[31451] in CVS-changelog-for-Kerberos-V5
krb5 commit: Run KEYRING ccache tests in session wrapper
daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Fri Aug 1 19:37:19 2025
From: ghudson@mit.edu
To: cvs-krb5@mit.edu
Message-Id: <20250801233711.280A3103E8A@krbdev.mit.edu>
Date: Fri, 1 Aug 2025 19:37:11 -0400 (EDT)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/820a7277ed1c553d33b2a7f3efb48655fb993b77
commit 820a7277ed1c553d33b2a7f3efb48655fb993b77
Author: Greg Hudson <ghudson@mit.edu>
Date: Sun Jul 27 12:44:16 2025 -0400
Run KEYRING ccache tests in session wrapper
Tests for the KEYRING ccache type can fail if the session keyring has
been revoked. When keyctl is present, run these tests within a keyctl
session wrapper to isolate them from the containing environment's
session keyring.
src/config/pre.in | 1 +
src/configure.ac | 8 ++++++++
src/lib/krb5/ccache/Makefile.in | 4 ++--
src/tests/Makefile.in | 2 +-
4 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/config/pre.in b/src/config/pre.in
index 1197c1ffd..6a6a4adbb 100644
--- a/src/config/pre.in
+++ b/src/config/pre.in
@@ -178,6 +178,7 @@ KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include
LDFLAGS = @LDFLAGS@
LIBS = @LIBS@
FUZZ_LDFLAGS = @FUZZ_LDFLAGS@
+KEYCTL_SESSION = @KEYCTL_SESSION@
INSTALL=@INSTALL@
INSTALL_STRIP=
diff --git a/src/configure.ac b/src/configure.ac
index bf6cc14c5..7313bc552 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -351,6 +351,14 @@ if test "$with_keyutils" != no; then
fi
fi
+# Check for keyctl. If it is found, define a command prefix for
+# running a command inside a keyring session. Include "env" in the
+# wrapper to allow environment variable settings in the wrapped
+# command.
+AC_CHECK_PROG(KEYCTL,keyctl,keyctl)
+AS_IF([test x"$KEYCTL" != x], [KEYCTL_SESSION="keyctl session - env"])
+AC_SUBST([KEYCTL_SESSION])
+
# The SPAKE preauth plugin currently supports edwards25519 natively,
# and can support three NIST groups using OpenSSL.
HAVE_SPAKE_OPENSSL=no
diff --git a/src/lib/krb5/ccache/Makefile.in b/src/lib/krb5/ccache/Makefile.in
index 2864e92b9..449f74bf4 100644
--- a/src/lib/krb5/ccache/Makefile.in
+++ b/src/lib/krb5/ccache/Makefile.in
@@ -145,11 +145,11 @@ t_marshal: $(T_MARSHAL_OBJS) $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o $@ $(T_MARSHAL_OBJS) $(KRB5_BASE_LIBS)
check-unix: t_cc t_marshal
- $(RUN_TEST) ./t_cc
+ $(RUN_TEST) $(KEYCTL_SESSION) ./t_cc
$(RUN_TEST) ./t_marshal testcache
check-pytests: t_cccursor t_cccol
- $(RUNPYTEST) $(srcdir)/t_cccol.py $(PYTESTFLAGS)
+ $(KEYCTL_SESSION) $(RUNPYTEST) $(srcdir)/t_cccol.py $(PYTESTFLAGS)
clean-unix::
$(RM) t_cc t_cc.o t_cccursor t_cccursor.o t_cccol t_cccol.o
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 80ac35aac..52c5777b4 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -150,7 +150,7 @@ check-pytests: responder s2p s4u2proxy unlockiter s4u2self
$(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_renew.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_renprinc.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_ccache.py $(PYTESTFLAGS)
+ $(KEYCTL_SESSION) $(RUNPYTEST) $(srcdir)/t_ccache.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_stringattr.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_sesskeynego.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_crossrealm.py $(PYTESTFLAGS)
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
