add [libdefaults]fcache_strict_checking to gate the strict checking, defaults to on

2013-07-11 21:17:49 +02:00
parent 2a565482f4
commit f396f66523
5 changed files with 16 additions and 2 deletions
--- a/lib/krb5/context.c
+++ b/lib/krb5/context.c
@@ -250,6 +250,11 @@ init_context_from_config_file(krb5_context context)
 	if (strcasecmp(tmp, "ignore") == 0)
 	    context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
    }
+    ret = krb5_config_get_bool_default(context, NULL, TRUE,
+				       "libdefaults",
+				       "fcache_strict_checking", NULL);
+    if (ret)
+	context->flags |= KRB5_CTX_F_FCACHE_STRICT_CHECKING;

    return 0;
 }
--- a/lib/krb5/fcache.c
+++ b/lib/krb5/fcache.c
@@ -395,6 +395,7 @@ fcc_open(krb5_context context,
    krb5_error_code ret;
    const char *filename;
    struct stat sb1, sb2;
+    int strict_checking;;
    int fd;

    if (FCACHE(id) == NULL)
@@ -402,7 +403,10 @@ fcc_open(krb5_context context,

    filename = FILENAME(id);

-    if ((flags & O_CREAT) == 0) {
+    strict_checking = (flags & O_CREAT) == 0 &&
+	(context->flags & KRB5_CTX_F_FCACHE_STRICT_CHECKING) != 0;
+
+    if (strict_checking) {
 	ret = lstat(filename, &sb1);
 	if (ret < 0) {
 	    krb5_set_error_message(context, ret, N_("%s lstat(%s)", "file, error"),
@@ -423,7 +427,7 @@ fcc_open(krb5_context context,
    }
    rk_cloexec(fd);

-    if ((flags & O_CREAT) == 0) {
+    if (strict_checking) {

 	ret = fstat(fd, &sb2);
 	if (ret < 0) {
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -319,6 +319,9 @@ given principal name, and if found the given username will be used, or,
 if the username is missing, an error will be returned.  If the file
 doesn't exist, or if no matching line is found then other plugins will
 be allowed to run.
+.It Li fcache_strict_checking
+strict checking in FILE credential caches that owner, no symlink and
+permissions is correct.
 .El
 .It Li [domain_realm]
 This is a list of mappings from DNS domain to Kerberos realm.
--- a/lib/krb5/krb5_locl.h
+++ b/lib/krb5/krb5_locl.h
@@ -302,6 +302,7 @@ typedef struct krb5_context_data {
 #define KRB5_CTX_F_HOMEDIR_ACCESS		4
 #define KRB5_CTX_F_SOCKETS_INITIALIZED          8
 #define KRB5_CTX_F_RD_REQ_IGNORE		16
+#define KRB5_CTX_F_FCACHE_STRICT_CHECKING	32
    struct send_to_kdc *send_to_kdc;
 #ifdef PKINIT
    hx509_context hx509ctx;
--- a/lib/krb5/verify_krb5_conf.c
+++ b/lib/krb5/verify_krb5_conf.c
@@ -391,6 +391,7 @@ struct entry libdefaults_entries[] = {
    { "encrypt", krb5_config_string, check_boolean, 0 },
    { "extra_addresses", krb5_config_string, NULL, 0 },
    { "fcache_version", krb5_config_string, check_numeric, 0 },
+    { "fcache_strict_checking", krb5_config_string, check_boolean, 0 },
    { "fcc-mit-ticketflags", krb5_config_string, check_boolean, 0 },
    { "forward", krb5_config_string, check_boolean, 0 },
    { "forwardable", krb5_config_string, check_boolean, 0 },