changeset 5034:7c6859eb3dd0

6598382 idmapd should have its own ccache
author nw141292
date Wed, 12 Sep 2007 15:45:31 -0700
parents 75b59b888626
children 8571b83c9ad0
files usr/src/cmd/idmap/idmapd/idmapd.c usr/src/cmd/idmap/idmapd/idmapd.h
diffstat 2 files changed, 30 insertions(+), 27 deletions(-) [+]
--- a/usr/src/cmd/idmap/idmapd/idmapd.c	Wed Sep 12 14:53:08 2007 -0700
+++ b/usr/src/cmd/idmap/idmapd/idmapd.c	Wed Sep 12 15:45:31 2007 -0700
@@ -80,7 +80,17 @@
 
 /*
  * This is needed for mech_krb5 -- we run as daemon, yes, but we want
- * mech_krb5 to think we're root.
+ * mech_krb5 to think we're root so it can get host/nodename.fqdn
+ * tickets for us so we can authenticate to AD as the machine account
+ * that we are.  For more details look at the entry point in mech_krb5
+ * corresponding to gss_init_sec_context().
+ *
+ * As a side effect of faking our effective UID to mech_krb5 we will use
+ * root's default ccache (/tmp/krb5cc_0).  But if that's created by
+ * another process then we won't have access to it: we run as daemon and
+ * keep PRIV_FILE_DAC_READ, which is insufficient to share the ccache
+ * with others.  We putenv("KRB5CCNAME=/var/run/idmap/ccache") in main()
+ * to avoid this issue; see main().
  *
  * Someday we'll have gss/mech_krb5 extensions for acquiring initiator
  * creds with keytabs/raw keys, and someday we'll have extensions to
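Review bot: The new comment text says the KRB5CCNAME override happens "in main()" (twice, at the end of the added paragraph), but in this same changeset the putenv() call is added to init_idmapd(), not main(); the pointer will send the next reader to the wrong function. Suggested wording: ` * with others.  We putenv("KRB5CCNAME=/var/run/idmap/ccache") in` / ` * init_idmapd() to avoid this issue.` The literal path quoted in the comment should also be stated as the expansion of IDMAP_CACHEDIR "/ccache", since the code uses the macro and the two can drift apart. This comment block continues past the end of the hunk.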
@@ -98,13 +108,6 @@
 	return (0);
 }
 
-static void
-set_signal_handlers() {
-	(void) sigset(SIGPIPE, SIG_IGN);
-	(void) sigset(SIGHUP, hup_handler);
-	(void) sigset(SIGTERM, term_handler);
-}
-
 /*ARGSUSED*/
 static void
 hup_handler(int sig) {
@@ -150,6 +153,7 @@
 	int	filedes[2];
 	pid_t	pid;
 
+	(void) sigset(SIGPIPE, SIG_IGN);
 	devnull = open("/dev/null", O_RDONLY);
 	if (devnull < 0)
 		return (-1);
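Review bot: Ignoring SIGPIPE has moved into daemonize_start(), but that function is only called under `if (daemonize == TRUE)` in main (see the main() hunk, where the unconditional set_signal_handlers() call is removed), so a foreground run of idmapd no longer ignores SIGPIPE at all and a write to a closed client socket or pipe would kill the process. SIGTERM/SIGHUP were re-added unconditionally in main(); SIGPIPE should be too, e.g. one line `(void) sigset(SIGPIPE, SIG_IGN);` placed in main() just before the `if (daemonize == TRUE)` test, which also makes the copy here redundant. If the foreground path ignores SIGPIPE somewhere outside these hunks this does not apply, but nothing in the diff shows that. daemonize_start() begins outside this hunk.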
@@ -163,11 +167,6 @@
 		/*
 		 * parent
 		 */
-		struct sigaction act;
-		act.sa_sigaction = SIG_DFL;
-		(void) sigemptyset(&act.sa_mask);
-		act.sa_flags = 0;
-		(void) sigaction(SIGPIPE, &act, NULL); /* ignore SIGPIPE */
 		(void) close(filedes[1]);
 		if (read(filedes[0], &data, 1) == 1) {
 			/* presume success */
@@ -218,22 +217,13 @@
 	(void) setlocale(LC_ALL, "");
 	(void) textdomain(TEXT_DOMAIN);
 
-	if (is_system_labeled() && (getzoneid() != GLOBAL_ZONEID)) {
+	if (getzoneid() != GLOBAL_ZONEID) {
 		(void) idmapdlog(LOG_ERR,
-		    "idmapd: With TX, idmapd runs only in the global zone");
+		    "idmapd: idmapd runs only in the global zone");
 		exit(1);
 	}
 
-	/* create directories as root and chown to daemon uid */
-	if (create_directory(IDMAP_DBDIR, DAEMON_UID, DAEMON_GID) < 0)
-		exit(1);
-	if (create_directory(IDMAP_CACHEDIR, DAEMON_UID, DAEMON_GID) < 0)
-		exit(1);
-
-	INIT_IDMAPD_STATE();
-
 	(void) mutex_init(&_svcstate_lock, USYNC_THREAD, NULL);
-	set_signal_handlers();
 
 	if (daemonize == TRUE) {
 		if (daemonize_start() < 0) {
@@ -247,6 +237,10 @@
 
 	init_idmapd();
 
+	/* signal handlers that should run only after we're initialized */
+	(void) sigset(SIGTERM, term_handler);
+	(void) sigset(SIGHUP, hup_handler);
+
 	if (__init_daemon_priv(PU_RESETGROUPS|PU_CLEARLIMITSET,
 	    DAEMON_UID, DAEMON_GID,
 	    PRIV_PROC_AUDIT, PRIV_FILE_DAC_READ,
@@ -270,6 +264,18 @@
 init_idmapd() {
 	int	error;
 
+	/* create directories as root and chown to daemon uid */
+	if (create_directory(IDMAP_DBDIR, DAEMON_UID, DAEMON_GID) < 0)
+		exit(1);
+	if (create_directory(IDMAP_CACHEDIR, DAEMON_UID, DAEMON_GID) < 0)
+		exit(1);
+
+	/*
+	 * Set KRB5CCNAME in the environment.  See app_krb5_user_uid()
+	 * for more details.
+	 */
+	putenv("KRB5CCNAME=" IDMAP_CACHEDIR "/ccache");
+
 	memset(&_idmapdstate, 0, sizeof (_idmapdstate));
 
 	if (sysinfo(SI_HOSTNAME, _idmapdstate.hostname,
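Review bot: The return value of putenv() is dropped, and unlike every other ignored call in this file it is not even cast to `(void)`. If putenv() fails (it can, with ENOMEM), KRB5CCNAME stays unset and mech_krb5 silently falls back to root's default ccache, which is precisely the sharing problem this changeset exists to avoid; since init_idmapd() already exits on the directory-creation failures just above, treat this the same way: `if (putenv("KRB5CCNAME=" IDMAP_CACHEDIR "/ccache") != 0) {` / `	(void) idmapdlog(LOG_ERR, "idmapd: putenv(KRB5CCNAME) failed");` / `	exit(1);` with the closing brace. init_idmapd() continues past the end of this hunk.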
--- a/usr/src/cmd/idmap/idmapd/idmapd.h	Wed Sep 12 14:53:08 2007 -0700
+++ b/usr/src/cmd/idmap/idmapd/idmapd.h	Wed Sep 12 15:45:31 2007 -0700
@@ -78,9 +78,6 @@
 } idmapd_state_t;
 extern idmapd_state_t	_idmapdstate;
 
-#define	INIT_IDMAPD_STATE() \
-	(void) memset(&_idmapdstate, 0, sizeof (_idmapdstate));
-
 #define	RDLOCK_CONFIG() \
 	(void) rw_rdlock(&_idmapdstate.rwlk_cfg);
 #define	WRLOCK_CONFIG() \