krb5 library missing functions for collections

Robbie Harwood rharwood at redhat.com
Mon Jul 29 14:35:40 EDT 2019


Greg Hudson <ghudson at mit.edu> writes:

> On 7/22/19 1:39 PM, Charles Hedrick wrote:
>
>> Please be aware that I’m using Redhat’s KCM implementation in
>> sssd. It’s supposed to be compatible with Heimdal’s, but based on
>> documentation it appears that it may not be.
>> 
>> The default value of KRB5CCNAME is simply KCM:  It had better be
>> user-specific, or everybody shares a collection.
>
> The Heimdal KCM implements a single global collection with access
> control on individual caches, with the euid and egid of the client as
> the access keys.  If a client doesn't have access to a cache, it isn't
> visible in the collection as presented to that client.  Clients can
> only create ccaches with names beginning with their "<euid>:" prefix.
>
> In practice, users other than root will typically see disjoint
> collections, where each cache name begins with the client's euid.  But
> that's not a fundamental property of the daemon, and therefore not an
> assumption of either the MIT krb5 or Heimdal client code.
>
> One could conceivably build this namespace assumption into the client,
> retrofitting it to treat "KCM:uid" as a collection by filtering out
> caches whose names don't begin with the uid prefix.  Unfortunately
> that wouldn't be 100% backward-compatible, as the Heimdal kcm daemon
> allows clients to create individual caches named with only the euid
> (with no ":" afterwards).  Perhaps that's not important, though.
>
> The sssd KCM may have different semantics from Heimdal's.  If it doesn't
> let root see caches owned by other uids, then that would also have to be
> changed to allow "KCM:uid" to work for root.

(CCing Jakub in case I miss anything here.)

To my reading, SSSD's KCM deliberately allows root to access all ccaches
but not list them.  See
https://github.com/SSSD/sssd/blob/master/src/responder/kcm/kcmsrv_ccache.h#L75-L80
and
https://github.com/SSSD/sssd/blob/master/src/responder/kcm/kcmsrv_ccache.h#L144-L156

Thanks,
--Robbie
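The Heimdal naming rule and the client-side "KCM:uid" filter described in the quoted message, as an added model for illustration (not krb5, Heimdal or SSSD code); the sample cache names and the `allow_bare` parameter are constructed here to show the bare-"<euid>" compatibility gap and why the ":" delimiter must be part of the prefix check:

```c
/* Added model of the KCM naming rules discussed in the thread; not real
 * krb5, Heimdal or SSSD code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Heimdal rule: a client may only create caches named "<euid>:...".
 * Including the ':' keeps uid 1000 from matching "10001:..." names. */
bool kcm_client_may_create(uid_t euid, const char *ccname)
{
    char prefix[32];
    snprintf(prefix, sizeof(prefix), "%lu:", (unsigned long)euid);
    return strncmp(ccname, prefix, strlen(prefix)) == 0;
}

/* Proposed client-side filter treating "KCM:<uid>" as a collection: keep
 * caches named "<uid>:...". A cache named with only the bare uid (no ':'
 * afterwards), which the Heimdal daemon also allows, is the compatibility
 * gap; allow_bare (assumed parameter) decides whether to keep it. */
bool kcm_in_uid_collection(const char *collection, const char *ccname,
                           bool allow_bare)
{
    const char *uid = collection;
    if (strncmp(uid, "KCM:", 4) == 0)
        uid += 4;
    size_t n = strlen(uid);
    if (n == 0)                       /* plain "KCM:" is the global collection */
        return true;
    if (strncmp(ccname, uid, n) != 0)
        return false;
    if (ccname[n] == ':')
        return true;
    return allow_bare && ccname[n] == '\0';
}

/* Filter a NULL-terminated list of cache names as the daemon would present
 * them; returns the number kept and stores pointers to them in out. */
size_t kcm_filter_collection(const char *collection, const char *const *names,
                             bool allow_bare, const char **out, size_t max)
{
    size_t k = 0;
    for (size_t i = 0; names[i] != NULL && k < max; i++)
        if (kcm_in_uid_collection(collection, names[i], allow_bare))
            out[k++] = names[i];
    return k;
}

int main(void)
{
    /* Constructed global collection as a root client might see it. */
    const char *const names[] = { "1000:primary", "1000", "10001:other",
                                  "1001:x", NULL };
    const char *kept[8];
    size_t k = kcm_filter_collection("KCM:1000", names, false, kept, 8);
    for (size_t i = 0; i < k; i++)
        printf("%s\n", kept[i]);        /* prints only "1000:primary" */
    return 0;
}
```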