From: Steve Dickson <SteveD@redhat.com>
To: Simo Sorce <simo@redhat.com>, jlayton@redhat.com
Cc: linux-nfs@vger.kernel.org
Subject: Re: [PATCH 1/2] Improve first attempt at acquiring GSS credentials
Date: Mon, 20 Jan 2014 17:03:12 -0500 [thread overview]
Message-ID: <52DD9D20.8040105@RedHat.com> (raw)
In-Reply-To: <1389977800-10922-2-git-send-email-simo@redhat.com>
On 17/01/14 11:56, Simo Sorce wrote:
> Since now rpc.gssd is swithing uid before attempting to acquire
> credentials, we do not need to pass in the special uid-as-a-string name
> to gssapi, because the process is already running under the user's
> credentials.
>
> By removing this code we can fix a class of false negatives where the
> user name does not match the actual ccache credentials and the ccache
> type used is not one of the only 2 supported explicitly by rpc.gssd by the
> fallback trolling done later.
>
> Signed-off-by: Simo Sorce <simo@redhat.com>
Committed...
steved
> ---
> utils/gssd/krb5_util.c | 24 ++----------------------
> 1 files changed, 2 insertions(+), 22 deletions(-)
>
> diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
> index 697d1d2e79db0cc38160ea4772d3af3a9b7d6c21..230b909b14d244f832c0b5dd62e600cf8db4f80b 100644
> --- a/utils/gssd/krb5_util.c
> +++ b/utils/gssd/krb5_util.c
> @@ -1381,29 +1381,10 @@ gssd_acquire_krb5_cred(gss_name_t name, gss_cred_id_t *gss_cred)
> int
> gssd_acquire_user_cred(uid_t uid, gss_cred_id_t *gss_cred)
> {
> - OM_uint32 maj_stat, min_stat;
> - gss_buffer_desc name_buf;
> - gss_name_t name;
> - char buf[11];
> + OM_uint32 min_stat;
> int ret;
>
> - ret = snprintf(buf, 11, "%u", uid);
> - if (ret < 1 || ret > 10) {
> - return -1;
> - }
> - name_buf.value = buf;
> - name_buf.length = ret + 1;
> -
> - maj_stat = gss_import_name(&min_stat, &name_buf,
> - GSS_C_NT_STRING_UID_NAME, &name);
> - if (maj_stat != GSS_S_COMPLETE) {
> - if (get_verbosity() > 0)
> - pgsserr("gss_import_name",
> - maj_stat, min_stat, &krb5oid);
> - return -1;
> - }
> -
> - ret = gssd_acquire_krb5_cred(name, gss_cred);
> + ret = gssd_acquire_krb5_cred(GSS_C_NO_NAME, gss_cred);
>
> /* force validation of cred to check for expiry */
> if (ret == 0) {
> @@ -1412,7 +1393,6 @@ gssd_acquire_user_cred(uid_t uid, gss_cred_id_t *gss_cred)
> ret = -1;
> }
>
> - maj_stat = gss_release_name(&min_stat, &name);
> return ret;
> }
>
>
prev parent reply other threads:[~2014-01-20 22:01 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-15 21:41 [PATCH] Fix crdential sourcing with new setuid behavior in rpc.gssd Simo Sorce
2014-01-16 15:47 ` Jeff Layton
2014-01-17 1:28 ` Simo Sorce
2014-01-17 1:49 ` Jeff Layton
2014-01-17 4:11 ` [PATCH 0/2] Fix credential " Simo Sorce
2014-01-17 4:11 ` [PATCH 1/2] Improve first attempt at acquiring GSS credentials Simo Sorce
2014-01-17 4:11 ` [PATCH 2/2] Remove unused parameter Simo Sorce
2014-01-17 11:54 ` [PATCH 0/2] Fix credential sourcing with new setuid behavior in rpc.gssd Jeff Layton
2014-01-17 16:56 ` Simo Sorce
2014-01-17 16:56 ` [PATCH 1/2] Improve first attempt at acquiring GSS credentials Simo Sorce
2014-01-17 16:56 ` [PATCH 2/2] Remove unused arguments Simo Sorce
2014-01-20 22:03 ` Steve Dickson
2014-01-20 22:03 ` Steve Dickson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52DD9D20.8040105@RedHat.com \
--to=steved@redhat.com \
--cc=jlayton@redhat.com \
--cc=linux-nfs@vger.kernel.org \
--cc=simo@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox