Bug 243910 - krb5-libs are not thread-safe
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: cyrus-sasl
All Linux
low Severity low
Assigned To: Steve Conklin
Brian Brock
Depends On:
Blocks: 240316
Reported: 2007-06-12 13:45 EDT by Nathan Kinder
Modified: 2007-11-16 20:14 EST
Fixed In Version: RHSA-2007-0795
Doc Type: Bug Fix
Last Closed: 2007-09-04 10:49:40 EDT
Description Nathan Kinder 2007-06-12 13:45:40 EDT
The kerberos libraries included in RHEL-4 are not thread-safe.  This presents
problems for multi-threaded server software that accepts kerberos authentication.

Newer Kerberos versions (1.5 and later) are supposed to be thread-safe.  Is it
possible to backport any of these changes to make the libraries thread-safe on
RHEL-4?  I have seen this done on other operating systems where pre-1.5 versions
of kerberos were made thread-safe.
Comment 1 Nalin Dahyabhai 2007-06-12 15:44:56 EDT
Thread-safety should have been sorted in the 1.4 release, but RHEL 4 included
version 1.3.4.  A workaround I've seen used is to put a mutex around the
gss_accept_security_context() function calls.  I can't say what kind of (if any)
performance hit this might create.

I'm not sure that backporting the proper fixes (threading mutexes through
libkrb5 and the gssapi libraries, at least) is really feasible at this point.
Comment 2 Nathan Kinder 2007-06-12 16:48:45 EDT
Since I'm coding my multi-threaded application against the SASL api, I don't
have an option to add a mutex around gss_accept_security_context().  This would
need to be done in the SASL GSSAPI plugin.

Since the Kerberos libraries are not, and will not, be thread-safe on RHEL-4, is
it possible to add a mutex around gss_accept_security_context() in the GSSAPI
SASL plugin that we include as a part of the cyrus-sasl-gssapi package?  The
mutex would only be used if the application that was coded against SASL passes
in its own mutex function callbacks by calling sasl_set_mutex(), otherwise it
would have no effect.
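
The pattern requested in Comment 2, shown as an added example that is not part of the thread and is not cyrus-sasl or krb5 code: a plugin-side wrapper serializes a non-thread-safe call only when the application has registered mutex callbacks. `set_mutex_callbacks()`, `plugin_accept_step()` and `unsafe_library_call()` are hypothetical stand-ins for sasl_set_mutex(), the plugin's call site and gss_accept_security_context().

```c
#include <pthread.h>
#include <stdlib.h>

/* Callback shapes the application hands over (hypothetical, for illustration). */
typedef void *(*mutex_alloc_fn)(void);
typedef int (*mutex_lock_fn)(void *);
typedef int (*mutex_unlock_fn)(void *);

static mutex_lock_fn lock_cb;     /* NULL until the application registers callbacks */
static mutex_unlock_fn unlock_cb;
static void *plugin_mutex;

/* Hypothetical registration hook, playing the role sasl_set_mutex() has in the thread. */
void set_mutex_callbacks(mutex_alloc_fn a, mutex_lock_fn l, mutex_unlock_fn u) {
    plugin_mutex = a ? a() : NULL;
    lock_cb = l;
    unlock_cb = u;
}

/* Stand-in for the non-thread-safe library call: unsynchronized read-modify-write. */
static volatile long shared_state;
static void unsafe_library_call(void) { long v = shared_state; shared_state = v + 1; }

/* Plugin-side wrapper: takes the lock only if callbacks exist, otherwise no effect. */
void plugin_accept_step(void) {
    int locked = lock_cb && plugin_mutex && lock_cb(plugin_mutex) == 0;
    unsafe_library_call();
    if (locked && unlock_cb) unlock_cb(plugin_mutex);
}

/* Application-side callbacks backed by pthreads. */
void *app_mutex_alloc(void) {
    pthread_mutex_t *m = malloc(sizeof *m);
    if (m && pthread_mutex_init(m, NULL) != 0) { free(m); m = NULL; }
    return m;
}
int app_mutex_lock(void *m) { return pthread_mutex_lock(m); }
int app_mutex_unlock(void *m) { return pthread_mutex_unlock(m); }

static long calls_per_thread;
static void *worker(void *unused) {
    (void)unused;
    for (long i = 0; i < calls_per_thread; i++) plugin_accept_step();
    return NULL;
}

/* Run up to 16 threads through the wrapper; return the final counter value. */
long run_workers(int nthreads, long calls) {
    pthread_t t[16];
    int n = 0;
    shared_state = 0;
    calls_per_thread = calls;
    while (n < nthreads && n < 16 && pthread_create(&t[n], NULL, worker, NULL) == 0) n++;
    for (int i = 0; i < n; i++) pthread_join(t[i], NULL);
    return shared_state;
}
```

With callbacks registered, concurrent workers produce an exact count; without them the wrapper adds no locking, which is only safe for single-threaded callers.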
Comment 3 Nalin Dahyabhai 2007-06-12 17:01:11 EDT
Yes, I think that's doable.  It looks like that was done in 2.1.20,
while RHEL 4 has 2.1.19 and RHEL 5 has 2.1.22.  The patch looks pretty
well-isolated.  Moving to cyrus-sasl and proposing for 4.6 as an
Comment 15 Red Hat Bugzilla 2007-09-04 10:49:40 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

