gssd: Use /run/user/${UID} instead of /run/user/${USER}
authorNalin Dahyabhai <nalin@redhat.com>
Wed, 22 Aug 2012 18:43:05 +0000 (14:43 -0400)
committerSteve Dickson <steved@redhat.com>
Wed, 22 Aug 2012 19:37:45 +0000 (15:37 -0400)
Newer versions of systemd create a /run/user/${UID} directory
instead of the /run/user/${USER} directory, so switch to
scanning for that.  To make the per-user directory bit a little
less magical, change the default to incorporate a "%U", which
gets dynamically expanded to the user's UID when needed.

Signed-off-by: Steve Dickson <steved@redhat.com>
utils/gssd/gssd.h
utils/gssd/gssd.man
utils/gssd/gssd_proc.c
utils/gssd/krb5_util.c

index 1d923d716f4a52e8ab28924de83821a969f6f53b..86472a1239355d18f2ad2acd6583907a7c6b294a 100644 (file)
@@ -45,7 +45,7 @@
 #define DNOTIFY_SIGNAL         (SIGRTMIN + 3)
 
 #define GSSD_DEFAULT_CRED_DIR                  "/tmp"
 #define DNOTIFY_SIGNAL         (SIGRTMIN + 3)
 
 #define GSSD_DEFAULT_CRED_DIR                  "/tmp"
-#define GSSD_USER_CRED_DIR                     "/run/user"
+#define GSSD_USER_CRED_DIR                     "/run/user/%U"
 #define GSSD_DEFAULT_CRED_PREFIX               "krb5cc"
 #define GSSD_DEFAULT_MACHINE_CRED_SUFFIX       "machine"
 #define GSSD_DEFAULT_KEYTAB_FILE               "/etc/krb5.keytab"
 #define GSSD_DEFAULT_CRED_PREFIX               "krb5cc"
 #define GSSD_DEFAULT_MACHINE_CRED_SUFFIX       "machine"
 #define GSSD_DEFAULT_KEYTAB_FILE               "/etc/krb5.keytab"
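Review bot: GSSD_USER_CRED_DIR is no longer a plain path but a pattern that gssd_setup_krb5_user_gss_ccache() expands at runtime, and nothing at the definition site says so; a reader grepping for the directory will not expect a literal "%U" in a filesystem path. A one-line comment above the define would prevent that confusion, e.g. `/* Pattern, not a path: "%U" is replaced by the uid being looked up, "%%" by a literal '%' */`. It is also worth noting in the same comment that the expansion only happens in the ccache search code, so the macro must not be passed to printf-style functions or used as a path directly.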
index d8138faf0e3f8ac4ce1f15c37c886bf2238bb060..c74b7e8ce4846bfd204170a505e7741e34e75ff4 100644 (file)
@@ -103,9 +103,12 @@ where to look for the rpc_pipefs filesystem.  The default value is
 .B -d directory
 Tells
 .B rpc.gssd
 .B -d directory
 Tells
 .B rpc.gssd
-where to look for Kerberos credential files.  The default value is "/tmp".
-This can also be a colon separated list of directories to be searched
-for Kerberos credential files.  Note that if machine credentials are being
+where to look for Kerberos credential files.  The default value is
+"/tmp:/run/user/%U".
+This can also be a colon separated list of directories to be searched for
+Kerberos credential files.  The sequence "%U", if used, is replaced with
+the UID of the user for whom credentials are being searched.
+Note that if machine credentials are being
 stored in files, then the first directory on this list is where the
 machine credentials are stored.
 .TP
 stored in files, then the first directory on this list is where the
 machine credentials are stored.
 .TP
index e393d5902f578f91134463ed9073c849c69a9499..336f3e9c1686e7bea708289206aebe96e753b221 100644 (file)
@@ -937,23 +937,6 @@ int create_auth_rpc_client(struct clnt_info *clp,
        goto out;
 }
 
        goto out;
 }
 
-static char *
-user_cachedir(char *dirname, uid_t uid)
-{
-       struct passwd *pw;
-       char *ptr;
-
-       if ((pw = getpwuid(uid)) == NULL) {
-               printerr(0, "user_cachedir: Failed to find '%d' uid"
-                           " for cache directory\n");
-               return NULL;
-       }
-       ptr = malloc(strlen(dirname)+strlen(pw->pw_name)+2);
-       if (ptr)
-               sprintf(ptr, "%s/%s", dirname, pw->pw_name);
-
-       return ptr;
-}
 /*
  * this code uses the userland rpcsec gss library to create a krb5
  * context on behalf of the kernel
 /*
  * this code uses the userland rpcsec gss library to create a krb5
  * context on behalf of the kernel
@@ -968,7 +951,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
        gss_buffer_desc         token;
        char                    **credlist = NULL;
        char                    **ccname;
        gss_buffer_desc         token;
        char                    **credlist = NULL;
        char                    **ccname;
-       char                    **dirname, *dir, *userdir;
+       char                    **dirname;
        int                     create_resp = -1;
        int                     err, downcall_err = -EACCES;
 
        int                     create_resp = -1;
        int                     err, downcall_err = -EACCES;
 
@@ -1011,22 +994,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
                                service == NULL)) {
                /* Tell krb5 gss which credentials cache to use */
                for (dirname = ccachesearch; *dirname != NULL; dirname++) {
                                service == NULL)) {
                /* Tell krb5 gss which credentials cache to use */
                for (dirname = ccachesearch; *dirname != NULL; dirname++) {
-                       /* See if the user name is needed */
-                       if (strncmp(*dirname, GSSD_USER_CRED_DIR, 
-                                       strlen(GSSD_USER_CRED_DIR)) == 0) {
-                               userdir = user_cachedir(*dirname, uid);
-                               if (userdir == NULL) 
-                                       continue;
-                               dir = userdir;
-                       } else
-                               dir = *dirname;
-
-                       err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, dir);
-
-                       if (userdir) {
-                               free(userdir);
-                               userdir = NULL;
-                       }
+                       err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname);
                        if (err == -EKEYEXPIRED)
                                downcall_err = -EKEYEXPIRED;
                        else if (!err)
                        if (err == -EKEYEXPIRED)
                                downcall_err = -EKEYEXPIRED;
                        else if (!err)
index 238927622f614c284970b2e5d2360f21046c8f51..60ba594babd4acca780fa7b03e7581ceebb2e331 100644 (file)
@@ -1036,16 +1036,38 @@ err_cache:
  * Returns 0 if a ccache was found, and a non-zero error code otherwise.
  */
 int
  * Returns 0 if a ccache was found, and a non-zero error code otherwise.
  */
 int
-gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername, char *dirname)
+gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername, char *dirpattern)
 {
 {
-       char                    buf[MAX_NETOBJ_SZ];
+       char                    buf[MAX_NETOBJ_SZ], dirname[PATH_MAX];
        const char              *cctype;
        struct dirent           *d;
        const char              *cctype;
        struct dirent           *d;
-       int                     err;
+       int                     err, i, j;
 
        printerr(2, "getting credentials for client with uid %u for "
                    "server %s\n", uid, servername);
 
        printerr(2, "getting credentials for client with uid %u for "
                    "server %s\n", uid, servername);
-       memset(buf, 0, sizeof(buf));
+
+       for (i = 0, j = 0; dirpattern[i] != '\0'; i++) {
+               switch (dirpattern[i]) {
+               case '%':
+                       switch (dirpattern[i + 1]) {
+                       case '%':
+                               dirname[j++] = dirpattern[i];
+                               i++;
+                               break;
+                       case 'U':
+                               j += sprintf(dirname + j, "%lu",
+                                            (unsigned long) uid);
+                               i++;
+                               break;
+                       }
+                       break;
+               default:
+                       dirname[j++] = dirpattern[i];
+                       break;
+               }
+       }
+       dirname[j] = '\0';
+
        err = gssd_find_existing_krb5_ccache(uid, dirname, &cctype, &d);
        if (err)
                return err;
        err = gssd_find_existing_krb5_ccache(uid, dirname, &cctype, &d);
        if (err)
                return err;
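Review bot: The expansion loop writes into the fixed-size stack buffer `dirname[PATH_MAX]` without ever checking `j` against its size, so a long directory pattern (this string comes from the `-d` option per the man page, so it is a local misconfiguration rather than a remote input) overflows the buffer through `dirname[j++] = ...` and the unbounded `sprintf` for "%U". Every single-character store should be guarded and the uid should be written with a bounded `snprintf` whose result is checked, returning a negative errno like the rest of this function. A smaller point: an unrecognised "%x" sequence matches no inner case, so the '%' is silently dropped and only 'x' is copied; if that is intended, a comment saying so would help. The `memset(buf, 0, ...)` that was removed is not replaced in this hunk, so whatever later uses `buf` must be fully initialising it — worth confirming, since the rest of the function lies outside the hunk.
```c
	int			err, i, j, n;
	/* … unchanged: printerr() call … */

	/* Expand "%U" -> uid and "%%" -> '%' into dirname, refusing a result that would not fit. */
	for (i = 0, j = 0; dirpattern[i] != '\0'; i++) {
		if (j + 1 >= (int) sizeof(dirname))
			return -EINVAL;
		switch (dirpattern[i]) {
		case '%':
			switch (dirpattern[i + 1]) {
			case '%':
				dirname[j++] = dirpattern[i];
				i++;
				break;
			case 'U':
				n = snprintf(dirname + j, sizeof(dirname) - j,
					     "%lu", (unsigned long) uid);
				if (n < 0 || (size_t) n >= sizeof(dirname) - j)
					return -EINVAL;
				j += n;
				i++;
				break;
			}
			break;
		default:
			dirname[j++] = dirpattern[i];
			break;
		}
	}
	dirname[j] = '\0';
	/* … unchanged: gssd_find_existing_krb5_ccache() call … */
```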