Using KfM's credentials cache with Krb5 1.3 on OS X 10.2.6

Shantonu Sen ssen at MIT.EDU
Wed Jul 23 18:24:35 EDT 2003 

I think you and Sam are talking about two separate issues.

To yours: Yes, the API you want is NSAddImage, described in 
NSModule(3). It can be used for loading both bundles and dynamic 
libraries.

[shantonu at repl]$ cat testkrb.c
#include <Kerberos/Kerberos.h>
#include <libc.h>
#include <mach-o/dyld.h>

int main(int argc, char *argv[]) {

   const struct mach_header *krb;
   typeof(krb5_cc_initialize) *krbccinitptr = NULL;
   NSSymbol krbccinitsym = NULL;

   krb = 
NSAddImage("/System/Library/Frameworks/Kerberos.framework/Kerberos",
                    
NSADDIMAGE_OPTION_RETURN_ON_ERROR|NSADDIMAGE_OPTION_WITH_SEARCHING);

   printf("krb header is %p\n", krb);
   if(krb == NULL) exit(1);

   krbccinitsym = NSLookupSymbolInImage(krb, "_krb5_cc_initialize", 
NSLOOKUPSYMBOLINIMAGE_OPTION_BIND_FULLY);

   if(krbccinitsym == NULL) exit(1);

   krbccinitptr = NSAddressOfSymbol(krbccinitsym);

   printf("krbccinitptr is %p\n", krbccinitptr);

   return 0;
}


[shantonu at repl]$ cc -o testkrb testkrb.c
[shantonu at repl]$ ./testkrb
krb header is 0x943f0000
krbccinitptr is 0x94480a34
[shantonu at repl]$ nm -g /usr/lib/libkrb5.dylib | grep krb5_cc_initialize
94480a34 T _krb5_cc_initialize
[shantonu at repl]$


I think Sam's issue is "what happens if you load a framework defining 
the same symbols as the current binary". This should be no problem 
given Mac OS X's support for two-level namespace. That is, Mach-O 
binaries record the shared library where a symbol was found at link 
time, and only use that version at run-time (unless something 
catastrophic happens to kick the program into flat namespace mode, or 
someone is trying to impersonate your framework). In terms of 
dynamically loading dynamic libraries, the NSLookupSymbolInImage API 
exists specifically so you can pass in an object image for use for 
looking up the new symbol. It doesn't look for the symbol among all 
loaded symbols, which would potentially lead to multiple hits in the 
case Sam is worried about.

Shantonu

On Wednesday, July 23, 2003, at 12:16PM, Ken Hornstein wrote:

>> This assumes that OSX has a mechanism for opening a framework without
>> influencing the running application's namespace.  I suspect this is
>> true because without this feature it is almost impossible to
>> implement plugins that work.
>
> Note: I'm not an MacOS expert, so don't take my word as gospel, by any
> means.
>
> It seems to me that this, unfortunately, isn't possible.  It looks like
> the dlopen() equivalants (NSCreateObjectFileImageFromFile() and
> friends) can only be used on "bundles", not dynamic libraries.  At
> least if it is possible, I don't know the right API call to make it
> happen (NSCreateObjectFileImageFromFile() fails when used on the 
> Kerberos
> framework).  But I sure hope I'm wrong :-/
>
> --Ken
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev

More information about the krbdev mailing list