[38572] in Kerberos

Re: krb5 library missing functions for collections

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jul 22 13:01:03 2019

To: Charles Hedrick <hedrick@rutgers.edu>, "kerberos@mit.edu" <kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <9f9094e8-4e89-f9f9-e902-4f144a54b97f@mit.edu>
Date: Mon, 22 Jul 2019 13:00:48 -0400
MIME-Version: 1.0
In-Reply-To: <A0FCAB92-AC49-48DD-89DA-55A805D1B770@rutgers.edu>
Content-Language: en-US
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On 7/22/19 11:16 AM, Charles Hedrick wrote:
> I was surprised to find the methods to do these things aren’t present. Here’s what I’ve defined:

Some of this is covered in
https://k5wiki.kerberos.org/wiki/Projects/Credential_cache_collection_improvements
(which unfortunately has not been worked on in quite a while), but not
all of it.

> The first two have uid arguments because of KCM. Every other cache type allows you to determine unambiguously what user it’s associated with.

By my reading, KEYRING also doesn't generally include the uid in the name.

> This oddity of KCM is really irritating. It means you have to do setruid every time you want to deal with a collection from a daemon, since otherwise the name is ambiguous.

The KCM daemon's namespace is machine-global, not uid-specific, and I
don't think doing setruid() would be visible to the daemon anyway (it
should see the euid of the client, not the ruid).
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos