| Message ID | 20170224142750.4151-8-jlayton@samba.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Fri, 2017-02-24 at 09:27 -0500, Jeff Layton wrote: > We don't want to trust $KRB5CCNAME when creating or updating a new > credcache since we could be operating under the wrong credentials. > Always create new credcaches in the default location instead. > > Reported-by: Chad William Seys <cwseys@physics.wisc.edu> > Signed-off-by: Jeff Layton <jlayton@samba.org> > --- > cifs.upcall.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/cifs.upcall.c b/cifs.upcall.c > index 15e1e0f91c22..0c89d7cf40d7 100644 > --- a/cifs.upcall.c > +++ b/cifs.upcall.c > @@ -379,6 +379,12 @@ init_cc_from_keytab(const char *keytab_name, const char *user) > > memset((char *) &my_creds, 0, sizeof(my_creds)); > > + /* > + * Unset the environment variable, if any. If we're creating our own > + * credcache here, stick it in the default location. > + */ > + unsetenv(ENV_NAME); > + > if (keytab_name) > ret = krb5_kt_resolve(context, keytab_name, &keytab); > else How long do you need these credentials around for ? I wonder if using a memory ccache would work here. Simo. -- To unsubscribe from this list: send the line "unsubscribe linux-cifs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Fri, 2017-02-24 at 09:38 -0500, Simo Sorce wrote: > On Fri, 2017-02-24 at 09:27 -0500, Jeff Layton wrote: > > We don't want to trust $KRB5CCNAME when creating or updating a new > > credcache since we could be operating under the wrong credentials. > > Always create new credcaches in the default location instead. > > > > Reported-by: Chad William Seys <cwseys@physics.wisc.edu> > > Signed-off-by: Jeff Layton <jlayton@samba.org> > > --- > > cifs.upcall.c | 6 ++++++ > > 1 file changed, 6 insertions(+) > > > > diff --git a/cifs.upcall.c b/cifs.upcall.c > > index 15e1e0f91c22..0c89d7cf40d7 100644 > > --- a/cifs.upcall.c > > +++ b/cifs.upcall.c > > @@ -379,6 +379,12 @@ init_cc_from_keytab(const char *keytab_name, const char *user) > > > > memset((char *) &my_creds, 0, sizeof(my_creds)); > > > > + /* > > + * Unset the environment variable, if any. If we're creating our own > > + * credcache here, stick it in the default location. > > + */ > > + unsetenv(ENV_NAME); > > + > > if (keytab_name) > > ret = krb5_kt_resolve(context, keytab_name, &keytab); > > else > > How long do you need these credentials around for ? > I wonder if using a memory ccache would work here. > > Only for as long as the upcall program lasts. A memory cache sounds like a good idea, actually. Let me ponder that... -- To unsubscribe from this list: send the line "unsubscribe linux-cifs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/cifs.upcall.c b/cifs.upcall.c index 15e1e0f91c22..0c89d7cf40d7 100644 --- a/cifs.upcall.c +++ b/cifs.upcall.c @@ -379,6 +379,12 @@ init_cc_from_keytab(const char *keytab_name, const char *user) memset((char *) &my_creds, 0, sizeof(my_creds)); + /* + * Unset the environment variable, if any. If we're creating our own + * credcache here, stick it in the default location. + */ + unsetenv(ENV_NAME); + if (keytab_name) ret = krb5_kt_resolve(context, keytab_name, &keytab); else
We don't want to trust $KRB5CCNAME when creating or updating a new credcache since we could be operating under the wrong credentials. Always create new credcaches in the default location instead. Reported-by: Chad William Seys <cwseys@physics.wisc.edu> Signed-off-by: Jeff Layton <jlayton@samba.org> --- cifs.upcall.c | 6 ++++++ 1 file changed, 6 insertions(+)