powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1055 Commits
1 Branch
0 Tags
390 MiB
 
 
 
 
 
 
Tree: 260568e7ec
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '260568e7ec'
${ noResults }
base/SOURCES/Only-empty-FILE-ccaches-whe...

55 lines
2.0 KiB
Raw Blame History

From f2d1472f1557ceee70f2eaacf790c0222a36c4a1 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 10 Oct 2017 18:00:45 -0400
Subject: [PATCH] Only empty FILE ccaches when storing remote creds
This mitigates issues when services share a ccache between two
processes. We cannot fix this for FILE ccaches without introducing
other issues.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Merges: #216
(cherry picked from commit d09e87f47a21dd250bfd7a9c59a5932b5c995057)
---
proxy/src/mechglue/gpp_creds.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c
index 9fe9bd1..6bdff45 100644
--- a/proxy/src/mechglue/gpp_creds.c
+++ b/proxy/src/mechglue/gpp_creds.c
@@ -147,6 +147,7 @@ uint32_t gpp_store_remote_creds(uint32_t *min, bool default_creds,
char cred_name[creds->desired_name.display_name.octet_string_len + 1];
XDR xdrctx;
bool xdrok;
+ const char *cc_type;
*min = 0;
@@ -193,13 +194,20 @@ uint32_t gpp_store_remote_creds(uint32_t *min, bool default_creds,
}
cred.ticket.length = xdr_getpos(&xdrctx);
- /* Always initialize and destroy any existing contents to avoid pileup of
- * entries */
- ret = krb5_cc_initialize(ctx, ccache, cred.client);
- if (ret == 0) {
- ret = krb5_cc_store_cred(ctx, ccache, &cred);
+ cc_type = krb5_cc_get_type(ctx, ccache);
+ if (strcmp(cc_type, "FILE") == 0) {
+ /* FILE ccaches don't handle updates properly: if they have the same
+ * principal name, they are blackholed. We either have to change the
+ * name (at which point the file grows forever) or flash the cache on
+ * every update. */
+ ret = krb5_cc_initialize(ctx, ccache, cred.client);
+ if (ret != 0) {
+ goto done;
+ }
}
+ ret = krb5_cc_store_cred(ctx, ccache, &cred);
+
done:
if (ctx) {
krb5_free_cred_contents(ctx, &cred);