diff options
| author | Kevin Coffman <kwc@citi.umich.edu> | 2007-03-16 10:27:44 -0400 |
|---|---|---|
| committer | Neil Brown <neilb@suse.de> | 2007-03-19 09:47:37 +1100 |
| commit | 1a5b79866092e5061f3a6d2cd1a644f47e65ba3a (patch) | |
| tree | d026002d1dff437290ac963fa508cf99e6c81961 /utils/gssd/gssd.c | |
| parent | 3bfd8b18c743cc0908a70a7d401521250ade4776 (diff) | |
| download | nfs-utils-1a5b79866092e5061f3a6d2cd1a644f47e65ba3a.tar.gz nfs-utils-1a5b79866092e5061f3a6d2cd1a644f47e65ba3a.tar.xz nfs-utils-1a5b79866092e5061f3a6d2cd1a644f47e65ba3a.zip | |
Add option to allow root to use credentials other than machine credentials
Add a new option ("-n") to rpc.gssd to indicate that accesses as root
(uid 0) should not use machine credentials, but should instead use
"normal" Kerberos credentials obtained by root.
This change was prompted by a suggestion and patch from Daniel
Muntz <Dan.Muntz@netapp.com>. That patch suggested trying "normal"
credentials first and falling back to using machine creds for
uid 0 if normal creds failed.
This opens up the case where root may have credentials as "foo@REALM"
and begins accessing files. Then the context using those credentials
expires and must be renewed. If the credentials are now expired, then
root's new context would fall back and be created with the machine
credentials.
Instead, this patch insists that the administrator choose to use either
machine credentials for accesses by uid 0 (the default behavior, as
it was before) or "normal" credentials. In the latter case, arrangements
must be made to obtain credentials before attempting a mount. There
should be no doubts which credentials are used for uid 0.
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>
Diffstat (limited to 'utils/gssd/gssd.c')
| -rw-r--r-- | utils/gssd/gssd.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c index 9988fe4..319dca4 100644 --- a/utils/gssd/gssd.c +++ b/utils/gssd/gssd.c @@ -57,12 +57,14 @@ char pipefsdir[PATH_MAX] = GSSD_PIPEFS_DIR; char keytabfile[PATH_MAX] = GSSD_DEFAULT_KEYTAB_FILE; char ccachedir[PATH_MAX] = GSSD_DEFAULT_CRED_DIR; int use_memcache = 0; +int root_uses_machine_creds = 1; void sig_die(int signal) { /* destroy krb5 machine creds */ - gssd_destroy_krb5_machine_creds(); + if (root_uses_machine_creds) + gssd_destroy_krb5_machine_creds(); printerr(1, "exiting on signal %d\n", signal); exit(1); } @@ -78,7 +80,7 @@ sig_hup(int signal) static void usage(char *progname) { - fprintf(stderr, "usage: %s [-f] [-v] [-r] [-p pipefsdir] [-k keytab] [-d ccachedir]\n", + fprintf(stderr, "usage: %s [-f] [-n] [-v] [-r] [-p pipefsdir] [-k keytab] [-d ccachedir]\n", progname); exit(1); } @@ -93,7 +95,7 @@ main(int argc, char *argv[]) extern char *optarg; char *progname; - while ((opt = getopt(argc, argv, "fvrmMp:k:d:")) != -1) { + while ((opt = getopt(argc, argv, "fvrmnMp:k:d:")) != -1) { switch (opt) { case 'f': fg = 1; @@ -104,6 +106,9 @@ main(int argc, char *argv[]) case 'M': use_memcache = 1; break; + case 'n': + root_uses_machine_creds = 0; + break; case 'v': verbosity++; break; @@ -160,7 +165,8 @@ main(int argc, char *argv[]) signal(SIGHUP, sig_hup); /* Process keytab file and get machine credentials */ - gssd_refresh_krb5_machine_creds(); + if (root_uses_machine_creds) + gssd_refresh_krb5_machine_creds(); gssd_run(); printerr(0, "gssd_run returned!\n"); |