On Thu, Apr 04, 2013 at 12:14:31PM +0200, Lukas Slebodnik wrote:
> ehlo,
>
> In krb5-libs 1.11, function krb5_cc_resolve verifies if the credential cache dir
> exists. If it doesn't exist, then it will be created. We
> have to ensure that it will be created with the right uid, gid and permissions.
>
> There is a check in krb_auth_send whether cached user data in ldb contains the
> SYSDB_CCACHE_FILE attribute. If it is available, then the old ccache is checked in
> function check_old_ccache. Gdm cleans the user directory (in /run/user/)
> after logout. This is the reason why the SYSDB_CCACHE_FILE attribute was found
> in the ldb cache and the directory did not exist, and then in function krb5_cc_resolve
> it was created with wrong permissions.
>
> Patch attached.
>
> LS

This is an interesting idea, but I wonder if it is safe to drop and restore euid like this. At the very least, you need to restore the ID back after krb5_cc_resolve no matter what, and I would prefer if this mechanism happened in a self-contained function with one return path.

But in general, I wonder if it was better to move calling krb5_cc_resolve completely to krb5_child and always call the child. If the ccache was active then the child would not kinit but just return the reused ccache.
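
The self-contained, single-return-path identity switch asked for in the reply above, sketched as an added example that is not part of this thread, the attached patch or SSSD's code. `run_as_user` and `make_ccache_dir` are hypothetical names, and `make_ccache_dir` is an assumed stand-in for the directory creation that happens inside krb5_cc_resolve.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Run fn(arg) with the effective gid/uid switched, then always restore them.
 * One return path; returns 0 or an errno value. Names are hypothetical. */
int run_as_user(uid_t uid, gid_t gid, int (*fn)(void *), void *arg)
{
    uid_t old_uid = geteuid();
    gid_t old_gid = getegid();
    int gid_set = 0, uid_set = 0, ret = 0;

    /* Group first: after dropping euid, setegid() may no longer be permitted. */
    if (setegid(gid) != 0) { ret = errno; goto done; }
    gid_set = 1;
    if (seteuid(uid) != 0) { ret = errno; goto done; }
    uid_set = 1;
    ret = fn(arg);
done:
    /* Reverse order: uid back first. Failing to restore is fatal, because
     * the daemon would otherwise keep running under the wrong identity. */
    if (uid_set && seteuid(old_uid) != 0) _exit(70);
    if (gid_set && setegid(old_gid) != 0) _exit(70);
    return ret;
}

/* Stand-in for the directory creation done inside krb5_cc_resolve(). */
int make_ccache_dir(void *arg)
{
    mode_t old_umask = umask(077);
    int ret = (mkdir((const char *)arg, 0700) == 0) ? 0 : errno;
    umask(old_umask);
    return ret;
}

int main(void)
{
    char base[] = "/tmp/ccache-demo-XXXXXX"; /* constructed sample location */
    char dir[64];
    if (mkdtemp(base) == NULL) return 1;
    snprintf(dir, sizeof dir, "%s/krb5cc_dir", base);
    /* A privileged caller would pass the target user's uid and gid here. */
    int ret = run_as_user(geteuid(), getegid(), make_ccache_dir, dir);
    printf("%s: %s\n", dir, ret == 0 ? "created" : "failed");
    return ret != 0;
}
```

seteuid() and setegid() apply to the whole process and leave supplementary groups untouched, so every thread runs with the switched ids for the duration of the callback.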