Do not look for plugin DLLs in either
$ORIGIN/../lib/plugin/krb5
$ORIGIN/../lib
Only look for plugin DLLs in $ORIGIN
Change-Id: I432cd81720b172e7451601b56ea7bba3c03d7d47
Execute tests that were built on Windows but previously skipped.
Remove the duplicate build rules for test-rfc3961.exe.
Change-Id: Icc84c07a33afbdc6ffa509222a3c81de35168eaf
Normally one would dlopen() a shared object's basename, not its absolute
path. However, lib/krb5/plugin.c, in an effort to be zero-conf-ish,
wants to readdir() to find plugins to load, and in the process it ends
up defeating the RTLD's search-the-caller's-rpath.
This commit partially addresses this by allowing the use of $ORIGIN in
plugin_dir values and using them for the default (except on OS X).
This allows multiple Heimdal versions installed on the same host, but
with different plugin ABIs, to co-exist. A step forward for doing make
check on hosts where Heimdal is installed.
For now we hardcode $ORIGIN/../lib/plugin/krb5 (linux, Solaris, *BSD),
or $ORIGIN (Windows; for assemblies objects need to be in the same
directory) and we eval $ORIGIN by using dladdr() (Linux, Solaris) or
GetModuleHandleEx() (Win32, via a dladdr() wrapper in libroken) to find
the path to libkrb5 whose dirname to use as $ORIGIN. For Windows,
because we need the plugins to be in the same directory as libkrb5, we
require a prefix on plugin DLLs ("plugin_krb5_") to distinguish them
from other objects.
We should add a special token to mean "look in $ORIGIN, sure, but
dlopen() the plugin basenames only (so the RTLD can search the rpath)".
- use O_NOFOLLOW
- be more strict not to follow symlinks
- require cache files to be owned by the user
- have sane permissions (not group/other readable)
As kerberos(8) provides a brief outline of this network authentication
system I would suggest extending SEE ALSO to include a few section 8
commands. I have excluded kadmind(8) and kpasswdd(8) as these servers
can be easily reachable from kadmin(8) and kpasswd(8) manual pages
respectively.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
There is no fchmod() implementation on Windows. For now prevent its
use on Windows with #ifndef _WIN32 but in the future set_default_cache()
should be updated to set ownership permissions for the cache file.
Change-Id: I57214dfecbd25d7b337a568fa5e522c0a22dbb76
If the registry type is NONE and the string is all numeric or
if the type is DWORD, the string is converted to a DWORD and then
stored into the registry as a REG_DWORD using RegSetValueEx().
The input parameter should be a pointer to the DWORD variable not
its value.
Change-Id: I9ff12121c6c17eb5afb2ea89adf8bb9cc6aa3a89
- KRB5_PRINCIPAL_PARSE_IGNORE_REALM: MIT compatible
- KRB5_PRINCIPAL_PARSE_NO_DEF_REALM: Don't default the realm
The first ignores the realm if present.
The second does not impute the default realm if no realm is given and
leaves the realm NULL. This will be used in kinit to determine whether
the user provided a realm or not, and if not we may use the user_realm,
or find the realm via the keytab.
Set the realm argument to NULL to get the usual default realm.
The krb5_parse_name_flags() function is now a wrapper around
krb5_parse_name_flags_realm().
