-rw-r--r-- | doc/admin/host_config.rst | 10 | ||||
-rw-r--r-- | doc/mitK5defaults.rst | 1 | ||||
-rw-r--r-- | doc/plugindev/gssapi.rst | 11 | ||||
-rw-r--r-- | doc/user/user_config/kerberos.rst | 6 | ||||
-rwxr-xr-x | src/kadmin/testing/scripts/env-setup.shin | 1 | ||||
-rwxr-xr-x | src/kadmin/testing/scripts/init_db | 1 | ||||
-rw-r--r-- | src/lib/gssapi/mechglue/g_initialize.c | 7 | ||||
-rw-r--r-- | src/man/kerberos.man | 6 | ||||
-rw-r--r-- | src/tests/Makefile.in | 2 | ||||
-rw-r--r-- | src/tests/dejagnu/config/default.exp | 15 | ||||
-rw-r--r-- | src/util/k5test.py | 2 |
11 files changed, 51 insertions, 11 deletions
diff --git a/doc/admin/host_config.rst b/doc/admin/host_config.rst index 6df2504..e186dd4 100644 --- a/doc/admin/host_config.rst +++ b/doc/admin/host_config.rst @@ -199,10 +199,9 @@ GSSAPI mechanism modules ~~~~~~~~~~~~~~~~~~~~~~~~ GSSAPI mechanism modules are registered using the file -``/etc/gss/mech`` or configuration files in the ``/etc/gss/mech.d/`` -directory. Only files with a ``.conf`` suffix will be read from the -``/etc/gss/mech.d/`` directory. Each line in these files has the -form:: +|sysconfdir|\ ``/gss/mech`` or configuration files in the +|sysconfdir|\ ``/gss/mech.d`` directory with a ``.conf`` +suffix. Each line in these files has the form:: oid pathname [options] <type> @@ -214,6 +213,9 @@ options provided to the plugin module, surrounded in square brackets. Currently the only special module type is "interposer", for a module designed to intercept calls to other mechanisms. +If the environment variable **GSS_MECH_CONFIG** is set, its value is +used as the sole mechanism configuration filename. + .. _profile_plugin_config: diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst index 65d904e..58f4f16 100644 --- a/doc/mitK5defaults.rst +++ b/doc/mitK5defaults.rst @@ -14,6 +14,7 @@ Client :ref:`keytab_definition` file |ckeytab| **KRB Kerberos config file :ref:`krb5.conf(5)` |krb5conf|\ ``:``\ **KRB5_CONFIG** |sysconfdir|\ ``/krb5.conf`` KDC config file :ref:`kdc.conf(5)` |kdcdir|\ ``/kdc.conf`` **KRB5_KDC_PROFILE** +GSS mechanism config file |sysconfdir|\ ``/gss.mech`` **GSS_MECH_CONFIG** KDC database path (DB2) |kdcdir|\ ``/principal`` Master key :ref:`stash_definition` |kdcdir|\ ``/.k5.``\ *realm* Admin server ACL file :ref:`kadm5.acl(5)` |kdcdir|\ ``/kadm5.acl`` diff --git a/doc/plugindev/gssapi.rst b/doc/plugindev/gssapi.rst index 34fc9e4..28e62ae 100644 --- a/doc/plugindev/gssapi.rst +++ b/doc/plugindev/gssapi.rst 
@@ -9,8 +9,7 @@ the set of built-in mechanisms. A mechanism module is a Unix shared object or Windows DLL, built separately from the krb5 tree. Modules are loaded according to the -``/etc/gss/mech`` or ``/etc/gss/mech.d/*.conf`` config files, as -described in :ref:`gssapi_plugin_config`. +GSS mechanism config files described in :ref:`gssapi_plugin_config`. For the most part, a GSSAPI mechanism module exports the same functions as would a GSSAPI implementation itself, with the same @@ -45,10 +44,10 @@ with the following signature:: gss_OID_set gss_mech_interposer(gss_OID mech_type); This function is invoked with the OID of the interposer mechanism as -specified in ``/etc/gss/mech`` or in a ``/etc/gss/mech.d/*.conf`` -file, and returns a set of mechanism OIDs to be interposed. The -returned OID set must have been created using the mechglue's -gss_create_empty_oid_set and gss_add_oid_set_member functions. +specified in the mechanism config file, and returns a set of mechanism +OIDs to be interposed. The returned OID set must have been created +using the mechglue's gss_create_empty_oid_set and +gss_add_oid_set_member functions. An interposer module must use the prefix ``gssi_`` for the GSSAPI functions it exports, instead of the prefix ``gss_``. diff --git a/doc/user/user_config/kerberos.rst b/doc/user/user_config/kerberos.rst index bcb79d9..1830447 100644 --- a/doc/user/user_config/kerberos.rst +++ b/doc/user/user_config/kerberos.rst @@ -142,6 +142,12 @@ programs. These include: **KPROP_PORT** :ref:`kprop(8)` port to use. Defaults to 754. +**GSS_MECH_CONFIG** + Specifies a filename containing GSSAPI mechanism module + configuration. The default is to read |sysconfdir|\ ``/gss/mech`` + and files with a ``.conf`` suffix within the directory + |sysconfdir|\ ``/gss/mech.d``. + Most environment variables are disabled for certain programs, such as login system programs and setuid programs, which are designed to be secure when run within an untrusted process environment. 
diff --git a/src/kadmin/testing/scripts/env-setup.shin b/src/kadmin/testing/scripts/env-setup.shin index 8c29bb9..084dadc 100755 --- a/src/kadmin/testing/scripts/env-setup.shin +++ b/src/kadmin/testing/scripts/env-setup.shin @@ -82,6 +82,7 @@ KRB5_KDC_PROFILE=$K5ROOT/kdc.conf; export KRB5_KDC_PROFILE KRB5_KTNAME=$K5ROOT/ovsec_adm.keytab; export KRB5_KTNAME KRB5_CLIENT_KTNAME=$K5ROOT/client_keytab; export KRB5_CLIENT_KTNAME KRB5CCNAME=$K5ROOT/krb5cc_unit-test; export KRB5CCNAME +GSS_MECH_CONFIG=$K5ROOT/mech.conf; export GSS_MECH_CONFIG # Make sure we don't get confused by translated messages # or localized times. diff --git a/src/kadmin/testing/scripts/init_db b/src/kadmin/testing/scripts/init_db index 2496be2..c3a1499 100755 --- a/src/kadmin/testing/scripts/init_db +++ b/src/kadmin/testing/scripts/init_db @@ -225,6 +225,7 @@ setenv KRB5_CONFIG $KRB5_CONFIG setenv KRB5_KDC_PROFILE $KRB5_KDC_PROFILE setenv KRB5_KTNAME $KRB5_KTNAME setenv KRB5_CLIENT_KTNAME $KRB5_CLIENT_KTNAME +setenv GSS_MECH_CONFIG $GSS_MECH_CONFIG $KRB5_RUN_ENV_CSH EOF diff --git a/src/lib/gssapi/mechglue/g_initialize.c b/src/lib/gssapi/mechglue/g_initialize.c index 0ad11c0..394869e 100644 --- a/src/lib/gssapi/mechglue/g_initialize.c +++ b/src/lib/gssapi/mechglue/g_initialize.c @@ -473,12 +473,19 @@ loadConfigFiles() glob_t globbuf; time_t highest = 0, now; char **path; + const char *val; /* Don't glob and stat more than once per second. */ if (time(&now) == (time_t)-1 || now == g_confLastCall) return; g_confLastCall = now; + val = secure_getenv("GSS_MECH_CONFIG"); + if (val != NULL) { + load_if_changed(val, g_confFileModTime, &g_confFileModTime); + return; + } + load_if_changed(MECH_CONF, g_confFileModTime, &highest); memset(&globbuf, 0, sizeof(globbuf)); diff --git a/src/man/kerberos.man b/src/man/kerberos.man index a109538..effdd8e 100644 --- a/src/man/kerberos.man +++ b/src/man/kerberos.man 
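Review bot: The new `secure_getenv("GSS_MECH_CONFIG")` branch in loadConfigFiles() has no comment saying why it must stay secure_getenv() rather than getenv(): the file it names lists shared objects for the mechglue to load, so honoring it in setuid/setgid processes would let an unprivileged environment choose which modules a privileged program loads. Suggest `/* secure_getenv(): the named file selects shared objects to load, so it must be ignored in setuid/setgid processes. */` directly above the call, and noting in the same comment that the early return deliberately skips MECH_CONF and the mech.d glob, matching the docs' "sole mechanism configuration filename" wording. Separately, the mitK5defaults.rst hunk gives the default as ``/gss.mech`` while every other hunk says ``/gss/mech``, which looks like a typo in the new text. loadConfigFiles() continues past the end of this hunk.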
@@ -174,6 +174,12 @@ used). .TP \fBKPROP_PORT\fP kprop(8) port to use. Defaults to 754. +.TP +\fBGSS_MECH_CONFIG\fP +Specifies a filename containing GSSAPI mechanism module +configuration. The default is to read \fB@SYSCONFDIR@\fP\fB/gss/mech\fP +and files with a \fB\&.conf\fP suffix within the directory +\fB@SYSCONFDIR@\fP\fB/gss/mech.d\fP\&. .UNINDENT .sp Most environment variables are disabled for certain programs, such as diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in index 88545e3..81ca4cb 100644 --- a/src/tests/Makefile.in +++ b/src/tests/Makefile.in @@ -4,7 +4,7 @@ SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \ gss-threads misc threads softpkcs11 RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \ - LC_ALL=C $(VALGRIND) + GSS_MECH_CONFIG=mech.conf LC_ALL=C $(VALGRIND) OBJS= adata.o etinfo.o forward.o gcred.o hist.o hooks.o hrealm.o \ icinterleave.o icred.o kdbtest.o localauth.o plugorder.o rdreq.o \ diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp index 93e2fb0..4cd7775 100644 --- a/src/tests/dejagnu/config/default.exp +++ b/src/tests/dejagnu/config/default.exp @@ -470,6 +470,7 @@ proc envstack_pop { } { # set envvars_tosave { KRB5_CONFIG KRB5CCNAME KRB5_CLIENT_KTNAME KRB5RCACHEDIR KRB5_KDC_PROFILE + GSS_MECH_CONFIG } set krb5_init_vars [list ] # XXX -- fix me later! @@ -853,6 +854,12 @@ if [ info exists env(KRB5RCACHEDIR)] { catch "unset orig_krb5rcachedir" } +if [ info exists env(GSS_MECH_CONFIG)] { + set orig_gss_mech_config $env(GSS_MECH_CONFIG) +} else { + catch "unset orig_gss_mech_config" +} + # setup_kerberos_env # Set the environment variables needed to run Kerberos programs. 
@@ -883,6 +890,11 @@ proc setup_kerberos_env { {type client} } { set env(KRB5RCACHEDIR) $tmppwd verbose "KRB5RCACHEDIR=$env(KRB5RCACHEDIR)" + # Direct the GSS library at a nonexistent file in the temporary + # directory, to avoid interference from system configuration. + set env(GSS_MECH_CONFIG) $tmppwd/mech.conf + verbose "GSS_MECH_CONFIG=$env(GSS_MECH_CONFIG)" + # Get the run time environment variables... (including LD_LIBRARY_PATH) setup_runtime_env @@ -905,6 +917,7 @@ proc setup_kerberos_env { {type client} } { puts $envfile "KRB5CCNAME=$env(KRB5CCNAME)" puts $envfile "KRB5_CLIENT_KTNAME=$env(KRB5_CLIENT_KTNAME)" puts $envfile "KRB5RCACHEDIR=$env(KRB5RCACHEDIR)" + puts $envfile "GSS_MECH_CONFIG=$env(GSS_MECH_CONFIG)" if [info exists env(KRB5_KDC_PROFILE)] { puts $envfile "KRB5_KDC_PROFILE=$env(KRB5_KDC_PROFILE)" } else { @@ -912,6 +925,7 @@ proc setup_kerberos_env { {type client} } { } puts $envfile "export KRB5_CONFIG KRB5CCNAME KRB5RCACHEDIR" puts $envfile "export KRB5_KDC_PROFILE KRB5_CLIENT_KTNAME" + puts $envfile "export GSS_MECH_CONFIG" foreach i $krb5_init_vars { regexp "^(\[^=\]*)=(.*)" $i foo evar evalue puts $envfile "$evar=$env($evar)" @@ -925,6 +939,7 @@ proc setup_kerberos_env { {type client} } { puts $envfile "setenv KRB5CCNAME $env(KRB5CCNAME)" puts $envfile "setenv KRB5_CLIENT_KTNAME $env(KRB5_CLIENT_KTNAME)" puts $envfile "setenv KRB5RCACHEDIR $env(KRB5RCACHEDIR)" + puts $envfile "setenv GSS_MECH_CONFIG $env(GSS_MECH_CONFIG)" if [info exists env(KRB5_KDC_PROFILE)] { puts $envfile "setenv KRB5_KDC_PROFILE $env(KRB5_KDC_PROFILE)" } else { diff --git a/src/util/k5test.py b/src/util/k5test.py index 2a042ff..89ebacd 100644 --- a/src/util/k5test.py +++ b/src/util/k5test.py 
@@ -884,6 +884,7 @@ class K5Realm(object): self.keytab = os.path.join(self.testdir, 'keytab') self.client_keytab = os.path.join(self.testdir, 'client_keytab') self.ccache = os.path.join(self.testdir, 'ccache') + self.gss_mech_config = os.path.join(self.testdir, 'mech.conf') self.kadmin_ccache = os.path.join(self.testdir, 'kadmin_ccache') self._krb5_conf = _cfg_merge(_default_krb5_conf, krb5_conf) base_kdc_conf = _default_kdc_conf @@ -1002,6 +1003,7 @@ class K5Realm(object): env['KRB5RCACHEDIR'] = self.testdir env['KPROPD_PORT'] = str(self.kprop_port()) env['KPROP_PORT'] = str(self.kprop_port()) + env['GSS_MECH_CONFIG'] = self.gss_mech_config return env def run(self, args, env=None, **keywords): |
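Review bot: `self.gss_mech_config` is set to a path under the test directory that nothing in this hunk creates, and there is no comment saying that is intentional, so a reader may take it for a file the harness is expected to write. The dejagnu change in the same commit spells out the rationale (a nonexistent file keeps the GSS library from reading system configuration), and presumably the same applies here; a matching comment would help, e.g. `# Not created by the harness: pointing GSS_MECH_CONFIG at a nonexistent file keeps tests from picking up the system mechanism configuration.` The enclosing method starts and ends outside the hunk.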