Bug 2212509
| Summary: | Allow matching multiple wildcards, as described in manpage | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Frank Sorenson <fsorenso> |
| Component: | keyutils | Assignee: | David Howells <dhowells> |
| Status: | NEW --- | QA Contact: | Kun Wang <kunwan> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.7 | CC: | dwysocha, xzhou |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | Bug | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Note: when I said it is not necessary to have cifs+kerberos set up, I meant simply in order to test the matching; either recompiling request-key with debugging enabled or replacing the cifs.upcall with a script that logs its execution would work to verify that the matching is working as expected |
Description of problem: The manpage for request-key.conf(5) states: <op> <type> <description> <callout-info> <prog> <arg1> <arg2> ... The first four fields are used to match the parameters passed to request-key by the kernel. op is the operation type; currently the only supported operation is "create". type, description and callout-info match the three parameters passed to keyctl request2 or the request_key() system call. Each of these may contain one or more asterisk '*' characters as wildcards anywhere within the string. However the code in keyutils.c states that only one asterisk is allowed in the entire pattern: /*****************************************************************************/ /* * attempt to match a datum to a pattern * - one asterisk is allowed anywhere in the pattern to indicate a wildcard * - returns true if matched, false if not */ static int match(const char *pattern, int plen, const char *datum, int dlen) Multiple wildcards are necessary in some cases where multiple dynamic fields exist, for example with cifs.spnego: ver=0x2;host=SERVER_HOSTNAME;ip4=SERVER_IP;sec=krb5;uid=0x0;creduid=0x0;user=USERNAME;pid=PID Version-Release number of selected component (if applicable): keyutils-1.5.10-9.el8.x86_64 How reproducible: easy Steps to Reproduce: Attempt to match with multiple asterisks in the relevant request-key file: /etc/request-key.d/cifs.spnego.conf create cifs.spnego ver=*;host=*;ip4=*;sec=krb5;uid=0x0;creduid=0x0;user=MYUSER1@*,pid=* /usr/sbin/cifs.upcall -t /path/to/MYUSER1.keytab %k create cifs.spnego ver=*;host=*;ip4=*;sec=krb5;uid=0x0;creduid=0x0;user=MYUSER2@*,pid=* /usr/sbin/cifs.upcall -t /path/to/MYUSER2.keytab %k attempt to mount a cifs share using krb5 (it is not necessary to actually have cifs+kerberos set up correctly): # mount //server/share /mnt/tmp -o sec=krb5,user=MYUSER1 # mount //server/share /mnt/tmp -o sec=krb5,user=MYUSER2 Actual results: strings with multiple wildcards will not match Expected results: multiple wildcards are accepted, and work as described in the manpage Additional info: