krb5 commit: Add environment variable for GSS mech config

Greg Hudson ghudson at mit.edu
Thu Sep 19 16:28:04 EDT 2019


https://github.com/krb5/krb5/commit/2977b8e88002fc928a0ff3757098b34ca83645ef
commit 2977b8e88002fc928a0ff3757098b34ca83645ef
Author: Greg Hudson <ghudson at mit.edu>
Date:   Mon Sep 16 14:36:32 2019 -0400

    Add environment variable for GSS mech config
    
    If the environment variable GSS_MECH_CONFIG is set (and the process is
    not privileged), read it instead of /etc/gss/mech or files within
    /etc/gss/mech.d.
    
    Set GSS_MECH_CONFIG in test frameworks so that system configuration
    does not interfere with tests.
    
    Fix documentation to indicate that the default mech config file is in
    sysconfdir, not necessarily /etc.
    
    ticket: 8833 (new)

 doc/admin/host_config.rst                 |   10 ++++++----
 doc/mitK5defaults.rst                     |    1 +
 doc/plugindev/gssapi.rst                  |   11 +++++------
 doc/user/user_config/kerberos.rst         |    6 ++++++
 src/kadmin/testing/scripts/env-setup.shin |    1 +
 src/kadmin/testing/scripts/init_db        |    1 +
 src/lib/gssapi/mechglue/g_initialize.c    |    7 +++++++
 src/man/kerberos.man                      |    6 ++++++
 src/tests/Makefile.in                     |    2 +-
 src/tests/dejagnu/config/default.exp      |   15 +++++++++++++++
 src/util/k5test.py                        |    2 ++
 11 files changed, 51 insertions(+), 11 deletions(-)

diff --git a/doc/admin/host_config.rst b/doc/admin/host_config.rst
index 6df2504..e186dd4 100644
--- a/doc/admin/host_config.rst
+++ b/doc/admin/host_config.rst
@@ -199,10 +199,9 @@ GSSAPI mechanism modules
 ~~~~~~~~~~~~~~~~~~~~~~~~
 
 GSSAPI mechanism modules are registered using the file
-``/etc/gss/mech`` or configuration files in the ``/etc/gss/mech.d/``
-directory.  Only files with a ``.conf`` suffix will be read from the
-``/etc/gss/mech.d/`` directory.  Each line in these files has the
-form::
+|sysconfdir|\ ``/gss/mech`` or configuration files in the
+|sysconfdir|\ ``/gss/mech.d`` directory with a ``.conf``
+suffix.  Each line in these files has the form::
 
     oid  pathname  [options]  <type>
 
@@ -214,6 +213,9 @@ options provided to the plugin module, surrounded in square brackets.
 Currently the only special module type is "interposer", for a module
 designed to intercept calls to other mechanisms.
 
+If the environment variable **GSS_MECH_CONFIG** is set, its value is
+used as the sole mechanism configuration filename.
+
 
 .. _profile_plugin_config:
 
diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst
index 65d904e..58f4f16 100644
--- a/doc/mitK5defaults.rst
+++ b/doc/mitK5defaults.rst
@@ -14,6 +14,7 @@ Client :ref:`keytab_definition` file        |ckeytab|                      **KRB
 Kerberos config file :ref:`krb5.conf(5)`    |krb5conf|\ ``:``\             **KRB5_CONFIG**
                                             |sysconfdir|\ ``/krb5.conf``
 KDC config file :ref:`kdc.conf(5)`          |kdcdir|\ ``/kdc.conf``        **KRB5_KDC_PROFILE**
+GSS mechanism config file                   |sysconfdir|\ ``/gss.mech``    **GSS_MECH_CONFIG**
 KDC database path (DB2)                     |kdcdir|\ ``/principal``
 Master key :ref:`stash_definition`          |kdcdir|\ ``/.k5.``\ *realm*
 Admin server ACL file :ref:`kadm5.acl(5)`   |kdcdir|\ ``/kadm5.acl``
diff --git a/doc/plugindev/gssapi.rst b/doc/plugindev/gssapi.rst
index 34fc9e4..28e62ae 100644
--- a/doc/plugindev/gssapi.rst
+++ b/doc/plugindev/gssapi.rst
@@ -9,8 +9,7 @@ the set of built-in mechanisms.
 
 A mechanism module is a Unix shared object or Windows DLL, built
 separately from the krb5 tree.  Modules are loaded according to the
-``/etc/gss/mech`` or ``/etc/gss/mech.d/*.conf`` config files, as
-described in :ref:`gssapi_plugin_config`.
+GSS mechanism config files described in :ref:`gssapi_plugin_config`.
 
 For the most part, a GSSAPI mechanism module exports the same
 functions as would a GSSAPI implementation itself, with the same
@@ -45,10 +44,10 @@ with the following signature::
     gss_OID_set gss_mech_interposer(gss_OID mech_type);
 
 This function is invoked with the OID of the interposer mechanism as
-specified in ``/etc/gss/mech`` or in a ``/etc/gss/mech.d/*.conf``
-file, and returns a set of mechanism OIDs to be interposed.  The
-returned OID set must have been created using the mechglue's
-gss_create_empty_oid_set and gss_add_oid_set_member functions.
+specified in the mechanism config file, and returns a set of mechanism
+OIDs to be interposed.  The returned OID set must have been created
+using the mechglue's gss_create_empty_oid_set and
+gss_add_oid_set_member functions.
 
 An interposer module must use the prefix ``gssi_`` for the GSSAPI
 functions it exports, instead of the prefix ``gss_``.
diff --git a/doc/user/user_config/kerberos.rst b/doc/user/user_config/kerberos.rst
index bcb79d9..1830447 100644
--- a/doc/user/user_config/kerberos.rst
+++ b/doc/user/user_config/kerberos.rst
@@ -142,6 +142,12 @@ programs.  These include:
 **KPROP_PORT**
     :ref:`kprop(8)` port to use.  Defaults to 754.
 
+**GSS_MECH_CONFIG**
+    Specifies a filename containing GSSAPI mechanism module
+    configuration.  The default is to read |sysconfdir|\ ``/gss/mech``
+    and files with a ``.conf`` suffix within the directory
+    |sysconfdir|\ ``/gss/mech.d``.
+
 Most environment variables are disabled for certain programs, such as
 login system programs and setuid programs, which are designed to be
 secure when run within an untrusted process environment.
diff --git a/src/kadmin/testing/scripts/env-setup.shin b/src/kadmin/testing/scripts/env-setup.shin
index 8c29bb9..084dadc 100755
--- a/src/kadmin/testing/scripts/env-setup.shin
+++ b/src/kadmin/testing/scripts/env-setup.shin
@@ -82,6 +82,7 @@ KRB5_KDC_PROFILE=$K5ROOT/kdc.conf; export KRB5_KDC_PROFILE
 KRB5_KTNAME=$K5ROOT/ovsec_adm.keytab; export KRB5_KTNAME
 KRB5_CLIENT_KTNAME=$K5ROOT/client_keytab; export KRB5_CLIENT_KTNAME
 KRB5CCNAME=$K5ROOT/krb5cc_unit-test; export KRB5CCNAME
+GSS_MECH_CONFIG=$K5ROOT/mech.conf; export GSS_MECH_CONFIG
 
 # Make sure we don't get confused by translated messages
 # or localized times.
diff --git a/src/kadmin/testing/scripts/init_db b/src/kadmin/testing/scripts/init_db
index 2496be2..c3a1499 100755
--- a/src/kadmin/testing/scripts/init_db
+++ b/src/kadmin/testing/scripts/init_db
@@ -225,6 +225,7 @@ setenv KRB5_CONFIG $KRB5_CONFIG
 setenv KRB5_KDC_PROFILE $KRB5_KDC_PROFILE
 setenv KRB5_KTNAME $KRB5_KTNAME
 setenv KRB5_CLIENT_KTNAME $KRB5_CLIENT_KTNAME
+setenv GSS_MECH_CONFIG $GSS_MECH_CONFIG
 $KRB5_RUN_ENV_CSH
 EOF
 
diff --git a/src/lib/gssapi/mechglue/g_initialize.c b/src/lib/gssapi/mechglue/g_initialize.c
index 0ad11c0..394869e 100644
--- a/src/lib/gssapi/mechglue/g_initialize.c
+++ b/src/lib/gssapi/mechglue/g_initialize.c
@@ -473,12 +473,19 @@ loadConfigFiles()
 	glob_t globbuf;
 	time_t highest = 0, now;
 	char **path;
+	const char *val;
 
 	/* Don't glob and stat more than once per second. */
 	if (time(&now) == (time_t)-1 || now == g_confLastCall)
 		return;
 	g_confLastCall = now;
 
+	val = secure_getenv("GSS_MECH_CONFIG");
+	if (val != NULL) {
+		load_if_changed(val, g_confFileModTime, &g_confFileModTime);
+		return;
+	}
+
 	load_if_changed(MECH_CONF, g_confFileModTime, &highest);
 
 	memset(&globbuf, 0, sizeof(globbuf));
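Review bot: The early return added after the once-per-second gate honours GSS_MECH_CONFIG only because secure_getenv() returns NULL in a privileged (setuid/setgid) process, yet nothing in the code records that condition; the commit message is the only place it is stated. A one-line comment above the lookup would preserve it, e.g. `/* Honour GSS_MECH_CONFIG only in unprivileged processes; secure_getenv() yields NULL otherwise. */`. An empty value is also accepted as the filename, so `GSS_MECH_CONFIG=` skips the default files without, as far as the hunk shows, reading anything in their place; if that is not intended, `if (val != NULL && *val != '\0')` would keep the fallback. loadConfigFiles continues outside the hunk (the mech.d glob and the g_confFileModTime update), and the new return skips all of it.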
diff --git a/src/man/kerberos.man b/src/man/kerberos.man
index a109538..effdd8e 100644
--- a/src/man/kerberos.man
+++ b/src/man/kerberos.man
@@ -174,6 +174,12 @@ used).
 .TP
 \fBKPROP_PORT\fP
 kprop(8) port to use.  Defaults to 754.
+.TP
+\fBGSS_MECH_CONFIG\fP
+Specifies a filename containing GSSAPI mechanism module
+configuration.  The default is to read \fB at SYSCONFDIR@\fP\fB/gss/mech\fP
+and files with a \fB\&.conf\fP suffix within the directory
+\fB at SYSCONFDIR@\fP\fB/gss/mech.d\fP\&.
 .UNINDENT
 .sp
 Most environment variables are disabled for certain programs, such as
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 88545e3..81ca4cb 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -4,7 +4,7 @@ SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \
 	gss-threads misc threads softpkcs11
 
 RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \
-	LC_ALL=C $(VALGRIND)
+	GSS_MECH_CONFIG=mech.conf LC_ALL=C $(VALGRIND)
 
 OBJS= adata.o etinfo.o forward.o gcred.o hist.o hooks.o hrealm.o \
 	icinterleave.o icred.o kdbtest.o localauth.o plugorder.o rdreq.o \
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
index 93e2fb0..4cd7775 100644
--- a/src/tests/dejagnu/config/default.exp
+++ b/src/tests/dejagnu/config/default.exp
@@ -470,6 +470,7 @@ proc envstack_pop { } {
 #
 set envvars_tosave {
     KRB5_CONFIG KRB5CCNAME KRB5_CLIENT_KTNAME KRB5RCACHEDIR KRB5_KDC_PROFILE
+    GSS_MECH_CONFIG
 }
 set krb5_init_vars [list ]
 # XXX -- fix me later!
@@ -853,6 +854,12 @@ if [ info exists env(KRB5RCACHEDIR)] {
     catch "unset orig_krb5rcachedir"
 }
 
+if [ info exists env(GSS_MECH_CONFIG)] {
+    set orig_gss_mech_config $env(GSS_MECH_CONFIG)
+} else {
+    catch "unset orig_gss_mech_config"
+}
+
 # setup_kerberos_env
 # Set the environment variables needed to run Kerberos programs.
 
@@ -883,6 +890,11 @@ proc setup_kerberos_env { {type client} } {
     set env(KRB5RCACHEDIR) $tmppwd
     verbose "KRB5RCACHEDIR=$env(KRB5RCACHEDIR)"
 
+    # Direct the GSS library at a nonexistent file in the temporary
+    # directory, to avoid interference from system configuration.
+    set env(GSS_MECH_CONFIG) $tmppwd/mech.conf
+    verbose "GSS_MECH_CONFIG=$env(GSS_MECH_CONFIG)"
+
     # Get the run time environment variables... (including LD_LIBRARY_PATH)
     setup_runtime_env
 
@@ -905,6 +917,7 @@ proc setup_kerberos_env { {type client} } {
 	puts $envfile "KRB5CCNAME=$env(KRB5CCNAME)"
 	puts $envfile "KRB5_CLIENT_KTNAME=$env(KRB5_CLIENT_KTNAME)"
 	puts $envfile "KRB5RCACHEDIR=$env(KRB5RCACHEDIR)"
+	puts $envfile "GSS_MECH_CONFIG=$env(GSS_MECH_CONFIG)"
 	if [info exists env(KRB5_KDC_PROFILE)] {
 	    puts $envfile "KRB5_KDC_PROFILE=$env(KRB5_KDC_PROFILE)"
 	} else {
@@ -912,6 +925,7 @@ proc setup_kerberos_env { {type client} } {
 	}
 	puts $envfile "export KRB5_CONFIG KRB5CCNAME KRB5RCACHEDIR"
 	puts $envfile "export KRB5_KDC_PROFILE KRB5_CLIENT_KTNAME"
+	puts $envfile "export GSS_MECH_CONFIG"
 	foreach i $krb5_init_vars {
 		regexp "^(\[^=\]*)=(.*)" $i foo evar evalue
 		puts $envfile "$evar=$env($evar)"
@@ -925,6 +939,7 @@ proc setup_kerberos_env { {type client} } {
 	puts $envfile "setenv KRB5CCNAME $env(KRB5CCNAME)"
 	puts $envfile "setenv KRB5_CLIENT_KTNAME $env(KRB5_CLIENT_KTNAME)"
 	puts $envfile "setenv KRB5RCACHEDIR $env(KRB5RCACHEDIR)"
+	puts $envfile "setenv GSS_MECH_CONFIG $env(GSS_MECH_CONFIG)"
 	if [info exists env(KRB5_KDC_PROFILE)] {
 	    puts $envfile "setenv KRB5_KDC_PROFILE $env(KRB5_KDC_PROFILE)"
 	} else {
diff --git a/src/util/k5test.py b/src/util/k5test.py
index 2a042ff..89ebacd 100644
--- a/src/util/k5test.py
+++ b/src/util/k5test.py
@@ -884,6 +884,7 @@ class K5Realm(object):
         self.keytab = os.path.join(self.testdir, 'keytab')
         self.client_keytab = os.path.join(self.testdir, 'client_keytab')
         self.ccache = os.path.join(self.testdir, 'ccache')
+        self.gss_mech_config = os.path.join(self.testdir, 'mech.conf')
         self.kadmin_ccache = os.path.join(self.testdir, 'kadmin_ccache')
         self._krb5_conf = _cfg_merge(_default_krb5_conf, krb5_conf)
         base_kdc_conf = _default_kdc_conf
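Review bot: The new gss_mech_config attribute points at a file under testdir that, as far as this hunk shows, is never created, and the reason for directing the library at a possibly nonexistent file (isolating tests from the system mech config) is recorded in the dejagnu counterpart of this change but not here; a comment on the new line such as `# Keep tests away from the system GSS mech config; the file need not exist.` would carry it. The enclosing method starts outside the hunk.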
@@ -1002,6 +1003,7 @@ class K5Realm(object):
         env['KRB5RCACHEDIR'] = self.testdir
         env['KPROPD_PORT'] = str(self.kprop_port())
         env['KPROP_PORT'] = str(self.kprop_port())
+        env['GSS_MECH_CONFIG'] = self.gss_mech_config
         return env
 
     def run(self, args, env=None, **keywords):

