author | Simo Sorce <simo@redhat.com> | 2013-08-31 22:44:06 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2013-09-19 23:01:22 -0400 |
commit | f43d0bbb4bd51271b3c1b1c56c4eb680d6e00438 (patch) | |
tree | e8d571ea65a1284e4b4bcd50378f5be66922fa19 /src/providers/krb5/krb5_auth.c | |
parent | 85822e46c1d26204b022a8c6cdbbb0b478235754 (diff) | |
krb5: More correct approach to public dir expansionccname
Commit 29752834fbf3a19e4e117668abfce4e4c7c48ee4 (Add expandable sequences
to krb5_ccachedir) introduced a new behavior that tried to take into account
the fact that parent directories may need to be created as accessible to
anyone by setting them to 01777 permissions.
However the test that determines whether the path should be public or not
is flawed and bleeds into pure file templates with undesirable consequences.
This patch corrects this behavior by clearly returning a specific path if it
needs to be made public and preserves any subdir in the template with user
private ownership.
Resolves:
https://fedorahosted.org/sssd/ticket/2071
Diffstat (limited to 'src/providers/krb5/krb5_auth.c')
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 6df34a8a..7937ec7e 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -293,7 +293,7 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr,
 {
 const char *ccname_template;
 const char *realm;
- bool private_path = false;
+ char *public_dir = NULL;
 errno_t ret;
 if (!kr->is_offline) {
@@ -301,11 +301,11 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr,
 }
 ccname_template = dp_opt_get_cstring(kr->krb5_ctx->opts, KRB5_CCNAME_TMPL);
- kr->ccname = expand_ccname_template(kr, kr, ccname_template, true,
- be_ctx->domain->case_sensitive,
- &private_path);
- if (kr->ccname == NULL) {
- DEBUG(1, ("expand_ccname_template failed.\n"));
+ ret = expand_ccname_template(kr, kr, ccname_template,
+ be_ctx->domain->case_sensitive,
+ &public_dir, &kr->ccname);
+ if (ret != EOK) {
+ DEBUG(1, ("expand_ccname_template failed.\n"));
 return ENOMEM;
 }
@@ -354,9 +354,9 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr,
 kr->valid_tgt ? "" : "not"));
 /* always recreate the ccache directory path */
- ret = sss_krb5_precreate_ccache(kr->ccname,
+ ret = sss_krb5_precreate_ccache(kr->ccname, public_dir,
 kr->krb5_ctx->illegal_path_re,
- kr->uid, kr->gid, private_path);
+ kr->uid, kr->gid);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, ("ccache precreation failed.\n"));
 return ret;
@@ -626,7 +626,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
 NULL);
 if (ccache_file != NULL) {
 kr->old_ccname = talloc_strdup(kr, ccache_file);
- if (kr->old_ccname == NULL) {
+ if (kr->ccname == NULL || kr->old_ccname == NULL) {
 DEBUG(1, ("talloc_strdup failed.\n"));
 ret = ENOMEM;
 goto done;
 |
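Review bot: In the second hunk (`@@ -301,11 +301,11 @@`) the failure branch still returns a hard-coded ENOMEM although expand_ccname_template now reports its own errno_t, so any non-allocation failure of the template expansion reaches callers and logs as out-of-memory. Propagate and log the real code instead: `DEBUG(1, ("expand_ccname_template failed [%d].\n", ret));` followed by `return ret;`. krb5_auth_prepare_ccache_name starts and ends outside this hunk.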
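Review bot: The call in the third hunk (`@@ -354,9 +354,9 @@`) passes `public_dir` to sss_krb5_precreate_ccache with no comment on its contract, and per the commit message this is the directory that ends up with mode 01777. A short comment above the call would make the permission boundary reviewable, e.g. `/* public_dir: shared parent that may be created 01777, or NULL if the template has none; everything below it is created private to kr->uid/kr->gid */`. That NULL means "nothing public" is inferred from the initialiser in the first hunk and should be confirmed against expand_ccname_template, which is not shown on this page.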
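Review bot: The widened condition in the fourth hunk (`@@ -626,7 +626,7 @@`) tests `kr->ccname` although the visible lines only assign `kr->old_ccname`, and both cases share the "talloc_strdup failed" message and ENOMEM. If kr->ccname can still be unset at this point in krb5_auth_send (its assignment is not visible in the hunk), a user with an existing ccache would see authentication fail with a spurious out-of-memory error. Either drop the extra test or give it its own branch with an accurate message and code, for example `if (kr->ccname == NULL) { ret = EINVAL; goto done; }` ahead of the talloc_strdup check. The function continues outside the hunk.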