[16125] in Kerberos_V5_Development
Re: Profile include support
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Mon Aug 23 18:08:17 2010
Mime-Version: 1.0 (Apple Message framework v1081)
From: Ken Raeburn <raeburn@mit.edu>
In-Reply-To: <201008231503.o7NF3wYg014782@outgoing.mit.edu>
Date: Mon, 23 Aug 2010 18:08:13 -0400
Message-Id: <F0C77D0A-0DBE-4E74-B8D6-BAE814124893@mit.edu>
To: ghudson@mit.edu
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Aug 23, 2010, at 11:03, ghudson@MIT.EDU wrote:
> * Nothing in the design prevents include directives containing
> relative paths or patterns. Such an include directive would have
> unpredictable effects since the current working directory would be
> different for different invocations of the krb5 library. Should the
> profile library protect the administrator by restricting include
> directives to absolute paths? If so, how should it portably
> recognize an absolute path?
Interpreting a relative path as relative to the working directory of the process seems like a bad idea, though I haven't thought much about the testing case Russ pointed out.
However, interpreting it as relative to the location of the config file seems reasonable. So you could have a krb5.conf that says "include krb5.conf.d/*" and it would Just Work, pulling in config files from a subdirectory in the same place where the krb5.conf itself lives.
> Note that because of the profile library architecture, it cannot
> generate extended errors.
Russ is right, this should be fixed, whether as part of this project or separately. But if krb5_init_context can fail because of a profile library error, it becomes difficult to pass the error back to the application, even with profile library API changes. If we can go config-file-free (I forget, did that ever get fully implemented?), then certainly the krb5_context can hold the profile library error info.
Ken
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
