author Jeff Layton <jlayton@samba.org> 2017-02-11 08:38:46 -0500
committer Jeff Layton <jlayton@samba.org> 2017-02-15 12:11:27 -0500
commit ed97e4ecab4e9a103c46232785fb76b3f07d0637 (patch)
tree 9f3a2552fdd2f06dccc52cc147b07e4baa0c97a4 /pam_cifscreds.pod
parent 109c189bf4720b0d7ed43113e1e26c89c8b15ada (diff)
cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's /proc/<pid>/environ file

Chad reported that he was seeing a regression in cifs-utils-6.6. Prior to that, cifs.upcall was able to find credcaches in non-default FILE: locations, but with the rework of that code, that ability was lost.

Unfortunately, the krb5 library design doesn't really take into account the fact that we might need to find a credcache in a process that isn't descended from the session.

When the kernel does an upcall, it passes several bits of info about the task that initiated the upcall. One of those things is the PID (the tgid, in particular). We can use that info to reach into the /proc/<pid>/environ file for the process, and grab whatever value of $KRB5CCNAME is there.

Then, after switching credentials, set $KRB5CCNAME in the environment to the same value before opening the credcache, to hint to the krb5 libs where they ought to look.

This new behavior is on by default, but can be disabled by having request-key pass a '-E' flag to cifs.upcall.

Reported-by: Chad William Seys <cwseys@physics.wisc.edu>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Diffstat (limited to 'pam_cifscreds.pod')
0 files changed, 0 insertions, 0 deletions
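
The lookup the commit message describes, as an added example that is not the cifs-utils code from this commit: a bounded scan of a buffer in /proc/<pid>/environ format for an exact `KRB5CCNAME=` entry. The helper name `find_env_value` and the sample buffer are assumptions made for illustration. The value is supplied by the initiating task, so the caller should treat it as untrusted input.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not cifs-utils code). find_env_value() is a hypothetical
 * helper: it scans NUL-separated NAME=value entries, as found in
 * /proc/<pid>/environ. Returns 0 and fills out, or -1 if absent/too long.
 */
static int find_env_value(const char *buf, size_t len, const char *name,
                          char *out, size_t outlen)
{
    size_t namelen = strlen(name);
    size_t pos = 0;

    while (pos < len) {
        /* Entry ends at the next NUL, or at end of buffer if the read
         * was cut short and the last entry is unterminated. */
        const char *end = memchr(buf + pos, '\0', len - pos);
        size_t entlen = end ? (size_t)(end - (buf + pos)) : len - pos;

        /* Require "NAME=" exactly, so KRB5CCNAME_OLD=... does not match. */
        if (entlen > namelen && buf[pos + namelen] == '=' &&
            memcmp(buf + pos, name, namelen) == 0) {
            size_t vallen = entlen - namelen - 1;
            if (vallen >= outlen)
                return -1;      /* refuse to truncate a cache name */
            memcpy(out, buf + pos + namelen + 1, vallen);
            out[vallen] = '\0';
            return 0;
        }
        pos += entlen + 1;
    }
    return -1;
}

/* Constructed sample of an environ file; the literal's implicit
 * terminator closes the last entry. */
static const char sample_env[] =
    "PATH=/usr/bin\0KRB5CCNAME_OLD=FILE:/tmp/stale\0"
    "KRB5CCNAME=FILE:/tmp/krb5cc_custom\0HOME=/home/user";

int main(void)
{
    char val[256];
    if (find_env_value(sample_env, sizeof(sample_env), "KRB5CCNAME",
                       val, sizeof(val)) == 0)
        printf("KRB5CCNAME=%s\n", val);
    return 0;
}
```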