tids prints bad error on wrong gss name
Bug #1325953 reported by
Sam Hartman
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Moonshot Trust-Router |
Fix Released
|
High
|
Jennifer Richards | ||
Bug Description
When the gss name specified on the command line does not match the gss name in the incoming request tids_auth_handler returns 1 without printing an error message.
The return value is treated as an errno or com_err value.
Recommendations:
* Print a specific authorization failure error
* return the appropriate errno value for authorization denied.
| Changed in moonshot-tr: | |
| status: | New → Confirmed |
| Changed in moonshot-tr: | |
| assignee: | nobody → Jennifer Richards (jennifer-k) |
| Changed in moonshot-tr: | |
| status: | Confirmed → In Progress |
Revision history for this message
| Jennifer Richards (jennifer-k) wrote | #1 |
Revision history for this message
| Sam Hartman (hartmans) wrote Re: [Bug 1325953] Re: tids prints bad error on wrong gss name | #2 |
Revision history for this message
| Jennifer Richards (jenny-borkbork) wrote | #3 |
| Changed in moonshot-tr: | |
| status: | In Progress → Fix Released |
To post a comment you must log in.
I have a patch for this, using EACCES as the error code. It results in output like:
Auth denied for incorrect gss-name ('<email address hidden>' requested, expected '<email address hidden>').
tids_auth_cb: client '<email address hidden>' denied authorization.
Authenticate failed: Permission denied (err = 13)
tids_auth_
tids_handle_
If there's no objection, I'll commit this.