From 2dcecd21262513a0866c321643fc33d3d0135915 Mon Sep 17 00:00:00 2001
From: Jeff Layton <jlayton@samba.org>
Date: Thu, 23 Feb 2017 18:28:24 -0500
Subject: cifs.upcall: unset $KRB5CCNAME when creating new credcache from
 keytab

We don't want to trust $KRB5CCNAME when creating or updating a new
credcache since we could be operating under the wrong credentials.
Always create new credcaches in the default location instead.

Reported-by: Chad William Seys <cwseys@physics.wisc.edu>
Signed-off-by: Jeff Layton <jlayton@samba.org>
---
 cifs.upcall.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/cifs.upcall.c b/cifs.upcall.c
index 15e1e0f..0c89d7c 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -379,6 +379,12 @@ init_cc_from_keytab(const char *keytab_name, const char *user)
 
 	memset((char *) &my_creds, 0, sizeof(my_creds));
 
+	/*
+	 * Unset the environment variable, if any. If we're creating our own
+	 * credcache here, stick it in the default location.
+	 */
+	unsetenv(ENV_NAME);
+
 	if (keytab_name)
 		ret = krb5_kt_resolve(context, keytab_name, &keytab);
 	else
-- 
cgit v1.2.3