Question about aname_do_match behavior on invalid patten
ghudson at mit.edu
Tue Jan 24 11:43:24 EST 2017
On 01/23/2017 06:15 PM, Eric Diven wrote:
> When regcomp returns a non-zero result, aname_do_match returns
> KRB5_LNAME_NOTRANS. This seems like odd behavior for what appears to be an
> error in the krb5.conf file. Can somebody please explain the rationale
> behind this?
I don't think anyone can speak to the rationale behind this behavior as
it's very old. Although I reorganized the code significantly in 1.12
when I added the localauth pluggable interface, that behavior dates back
to 1.0. If you look at the an_to_ln.c code from back then, the behavior
could be explained by a kind of laziness; the code looks like "if
(!regcomp(...) && !regexec(...))" and similar for other regexp types.
I agree that it would be more helpful to KRB5_CONFIG_BADFORMAT, with an
extended error message explaining that the regexp is bad. There is some
risk of breaking people's kind-of-working config files if we make that
change, but the risk might be acceptable.
More information about the krbdev