authorJakub Hrozek <jhrozek@redhat.com>2014-10-18 22:03:13 +0200
committerJakub Hrozek <jhrozek@redhat.com>2014-11-18 20:33:42 +0100
commit2745b0156f12df7a7eb93d57716233243658e4d9 (patch)
treec0accf228b7d15d1d9114b7522ac3bf7b8efd492 /src/providers/krb5/krb5_child_handler.c
parent7c5cd2e7711621af9163a41393e88896a91ac33b (diff)
KRB5: Move all ccache operations to krb5_child.c
The credential cache operations must now be performed by the krb5_child completely, because the sssd_be process might be running as the sssd user who doesn't have access to the ccaches. src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5 until we fix Kerberos ticket renewal as non-root. Also includes a new error code that indicates that the back end should remove the old ccache attribute -- the child can't do that if it's running as the user. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Diffstat (limited to 'src/providers/krb5/krb5_child_handler.c')
-rw-r--r--src/providers/krb5/krb5_child_handler.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 71c7f9c9f..93961172c 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -144,6 +144,11 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
buf->size += 4*sizeof(uint32_t) + strlen(kr->ccname) + strlen(keytab) +
sss_authtok_get_size(kr->pd->authtok);
+
+ buf->size += sizeof(uint32_t);
+ if (kr->old_ccname) {
+ buf->size += strlen(kr->old_ccname);
+ }
}
if (kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
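Review bot: The bytes reserved here for old_ccname have to match exactly what the second hunk (around new line 190) writes, and nothing visible enforces that. The SAFEALIGN_SET_UINT32 and safealign_memcpy calls there are not passed buf->size, so an accounting slip would write past the allocation rather than fail. A comment such as `/* old_ccname: uint32_t length, then the name bytes if set */` above `buf->size += sizeof(uint32_t);` would tie the two sites together. If the function does not already do so outside this hunk, a check like `if (rp != buf->size) return EINVAL;` after the last write would catch drift. create_send_buffer starts and ends outside the hunk.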
@@ -182,6 +187,14 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(kr->ccname), &rp);
safealign_memcpy(&buf->data[rp], kr->ccname, strlen(kr->ccname), &rp);
+ if (kr->old_ccname) {
+ SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(kr->old_ccname), &rp);
+ safealign_memcpy(&buf->data[rp], kr->old_ccname,
+ strlen(kr->old_ccname), &rp);
+ } else {
+ SAFEALIGN_SET_UINT32(&buf->data[rp], 0, &rp);
+ }
+
SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(keytab), &rp);
safealign_memcpy(&buf->data[rp], keytab, strlen(keytab), &rp);
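Review bot: A NULL old_ccname and an empty one both go out as length 0 in the added `if (kr->old_ccname)` / `else` block, so the reader of this buffer cannot tell them apart. A comment like `/* length 0 means there is no old ccache */` would make that the documented contract. The commit message says the child now performs the ccache operations, so the unpacking side in krb5_child.c (not shown here) presumably has to check this length against the bytes remaining and validate the name before acting on it. strlen(kr->old_ccname) is evaluated twice here and once more in the size computation, so a local `size_t old_len` would keep the three in agreement. The function continues outside the hunk.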