| Message ID | 1389977800-10922-2-git-send-email-simo@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On 17/01/14 11:56, Simo Sorce wrote: > Since now rpc.gssd is swithing uid before attempting to acquire > credentials, we do not need to pass in the special uid-as-a-string name > to gssapi, because the process is already running under the user's > credentials. > > By removing this code we can fix a class of false negatives where the > user name does not match the actual ccache credentials and the ccache > type used is not one of the only 2 supported explicitly by rpc.gssd by the > fallback trolling done later. > > Signed-off-by: Simo Sorce <simo@redhat.com> Committed... steved > --- > utils/gssd/krb5_util.c | 24 ++---------------------- > 1 files changed, 2 insertions(+), 22 deletions(-) > > diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c > index 697d1d2e79db0cc38160ea4772d3af3a9b7d6c21..230b909b14d244f832c0b5dd62e600cf8db4f80b 100644 > --- a/utils/gssd/krb5_util.c > +++ b/utils/gssd/krb5_util.c > @@ -1381,29 +1381,10 @@ gssd_acquire_krb5_cred(gss_name_t name, gss_cred_id_t *gss_cred) > int > gssd_acquire_user_cred(uid_t uid, gss_cred_id_t *gss_cred) > { > - OM_uint32 maj_stat, min_stat; > - gss_buffer_desc name_buf; > - gss_name_t name; > - char buf[11]; > + OM_uint32 min_stat; > int ret; > > - ret = snprintf(buf, 11, "%u", uid); > - if (ret < 1 || ret > 10) { > - return -1; > - } > - name_buf.value = buf; > - name_buf.length = ret + 1; > - > - maj_stat = gss_import_name(&min_stat, &name_buf, > - GSS_C_NT_STRING_UID_NAME, &name); > - if (maj_stat != GSS_S_COMPLETE) { > - if (get_verbosity() > 0) > - pgsserr("gss_import_name", > - maj_stat, min_stat, &krb5oid); > - return -1; > - } > - > - ret = gssd_acquire_krb5_cred(name, gss_cred); > + ret = gssd_acquire_krb5_cred(GSS_C_NO_NAME, gss_cred); > > /* force validation of cred to check for expiry */ > if (ret == 0) { > @@ -1412,7 +1393,6 @@ gssd_acquire_user_cred(uid_t uid, gss_cred_id_t *gss_cred) > ret = -1; > } > > - maj_stat = gss_release_name(&min_stat, &name); > return ret; > } > > -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c index 697d1d2e79db0cc38160ea4772d3af3a9b7d6c21..230b909b14d244f832c0b5dd62e600cf8db4f80b 100644 --- a/utils/gssd/krb5_util.c +++ b/utils/gssd/krb5_util.c @@ -1381,29 +1381,10 @@ gssd_acquire_krb5_cred(gss_name_t name, gss_cred_id_t *gss_cred) int gssd_acquire_user_cred(uid_t uid, gss_cred_id_t *gss_cred) { - OM_uint32 maj_stat, min_stat; - gss_buffer_desc name_buf; - gss_name_t name; - char buf[11]; + OM_uint32 min_stat; int ret; - ret = snprintf(buf, 11, "%u", uid); - if (ret < 1 || ret > 10) { - return -1; - } - name_buf.value = buf; - name_buf.length = ret + 1; - - maj_stat = gss_import_name(&min_stat, &name_buf, - GSS_C_NT_STRING_UID_NAME, &name); - if (maj_stat != GSS_S_COMPLETE) { - if (get_verbosity() > 0) - pgsserr("gss_import_name", - maj_stat, min_stat, &krb5oid); - return -1; - } - - ret = gssd_acquire_krb5_cred(name, gss_cred); + ret = gssd_acquire_krb5_cred(GSS_C_NO_NAME, gss_cred); /* force validation of cred to check for expiry */ if (ret == 0) { @@ -1412,7 +1393,6 @@ gssd_acquire_user_cred(uid_t uid, gss_cred_id_t *gss_cred) ret = -1; } - maj_stat = gss_release_name(&min_stat, &name); return ret; }
Since now rpc.gssd is swithing uid before attempting to acquire credentials, we do not need to pass in the special uid-as-a-string name to gssapi, because the process is already running under the user's credentials. By removing this code we can fix a class of false negatives where the user name does not match the actual ccache credentials and the ccache type used is not one of the only 2 supported explicitly by rpc.gssd by the fallback trolling done later. Signed-off-by: Simo Sorce <simo@redhat.com> --- utils/gssd/krb5_util.c | 24 ++---------------------- 1 files changed, 2 insertions(+), 22 deletions(-)