> In article <[EMAIL PROTECTED]>,
> Todd Zino <[EMAIL PROTECTED]> wrote:
> : I'd think this would conflict with the format in the keytab we generated.
> : I also noticed that the srv_rcache.c I stepped through en route to
> : rc_io.c has some blocks to check for backward slashes in the principal
> : name but not forward slashes. Is this to handle a different problem or
> : the same issue in Win32 type systems?
> :
[EMAIL PROTECTED] (Jeffrey Altman) responded:
> The code in srv_rcache.c certainly has nothing to do with Windows
> as the Windows file system APIs support '\' and '/' as identical
> path separators.
>
> More than likely the check for '\' is to ensure that escapes are
> not processed in calls to sprintf() or related functions.

I'm a bit confused as to why '/' is showing up in the first place.
Perhaps my copy of K5 is too old, but what I see in lib/krb5/krb/rd_req.c
is this:

        if ((retval = krb5_get_server_rcache(context,
             krb5_princ_component(context,server,0), &(*auth_context)->rcache)))
            goto cleanup_auth_context;
    }

where krb5_princ_component seems to be extracting the first component
of the parsed k5 filename. In lib/krb5/krb/parse.c, I see that '/' is
regarded as a component separator, so I don't *think* a component
should actually be capable of containing an embedded '/' in it. That
is, *unless* the / was escaped, which seems to be legal. That doesn't
sound like Todd Zino's problem, but it is a problem. Other potential
problems include embedded NUL characters (which the code goes to some
lengths to handle), characters with the parity bit set (not a special
case to K5, but might be to some filesystems), or principal names that
end in / or contain . or .. in combination with /.

I think a strong case could be made that krb5_get_server_rcache should
be doing *something* to ensure it's at least created a filename that's
legal according to the conventions of the local filesystem. There's
already some OS specific ugliness in krb5_get_server_rcache, but
perhaps that should all be moved to some new file under lib/krb5/os .

-Marcus Watts
UM ITCS Umich Systems Group
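
An added example (not part of the original message, and not MIT krb5 code): one way to do what is suggested above, turning a principal component into a name that is always a single legal path element even when it carries an escaped '/', a '\', a NUL, a high-bit byte, or is "." or "..". The function name rc_safe_name, the "rc_" prefix and the -XX hex escape are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not MIT krb5 code. Maps one principal component,
 * passed as (data, len) because it may contain NUL, to a name that is a
 * single legal path element. Returns 0, or -1 if out is too small. */
int rc_safe_name(const unsigned char *data, size_t len,
                 char *out, size_t outsz)
{
    static const char prefix[] = "rc_";   /* assumed prefix */
    size_t o = sizeof(prefix) - 1;

    if (outsz < sizeof(prefix))
        return -1;
    /* The prefix means "." and ".." can never be produced as names. */
    memcpy(out, prefix, sizeof(prefix));
    for (size_t i = 0; i < len; i++) {
        unsigned char c = data[i];
        int plain = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9') || c == '_' || c == '.';
        size_t need = plain ? 1 : 3;

        if (o + need + 1 > outsz)
            return -1;
        if (plain)
            out[o++] = (char)c;
        else   /* '/', '\\', NUL, high-bit bytes and '-' itself: -XX */
            o += (size_t)snprintf(out + o, outsz - o, "-%02x", (unsigned)c);
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample components, including an escaped '/' and "..". */
    static const char *samples[] = { "host", "a/b", "..", "a\\b", "x-y" };
    char name[64];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        if (rc_safe_name((const unsigned char *)samples[i],
                         strlen(samples[i]), name, sizeof(name)) == 0)
            printf("%-6s -> %s\n", samples[i], name);
    return 0;
}
```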