diff options
| author | Simo Sorce <simo@redhat.com> | 2013-08-31 14:21:22 -0400 |
|---|---|---|
| committer | Simo Sorce <simo@redhat.com> | 2013-09-09 15:11:46 -0400 |
| commit | 14050f35224360883e20ebd810d3eb40f39267cf (patch) | |
| tree | c31be7accf7d69007010ef67f832076ceffe9a7a /src/providers/krb5/krb5_auth.c | |
| parent | 0dbcc64a5cee58d5fffaaef923302d9c7a951a7d (diff) | |
| download | sssd-14050f35224360883e20ebd810d3eb40f39267cf.tar.gz sssd-14050f35224360883e20ebd810d3eb40f39267cf.tar.bz2 sssd-14050f35224360883e20ebd810d3eb40f39267cf.zip | |
krb5: Add file/dir path precheck
Add a precheck on the actual existence at all of the file/dir ccname
targeted (for FILE/DIR types), and bail early if nothing is available.
While testing I found out that without this check, the krb5_cc_resolve()
function we call as user to check old paths would try to create the
directory if it didn't exist.
With a ccname of DIR:/tmp/ccdir_1000 saved in the user entry this would
cause two undesirable side effects:
First it would actually create a directory with the old name, when it
should not.
Second, because for some reason the umask is set to 0127 in sssd_be, it
would create the directory with permission 600 (missing the 'x' traverse
bit on the directory. If the new ccache has the same name it would cause
the krb5_child process to fal to store the credential cache in it.
Related:
https://fedorahosted.org/sssd/ticket/2061
Diffstat (limited to 'src/providers/krb5/krb5_auth.c')
| -rw-r--r-- | src/providers/krb5/krb5_auth.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index 1585f709..7cfa3e94 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -69,6 +69,7 @@ check_old_ccache(const char *old_ccache, struct krb5child_req *kr, realm, kr->upn); switch (ret) { case ERR_NOT_FOUND: + case ENOENT: DEBUG(SSSDBG_TRACE_FUNC, ("Saved ccache %s doesn't exist.\n", old_ccache)); return ENOENT; |