Re: Detect when KRB5CCNAME changes for certain server scenarios

[Michael B Allen <mba2000@ioplex.com>]

On Sat, 10 Feb 2007 08:05:26 +1100
Love Hörnquist Åstrand <lha@kth.se> wrote:

> 
> 10 feb 2007 kl. 04.03 skrev Michael B Allen:
> 
> > And what if you do not change uids?
> >
> > This is a real error that I ecountered in my application. Apache  
> > workers
> > all run as 'nobody' and do not change uids. Once the  
> > default_cc_name is
> > set for an httpd worker process all subsequent authentications by that
> > worker will use the old ccache and init_sec_context will fail to find
> > the desired cred.
> 
> I also think its a real problem, sorry if that didn't come across.
> 
> Lets try express this is code instead of words since I can't get  
> across what I
> the code to do.

You know what the best solution is but let me be thoughtful and offer
you another method to choose from.

You could add the following to lib/gssapi/krb5/ccache_name.c:

  krb5_error_code
  gss_krb5_cc_default(krb5_context context, krb5_ccache *id)
  {
      krb5_error_code kret;
 
      if (context == gssapi_krb5_context) {
          static char *krb5ccname;
          char *s;
  
          s = getenv("KRB5CCNAME");
  
          if (s != krb5ccname) {
              krb5ccname = s;
              kret = krb5_cc_set_default_name(context, krb5ccname);
              if (kret)
                  return kret;
          }
      }
  
      kret = krb5_cc_default(context, id);
  
      return kret;
  }

Then in lib/gssapi/krb5/acquire_cred.c:acquire_initiator_cred replace
the krb5_cc_default call with one to the above function. I have tested
this in my use-case and it works.

This method has two advantages.

  1) The fix is isolated to lib/gssapi/krb5 code which is the real
  source of the problem.  The problem (in my use-case at least) is
  caused by libgssapi's use of a static gssapi_krb5_context. Someone
  initiating an authentication using libkrb5 directly will create a
  separate krb5_context which in turn will have it's own default_cc_name.

  2) Because of 1, no mutex is necessary becasue the above function is
  already protected by the GSSAPI mutex provided that the context is
  in fact the static gssapi_krb5_context.

If you do choose this method then there are a handful of other instances
of krb5_cc_default and krb5_cc_default_name that need to be considered in
lib/gssapi/krb5. Additionally you would need to factor in your uid checks.

I am personnaly indifferent as to which method you choose. I just want
to make sure we have considered everything. One could argue that because
KRB5CCNAME is a concept specific to libkrb5 that it should be dealt
with there.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/