Regarding Issues with Memory Credential Cache

Daniel Kouril kouril at ics.muni.cz
Fri Oct 17 08:57:40 EDT 2008 

For completness sake note that the change has been applied as revision 1.143
of the mod_auth_kerb.c source:

http://modauthkerb.cvs.sourceforge.net/viewvc/modauthkerb/mod_auth_kerb/src/mod_auth_kerb.c?r1=1.141&r2=1.142

The original module bug report can be found at http://sourceforge.net/tracker/index.php?func=detail&aid=1971514&group_id=51775&atid=464524

we'd be gratefull for any overview of the change,

cheers,

Daniel

On Fri, Oct 17, 2008 at 09:26:52AM +0000, Datar, Ashutosh Anil wrote:
> Hi Ezra,
> 
> Did you get to see if the modification to mod_auth_kerb, as you had suggested, works well and gets rid of the segmentation faults in memory cache section?
> Did you try making any changes to memory cache code?
> 
> As I said in my last mail, protecting the memory cache list traversal worked very well with mod_auth_kerb and didn't reproduce the SIGSEGV issues further.
> 
> Thanks and Regards,
> Ashutosh
> 
> -----Original Message-----
> From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf Of Datar, Ashutosh Anil
> Sent: Friday, August 29, 2008 6:29 PM
> To: Ezra Peisach
> Cc: krbdev at mit.edu
> Subject: RE: Regarding Issues with Memory Credential Cache
> 
> Hi,
> 
> Thanks very much for your analysis and feedback on the issue.
> I will also try to test with the suggested changes in mod_auth_kerb code and see how it works.
> 
> About the other point of changing memory cache code of Kerberos client,
> I have already tried protecting the memory cache list traversal which will prevent initialization of cache doing something illegal while someone else is still accessing it. It worked well with mod_auth_kerb under high load and I didn't see any SIGSEGVs after that.
> 
> Thanks again for the feedback.
> 
> Regards,
> Ashutosh
> 
> -----Original Message-----
> From: Ezra Peisach [mailto:epeisach at MIT.EDU]
> Sent: Friday, August 22, 2008 10:20 PM
> To: Datar, Ashutosh Anil
> Cc: krbdev at mit.edu
> Subject: Re: Regarding Issues with Memory Credential Cache
> 
> Datar, Ashutosh Anil wrote:
> > Hi,
> >
> > I was testing Apache Web Server (which uses mod_auth_kerb) with
> > Kerberos Client 1.6.2 and found some issue with the Memory Cache handling.
> 
> Okay - I have examined the situation a little more. The problem is
> readlly with mod_auth_kerb.  In version 5.3 (released at the end of
> 2006) - krb5_cc_resolve is used to create a temporary
> memory cache in two places.
> 
> The second argument for the cache is "MEMORY:".  This indicates that we
> want a memory cache with name "".  The cache is initialized, used and
> destroyed - so I believe it was never intended to last.  So - another
> thread might be iterating through the same cache and another thread then
> nukes the contents of the cache with krb5_cc_initialize.
> 
> The fix is pretty easy - in mod_auth_kerb, there are two places
> krb5_cc_resolve is used with "MEMORY:" as the second argument.  Change
> the code to use krb5_cc_new_unique and that should solve your
> problem.... (the type should be "MEMORY" without the :)
> 
> I would make the change the mod_auth_kerb and if it works - send the fix
> to the author.
> 
> I will meanwhile devise a way to bullet proof the memory cache code - to
> at least ensure that initializing a cache while someone else is walking
> it - will not do anything illegal - but probably result in an emptied
> cache - which is not what mod_auth_kerb would be expecting...
> 
> Ezra
> 
> 
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
> 
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev

More information about the krbdev mailing list