[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Why is KRB5CCNAME ignored if issuid?


I see an issue with the following code:

krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_set_default_name(krb5_context context, const char *name)
    krb5_error_code ret = 0;
    char *p; 

    if (name == NULL) {
        const char *e = NULL;

        if(!issuid()) {
            e = getenv("KRB5CCNAME");

It is not unheard of for a web script to use the KRB5CCNAME environment
variable to communicate the authenticated user's credential to Kerberos
aware clients such as curl_open, pgsql_connect, ldap_sasl_bind,
... etc. A worker process in a web server will almost certainly call
setuid or perhaps seteuid. This means that the above 'if (!issuid())'
check will return false [1] and the credential will not be found.

What specifically is that 'if (!issuid())' condition for and can it be
adjusted to accommodate the scenario described?


[1] Actually for some reason this does not happen on Linux but I just
ported some code to FreeBSD and it does return false.

Michael B Allen
PHP Active Directory Kerberos SSO