Date: Thu, 17 Oct 2013 18:45:27 -0400
Message-Id: <201310172245.r9HMjRWx022295@blade.bos.redhat.com>
To: krb5-bugs@mit.edu
Subject: ksu assumes the invoking user's using a FILE: ccache
From: nalin@redhat.com


>Submitter-Id: net
>Originator:
>Organization:
>Confidential: no
>Synopsis: ksu assumes the invoking user's using a FILE: ccache
>Severity: non-critical
>Priority: low
>Category: krb5-clients
>Class: sw-bug
>Release: 1.11.3
>Environment:

System: Linux blade.bos.redhat.com 3.11.2-301.fc20.x86_64 #1 SMP Fri Sep 27 19:45:03 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64

>Description:
We've been testing with default_ccache_name set to DIR: and KEYRING:
types, and it appears that ksu isn't able to read creds from them.
>How-To-Repeat:
Add your test principal name to root's .k5login
Set KRB5CCNAME to point to a DIR: ccache collection
Use kinit to get credentials and store them in the collection
Attempt to ksu - ksu will fail to read current creds and will go on to
attempt to fetch new ones.
>Fix:
The code uses stat() on the residual name in several places, but it's
the failure of the check at ccache.c:80 that appears to cause it to
ignore my ccache. Skipping the stat() call, and always attempting to
read the cache, seems to make ksu do the right thing, but I haven't
really thought about any other implications.

From: ghudson@mit.edu
Subject: git commit

In ksu, don't stat() not-on-disk ccache residuals

Don't assume that ccache residual names are filenames which we can
stat() usefully. Instead, use helper functions to call the library
routines to try to read the default principal name from caches, and
use whether or not that succeeds as an indication of whether or not
there's a ccache in a given location.

https://github.com/krb5/krb5/commit/9ebae7cb434b9b177c0af85c67a6d6267f46bc68
Author: Nalin Dahyabhai <nalin@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 9ebae7cb434b9b177c0af85c67a6d6267f46bc68
Branch: master
src/clients/ksu/ccache.c | 60 +++++++++++++++++++-------------
src/clients/ksu/heuristic.c | 13 +------
src/clients/ksu/ksu.h | 8 +++-
src/clients/ksu/main.c | 79 +++++++++----------------------------------
4 files changed, 60 insertions(+), 100 deletions(-)