[PATCH] documentation fixes and keytab handling regression
Jeremy Allison
jra at samba.org
Fri Dec 2 21:44:25 UTC 2016
On Fri, Dec 02, 2016 at 10:08:02PM +0200, Alexander Bokovoy wrote:
> >
> > Is this correct ?
> The very same logic is in the smb_krb5_kt_open_relative() which
> smb_krb5_kt_open() calls to after this check. However,
> smb_krb5_kt_open_relative() supports also other prefixes, including
> MEMORY: and ANY:. Thus, with your approach you would break the code that
> might want to pull in a keytab created by Samba code somewhere else in
> the process memory using MEMORY: prefix. Actually, it will not be able
> to create such keytab at all, due to this change, unless
> smb_krb5_kt_open_relative() is called directly.
Thinking some more - your patch checks all non absolute paths for :/
and refuses anything that doesn't have those.
So unless you have MEMORY:/ and ANY:/ then your patch breaks
those too.
I think we need a list of allowable prefixes and what the
following tags can be - so we can differentiate between
pathname based prefixes and others.
More information about the samba-technical
mailing list