sssd.git/src/providers/krb5, branch token3 System Security Services Daemon [okos' clone] krb5: Fix warning sometimes uninitialized 2013-09-10T15:32:33+00:00 Lukas Slebodnik lslebodn@redhat.com 2013-09-10T08:07:51+00:00 c1f94194a9fee8582a0af3b151b4f2b14fa1019a warning: variable 'ret' is used uninitialized whenever 'if' condition is false if (kerr) { ^~~~ 
warning: variable 'ret' is used uninitialized whenever
'if' condition is false
    if (kerr) {
        ^~~~
krb5_child: Simplify ccache creation 2013-09-09T19:11:46+00:00 Simo Sorce simo@redhat.com 2013-09-03T03:52:46+00:00 a6a0d4edebccd3cf04f9813fc65185845626b5d4 The containing ccache directory is precreated by the parent code, so there is no special need to do so here for any type. Also the special handling for the FILE ccache temporary file is not really useful, because libkrb5 internally unlinks and then recreate the file, so mkstemp cannot really prevent subtle races, it can only make sure the file is unique at creation time. Resolves: https://fedorahosted.org/sssd/ticket/2061 
The containing ccache directory is precreated by the parent code,
so there is no special need to do so here for any type.
Also the special handling for the FILE ccache temporary file is not really
useful, because libkrb5 internally unlinks and then recreate the file, so
mkstemp cannot really prevent subtle races, it can only make sure the file is
unique at creation time.

Resolves:
https://fedorahosted.org/sssd/ticket/2061
krb5: Add file/dir path precheck 2013-09-09T19:11:46+00:00 Simo Sorce simo@redhat.com 2013-08-31T18:21:22+00:00 14050f35224360883e20ebd810d3eb40f39267cf Add a precheck on the actual existence at all of the file/dir ccname targeted (for FILE/DIR types), and bail early if nothing is available. While testing I found out that without this check, the krb5_cc_resolve() function we call as user to check old paths would try to create the directory if it didn't exist. With a ccname of DIR:/tmp/ccdir_1000 saved in the user entry this would cause two undesirable side effects: First it would actually create a directory with the old name, when it should not. Second, because for some reason the umask is set to 0127 in sssd_be, it would create the directory with permission 600 (missing the 'x' traverse bit on the directory. If the new ccache has the same name it would cause the krb5_child process to fal to store the credential cache in it. Related: https://fedorahosted.org/sssd/ticket/2061 
Add a precheck on the actual existence at all of the file/dir ccname
targeted (for FILE/DIR types), and bail early if nothing is available.

While testing I found out that without this check, the krb5_cc_resolve()
function we call as user to check old paths would try to create the
directory if it didn't exist.

With a ccname of DIR:/tmp/ccdir_1000 saved in the user entry this would
cause two undesirable side effects:

First it would actually create a directory with the old name, when it
should not.

Second, because for some reason the umask is set to 0127 in sssd_be, it
would create the directory with permission 600 (missing the 'x' traverse
bit on the directory. If the new ccache has the same name it would cause
the krb5_child process to fal to store the credential cache in it.

Related:
https://fedorahosted.org/sssd/ticket/2061
krb5: Remove unused ccache backend infrastructure 2013-09-09T19:11:46+00:00 Simo Sorce simo@redhat.com 2013-08-31T00:11:42+00:00 d20a5a74666413cadbf64c02eb656a5a3b4bb1de Remove struct sss_krb5_cc_be and the remaining functions that reference it as they are all unused now. Resolves: https://fedorahosted.org/sssd/ticket/2061 
Remove struct sss_krb5_cc_be and the remaining functions that reference
it as they are all unused now.

