diff options
| author | Steve Dickson <steved@redhat.com> | 2012-03-22 11:02:46 -0400 |
|---|---|---|
| committer | Steve Dickson <steved@redhat.com> | 2012-03-22 11:07:23 -0400 |
| commit | 245fad6be5a32866b2cefad55b3e2d50f6b197af (patch) | |
| tree | 2e154f30dbd040701de88abae66fe2a67b2b696d | |
| parent | 5397edac120350bd5fd8284819c1a900cb41546c (diff) | |
| download | nfs-utils-245fad6be5a32866b2cefad55b3e2d50f6b197af.tar.gz nfs-utils-245fad6be5a32866b2cefad55b3e2d50f6b197af.tar.xz nfs-utils-245fad6be5a32866b2cefad55b3e2d50f6b197af.zip | |
gssd: Look for user creds in user defined directory
The user credential cache currently is kept in /tmp.
In upcoming Kerberos release that will be moved to
/run/user/<username>/. This patch enables gssd to
look in both the old and new caches
Signed-off-by: Steve Dickson <steved@redhat.com>
| -rw-r--r-- | utils/gssd/gssd.c | 2 | ||||
| -rw-r--r-- | utils/gssd/gssd.h | 1 | ||||
| -rw-r--r-- | utils/gssd/gssd_proc.c | 36 |
3 files changed, 36 insertions, 3 deletions
diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c index ccadb07..d53795e 100644 --- a/utils/gssd/gssd.c +++ b/utils/gssd/gssd.c @@ -57,7 +57,7 @@ char pipefs_dir[PATH_MAX] = GSSD_PIPEFS_DIR; char keytabfile[PATH_MAX] = GSSD_DEFAULT_KEYTAB_FILE; -char ccachedir[PATH_MAX] = GSSD_DEFAULT_CRED_DIR; +char ccachedir[PATH_MAX] = GSSD_DEFAULT_CRED_DIR ":" GSSD_USER_CRED_DIR; char *ccachesearch[GSSD_MAX_CCACHE_SEARCH + 1]; int use_memcache = 0; int root_uses_machine_creds = 1; diff --git a/utils/gssd/gssd.h b/utils/gssd/gssd.h index 40f824c..28a8206 100644 --- a/utils/gssd/gssd.h +++ b/utils/gssd/gssd.h @@ -45,6 +45,7 @@ #define DNOTIFY_SIGNAL (SIGRTMIN + 3) #define GSSD_DEFAULT_CRED_DIR "/tmp" +#define GSSD_USER_CRED_DIR "/run/user" #define GSSD_DEFAULT_CRED_PREFIX "krb5cc_" #define GSSD_DEFAULT_MACHINE_CRED_SUFFIX "machine" #define GSSD_DEFAULT_KEYTAB_FILE "/etc/krb5.keytab" diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index a51dbae..aa39435 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -918,6 +918,23 @@ int create_auth_rpc_client(struct clnt_info *clp, goto out; } +static char * +user_cachedir(char *dirname, uid_t uid) +{ + struct passwd *pw; + char *ptr; + + if ((pw = getpwuid(uid)) == NULL) { + printerr(0, "user_cachedir: Failed to find '%d' uid" + " for cache directory\n"); + return NULL; + } + ptr = malloc(strlen(dirname)+strlen(pw->pw_name)+2); + if (ptr) + sprintf(ptr, "%s/%s", dirname, pw->pw_name); + + return ptr; +} /* * this code uses the userland rpcsec gss library to create a krb5 * context on behalf of the kernel @@ -932,7 +949,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, gss_buffer_desc token; char **credlist = NULL; char **ccname; - char **dirname; + char **dirname, *dir, *userdir; int create_resp = -1; int err, downcall_err = -EACCES; @@ -975,7 +992,22 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, service == NULL)) { /* Tell krb5 gss which credentials cache to use */ for (dirname = ccachesearch; *dirname != NULL; dirname++) { - err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname); + /* See if the user name is needed */ + if (strncmp(*dirname, GSSD_USER_CRED_DIR, + strlen(GSSD_USER_CRED_DIR)) == 0) { + userdir = user_cachedir(*dirname, uid); + if (userdir == NULL) + continue; + dir = userdir; + } else + dir = *dirname; + + err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, dir); + + if (userdir) { + free(userdir); + userdir = NULL; + } if (err == -EKEYEXPIRED) downcall_err = -EKEYEXPIRED; else if (!err) |