[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Detect when KRB5CCNAME changes for certain server scenarios
On Fri, 9 Feb 2007 12:35:22 +1100
Love Hörnquist Åstrand <firstname.lastname@example.org> wrote:
> 8 feb 2007 kl. 16.14 skrev Michael B Allen:
> > Please consider the below patch. This will cause
> > krb5_cc_set_default_name
> > to be called if KRB5CCNAME changes at all. It assumes getenv returns
> > the same address but if it does not the code is at least correct.
> Shouldn't all inputs that changes the default name affect the "probe
> Right now that is KRB5CCNAME and uid of the process.
Not if KRB5CCNAME is allowed to change at runtime.
Consider a single threaded server that authenticates a client
and calls setenv("KRB5CCNAME=deleg/ccache1") and then calls
gss_init_sec_context to authenticate with second server. That will
trigger context->default_cc_name to be set.
Then a second client is authenticated and calls
setenv("KRB5CCNAME=deleg/ccache2"). Again gss_init_sec_context is called
but now context->default_cc_name will *not* be set and the *wrong*
ccache file will be used.
> Also, if you use a static variable, you need to use a pthread mutex.
> In this case I don't think it would matter much, but better be safe.
True. I think on some archs you can get a bus error or similar.
Considering the error scenario is largely specific to GSSAPI the proper
fix would be to have GSSAPI call krb5_cc_set_default_name whenever it
detects a change in KRB5CCNAME.
Michael B Allen
PHP Active Directory SSO