From: Kevin Coffman <kwc@citi.umich.edu>
To: neilb@suse.de
Cc: nfs@lists.sourceforge.net
Subject: [PATCH 09/12] Use owner rather than filename format in choosing cred cache files
Date: Thu, 08 Feb 2007 17:27:35 -0500
Message-ID: <20070208222735.23464.48640.stgit@rock.citi.umich.edu>
In-Reply-To: <20070208222606.23464.71348.stgit@rock.citi.umich.edu>

From: Kevin Coffman <kwc@citi.umich.edu>

Signed-off-by: Glenn Machin <gmachin@sandia.gov>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>

Some installations use different name formats for their credentials
caches.  Instead of checking that the uid is part of the name, just
make sure that the uid is the owner of the file.
This is a modification of the original patch from Glenn.
---

 utils/gssd/krb5_util.c |  106 +++++++++++++++++++++++-------------------------
 1 files changed, 50 insertions(+), 56 deletions(-)

diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index c43eb36..096f6cf 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -185,72 +185,66 @@ gssd_find_existing_krb5_ccache(uid_t uid
 		perror("scandir looking for krb5 credentials caches");
 	}
 	else if (n > 0) {
-		char substring[128];
-		char fullstring[128];
 		char statname[1024];
-		snprintf(substring, sizeof(substring), "_%d_", uid);
-		snprintf(fullstring, sizeof(fullstring), "_%d", uid);
 		for (i = 0; i < n; i++) {
 			printerr(3, "CC file '%s' being considered\n",
 				 namelist[i]->d_name);
-			if (strstr(namelist[i]->d_name, substring) ||
-			    !strcmp(namelist[i]->d_name, fullstring)) {
-				snprintf(statname, sizeof(statname),
-					 "%s/%s", ccachedir,
-					 namelist[i]->d_name);
-				if (stat(statname, &tmp_stat)) {
-					printerr(0, "Error doing stat "
-						    "on file '%s'\n",
-						 statname);
-					continue;
-				}
-				if (!S_ISREG(tmp_stat.st_mode)) {
-					printerr(3, "File '%s' is not "
-						    "a regular file\n",
-						 statname);
-					continue;
-				}
-				printerr(3, "CC file '%s' matches "
-					    "name check and has "
-					    "mtime of %u\n",
-					 namelist[i]->d_name,
-					 tmp_stat.st_mtime);
-				/* if more than one match is found,
-				 * return the most recent (the one
-				 * with the latest mtime),
-				 * and don't free the dirent */
-				if (!found) {
+			snprintf(statname, sizeof(statname),
+				 "%s/%s", ccachedir, namelist[i]->d_name);
+			if (stat(statname, &tmp_stat)) {
+				printerr(0, "Error doing stat on file '%s'\n",
+					 statname);
+				free(namelist[i]);
+				continue;
+			}
+			/* Only pick caches owned by the user (uid) */
+			if (tmp_stat.st_uid != uid) {
+				printerr(3, "'%s' owned by %u, not %u\n",
+					 statname, tmp_stat.st_uid, uid);
+				free(namelist[i]);
+				continue;
+			}
+			if (!S_ISREG(tmp_stat.st_mode)) {
+				printerr(3, "'%s' is not a regular file\n",
+					 statname);
+				free(namelist[i]);
+				continue;
+			}
+			printerr(3, "CC file '%s' matches owner check and has "
+				 "mtime of %u\n",
+				 namelist[i]->d_name, tmp_stat.st_mtime);
+			/*
+			 * if more than one match is found, return the most
+			 * recent (the one with the latest mtime), and
+			 * don't free the dirent
+			 */
+			if (!found) {
+				best_match_dir = namelist[i];
+				best_match_stat = tmp_stat;
+				found++;
+			}
+			else {
+				/*
+				 * If the current match has an mtime later
+				 * than the one we are looking at, then use
+				 * the current match.  Otherwise, we still
+				 * have the best match.
+				 */
+				if (tmp_stat.st_mtime >
+					    best_match_stat.st_mtime) {
+					free(best_match_dir);
 					best_match_dir = namelist[i];
 					best_match_stat = tmp_stat;
-					found++;
 				}
 				else {
-					/*
-					 * If the current match has
-					 * an mtime later than the
-					 * one we are looking at,
-					 * then use the current match.
-					 * Otherwise, we still have
-					 * the best match.
-					 */
-					if (tmp_stat.st_mtime >
-						    best_match_stat.st_mtime) {
-						free(best_match_dir);
-						best_match_dir = namelist[i];
-						best_match_stat = tmp_stat;
-					}
-					else {
-						free(namelist[i]);
-					}
-					printerr(3, "CC file '%s' is our "
-						    "current best match "
-						    "with mtime of %u\n",
-						 best_match_dir->d_name,
-						 best_match_stat.st_mtime);
+					free(namelist[i]);
 				}
+				printerr(3, "CC file '%s' is our "
+					    "current best match "
+					    "with mtime of %u\n",
+					 best_match_dir->d_name,
+					 best_match_stat.st_mtime);
 			}
-			else
-				free(namelist[i]);
 		}
 		free(namelist);
 	}
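Review bot: the two added `printerr(3, ... "mtime of %u\n", ...)` calls in this hunk (the "matches owner check" one and the "current best match" one) pass a `time_t` (`tmp_stat.st_mtime`, `best_match_stat.st_mtime`) to a `%u` conversion, a format/argument mismatch that the rewrite carries over from the removed lines; since these lines are being rewritten anyway, cast the value to `unsigned long` and print it with `%lu`. Two further points on the same hunk. First, with the `_%d_`/`_%d` name checks gone, every entry `scandir` returned is now `stat`ed, and a failure is logged at level 0 (`"Error doing stat on file '%s'\n"`) where previously only name-matched entries reached that path; in a shared, world-writable cache directory this can get noisy for entries that vanish between `scandir` and `stat`, so consider logging that case at level 3. Second, the `tmp_stat.st_uid != uid` comparison is now the only thing that stops another user's cache in the same directory from being selected, and nothing in this hunk constrains the file name any more, so correctness depends on the `scandir` filter outside the hunk still restricting candidates to credential-cache names; it would help to state in the commit message that the filter is relied on for that.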

