From 14050f35224360883e20ebd810d3eb40f39267cf Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sat, 31 Aug 2013 14:21:22 -0400 Subject: krb5: Add file/dir path precheck Add a precheck on the actual existence at all of the file/dir ccname targeted (for FILE/DIR types), and bail early if nothing is available. While testing I found out that without this check, the krb5_cc_resolve() function we call as user to check old paths would try to create the directory if it didn't exist. With a ccname of DIR:/tmp/ccdir_1000 saved in the user entry this would cause two undesirable side effects: First it would actually create a directory with the old name, when it should not. Second, because for some reason the umask is set to 0127 in sssd_be, it would create the directory with permission 600 (missing the 'x' traverse bit on the directory). If the new ccache has the same name it would cause the krb5_child process to fail to store the credential cache in it. Related: https://fedorahosted.org/sssd/ticket/2061 --- src/providers/krb5/krb5_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'src/providers/krb5/krb5_auth.c') diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index 1585f709..7cfa3e94 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -69,6 +69,7 @@ check_old_ccache(const char *old_ccache, struct krb5child_req *kr, realm, kr->upn); switch (ret) { case ERR_NOT_FOUND: + case ENOENT: DEBUG(SSSDBG_TRACE_FUNC, ("Saved ccache %s doesn't exist.\n", old_ccache)); return ENOENT; -- cgit
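
Review bot: the new `case ENOENT:` label in the `switch (ret)` of check_old_ccache() shares the ERR_NOT_FOUND branch with no comment saying which call now returns ENOENT, and the precheck the commit message describes is not part of this file's hunk, so a reader of krb5_auth.c cannot tell why two different not-found codes arrive here. Suggest a one-line comment above the label naming the FILE/DIR path precheck as the source of ENOENT, or having the callee return a single not-found code so the switch needs only one label. Separately, the message leaves the 0127 umask in sssd_be unexplained ("for some reason"); the precheck avoids the case where the saved path is missing, but the umask is what produces a directory without the traverse bit, so it deserves its own follow-up rather than staying implicit in this change.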