diff --git a/Only-empty-FILE-ccaches-when-storing-remote-creds.patch b/Only-empty-FILE-ccaches-when-storing-remote-creds.patch
new file mode 100644
index 0000000..17f4da8
--- /dev/null
+++ b/Only-empty-FILE-ccaches-when-storing-remote-creds.patch
@@ -0,0 +1,55 @@
+From b03095e656ae083e078829a87e00d60f405c3cf4 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Tue, 10 Oct 2017 18:00:45 -0400
+Subject: [PATCH] Only empty FILE ccaches when storing remote creds
+
+This mitigates issues when services share a ccache between two
+processes. We cannot fix this for FILE ccaches without introducing
+other issues.
+
+Signed-off-by: Robbie Harwood
+Reviewed-by: Simo Sorce
+Merges: #216
+(cherry picked from commit d09e87f47a21dd250bfd7a9c59a5932b5c995057)
+---
+ proxy/src/mechglue/gpp_creds.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c
+index 9fe9bd1..6bdff45 100644
+--- a/proxy/src/mechglue/gpp_creds.c
++++ b/proxy/src/mechglue/gpp_creds.c
+@@ -147,6 +147,7 @@ uint32_t gpp_store_remote_creds(uint32_t *min, bool default_creds,
+ char cred_name[creds->desired_name.display_name.octet_string_len + 1];
+ XDR xdrctx;
+ bool xdrok;
++ const char *cc_type;
+ 
+ *min = 0;
+ 
+@@ -193,13 +194,20 @@ uint32_t gpp_store_remote_creds(uint32_t *min, bool default_creds,
+ }
+ cred.ticket.length = xdr_getpos(&xdrctx);
+ 
+- /* Always initialize and destroy any existing contents to avoid pileup of
+- * entries */
+- ret = krb5_cc_initialize(ctx, ccache, cred.client);
+- if (ret == 0) {
+- ret = krb5_cc_store_cred(ctx, ccache, &cred);
++ cc_type = krb5_cc_get_type(ctx, ccache);
++ if (strcmp(cc_type, "FILE") == 0) {
++ /* FILE ccaches don't handle updates properly: if they have the same
++ * principal name, they are blackholed. We either have to change the
++ * name (at which point the file grows forever) or flash the cache on
++ * every update. */
++ ret = krb5_cc_initialize(ctx, ccache, cred.client);
++ if (ret != 0) {
++ goto done;
++ }
+ }
+ 
++ ret = krb5_cc_store_cred(ctx, ccache, &cred);
++
+ done:
+ if (ctx) {
+ krb5_free_cred_contents(ctx, &cred);
diff --git a/gssproxy.spec b/gssproxy.spec
index f55ab3e..db29f97 100644
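Review bot: The new `if (strcmp(cc_type, "FILE") == 0)` branch keys the initialize-before-store behaviour on the exact type string, so a DIR ccache — which, as far as I recall, is a collection of per-principal FILE caches underneath — takes the non-wiping path and would presumably still show the same-principal blackholing the added comment describes; worth confirming against the krb5 ccache backends and, if it holds, widening the test to `if (strcmp(cc_type, "FILE") == 0 || strcmp(cc_type, "DIR") == 0) {`. For every other type the function now stores without clearing, so the comment should also state that replacement or accumulation of same-principal entries is left to the ccache backend for non-FILE caches, since that is the behaviour change callers sharing a cache will observe. The phrase "flash the cache" in the added comment reads as a typo for "flush the cache". gpp_store_remote_creds begins before this inner hunk and its cleanup path continues after it.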
--- a/gssproxy.spec
+++ b/gssproxy.spec
@@ -1,6 +1,6 @@
 Name: gssproxy
 Version: 0.7.0
-Release: 23%{?dist}
+Release: 24%{?dist}
 Summary: GSSAPI Proxy
 Group: System Environment/Libraries
@@ -38,6 +38,7 @@ Patch20: Fix-silent-crash-with-duplicate-config-sections.patch
 Patch21: Emit-debug-on-queue-errors.patch
 Patch22: Do-not-call-gpm_grab_sock-twice.patch
 Patch23: Fix-error-message-handling-in-gp_config_from_dir.patch
+Patch24: Only-empty-FILE-ccaches-when-storing-remote-creds.patch
 ### Dependencies ###
 Requires: krb5-libs >= 1.12.0
@@ -135,6 +136,9 @@ rm -rf %{buildroot}
 %systemd_postun_with_restart gssproxy.service
 %changelog
+* Tue Oct 31 2017 Robbie Harwood - 0.7.0-24
+- Only empty FILE ccaches when storing remote creds
+
 * Mon Oct 30 2017 Robbie Harwood - 0.7.0-23
 - Fix error message handling in gp_config_from_dir()