[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Detect when KRB5CCNAME changes for certain server scenarios

On Fri, 9 Feb 2007 12:35:22 +1100
Love Hörnquist Åstrand <lha@kth.se> wrote:

> 8 feb 2007 kl. 16.14 skrev Michael B Allen:
> > Please consider the below patch. This will cause  
> > krb5_cc_set_default_name
> > to be called if KRB5CCNAME changes at all. It assumes getenv returns
> > the same address but if it does not the code is at least correct.
> Shouldn't all inputs that changes the default name affect the "probe  
> function"
> Right now that is KRB5CCNAME and uid of the process.

Not if KRB5CCNAME is allowed to change at runtime.

Consider a single threaded server that authenticates a client
and calls setenv("KRB5CCNAME=deleg/ccache1") and then calls
gss_init_sec_context to authenticate with second server. That will
trigger context->default_cc_name to be set.

Then a second client is authenticated and calls
setenv("KRB5CCNAME=deleg/ccache2"). Again gss_init_sec_context is called
but now context->default_cc_name will *not* be set and the *wrong*
ccache file will be used.

> Also, if you use a static variable, you need to use a pthread mutex.
> In this case I don't think it would matter much, but better be safe.

True. I think on some archs you can get a bus error or similar.

Considering the error scenario is largely specific to GSSAPI the proper
fix would be to have GSSAPI call krb5_cc_set_default_name whenever it
detects a change in KRB5CCNAME.


Michael B Allen
PHP Active Directory SSO