From owner-freebsd-current@FreeBSD.ORG Mon Feb 18 16:06:15 2013 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 5D5AB5BA for ; Mon, 18 Feb 2013 16:06:15 +0000 (UTC) (envelope-from lokedhs@gmail.com) Received: from mail-lb0-f181.google.com (mail-lb0-f181.google.com [209.85.217.181]) by mx1.freebsd.org (Postfix) with ESMTP id B5D59709 for ; Mon, 18 Feb 2013 16:06:14 +0000 (UTC) Received: by mail-lb0-f181.google.com with SMTP id gm6so4292225lbb.26 for ; Mon, 18 Feb 2013 08:06:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=AjYu5h10RZ3NCbIKTZaI/rhuz8QRF4I8ne5kbj9dQSs=; b=SAenXA2aqQwZTNlaKQ02hAyQnBMoNyHKlrwZsB2BSLdgfqZdHuuV1aSfOBhkQoWK9m xx3mOFnzK8DVPZWV3m0TEjHrGuHzA+2CSswYjM3bcJHuCgh8yaeCrn13mwMxhbQ3VNmR JfJAcQ0TUEihnD2B7uR11dtnC01ZsBYl2LkVNsoeiY8o1oE9XU9hDiHe+6AD99NM1jJl Vuju9A1ROxz08TFDaDdmED2GH/r9a9LcpBcImOUJFeookATGb5BsMSPIIBJUJ6Hw0qXy 96bUo2zZ7j4DyMFseCnBqjpgFOknkBryrpElMauCJ3+juJrvXKl1107j2tUxLnvTq+sW eemw== MIME-Version: 1.0 X-Received: by 10.112.26.10 with SMTP id h10mr5962539lbg.63.1361203573289; Mon, 18 Feb 2013 08:06:13 -0800 (PST) Received: by 10.112.41.68 with HTTP; Mon, 18 Feb 2013 08:06:13 -0800 (PST) In-Reply-To: <477291850.3084864.1361113135205.JavaMail.root@erie.cs.uoguelph.ca> References: <477291850.3084864.1361113135205.JavaMail.root@erie.cs.uoguelph.ca> Date: Tue, 19 Feb 2013 00:06:13 +0800 Message-ID: Subject: Re: Possible bug in NFSv4 with krb5p security? From: =?ISO-8859-1?Q?Elias_M=E5rtenson?= To: Rick Macklem Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: freebsd-current@freebsd.org, Benjamin Kaduk X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2013 16:06:15 -0000 On 17 February 2013 22:58, Rick Macklem wrote: I think the Makefiles are in the kerberos5 directory. > > Since the only function you care about is the one in > kerberos5/lib/libgssapi_krb5/pname_to_uid.c, I'd > just put a copy of that file in usr.sbin/gssd and > modify the Makefile there to compile it and link > its .o into gssd, avoiding rebuilding any libraries. > > I'd put a couple of fprintf(stderr, ...) in it and > then run "gssd -d" and see what it says. > > Just how I'd attack it, rick Good news! The problem is solved! You were right, the problem was in pname_to_uid.c. In it, the following code can be found: char lname[MAXLOGNAME + 1], buf[1024]; /* some code snipped for brevity... */ getpwnam_r(lname, &pwd, buf, sizeof(buf), &pw); if (pw) { *uidp = pw->pw_uid; return (GSS_S_COMPLETE); } else { return (GSS_S_FAILURE); } As it turns out, the getpwnam_r() call fails with ERANGE (I had to check the return value from getpwnam_r() in order to determine this, as pw is set to NULL both if there was an error or if the user name can't be found). Now, increasing the size of buf to 1024 solved the problem, and now the lookup works correctly. I wrote a small test program that issued the same call to getpwnam_r() and it worked. Until I su'ed to root, and then it failed. It seems as though the buffer needs to be bigger if you're root. I have no idea why, but there you have it. Problem solved. Should this be fixed in the main codebase? Oh, and thanks so much to all of you for being patient with me while solving this. I really appreciate it. Also, I'd like to say that the code base was quite pleasant to work with. Thanks for that too. :-) Regards, Elias