_t uid, char *dirname, struct dirent **d)
>  				free(namelist[i]);
>  				continue;
>  			}
> +			if (uid == 0 && !root_uses_machine_creds && 
> +				strstr(namelist[i]->d_name, "_machine_")) {
> +				printerr(3, "CC file '%s' not available to root\n",
> +					 statname);
> +				free(namelist[i]);
> +				continue;
> +			}
>  			if (!query_krb5_ccache(buf, &princname, &realm)) {
>  				printerr(3, "CC file '%s' is expired or corrupt\n",
>  					 statname);
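
Review bot: The first added line, `if (uid == 0 && !root_uses_machine_creds &&`, ends in trailing whitespace, and the `strstr(...)` continuation line is indented to the same depth as the block body, so the condition is hard to tell apart from the statements it guards; drop the trailing space and align the continuation under the opening parenthesis. The `printerr(3, "CC file '%s' not available to root\n", ...)` message could also state the reason (machine credential cache skipped because root is not using machine credentials) so the level-3 log is not mistaken for a permissions problem.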
