From 624a18044d42bef24223beff9f584799e1429715 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 17 Apr 2013 13:31:55 +0200 Subject: [PATCH] Add a patch to fix krb5 ccache creation issue with krb5 1.11 --- ...ir-creation-issue-with-MIT-krb5-1.11.patch | 181 ++++++++++++++++++ sssd.spec | 6 +- 2 files changed, 186 insertions(+), 1 deletion(-) create mode 100644 0001-Fix-krbcc-dir-creation-issue-with-MIT-krb5-1.11.patch diff --git a/0001-Fix-krbcc-dir-creation-issue-with-MIT-krb5-1.11.patch b/0001-Fix-krbcc-dir-creation-issue-with-MIT-krb5-1.11.patch new file mode 100644 index 0000000..bd98652 --- /dev/null +++ b/0001-Fix-krbcc-dir-creation-issue-with-MIT-krb5-1.11.patch @@ -0,0 +1,181 @@ +From 9d890186ec2b511aa30a9574543f29e1ef56e0e8 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Sat, 6 Apr 2013 17:58:53 +0200 +Subject: [PATCH] Fix krbcc dir creation issue with MIT krb5 1.11 + +In krb5-libs >= 1.11, function krb5_cc_resolve verify if credential cache dir +exists. If it doesn't exist, than it will be created with process permissions +and not user permissions. + +Function cc_residual_is_used has already checked for non existing +directory, but it wasn't considered to be a failure and therefore next call +of krb5_init_context will create directory with wrong permissions. + +Now if directory doesn't exist, it will be handled like there was not ccache +attribute in sysdb cache. We also check if "primary" file in ccache directory +has right permissions. But we ignore missing "primary" file. + +https://fedorahosted.org/sssd/ticket/1822 +--- + src/providers/krb5/krb5_auth.c | 12 ++++++++- + src/providers/krb5/krb5_utils.c | 60 ++++++++++++++++++++++++++++++++++------- + 2 files changed, 61 insertions(+), 11 deletions(-) + +diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c +index 00025bfc156eaf641217194c6301f4d70a773a73..5baea0bc84bb6991d32300210d4bb4db3bcee5d0 100644 +--- a/src/providers/krb5/krb5_auth.c ++++ b/src/providers/krb5/krb5_auth.c +@@ -106,6 +106,11 @@ check_old_ccache(const char *old_ccache, struct krb5child_req *kr, + + ret = old_cc_ops->check_existing(old_ccache, kr->uid, realm, kr->upn, + cc_template, active, valid); ++ if (ret == ENOENT) { ++ DEBUG(SSSDBG_TRACE_FUNC, ++ ("Saved ccache %s doesn't exist.\n", old_ccache)); ++ return ret; ++ } + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + ("Cannot check if saved ccache %s is active and valid\n", +@@ -617,7 +622,12 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx, + ret = check_old_ccache(ccache_file, kr, realm, + &kr->active_ccache, + &kr->valid_tgt); +- if (ret != EOK) { ++ if (ret == ENOENT) { ++ DEBUG(SSSDBG_FUNC_DATA, ++ ("Ignoring ccache attribute [%s], because it doesn't" ++ "exist.\n", ccache_file)); ++ ccache_file = NULL; ++ } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("check_if_ccache_file_is_used failed.\n")); + goto done; +diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c +index ad77c7cc8305a98cc263cd7c6222979f361d0155..524568939507dac497ebf373612c40dfac6bf74c 100644 +--- a/src/providers/krb5/krb5_utils.c ++++ b/src/providers/krb5/krb5_utils.c +@@ -776,7 +776,7 @@ cc_residual_is_used(uid_t uid, const char *ccname, + DEBUG(SSSDBG_FUNC_DATA, ("Cache file [%s] does not exist, " + "it will be recreated\n", ccname)); + *result = false; +- return EOK; ++ return ENOENT; + } + + DEBUG(SSSDBG_OP_FAILURE, +@@ -869,10 +869,13 @@ cc_file_check_existing(const char *location, uid_t uid, + + ret = cc_residual_is_used(uid, filename, SSS_KRB5_TYPE_FILE, &active); + if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, ("Could not check if ccache is active. " +- "Will create a new one.\n")); ++ if (ret != ENOENT) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ ("Could not check if ccache is active.