Fwd: Question about aname_do_match behavior on invalid pattern
ebd2.github at gmail.com
Wed Jan 25 10:25:01 EST 2017
Apologies, I did that thing :-/
On Tue, Jan 24, 2017 at 11:43 AM, Greg Hudson <ghudson at mit.edu> wrote:
> On 01/23/2017 06:15 PM, Eric Diven wrote:
> > When regcomp returns a non-zero result, aname_do_match returns
> > KRB5_LNAME_NOTRANS. This seems like odd behavior for what appears to be
> > error in the krb5.conf file. Can somebody please explain the rationale
> > behind this?
> I don't think anyone can speak to the rationale behind this behavior as
> it's very old. Although I reorganized the code significantly in 1.12
> when I added the localauth pluggable interface, that behavior dates back
> to 1.0. If you look at the an_to_ln.c code from back then, the behavior
> could be explained by a kind of laziness; the code looks like "if
> (!regcomp(...) && !regexec(...))" and similar for other regexp types.
Thanks for the explanation. I wanted to make sure I wasn't missing
something subtle (or blindingly obvious ;-) )
> I agree that it would be more helpful to return KRB5_CONFIG_BADFORMAT, with an
> extended error message explaining that the regexp is bad. There is some
> risk of breaking people's kind-of-working config files if we make that
> change, but the risk might be acceptable.
My reading of the code is that invalid rules essentially become a no-op
since the auth to local code will keep trying rules. I'm going to follow
your example and if other folks on our end insist on throwing a config
error, the resolution step would be to just remove the offending rule.
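To illustrate the behavior discussed above (a regex rule whose compile fails being treated as simply "no match", versus surfacing it as a configuration error), here is an added C example; it is not code from MIT krb5, and the rule names, sample patterns and principal strings are constructed for the demonstration:

```c
#include <regex.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of applying one regex-style auth_to_local rule (hypothetical names). */
enum rule_result { RULE_MATCH = 0, RULE_NOMATCH = 1, RULE_BADREGEX = 2 };

/* Historic style: a pattern that fails to compile is indistinguishable
 * from a pattern that simply did not match, so a typo in the config
 * silently turns the rule into a no-op. Returns 1 on match, else 0. */
int lazy_rule_matches(const char *pattern, const char *princ)
{
    regex_t re;
    int matched;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return 0;                       /* compile error swallowed */
    matched = (regexec(&re, princ, 0, NULL, 0) == 0);
    regfree(&re);
    return matched;
}

/* Stricter style: a compile failure is reported as its own outcome,
 * with the regerror() text available for an extended error message. */
enum rule_result strict_rule_matches(const char *pattern, const char *princ,
                                     char *errbuf, size_t errlen)
{
    regex_t re;
    int rc = regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB);
    if (rc != 0) {
        if (errbuf != NULL)
            regerror(rc, &re, errbuf, errlen);
        return RULE_BADREGEX;           /* caller can fail config loading */
    }
    rc = regexec(&re, princ, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? RULE_MATCH : RULE_NOMATCH;
}

int main(void)
{
    /* Constructed sample: a valid rule and the same rule with an unclosed bracket. */
    const char *good = "^[a-z]+@EXAMPLE\\.COM$";
    const char *bad  = "^[a-z+@EXAMPLE.COM$";
    const char *princ = "alice@EXAMPLE.COM";
    char err[128];

    printf("lazy, bad pattern:   %d (reads as 'no match')\n",
           lazy_rule_matches(bad, princ));
    if (strict_rule_matches(bad, princ, err, sizeof err) == RULE_BADREGEX)
        printf("strict, bad pattern: bad regex: %s\n", err);
    printf("strict, good pattern: %d (0 = match)\n",
           (int)strict_rule_matches(good, princ, NULL, 0));
    return 0;
}
```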