krb5 library missing functions for collections

Charles Hedrick hedrick at rutgers.edu
Mon Jul 22 11:16:27 EDT 2019


I have code to deal with a number of difficulties in implementing kerberos transparently to users.

Some of this code needs to know whether a KRB5CCNAME is a collection or a specific cache, and to be able to find the collection if it’s a cache.

I was surprised to find the methods to do these things aren’t present. Here’s what I’ve defined:

convert_to_collection(const char *ptr, uid_t uid)
  convert ccache name to the collection containing it
ccname_to_uid(const char *ptr, uid_t uid)
  find the uid that owns the cache
is_collection_type(const char *ccname)
  does the type support collections?
is_collection(const char *ccname)
  is it actually a collection (rather than a specific cache)
get_cc_type(const char *ccname)
  return the cache type

The first two have uid arguments because of KCM. Every other cache type allows you to determine unambiguously what user it’s associated with. For files you can use the file APIs to see who owns the file. Otherwise it’s encoded in the name. However, the collection name for KCM is “KCM:”. This is ambiguous. You need to know the current user to resolve it.

convert_to_collection actually returns KCM:uid so it’s unambiguous. This works as long as the code is always dealing with collection names. But it wouldn’t work in general, because KCM:uid is an actual collection name. (What I should have done is return something like KCM:#uid, so you can tell that it’s not a valid cache name.)

This oddity of KCM is really irritating. It means you have to do setruid every time you want to deal with a collection from a daemon, since otherwise the name is ambiguous.
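For illustration, here is a sketch of the five helpers as pure name parsing, added here and not the author's code. It assumes MIT krb5's documented residual formats (DIR::path for a subsidiary cache inside DIR:dir, KEYRING:anchor:collection:subsidiary, KCM:uid:name) and treats any KEYRING name with at most two residual parts as a collection; returning "KCM:uid" for a bare "KCM:" reproduces the KCM ambiguity described above.

```python
import os
# Types whose residual can name a collection (MIT krb5 docs); FILE/MEMORY/API never do.
COLLECTION_TYPES = {"DIR", "KEYRING", "KCM"}

def _split(ccname):
    if ":" not in ccname:  # krb5 treats a bare name as a FILE path
        return "FILE", ccname
    cctype, residual = ccname.split(":", 1)
    return cctype.upper(), residual

def get_cc_type(ccname):
    return _split(ccname)[0]

def is_collection_type(ccname):
    return get_cc_type(ccname) in COLLECTION_TYPES

def is_collection(ccname):
    """True if the name denotes a whole collection rather than one cache."""
    cctype, residual = _split(ccname)
    if cctype == "DIR":      # DIR:/dir is the collection, DIR::/dir/tkt a cache
        return not residual.startswith(":")
    if cctype == "KEYRING":  # KEYRING:persistent:uid vs KEYRING:persistent:uid:name
        return len(residual.split(":")) <= 2
    if cctype == "KCM":      # KCM: and KCM:uid are collections, KCM:uid:name a cache
        return ":" not in residual
    return False

def convert_to_collection(ccname, uid):
    """Collection containing ccname; uid resolves the owner-less 'KCM:' name."""
    cctype, residual = _split(ccname)
    if cctype == "DIR":
        return ccname if is_collection(ccname) else "DIR:" + os.path.dirname(residual[1:])
    if cctype == "KEYRING":
        return "KEYRING:" + ":".join(residual.split(":")[:2])
    if cctype == "KCM":
        # KCM:uid is unambiguous, but it is itself a valid ccache name (the pitfall in the post)
        return "KCM:" + (residual.split(":")[0] or str(uid))
    raise ValueError("%s caches do not form collections" % cctype)

def ccname_to_uid(ccname, uid):
    """Owner of the cache: file owner for FILE, else encoded in the name; bare 'KCM:' needs uid."""
    cctype, residual = _split(ccname)
    if cctype == "FILE":
        return os.stat(residual).st_uid
    parts = residual.split(":")
    if cctype == "KEYRING" and parts[0] == "persistent" and len(parts) > 1:
        return int(parts[1])
    if cctype == "KCM" and parts[0]:
        return int(parts[0])
    return uid
```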
