Using different cred cache files
Sam Hartman
hartmans at MIT.EDU
Mon Apr 12 17:42:36 EDT 2004
>>>>> "Rick" == Rick Macklem <rmacklem at uoguelph.ca> writes:
Rick> A gssd daemon for nfs needs to get Initiator Credentials for
Rick> different users (principals), so that it can do a
Rick> gss_init_sec_context() for that principal. To get Initiator
Rick> credentials, it must use the cred. cache file for that
Rick> uid. Normally, a process would be that effective uid and
Rick> everything would work. (The problem with doing that in this
Rick> case is that a new daemon process would have to be forked
Rick> for each request, so it could setuid() and then exit after
Rick> getting the security context.)
Why do you need to fork to seteuid? You really want to open the cred
cache file as the effective uid of the user or you risk significant
security problems.
I'd recommend using the environment variable. That should work fine
with MIT Kerberos 1.3.3 provided that you call gss_acquire_creds after
changing it in your application or call gss_init_sec_context with
GSS_C_NO_CREDENTIAL.
The first gss_init_sec_context call needs to be done with your euid
set to the euid of the cache file.
More information about the Kerberos
mailing list