Re: Detect when KRB5CCNAME changes for certain server scenarios
On 10 Feb 2007 at 04.03, Michael B Allen wrote:
> And what if you do not change uids?
>
> This is a real error that I encountered in my application. Apache
> workers all run as 'nobody' and do not change uids. Once the
> default_cc_name is set for an httpd worker process all subsequent
> authentications by that worker will use the old ccache and
> init_sec_context will fail to find the desired cred.
I also think it's a real problem, sorry if that didn't come across.
Let's try to express this in code instead of words, since I can't get
across what I want the code to do.
Love
--- cache.c 13 Sep 2006 03:35:19 +1000 1.82
+++ cache.c 10 Feb 2007 08:02:45 +1100
@@ -382,6 +382,45 @@
}
/*
+ * Detect if enviroment changed and will require a update to the
+ * default credential cache name.
+ */
+
+static HEIMDAL_MUTEX cc_mutex = HEIMDAL_MUTEX_INITIALIZER;
+static unsigned cc_uid;
+static const char *cc_env;
+
+/* XXX will getenv return same value or should we make a copy */
+
+static int
+cc_env_changed_p(void)
+{
+ int update = 0;
+ const char *s;
+ HEIMDAL_MUTEX_lock(&cc_mutex);
+ s = getenv("KRB5CCNAME");
+ if (cc_env == NULL) {
+ update = 1;
+ goto out;
+ }
+ if (s && s != cc_env) {
+ update = 1;
+ goto out;
+ }
+ if (cc_uid != (unsigned)getuid()) {
+ update = 1;
+ goto out;
+ }
+out:
+ if (update) {
+ cc_env = s;
+ cc_uid = (unsigned)getuid();
+ }
+ HEIMDAL_MUTEX_unlock(&cc_mutex);
+ return update;
+}
+
+/*
* Return a pointer to a context static string containing the default
* ccache name.
*/
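Review bot: `if (s && s != cc_env)` compares the pointer getenv() returns rather than the string, so the check can miss a change (a setenv() that overwrites the entry in place can hand back the same pointer) and can report a spurious one (a different pointer to an unchanged value); the XXX comment above already flags this. Two further cases fall through: while KRB5CCNAME is unset, cc_env stays NULL, so the first test returns update = 1 on every call and krb5_cc_set_default_name() is re-run for every krb5_cc_default_name() call; and when the variable goes from set to unset (s == NULL) no branch fires and the old name is kept. Suggest keeping a strdup() copy in cc_env, comparing with strcmp(), and tracking "seen before" separately from "currently set", e.g. `if (!cc_seen || (s == NULL) != (cc_env == NULL) || (s && strcmp(s, cc_env) != 0))`. The comment also has "enviroment" and "a update".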
@@ -389,7 +428,7 @@
const char* KRB5_LIB_FUNCTION
krb5_cc_default_name(krb5_context context)
{
- if (context->default_cc_name == NULL)
+ if (context->default_cc_name == NULL || cc_env_changed_p())
krb5_cc_set_default_name(context, NULL);
return context->default_cc_name;
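Review bot: cc_env_changed_p() updates process-wide static state, but default_cc_name is per krb5_context, so in a process with several contexts only the first context to call krb5_cc_default_name() after a change sees update == 1; every other context keeps its stale name. Either keep the snapshot (uid and a copy of KRB5CCNAME) in the context, or have the helper compare the environment against a snapshot the caller passes in. The return value of krb5_cc_set_default_name() is also still ignored here, so on failure default_cc_name is returned NULL or stale.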
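For the Apache-worker scenario Michael describes, the detector has to notice the variable being set, changed and unset without depending on pointer identity. The following is an added example, not Love's patch or Heimdal code: a content-based variant that keeps its own copy of the last value and treats "unset" as a state of its own (the name `cc_env_changed`, the `cc_seen` flag and the use of a plain pthread mutex in place of HEIMDAL_MUTEX are this example's own choices).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <pthread.h>
#include <unistd.h>

/* Added example, not Heimdal code. Process-wide snapshot of the last
 * KRB5CCNAME value and uid seen; cc_env is a strdup() copy, or NULL
 * when the variable was unset at the last snapshot. */
static pthread_mutex_t cc_mutex = PTHREAD_MUTEX_INITIALIZER;
static int cc_seen;        /* 0 until the first call */
static unsigned cc_uid;
static char *cc_env;

/* Returns 1 when KRB5CCNAME (set/unset or contents) or the uid differs
 * from the last snapshot, 0 otherwise. The snapshot is refreshed on
 * every reported change. */
static int
cc_env_changed(void)
{
    int update = 0;
    const char *s;
    unsigned uid = (unsigned)getuid();

    pthread_mutex_lock(&cc_mutex);
    s = getenv("KRB5CCNAME");
    if (!cc_seen) {
        update = 1;                              /* first call */
    } else if ((s == NULL) != (cc_env == NULL)) {
        update = 1;                              /* set <-> unset */
    } else if (s != NULL && strcmp(s, cc_env) != 0) {
        update = 1;                              /* contents changed */
    } else if (uid != cc_uid) {
        update = 1;                              /* uid changed */
    }
    if (update) {
        free(cc_env);
        cc_env = s ? strdup(s) : NULL;           /* own copy, not getenv's buffer */
        cc_uid = uid;
        cc_seen = 1;
    }
    pthread_mutex_unlock(&cc_mutex);
    return update;
}
```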