[cifs-utils PATCH 7/8] cifs.upcall: unset $KRB5CCNAME when creating new credcache from keytab
Jeff Layton
jlayton at samba.org
Fri Feb 24 14:54:18 UTC 2017
On Fri, 2017-02-24 at 09:38 -0500, Simo Sorce wrote:
> On Fri, 2017-02-24 at 09:27 -0500, Jeff Layton wrote:
> > We don't want to trust $KRB5CCNAME when creating or updating a new
> > credcache since we could be operating under the wrong credentials.
> > Always create new credcaches in the default location instead.
> >
> > Reported-by: Chad William Seys <cwseys at physics.wisc.edu>
> > Signed-off-by: Jeff Layton <jlayton at samba.org>
> > ---
> > cifs.upcall.c | 6 ++++++
> > 1 file changed, 6 insertions(+)
> >
> > diff --git a/cifs.upcall.c b/cifs.upcall.c
> > index 15e1e0f91c22..0c89d7cf40d7 100644
> > --- a/cifs.upcall.c
> > +++ b/cifs.upcall.c
> > @@ -379,6 +379,12 @@ init_cc_from_keytab(const char *keytab_name, const char *user)
> >
> > memset((char *) &my_creds, 0, sizeof(my_creds));
> >
> > + /*
> > + * Unset the environment variable, if any. If we're creating our own
> > + * credcache here, stick it in the default location.
> > + */
> > + unsetenv(ENV_NAME);
> > +
> > if (keytab_name)
> > ret = krb5_kt_resolve(context, keytab_name, &keytab);
> > else
>
> How long do you need these credentials around for ?
> I wonder if using a memory ccache would work here.
>
>
Only for as long as the upcall program lasts. A memory cache sounds
like a good idea, actually. Let me ponder that...
More information about the samba-technical
mailing list