From 9d890186ec2b511aa30a9574543f29e1ef56e0e8 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Sat, 6 Apr 2013 17:58:53 +0200
Subject: Fix krbcc dir creation issue with MIT krb5 1.11

In krb5-libs >= 1.11, function krb5_cc_resolve verify if credential cache dir exists. If it doesn't exist, than it will be created with process permissions and not user permissions. Function cc_residual_is_used has already checked for non existing directory, but it wasn't considered to be a failure and therefore next call of krb5_init_context will create directory with wrong permissions. Now if directory doesn't exist, it will be handled like there was not ccache attribute in sysdb cache. We also check if "primary" file in ccache directory has right permissions. But we ignore missing "primary" file.

https://fedorahosted.org/sssd/ticket/1822
---
 src/providers/krb5/krb5_auth.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'src/providers/krb5/krb5_auth.c')

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 00025bfc..5baea0bc 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -106,6 +106,11 @@ check_old_ccache(const char *old_ccache, struct krb5child_req *kr,
     ret = old_cc_ops->check_existing(old_ccache, kr->uid, realm, kr->upn,
                                      cc_template, active, valid);
+    if (ret == ENOENT) {
+        DEBUG(SSSDBG_TRACE_FUNC,
+              ("Saved ccache %s doesn't exist.\n", old_ccache));
+        return ret;
+    }
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE,
               ("Cannot check if saved ccache %s is active and valid\n",
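Review bot: The added early return turns ENOENT into a distinct, caller-visible outcome of check_old_ccache, but nothing in the function documents that contract, and whether ENOENT reaches this point at all depends on what old_cc_ops->check_existing reports for a missing ccache directory, which is implemented outside this file. Since callers now have to distinguish "ccache is gone" from "check failed", the function header (which starts outside the hunk) should say so, e.g. `/* Returns ENOENT when the saved ccache or its directory no longer exists; callers must treat that as "no saved ccache", not as an error. */`. It is also worth stating whether *active and *valid are meaningful after an ENOENT return, since the early return leaves them at whatever check_existing wrote — presumably untouched, but that cannot be confirmed from here.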
@@ -617,7 +622,12 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
     ret = check_old_ccache(ccache_file, kr, realm, &kr->active_ccache,
                            &kr->valid_tgt);
-    if (ret != EOK) {
+    if (ret == ENOENT) {
+        DEBUG(SSSDBG_FUNC_DATA,
+              ("Ignoring ccache attribute [%s], because it doesn't"
+               "exist.\n", ccache_file));
+        ccache_file = NULL;
+    } else if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE, ("check_if_ccache_file_is_used failed.\n"));
         goto done;
-- cgit
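Review bot: The two adjacent string literals in the new DEBUG call concatenate without a separator, so the message is logged as "...because it doesn'texist."; the first literal should end with a space: `("Ignoring ccache attribute [%s], because it doesn't "`. Beyond the typo, clearing ccache_file discards the saved path but leaves kr->active_ccache and kr->valid_tgt holding whatever check_old_ccache wrote before returning ENOENT, so the code that later selects or creates the ccache (outside this hunk, in the remainder of krb5_auth_send) should be confirmed not to consult those fields in this path. A short comment on the `ccache_file = NULL;` line stating that a missing ccache directory is deliberately treated like an absent sysdb attribute, so that the cache is recreated with the user's permissions rather than the daemon's, would record the reason given in the commit message where the next reader will look for it. krb5_auth_send continues beyond the hunk.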