Using the /tmp directory can lead to bugs and DoS of the Apache process
because any user on the system can block the creation of files with
predictable names.
Simply error out if GssapiDelegCcacheDir is not explicitly set.
Signed-off-by: Simo Sorce <simo@redhat.com>
+static bool use_s4u2proxy(struct mag_req_cfg *req_cfg) {
+ if (req_cfg->cfg->use_s4u2proxy) {
+ if (req_cfg->cfg->deleg_ccache_dir != NULL) {
+ return true;
+ } else {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req_cfg->req,
+ "S4U2 Proxy requested but GssapiDelegCcacheDir "
+ "is not set. Constrained delegation disabled!");
+ }
+ }
+ return false;
+}
+
static int mag_auth(request_rec *req)
{
const char *type;
static int mag_auth(request_rec *req)
{
const char *type;
req->ap_auth_type = apr_pstrdup(req->pool, auth_types[auth_type]);
#ifdef HAVE_CRED_STORE
req->ap_auth_type = apr_pstrdup(req->pool, auth_types[auth_type]);
#ifdef HAVE_CRED_STORE
- if (cfg->use_s4u2proxy) {
+ if (use_s4u2proxy(req_cfg)) {
cred_usage = GSS_C_BOTH;
}
#endif
cred_usage = GSS_C_BOTH;
}
#endif
struct mag_config *cfg = (struct mag_config *)mconfig;
cfg->use_s4u2proxy = on ? true : false;
struct mag_config *cfg = (struct mag_config *)mconfig;
cfg->use_s4u2proxy = on ? true : false;
- if (cfg->deleg_ccache_dir == NULL) {
- cfg->deleg_ccache_dir = apr_pstrdup(parms->pool, "/tmp");
- }
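Review bot: The guard in `use_s4u2proxy()` only tests `deleg_ccache_dir != NULL`, so explicitly configuring `GssapiDelegCcacheDir /tmp`, or any directory other local users can write to, brings back the blocked-file-name problem the commit message describes. I would document that requirement above the helper, for example `/* deleg_ccache_dir must be writable only by the server user; a shared directory lets other local users pre-create the ccache file names. */`, and repeat it in the directive's documentation. The helper also logs at `APLOG_ERR` on every request and then carries on without delegation, which is not quite the "error out" the message promises; as this is a static configuration mistake it could presumably be rejected once at startup instead. `mag_auth()` continues outside the visible hunks, so any remaining direct read of `cfg->use_s4u2proxy` there should go through the helper too.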