\n")); ++ } + cc_check_template(cc_template); + active = false; ++ return ret; + } + + kerr = krb5_init_context(&context); +@@ -998,6 +1001,7 @@ cc_dir_check_existing(const char *location, uid_t uid, + const char *cc_template, bool *_active, bool *_valid) + { + bool active = false; ++ bool active_primary = false; + bool valid = false; + krb5_ccache ccache = NULL; + krb5_context context = NULL; +@@ -1006,7 +1010,9 @@ cc_dir_check_existing(const char *location, uid_t uid, + const char *filename; + const char *dir; + char *tmp; ++ char *primary_file; + errno_t ret; ++ TALLOC_CTX *tmp_ctx; + + type = sss_krb5_get_type(location); + if (type != SSS_KRB5_TYPE_DIR) { +@@ -1027,29 +1033,62 @@ cc_dir_check_existing(const char *location, uid_t uid, + return EINVAL; + } + +- tmp = talloc_strdup(NULL, filename); +- if (!tmp) return ENOMEM; ++ tmp_ctx = talloc_new(NULL); ++ if (tmp_ctx == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, ("talloc_new failed.\n")); ++ return ENOMEM; ++ } ++ ++ tmp = talloc_strdup(tmp_ctx, filename); ++ if (!tmp) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_strdup failed.\n")); ++ ret = ENOMEM; ++ goto done; ++ } + + dir = dirname(tmp); + if (!dir) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("Cannot base get directory of %s\n", location)); +- return EINVAL; ++ ret = EINVAL; ++ goto done; + } + + ret = cc_residual_is_used(uid, dir, SSS_KRB5_TYPE_DIR, &active); +- talloc_free(tmp); + if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, ("Could not check if ccache is active. " +- "Will create a new one.\n")); ++ if (ret != ENOENT) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ ("Could not check if ccache is active.\n")); ++ } + cc_check_template(cc_template); + active = false; ++ goto done; ++ } ++ ++ /* If primary file isn't in ccache dir, we will ignore it. ++ * But if primary file has wrong permissions, we will fail. ++ */ ++ primary_file = talloc_asprintf(tmp_ctx, "%s/primary", dir); ++ if (!primary_file) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_asprintf failed.\n")); ++ ret = ENOMEM; ++ goto done; ++ } ++ ret = cc_residual_is_used(uid, primary_file, SSS_KRB5_TYPE_FILE, ++ &active_primary); ++ if (ret != EOK && ret != ENOENT) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ ("Could not check if file 'primary' [%s] in dir ccache" ++ " is active.\n", primary_file)); ++ active = false; ++ goto done; + } + + krberr = krb5_init_context(&context); + if (krberr) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to init kerberos context\n")); +- return EIO; ++ ret = EIO; ++ goto done; + } + + krberr = krb5_cc_resolve(context, location, &ccache); +@@ -1081,6 +1120,7 @@ cc_dir_check_existing(const char *location, uid_t uid, + + ret = EOK; + done: ++ talloc_free(tmp_ctx); + if (ccache) krb5_cc_close(context, ccache); + krb5_free_context(context); + *_active = active; +-- +1.8.1.4 + diff --git a/sssd.spec b/sssd.spec index b377b76..9d55da5 100644 --- a/sssd.spec +++ b/sssd.spec @@ -16,7 +16,7 @@ Name: sssd Version: 1.10.0 -Release: 1%{?dist}.alpha1 +Release: 2%{?dist}.alpha1 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -25,6 +25,7 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}alpha1.tar.gz BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) ### Patches ### +Patch0001: 0001-Fix-krbcc-dir-creation-issue-with-MIT-krb5-1.11.patch Patch0501: 0501-FEDORA-Switch-the-default-ccache-location.patch ### Dependencies ### @@ -532,6 +533,9 @@ fi %postun -n libsss_sudo -p /sbin/ldconfig %changelog +* Wed Apr 17 2013 Jakub Hrozek - 1.10.0-2.alpha1 +- Add a patch to fix krb5 ccache creation issue with krb5 1.11 + * Tue Apr 2 2013 Jakub Hrozek - 1.10.0-1.alpha1 - New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1