Reducing FILE ccache race conditions: please allocate new ccache v4 tag

Nico Williams nico at
Fri Aug 9 12:37:24 EDT 2013

I've been working on a fix to some FILE ccache race conditions in
Heimdal.  In the process I reminded myself that FILE ccaches are
inherently racy, particularly around re-initialization.  Here's a
proposal for making the FILE ccache no longer racy in any case :

 - first, regarding 1777 mode tmp dirs, use O_NOFOLLOW and check that
st_uid matches EUID; there are things that can be done in the absence
of O_NOFOLLOW too;

 - second, add a new ccache v4 tag containing a "ccache instance ID",
to be written by krb5_cc_initialize(), and which should be a value
that is unlikely to be reused in future calls to krb5_cc_initialize().

 - third, in the FILE implementation of krb5_cc_next_cred() pread(2)
the ccache instance ID after locking the ccache and before reading the
next credential; if the ccache instance ID has changed, then re-read
the ccache header and reset the cursor to point to the current first
credential, then continue.

That's it.  This doesn't fix race conditions in legacy
implementations, but it stops the rot and gets us on a path to
race-free FILE ccaches.

None of this gets us on a path to *fast* FILE ccaches -- FILE ccaches
do not work well when they are a) large, b) highly contended.  But one
could use openat() to keep shadow indexes that make the file ccache


More information about the krbdev mailing list