sys_getpeerid() [was Re: svn commit: samba r21887 -...]
Gerald (Jerry) Carter
jerry at samba.org
Tue Mar 20 14:04:16 GMT 2007
gd at samba.org wrote:
> Author: gd
> Date: 2007-03-20 12:44:40 +0000 (Tue, 20 Mar 2007)
> New Revision: 21887
>
> WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=21887
>
> Log:
> Fix annoying bug where in a pam_close_session (or a pam_setcred with the
> PAM_DELETE_CREDS flag set) any user could delete krb5 credential caches.
> Make sure that only root can do this.
>
> Jerry, Jeremy, please check.
There are three places we use sys_getpeerid() that I can tell.
(a) Jeremy's Domain Users hack for reporting group membership,
(b) access to the ntlm_auth cache for applications like Firefox,
and now
(c) The capability to issue a logoff call.
If we don't have getpeerid() I can lose the first two. No big
deal.
The problem I see with (c) is that if a platform does not support
getpeerid() then you get to init a user's krb5 ccache but never
delete it. Which makes the feature asymmetrical based on support
for getpeerid().
Am I missing something here?
cheers, jerry