Using different cred cache files

Sam Hartman hartmans at MIT.EDU
Mon Apr 12 17:42:36 EDT 2004


>>>>> "Rick" == Rick Macklem <rmacklem at uoguelph.ca> writes:


    Rick> A gssd daemon for nfs needs to get Initiator Credentials for
    Rick> different users (principals), so that it can do a
    Rick> gss_init_sec_context() for that principal. To get Initiator
    Rick> credentials, it must use the cred. cache file for that
    Rick> uid. Normally, a process would be that effective uid and
    Rick> everything would work. (The problem with doing that in this
    Rick> case is that a new daemon process would have to be forked
    Rick> for each request, so it could setuid() and then exit after
    Rick> getting the security context.)

Why do you need to fork to seteuid?  You really want to open the cred
cache file as the effective uid of the user or you risk significant
security problems.

I'd recommend using the environment variable.  That should work fine
with MIT Kerberos 1.3.3 provided that you call gss_acquire_creds after
changing it in your application or call gss_init_sec_context with
GSS_C_NO_CREDENTIAL.


The first gss_init_sec_context call needs to be done with your euid
set to the euid of the cache file.



More information about the Kerberos mailing list