[PATCH] documentation fixes and keytab handling regression

Alexander Bokovoy ab at samba.org
Fri Dec 2 20:08:02 UTC 2016


On pe, 02 joulu 2016, Jeremy Allison wrote:
> On Fri, Dec 02, 2016 at 12:56:03PM +0200, Alexander Bokovoy wrote:
> > Hi,
> > 
> > attached two patches improve documentation for 'logon script' and
> > 'dedicated keytab file' options.
> > 
> > The second patch also fixes a regression introduced by the commit
> > c2f5c30b which broke specifying storage access format for keytabs.
> 
> NAK on the second patch. Sorry, but I don't understand what
> you're trying to check for w.r.t. relative/absolute paths
> here.
> 
> The original code refuses all paths that don't start with '/'
> (i.e. don't allow relative paths).
> 
> I'm assuming you want to allow paths of the form:
> 
> /absol/ute/path
> FILE:/absol/ute/path
> WRFILE:/absol/ute/path
> 
> but disallow paths of the form:
> 
> rela/tive/path
> FILE:rela/tive/path
> WRFILE:rela/tive/path
> 
> In which case the logic should be:
> 
> 	if (keytab_name_req != NULL) {
> 		if (keytab_name_req[0] != '/') {
> 			/*
> 			 * Might still be an absolute path, but
> 			 * prefixed by FILE:/ or WRFILE:/
> 			 */
> 			bool good_file = (strncmp(keytab_name_req, "FILE:/", 6) == 0);
> 			bool good_wrfile = (strncmp(keytab_name_req, "WRFILE:/", 8) == 0);
> 
> 			if (!good_file && !good_wrfile) {
> 				/* Nope - relative path. Disallow. */
> 				return KRB5_KT_BADNAME;
> 			}
> 		}
> 	}
> 
> Is this correct ?
The very same logic is in the smb_krb5_kt_open_relative() which
smb_krb5_kt_open() calls to after this check. However,
smb_krb5_kt_open_relative() supports also other prefixes, including
MEMORY: and ANY:. Thus, with your approach you would break the code that
might want to pull in a keytab created by Samba code somewhere else in
the process memory using MEMORY: prefix. Actually, it will not be able
to create such keytab at all, due to this change, unless
smb_krb5_kt_open_relative() is called directly.

We don't currently have anything like that yet (all callers to
smb_krb5_kt_open() do it either with NULL keytab or with externally
provided keytab name) but I can certainly imagine the use of it in case
we move away from always generating keys based on the plain text secret
from secrets.tdb.
-- 
/ Alexander Bokovoy



More information about the samba-technical mailing list