On Sun, Sep 23, 2012 at 11:12:30PM +0200, Jakub Hrozek wrote: > https://fedorahosted.org/sssd/ticket/1384 > > I tested by logging in from one terminal, then chowning the ccache to > root.root to make the existing ccache unusable by the krb5_child process > and attempting to log in from another terminal. > > Without the patch, the second login would just fail. With the patch, the > second login would succeed so the user can su or sudo and fix the > permissions problem.
But I would expect that it will only succeed if you use a ccache file with a random component. And since we use FILE:%d/krb5cc_%U_XXXXXX as a default this is good. But I think we should make clear that if e.g you use FILE:%d/krb5cc_%U or a DIR type ccache, which will most likely have a fixed location, the second login will still fail. It would be nice if a check for the random component can be added here so that if we already know that we cannot overwrite the existing file or directory we fail before a new ticket is requested from the KDC. If we really want to be able to allow logins even in this case the only solution I can think of is to generate a new ccache location with a random component based on the configured one, e.g. by adding a suffix like '_sssd_fallback_XXXXXX', and send a message back to the user via PAM which indicates this change and that the original localtion must be checked. bye, Sumit > From da9151e73d6389705463341728bc0fbef4982900 Mon Sep 17 00:00:00 2001 > From: Jakub Hrozek <jhro...@redhat.com> > Date: Sun, 23 Sep 2012 23:00:45 +0200 > Subject: [PATCH] KRB5: Recover gracefully if the ccache file could not be > reused > > https://fedorahosted.org/sssd/ticket/1384 > --- > src/providers/krb5/krb5_utils.c | 10 ++++++---- > 1 file changed, 6 insertions(+), 4 deletions(-) > > diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c > index > 8b15fc35dd172179713eac53fc2d4aa20f229d28..774f62dad092f54e979f887307b72f6ccdc4acbf > 100644 > --- a/src/providers/krb5/krb5_utils.c > +++ b/src/providers/krb5/krb5_utils.c > @@ -721,8 +721,9 @@ cc_file_check_existing(const char *location, uid_t uid, > > ret = cc_residual_is_used(uid, filename, SSS_KRB5_TYPE_FILE, &active); > if (ret != EOK) { > - DEBUG(SSSDBG_OP_FAILURE, ("Could not check if ccache is active\n")); > - return ret; > + DEBUG(SSSDBG_OP_FAILURE, ("Could not check if ccache is active. " > + "Will create a new one.\n")); > + active = false; > } > > kerr = krb5_init_context(&context); > @@ -890,8 +891,9 @@ cc_dir_check_existing(const char *location, uid_t uid, > ret = cc_residual_is_used(uid, dir, SSS_KRB5_TYPE_DIR, &active); > talloc_free(tmp); > if (ret != EOK) { > - DEBUG(SSSDBG_CRIT_FAILURE, ("Could not check if ccache is > active\n")); > - return ret; > + DEBUG(SSSDBG_OP_FAILURE, ("Could not check if ccache is active. " > + "Will create a new one.\n")); > + active = false; > } > > krberr = krb5_init_context(&context); > -- > 1.7.11.4 > > _______________________________________________ > sssd-devel mailing list > sssd-devel@lists.fedorahosted.org > https://lists.fedorahosted.org/mailman/listinfo/sssd-devel _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
