author | Simo Sorce <simo@redhat.com> | 2017-11-16 15:39:01 -0500 |
committer | Simo Sorce <simo@redhat.com> | 2017-11-16 16:28:28 -0500 |
commit | 799c0303440e66004b4517e66d7f2852cfd313e4 (patch) | |
tree | 294e1eb2acf0dfe3f043d5be13f6de28e16e4f48 | |
parent | 8d9bf479441d9d7a44a86b69026a7e9d431d3ade (diff) | |
Avoid clobbering root's ccache if possible (branch: fixrootccache)
If the gssapi library is modern enough, store the ccache in a process
scoped keyring by default. This will avoid clobbering root's default
ccache, and keep the creds from littering the filesystem.
Signed-off-by: Simo Sorce <simo@redhat.com>
-rw-r--r-- | aclocal/kerberos5.m4 | 4 | ||||
-rw-r--r-- | utils/gssd/gss_util.c | 17 | ||||
-rw-r--r-- | utils/gssd/gss_util.h | 3 | ||||
-rw-r--r-- | utils/gssd/gssd.h | 1 | ||||
-rw-r--r-- | utils/gssd/svcgssd.c | 4 |
5 files changed, 25 insertions, 4 deletions
diff --git a/aclocal/kerberos5.m4 b/aclocal/kerberos5.m4
index 8a0f3e4..c26881b 100644
--- a/aclocal/kerberos5.m4
+++ b/aclocal/kerberos5.m4
@@ -94,6 +94,10 @@ AC_DEFUN([AC_KERBEROS_V5],[
   AC_CHECK_LIB($gssapi_lib, krb5_get_init_creds_opt_set_addressless,
     AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS, 1, [Define this if the function krb5_get_init_creds_opt_set_addressless is available]), ,$KRBLIBS)
 
+  dnl Optional functions that make life better
+  AC_CHECK_LIB($gssapi_lib, gss_acquire_cred_from,
+    AC_DEFINE(HAVE_GSS_ACQUIRE_CRED_FROM, 1, [Define this if the function gss_acquire_cred_from is available]), ,$KRBLIBS)
+
   dnl If they specified a directory and it didn't work, give them a warning
   if test "x$krb5_with" != "x" -a "$krb5_with" != "$KRBDIR"; then
     AC_MSG_WARN(Using $KRBDIR instead of requested value of $krb5_with for Kerberos!)
diff --git a/utils/gssd/gss_util.c b/utils/gssd/gss_util.c
index 2e6d40f..6235b7a 100644
--- a/utils/gssd/gss_util.c
+++ b/utils/gssd/gss_util.c
@@ -81,6 +81,9 @@
 #include <gssapi/gssapi_generic.h>
 #define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
 #endif
+#ifdef HAVE_GSS_ACQUIRE_CRED_FROM
+#include <gssapi/gssapi_ext.h>
+#endif
 #include "gss_util.h"
 #include "err_util.h"
 #include "gssd.h"
@@ -88,6 +91,7 @@
 #include <unistd.h>
 #endif
 #include <stdlib.h>
+#include <stdbool.h>
 #ifdef HAVE_COM_ERR_H
 #include <com_err.h>
 #endif
@@ -269,7 +273,7 @@ pgsserr(char *msg, u_int32_t maj_stat, u_int32_t min_stat, const gss_OID mech)
 }
 
 int
-gssd_acquire_cred(char *server_name, const gss_OID oid)
+gssd_acquire_cred(char *server_name, bool machine, const gss_OID oid)
 {
 	gss_buffer_desc name;
 	gss_name_t target_name;
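Review bot: The new `AC_CHECK_LIB($gssapi_lib, gss_acquire_cred_from, ...)` in the kerberos5.m4 hunk only proves that the symbol links, yet the same `HAVE_GSS_ACQUIRE_CRED_FROM` macro is what gss_util.c uses to include `<gssapi/gssapi_ext.h>` and to hand the library a `KEYRING:` ccache. As far as I know that header and that ccache type are MIT-krb5 specific, so a non-MIT library that also exports `gss_acquire_cred_from` (newer Heimdal, I believe) would define the macro and then fail to compile or fail at runtime. I'd gate the define on the header as well, e.g. `AC_CHECK_HEADERS([gssapi/gssapi_ext.h], [AC_CHECK_LIB($gssapi_lib, gss_acquire_cred_from, AC_DEFINE(HAVE_GSS_ACQUIRE_CRED_FROM, 1, [...]), ,$KRBLIBS)])`, assuming the Kerberos include path is already on CPPFLAGS at that point in the macro. The enclosing `AC_DEFUN([AC_KERBEROS_V5]` starts and ends outside this hunk.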
@@ -294,6 +298,17 @@ gssd_acquire_cred(char *server_name, const gss_OID oid)
 		}
 	}
 
+#ifdef HAVE_GSS_ACQUIRE_CRED_FROM
+	if (machine) {
+		gss_key_value_element_desc gssd_ccache = { "ccache",
+						GSSD_SECURE_MACHINE_CACHE };
+		gss_key_value_set_desc cred_store = {1, &gssd_ccache};
+		maj_stat = gss_acquire_cred_from(&min_stat, target_name,
+						GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
+						GSS_C_ACCEPT, &cred_store,
+						&gssd_creds, NULL, NULL);
+	} else
+#endif
 	maj_stat = gss_acquire_cred(&min_stat, target_name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, GSS_C_ACCEPT, &gssd_creds, NULL, NULL);
diff --git a/utils/gssd/gss_util.h b/utils/gssd/gss_util.h
index aa9f778..24fad94 100644
--- a/utils/gssd/gss_util.h
+++ b/utils/gssd/gss_util.h
@@ -32,12 +32,13 @@
 #define _GSS_UTIL_H_
 #include <stdlib.h>
+#include <stdbool.h>
 #include <rpc/rpc.h>
 #include "write_bytes.h"
 extern gss_cred_id_t gssd_creds;
-int gssd_acquire_cred(char *server_name, const gss_OID oid);
+int gssd_acquire_cred(char *server_name, bool machine, const gss_OID oid);
 void pgsserr(char *msg, u_int32_t maj_stat, u_int32_t min_stat, const gss_OID mech);
 int gssd_check_mechs(void);
diff --git a/utils/gssd/gssd.h b/utils/gssd/gssd.h
index f4f5975..88839f6 100644
--- a/utils/gssd/gssd.h
+++ b/utils/gssd/gssd.h
@@ -45,6 +45,7 @@
 #define GSSD_DEFAULT_CRED_DIR "/tmp"
 #define GSSD_USER_CRED_DIR "/run/user/%U"
+#define GSSD_SECURE_MACHINE_CACHE "KEYRING:process:gssd_ccache"
 #define GSSD_DEFAULT_CRED_PREFIX "krb5cc"
 #define GSSD_DEFAULT_MACHINE_CRED_SUFFIX "machine"
 #define GSSD_DEFAULT_KEYTAB_FILE "/etc/krb5.keytab"
diff --git a/utils/gssd/svcgssd.c b/utils/gssd/svcgssd.c
index 3514ae1..a521689 100644
--- a/utils/gssd/svcgssd.c
+++ b/utils/gssd/svcgssd.c
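Review bot: When `gss_acquire_cred_from()` fails inside the new `if (machine)` branch there is no fallback to `gss_acquire_cred()`, so a build whose libgssapi links the symbol but whose runtime cannot open `KEYRING:process:gssd_ccache` (a libkrb5 without keyring support or a kernel without keyrings, as far as I can tell) loses the machine credentials entirely instead of degrading to the old behaviour the commit message describes as "if possible". The `} else` followed by `#endif` also makes it easy to miss that the plain `gss_acquire_cred()` call is the only path on non-MIT builds. I'd record whether the keyring acquisition succeeded, report the failure through the file's own `pgsserr()` so an operator can see that root's default ccache is about to be used after all, and only then fall back. `gssd_acquire_cred()` starts and ends outside this hunk.
```c
	bool acquired = false;
#ifdef HAVE_GSS_ACQUIRE_CRED_FROM
	if (machine) {
		/* … unchanged: cred_store setup and gss_acquire_cred_from() call … */
		if (maj_stat == GSS_S_COMPLETE)
			acquired = true;
		else
			/* keyring ccache unusable on this host: say so, then fall back */
			pgsserr("gss_acquire_cred_from", maj_stat, min_stat, oid);
	}
#endif
	if (!acquired)
		maj_stat = gss_acquire_cred(&min_stat, target_name, GSS_C_INDEFINITE,
					    GSS_C_NO_OID_SET, GSS_C_ACCEPT,
					    &gssd_creds, NULL, NULL);
	/* … unchanged: maj_stat check that follows … */
```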
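Review bot: The new `bool machine` parameter on the `gssd_acquire_cred()` prototype in gss_util.h is undocumented, and nothing at the declaration tells a caller what passing `true` changes or that it is a no-op on some builds. I'd put a comment above the prototype along the lines of `/* machine: when gss_acquire_cred_from() is available, acquire the acceptor creds through the process-private KEYRING ccache (GSSD_SECURE_MACHINE_CACHE) instead of the default ccache; otherwise the flag is ignored */`, which is exactly what the `#ifdef HAVE_GSS_ACQUIRE_CRED_FROM` block in gss_util.c does. The header's include ordering (`<stdbool.h>` before `<rpc/rpc.h>`) is fine since the prototype needs `bool`.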
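Review bot: `GSSD_SECURE_MACHINE_CACHE` in gssd.h introduces a `KEYRING:` ccache with no comment on why it was chosen or what it requires, while the neighbouring defines are ordinary paths. The `process` scope is what keeps the cache private to the gssd process and off the filesystem, but as far as I know the `KEYRING:` type is MIT-krb5 specific and depends on Linux keyring support in both the kernel and libkrb5, so `gss_acquire_cred_from()` can fail with it on an otherwise working host. I'd add `/* MIT-only ccache type: private to this process and never written to disk, so root's default ccache is left alone; needs keyring support in the kernel and libkrb5 */` above the define.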
@@ -182,10 +182,10 @@ main(int argc, char *argv[])
 	if (get_creds) {
 		if (principal)
-			status = gssd_acquire_cred(principal,
+			status = gssd_acquire_cred(principal, true,
 				((const gss_OID)GSS_C_NT_USER_NAME));
 		else
-			status = gssd_acquire_cred(GSSD_SERVICE_NAME,
+			status = gssd_acquire_cred(GSSD_SERVICE_NAME, true,
 				(const gss_OID)GSS_C_NT_HOSTBASED_SERVICE);
 		if (status == FALSE) {
 			printerr(0, "unable to obtain root (machine) credentials\n"); |
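Review bot: Both call sites in svcgssd.c pass a bare `true`, which on a build without `HAVE_GSS_ACQUIRE_CRED_FROM` is silently ignored, so the daemon still acquires through root's default ccache with nothing in the log saying so; an operator investigating a clobbered ccache cannot tell which mode this binary is running in. I'd log the degraded mode once at startup, next to these calls, e.g. `#ifndef HAVE_GSS_ACQUIRE_CRED_FROM` / `printerr(1, "gss_acquire_cred_from() unavailable; machine creds use the default ccache\n");` / `#endif`, assuming config.h is included in this file as it is in gss_util.c. A `/* machine */` annotation on the `true` arguments would also make the call sites readable without opening the header. `main()` starts and ends outside this hunk.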