oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

add [libdefaults]fcache_strict_checking to gate the strict checking, defaults to on

Browse Source
This commit is contained in:
Love Hornquist Astrand
2013-07-11 21:17:49 +02:00
parent 2a565482f4
commit f396f66523
5 changed files with 16 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
lib/krb5/context.c
View File

@@ -250,6 +250,11 @@ init_context_from_config_file(krb5_context context)
if (strcasecmp(tmp, "ignore") == 0) if (strcasecmp(tmp, "ignore") == 0)
context->flags |= KRB5_CTX_F_RD_REQ_IGNORE; context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
} }
ret = krb5_config_get_bool_default(context, NULL, TRUE,
"libdefaults",
"fcache_strict_checking", NULL);
if (ret)
context->flags |= KRB5_CTX_F_FCACHE_STRICT_CHECKING;
return 0; return 0;
} }

8
lib/krb5/fcache.c
View File

@@ -395,6 +395,7 @@ fcc_open(krb5_context context,
krb5_error_code ret; krb5_error_code ret;
const char *filename; const char *filename;
struct stat sb1, sb2; struct stat sb1, sb2;
int strict_checking;;
int fd; int fd;
if (FCACHE(id) == NULL) if (FCACHE(id) == NULL)
@@ -402,7 +403,10 @@ fcc_open(krb5_context context,
filename = FILENAME(id); filename = FILENAME(id);
if ((flags & O_CREAT) == 0) { strict_checking = (flags & O_CREAT) == 0 &&
(context->flags & KRB5_CTX_F_FCACHE_STRICT_CHECKING) != 0;
if (strict_checking) {
ret = lstat(filename, &sb1); ret = lstat(filename, &sb1);
if (ret < 0) { if (ret < 0) {
krb5_set_error_message(context, ret, N_("%s lstat(%s)", "file, error"), krb5_set_error_message(context, ret, N_("%s lstat(%s)", "file, error"),
@@ -423,7 +427,7 @@ fcc_open(krb5_context context,
} }
rk_cloexec(fd); rk_cloexec(fd);
if ((flags & O_CREAT) == 0) { if (strict_checking) {
ret = fstat(fd, &sb2); ret = fstat(fd, &sb2);
if (ret < 0) { if (ret < 0) {

3
lib/krb5/krb5.conf.5
View File

@@ -319,6 +319,9 @@ given principal name, and if found the given username will be used, or,
if the username is missing, an error will be returned. If the file if the username is missing, an error will be returned. If the file
doesn't exist, or if no matching line is found then other plugins will doesn't exist, or if no matching line is found then other plugins will
be allowed to run. be allowed to run.
.It Li fcache_strict_checking
strict checking in FILE credential caches that owner, no symlink and
permissions is correct.
.El .El
.It Li [domain_realm] .It Li [domain_realm]
This is a list of mappings from DNS domain to Kerberos realm. This is a list of mappings from DNS domain to Kerberos realm.

1
lib/krb5/krb5_locl.h
View File

@@ -302,6 +302,7 @@ typedef struct krb5_context_data {
#define KRB5_CTX_F_HOMEDIR_ACCESS 4 #define KRB5_CTX_F_HOMEDIR_ACCESS 4
#define KRB5_CTX_F_SOCKETS_INITIALIZED 8 #define KRB5_CTX_F_SOCKETS_INITIALIZED 8
#define KRB5_CTX_F_RD_REQ_IGNORE 16 #define KRB5_CTX_F_RD_REQ_IGNORE 16
#define KRB5_CTX_F_FCACHE_STRICT_CHECKING 32
struct send_to_kdc *send_to_kdc; struct send_to_kdc *send_to_kdc;
#ifdef PKINIT #ifdef PKINIT
hx509_context hx509ctx; hx509_context hx509ctx;

1
lib/krb5/verify_krb5_conf.c
View File

@@ -391,6 +391,7 @@ struct entry libdefaults_entries[] = {
{ "encrypt", krb5_config_string, check_boolean, 0 }, { "encrypt", krb5_config_string, check_boolean, 0 },
{ "extra_addresses", krb5_config_string, NULL, 0 }, { "extra_addresses", krb5_config_string, NULL, 0 },
{ "fcache_version", krb5_config_string, check_numeric, 0 }, { "fcache_version", krb5_config_string, check_numeric, 0 },
{ "fcache_strict_checking", krb5_config_string, check_boolean, 0 },
{ "fcc-mit-ticketflags", krb5_config_string, check_boolean, 0 }, { "fcc-mit-ticketflags", krb5_config_string, check_boolean, 0 },
{ "forward", krb5_config_string, check_boolean, 0 }, { "forward", krb5_config_string, check_boolean, 0 },
{ "forwardable", krb5_config_string, check_boolean, 0 }, { "forwardable", krb5_config_string, check_boolean, 0 },