The latest krb5 in F-19 updates-testing enables the DIR credential cache type by default, and this breaks mod_auth_kerb.
Attached is a WIP patch; it currently only works with SELinux in permissive mode, so it is not a complete fix yet.
At this point I'm not sure whether we're better off forcing a FILE ccache onto httpd in /tmp, or going with the DIR method, in which case we need to involve the SELinux folks so that httpd is allowed to create and write its ccache directory. I think the DIR method is probably better long-term.
rob
diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
index 455e6dd..828fd07 100644
--- a/src/mod_auth_kerb.c
+++ b/src/mod_auth_kerb.c
@@ -75,6 +75,8 @@
#include <stdio.h>
#include <stdarg.h>
#include <unixd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
#define MODAUTHKERB_VERSION "5.4"
@@ -163,6 +165,8 @@ static const char *lockname;
static apr_global_mutex_t *s4u2proxy_lock = NULL;
#endif
+char *apache_user = NULL;
+
/***************************************************************************
Macros To Ease Compatibility
***************************************************************************/
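Review bot: `apache_user` at L23 is a non-static, non-const `char *` although its only writer, the directive handler, receives a `const char *` and nothing outside this file needs the symbol; declare it `static const char *apache_user = NULL;`. Exporting a mutable global with a generic name like `apache_user` from a loadable module also invites a symbol clash with another module that picks the same name.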
@@ -232,6 +236,9 @@ krb5_save_realms(cmd_parms *cmd, void *sec, const char *arg);
static const char *
cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1);
+const char *
+set_apache_user(cmd_parms *cmd, void *dummy, const char *arg);
+
static int
obtain_server_credentials(request_rec *r, const char *service_name);
@@ -292,6 +299,9 @@ static const command_rec kerb_auth_cmds[] = {
AP_INIT_TAKE1("KrbConstrainedDelegationLock", cmd_delegationlock, NULL,
RSRC_CONF, "the filename of a lockfile used for inter-process synchronization"),
+
+ AP_INIT_TAKE1("User", set_apache_user, NULL, RSRC_CONF,
+ "Apache user. Comes from httpd.conf."),
#endif
#ifdef KRB4
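Review bot: Registering `User` in this module's command table (L40) collides with the directive httpd's core already defines; as far as I recall `ap_find_command_in_modules()` returns the first module table that matches, so depending on module order this handler can shadow the core one — in which case httpd would never drop privileges to the configured user — or the core one shadows this and `apache_user` stays NULL. The value is already available after config parsing as `ap_unixd_config.user_name` (plus `user_id`/`group_id`; `unixd_config` on 2.2) from the `unixd.h` included at L16. Reading that in `kerb_init_handler` lets the directive and `set_apache_user` be dropped entirely, e.g. `apr_uid_t userid = ap_unixd_config.user_id;`.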
@@ -393,6 +403,14 @@ cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1)
return NULL;
}
+const char *
+set_apache_user(cmd_parms *cmd, void *dummy, const char *arg)
+{
+ apache_user = arg;
+
+ return NULL;
+}
+
static void
log_rerror(const char *file, int line,
#ifdef WITH_HTTPD24
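Review bot: `set_apache_user` (L47-L53) discards the `const` qualifier when it stores `arg` into `char *apache_user`, and unlike the sibling handler `cmd_delegationlock` (L29) it is not `static`, so the symbol is exported from the module. Declare both the prototype and the definition as `static const char *set_apache_user(cmd_parms *cmd, void *dummy, const char *arg)` and make the global `const char *`. It would also help to reject an empty value at parse time, `if (*arg == '\0') return "User requires a user name";`, so a misconfiguration is reported at startup instead of failing later in the uid lookup.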
@@ -2172,6 +2190,10 @@ kerb_init_handler(apr_pool_t *p, apr_pool_t *plog,
apr_pool_t *ptemp, server_rec *s)
{
apr_status_t rv;
+ int old_umask, ret;
+ char *dirname = NULL;
+ apr_uid_t userid;
+ apr_gid_t groupid;
ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION);
#ifndef HEIMDAL
/* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
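Review bot: `old_umask` is declared `int` at L62 but `umask()` both takes and returns `mode_t`; use `mode_t old_umask;`. `userid` and `groupid` (L64-L65) are left uninitialized here, and the function body continues past this hunk, so they are only safe if every later path that reads them checks that the uid lookup actually succeeded.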
@@ -2179,6 +2201,24 @@ kerb_init_handler(apr_pool_t *p, apr_pool_t *plog,
if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
putenv(strdup("KRB5RCACHETYPE=none"));
#endif
+ apr_uid_get(&userid, &groupid, apache_user, ptemp);
+ dirname = apr_psprintf(ptemp, "/run/user/%d", userid);
+ old_umask = umask(0000);
+ ret = mkdir(dirname, 0700);
+ umask(old_umask);
+ if (ret == -1) {
+ if (errno != EEXIST) {
+ ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s,
+ "Unable to create ccache directory: %d", errno);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ }
+ ret = chown(dirname, userid, groupid);
+ if (ret == -1) {
+ ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s,
+ "Unable to chown ccache directory: %d", errno);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
#ifdef STANDARD20_MODULE_STUFF
rv = s4u2proxylock_create(s, p);
if (rv != APR_SUCCESS) {