Bug 243910

Summary: krb5-libs are not thread-safe
Product: Red Hat Enterprise Linux 4 Reporter: Nathan Kinder <nkinder>
Component: cyrus-sasl Assignee: Steve Conklin <sconklin>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: low Docs Contact:
Priority: low    
Version: 4.5 CC: ckannan, jplans, kevinu, shaines
Hardware: All   
OS: Linux   
Fixed In Version: RHSA-2007-0795 Doc Type: Bug Fix
Last Closed: 2007-09-04 14:49:40 UTC Type: ---
Bug Blocks: 240316    

Description Nathan Kinder 2007-06-12 17:45:40 UTC
The Kerberos libraries included in RHEL-4 are not thread-safe.  This presents
problems for multi-threaded server software that accepts Kerberos authentication.

Newer Kerberos versions (1.5 and later) are supposed to be thread-safe.  Is it
possible to backport any of these changes to make the libraries thread-safe on
RHEL-4?  I have seen this done on other operating systems where pre-1.5 versions
of Kerberos were made thread-safe.

Comment 1 Nalin Dahyabhai 2007-06-12 19:44:56 UTC
Thread-safety should have been sorted in the 1.4 release, but RHEL 4 included
version 1.3.4.  A workaround I've seen used is to put a mutex around the
gss_accept_security_context() function calls.  I can't say what kind of (if any)
performance hit this might create.

I'm not sure that backporting the proper fixes (threading mutexes through
libkrb5 and the gssapi libraries, at least) is really feasible at this point.

Comment 2 Nathan Kinder 2007-06-12 20:48:45 UTC
Since I'm coding my multi-threaded application against the SASL API, I don't
have an option to add a mutex around gss_accept_security_context().  This would
need to be done in the SASL GSSAPI plugin.

Since the Kerberos libraries are not, and will not be, thread-safe on RHEL-4, is
it possible to add a mutex around gss_accept_security_context() in the GSSAPI
SASL plugin that we include as a part of the cyrus-sasl-gssapi package?  The
mutex would only be used if the application that was coded against SASL passes
in its own mutex function callbacks by calling sasl_set_mutex(), otherwise it
would have no effect.

Comment 3 Nalin Dahyabhai 2007-06-12 21:01:11 UTC
Yes, I think that's doable.  It looks like that was done in 2.1.20,
while RHEL 4 has 2.1.19 and RHEL 5 has 2.1.22.  The patch looks pretty
well-isolated.  Moving to cyrus-sasl and proposing for 4.6 as an
exception.
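
The workaround discussed in comments 1 to 3, as an added example that is not part of the original bug report and is not cyrus-sasl's code: pthread-backed callbacks in the shape sasl_set_mutex() takes, and a guard that serializes a non-thread-safe call only when the application supplied a mutex. The `app_mutex_*`, `gss_guard`, `guarded_accept` and `run_guarded` names are hypothetical, and `fake_accept` is a constructed stand-in for gss_accept_security_context().

```c
#include <pthread.h>
#include <stdlib.h>

/* Callbacks shaped like sasl_mutex_alloc_t / lock_t / unlock_t / free_t. */
static void *app_mutex_alloc(void) {
    pthread_mutex_t *m = malloc(sizeof *m);
    if (m != NULL && pthread_mutex_init(m, NULL) != 0) { free(m); m = NULL; }
    return m;
}
static int app_mutex_lock(void *m)   { return pthread_mutex_lock(m) == 0 ? 0 : -1; }
static int app_mutex_unlock(void *m) { return pthread_mutex_unlock(m) == 0 ? 0 : -1; }
static void app_mutex_free(void *m)  { if (m) { pthread_mutex_destroy(m); free(m); } }
/* A real server would hand these four to sasl_set_mutex() at startup. */

static void *gss_guard;    /* hypothetical process-wide lock (assumption) */
static long unsafe_state;  /* constructed stand-in for non-thread-safe library state */

/* Constructed stand-in for gss_accept_security_context(): racy read-modify-write. */
static void fake_accept(void) { volatile long v = unsafe_state; unsafe_state = v + 1; }

/* Serialize the call only when the application supplied a mutex. */
static int guarded_accept(void) {
    if (gss_guard && app_mutex_lock(gss_guard) != 0) return -1;
    fake_accept();
    if (gss_guard && app_mutex_unlock(gss_guard) != 0) return -1;
    return 0;
}

static void *worker(void *arg) {
    for (long i = 0; i < *(long *)arg; i++) guarded_accept();
    return NULL;
}

/* Run up to 16 threads, `calls` accepts each; return the final counter. */
long run_guarded(int threads, long calls) {
    pthread_t tid[16];
    int started = 0;
    unsafe_state = 0;
    gss_guard = app_mutex_alloc();
    while (started < threads && started < 16 &&
           pthread_create(&tid[started], NULL, worker, &calls) == 0) started++;
    for (int i = 0; i < started; i++) pthread_join(tid[i], NULL);
    app_mutex_free(gss_guard);
    gss_guard = NULL;
    return unsafe_state;
}

int main(void) { return run_guarded(8, 20000) == 160000 ? 0 : 1; }
```

Build with `-pthread`. With the guard in place every increment is counted; leaving `gss_guard` NULL (no mutex supplied) makes the counter race, which is the "no effect" case described in comment 2.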

Comment 15 Red Hat Bugzilla 2007-09-04 14:49:40 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0795.html