From: jaltman@mit.edu
Subject: SVN Commit
KFW integrated login was failing when the user is
not a power user or administrator. This was occurring
because the temporary file ccache was being created in
a directory the user could not read. While fixing this
it was noticed that the ACLs on the ccache were too broad.
Instead of applying a fix to the FILE: krb5_ccache
implementation it was decided that simply applying a new
set of ACLs (SYSTEM and "user" with no inheritance) to
the file immediately after the krb5_cc_initialize() call
would close the broadest security issues.

The file is initially created in the SYSTEM %TEMP% directory
with "SYSTEM" ACL only. Then it is moved to the user's %TEMP%
directory with "SYSTEM" and "user" ACLs. Finally, after
copying the credentials to the API: ccache, the file is deleted.


Commit By: jaltman



Revision: 18379
Changed Files:
U trunk/src/windows/kfwlogon/Makefile.in
U trunk/src/windows/kfwlogon/kfwcommon.c
U trunk/src/windows/kfwlogon/kfwcpcc.c
U trunk/src/windows/kfwlogon/kfwlogon.c
U trunk/src/windows/kfwlogon/kfwlogon.h
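
The ACL end state described in the commit message above (only SYSTEM and the user, no inheritance), applied and then audited from PowerShell. This is an added example, not code from kfwlogon or the commit; the function names, the temp-file name, and the choice of FullControl rights are assumptions, and only the final user-%TEMP% state is shown because the SYSTEM-only stage requires running as SYSTEM.

```powershell
# Added example, not kfwlogon code. Function and file names are hypothetical.
$SystemSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')  # NT AUTHORITY\SYSTEM
$UserSid   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

function Set-RestrictedAcl {
    param([string] $Path, [System.Security.Principal.SecurityIdentifier[]] $Allowed)
    $acl = Get-Acl -LiteralPath $Path
    # Protect the DACL and discard inherited ACEs ("no inheritance").
    $acl.SetAccessRuleProtection($true, $false)
    # Drop explicit ACEs already present, then grant only the allowed SIDs.
    foreach ($rule in @($acl.Access)) { [void] $acl.RemoveAccessRule($rule) }
    foreach ($sid in $Allowed) {
        # FullControl is an assumption; the commit message does not state the rights granted.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $sid, 'FullControl', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-RestrictedAcl {
    param([string] $Path, [System.Security.Principal.SecurityIdentifier[]] $Allowed)
    $acl = Get-Acl -LiteralPath $Path
    # An unprotected DACL can still pick up broad ACEs from the parent directory.
    if (-not $acl.AreAccessRulesProtected) { return $false }
    $allowedSids = @($Allowed | ForEach-Object { $_.Value })
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        # Fail on any inherited ACE or any trustee outside the allowed set.
        if ($rule.IsInherited -or ($allowedSids -notcontains $rule.IdentityReference.Value)) {
            return $false
        }
    }
    return $true
}

# Constructed stand-in for the temporary ccache file; it holds no credential data.
$ccache = Join-Path $env:TEMP 'example-ccache.tmp'
Set-Content -LiteralPath $ccache -Value 'placeholder'
"Before: restricted = $(Test-RestrictedAcl -Path $ccache -Allowed $SystemSid, $UserSid)"
Set-RestrictedAcl -Path $ccache -Allowed $SystemSid, $UserSid
"After:  restricted = $(Test-RestrictedAcl -Path $ccache -Allowed $SystemSid, $UserSid)"
Remove-Item -LiteralPath $ccache
```
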
From: jaltman@mit.edu
Subject: SVN Commit
undo previous commit due to EOL issues


Commit By: jaltman



Revision: 18381
Changed Files:
U trunk/src/windows/kfwlogon/Makefile.in
U trunk/src/windows/kfwlogon/kfwcommon.c
U trunk/src/windows/kfwlogon/kfwcpcc.c
U trunk/src/windows/kfwlogon/kfwlogon.c
U trunk/src/windows/kfwlogon/kfwlogon.h
From: jaltman@mit.edu
Subject: SVN Commit
commit again without using patch to apply the diff


Commit By: jaltman



Revision: 18382
Changed Files:
U trunk/src/windows/kfwlogon/Makefile.in
U trunk/src/windows/kfwlogon/kfwcommon.c
U trunk/src/windows/kfwlogon/kfwcpcc.c
U trunk/src/windows/kfwlogon/kfwlogon.c
U trunk/src/windows/kfwlogon/kfwlogon.h
From: tlyu@mit.edu
Subject: SVN Commit
pull up r18382 from trunk

r18382@cathode-dark-space: jaltman | 2006-07-24 16:39:31 -0400
ticket: 4048

commit again without using patch to apply the diff




Commit By: tlyu



Revision: 18383
Changed Files:
_U branches/krb5-1-4/
U branches/krb5-1-4/src/windows/kfwlogon/Makefile.in
U branches/krb5-1-4/src/windows/kfwlogon/kfwcommon.c
U branches/krb5-1-4/src/windows/kfwlogon/kfwcpcc.c
U branches/krb5-1-4/src/windows/kfwlogon/kfwlogon.c
U branches/krb5-1-4/src/windows/kfwlogon/kfwlogon.h
From: tlyu@mit.edu
Subject: SVN Commit
revert previous

Commit By: tlyu



Revision: 18384
Changed Files:
_U branches/krb5-1-4/
U branches/krb5-1-4/src/windows/kfwlogon/Makefile.in
U branches/krb5-1-4/src/windows/kfwlogon/kfwcommon.c
U branches/krb5-1-4/src/windows/kfwlogon/kfwcpcc.c
U branches/krb5-1-4/src/windows/kfwlogon/kfwlogon.c
U branches/krb5-1-4/src/windows/kfwlogon/kfwlogon.h
From: tlyu@mit.edu
Subject: SVN Commit
pull up r18379 from trunk in order to get correct commit log

r18379@cathode-dark-space: jaltman | 2006-07-24 02:58:23 -0400
ticket: new
subject: Windows Integrated Login Fixes for KFW 3.1
tags: pullup
component: windows

KFW integrated login was failing when the user is
not a power user or administrator. This was occurring
because the temporary file ccache was being created in
a directory the user could not read. While fixing this
it was noticed that the ACLs on the ccache were too broad.
Instead of applying a fix to the FILE: krb5_ccache
implementation it was decided that simply applying a new
set of ACLs (SYSTEM and "user" with no inheritance) to
the file immediately after the krb5_cc_initialize() call
would close the broadest security issues.

The file is initially created in the SYSTEM %TEMP% directory
with "SYSTEM" ACL only. Then it is moved to the user's %TEMP%
directory with "SYSTEM" and "user" ACLs. Finally, after
copying the credentials to the API: ccache, the file is deleted.




Commit By: tlyu



Revision: 18385
Changed Files:
_U branches/krb5-1-4/
U branches/krb5-1-4/src/windows/kfwlogon/Makefile.in
U branches/krb5-1-4/src/windows/kfwlogon/kfwcommon.c
U branches/krb5-1-4/src/windows/kfwlogon/kfwcpcc.c
U branches/krb5-1-4/src/windows/kfwlogon/kfwlogon.c
U branches/krb5-1-4/src/windows/kfwlogon/kfwlogon.h
From: tlyu@mit.edu
Subject: SVN Commit
pull up r18379 from trunk

r18379@cathode-dark-space: jaltman | 2006-07-24 02:58:23 -0400
ticket: new
subject: Windows Integrated Login Fixes for KFW 3.1
tags: pullup
component: windows

KFW integrated login was failing when the user is
not a power user or administrator. This was occurring
because the temporary file ccache was being created in
a directory the user could not read. While fixing this
it was noticed that the ACLs on the ccache were too broad.
Instead of applying a fix to the FILE: krb5_ccache
implementation it was decided that simply applying a new
set of ACLs (SYSTEM and "user" with no inheritance) to
the file immediately after the krb5_cc_initialize() call
would close the broadest security issues.

The file is initially created in the SYSTEM %TEMP% directory
with "SYSTEM" ACL only. Then it is moved to the user's %TEMP%
directory with "SYSTEM" and "user" ACLs. Finally, after
copying the credentials to the API: ccache, the file is deleted.




Commit By: tlyu



Revision: 18386
Changed Files:
_U branches/krb5-1-5/
U branches/krb5-1-5/src/windows/kfwlogon/Makefile.in
U branches/krb5-1-5/src/windows/kfwlogon/kfwcommon.c
U branches/krb5-1-5/src/windows/kfwlogon/kfwcpcc.c
U branches/krb5-1-5/src/windows/kfwlogon/kfwlogon.c
U branches/krb5-1-5/src/windows/kfwlogon/kfwlogon.h