Resolves:
https://fedorahosted.org/sssd/ticket/2061
krb5: Unify function to create ccache files 2013-09-09T19:11:46+00:00 Simo Sorce simo@redhat.com 2013-08-30T21:25:01+00:00 1c022b3556f442f57326c4a3f250128b1bd232ae Only 2 types (FILE and DIR) need to precreate files or directories on the file system, and the 2 functions were basically identical. Consolidate all in one common function and use that function directly where needed instead of using indirection. Resolves: https://fedorahosted.org/sssd/ticket/2061 
Only 2 types (FILE and DIR) need to precreate files or directories
on the file system, and the 2 functions were basically identical.

Consolidate all in one common function and use that function directly
where needed instead of using indirection.

Resolves:
https://fedorahosted.org/sssd/ticket/2061
krb5: Use new function to validate ccaches 2013-09-09T19:11:45+00:00 Simo Sorce simo@redhat.com 2013-08-30T20:35:43+00:00 84ce563e3f430eec1225a6f8493eb0a6c9a3013a This function replaces and combines check_for_valid_tgt() and type specific functions that checked for ccache existence by using generic krb5 cache function and executing them as the target user (implicitly validate the target use rcan properly access the ccache). Resolves: https://fedorahosted.org/sssd/ticket/2061 
This function replaces and combines check_for_valid_tgt() and type specific
functions that checked for ccache existence by using generic krb5 cache
function and executing them as the target user (implicitly validate the
target use rcan properly access the ccache).

Resolves:
https://fedorahosted.org/sssd/ticket/2061
krb5: Make check_for_valid_tgt() static 2013-09-09T19:11:45+00:00 Simo Sorce simo@redhat.com 2013-08-30T16:27:49+00:00 c121e65ed592bf3611053ee38032fd33c8d1b285 check_for_valid_tgt() is used exclusively in krb5_uitls.c so move it there. Resolves: https://fedorahosted.org/sssd/ticket/2061 
check_for_valid_tgt() is used exclusively in krb5_uitls.c so move it there.

Resolves:
https://fedorahosted.org/sssd/ticket/2061
krb5: move template check to initializzation 2013-09-09T19:11:45+00:00 Simo Sorce simo@redhat.com 2013-08-30T16:21:39+00:00 5dc3b01fd9b2fa244e7c2820ce04602c9f059370 The randomized template check realy only makes sense for the FILE ccache which is the only one that normally needs to use randomizing chars. Also it is better to warn the admin early rather than to warn 'when it is too late'. So move the check at initialization time when we determine what the template actually is. Resolves: https://fedorahosted.org/sssd/ticket/2061 
The randomized template check realy only makes sense for the FILE ccache
which is the only one that normally needs to use randomizing chars.
Also it is better to warn the admin early rather than to warn 'when it
is too late'.
So move the check at initialization time when we determine what the
template actually is.

Resolves:
https://fedorahosted.org/sssd/ticket/2061
krb5: Move determination of user being active 2013-09-09T19:11:45+00:00 Simo Sorce simo@redhat.com 2013-08-30T15:31:23+00:00 bfd32c9e8f302d7722838a68572c6801f5640657 The way a user is checked for being active does not depend on the ccache type so move that check out of the ccache specific functions. Resolves: https://fedorahosted.org/sssd/ticket/2061 
The way a user is checked for being active does not depend on the ccache
type so move that check out of the ccache specific functions.

Resolves:
https://fedorahosted.org/sssd/ticket/2061
krb5: Replace type-specific ccache/principal check 2013-09-09T19:11:45+00:00 Simo Sorce simo@redhat.com 2013-08-30T04:58:24+00:00 1536e39c191a013bc50bb6fd4b8eaef11cf0d436 Instead of having duplicate functions that are type custom use a signle common function that also performs access to the cache as the user owner, implicitly validating correctness of ownership. Resolves: https://fedorahosted.org/sssd/ticket/2061 
Instead of having duplicate functions that are type custom use a signle common
function that also performs access to the cache as the user owner, implicitly
validating correctness of ownership.

Resolves:
https://fedorahosted.org/sssd/ticket/2061