From: Greg Hudson Date: Fri, 14 Jun 2013 05:55:27 +0000 (-0400) Subject: Rely on module ordering for localauth X-Git-Tag: krb5-1.12-alpha1~125 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a6765ca3fa82fa9ac8045fb583d168c542b19585;p=thirdparty%2Fkrb5.git Rely on module ordering for localauth Register built-in localauth modules in the order we want them used by default, and document accordingly. ticket: 7665 --- diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst index 0fd3f2c1d5..699628f563 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst 
@@ -749,30 +749,30 @@ for the local authorization interface, which affects the relationship between Kerberos principals and local system accounts. The following built-in modules exist for this interface: -**auth_to_local** - This module processes **auth_to_local** values in the default - realm's section, and applies the default method if no - **auth_to_local** values exist. - -**an2ln** - This module authorizes a principal to a local account if the - principal name maps to the local account name. - **default** This module implements the **DEFAULT** type for **auth_to_local** values. -**k5login** - This module authorizes a principal to a local account according to - the account's :ref:`.k5login(5)` file. +**rule** + This module implements the **RULE** type for **auth_to_local** + values. **names** This module looks for an **auth_to_local_names** mapping for the principal name. -**rule** - This module implements the **RULE** type for **auth_to_local** - values. +**auth_to_local** + This module processes **auth_to_local** values in the default + realm's section, and applies the default method if no + **auth_to_local** values exist. + +**k5login** + This module authorizes a principal to a local account according to + the account's :ref:`.k5login(5)` file. + +**an2ln** + This module authorizes a principal to a local account if the + principal name maps to the local account name. PKINIT options diff --git a/doc/plugindev/localauth.rst b/doc/plugindev/localauth.rst index 8a87f3ed9c..6f396a9c12 100644 --- a/doc/plugindev/localauth.rst +++ b/doc/plugindev/localauth.rst 
@@ -33,10 +33,10 @@ residual string of the **auth_to_local** value. If the module does not set **an2ln_types** but does implement **an2ln**, the module's **an2ln** method will be invoked for all -:c:func:`krb5_aname_to_localname` operations before the built-in -mechanisms are applied, with *type* and *residual* set to NULL. The -module can return KRB5_LNAME_NO_TRANS to defer mapping to the built-in -mechanisms. +:c:func:`krb5_aname_to_localname` operations unless an earlier module +determines a mapping, with *type* and *residual* set to NULL. The +module can return KRB5_LNAME_NO_TRANS to defer mapping to later +modules. If a module implements **an2ln**, it must also implement **free_string** to ensure that memory is allocated and deallocated diff --git a/src/lib/krb5/os/localauth.c b/src/lib/krb5/os/localauth.c index e48b3a9096..82fc1f9508 100644 --- a/src/lib/krb5/os/localauth.c +++ b/src/lib/krb5/os/localauth.c @@ -100,18 +100,6 @@ check_conflict(krb5_context context, struct localauth_module_handle **list, return 0; } -/* If mod is in list, move it to the back. */ -static void -move_to_back(krb5_plugin_initvt_fn *list, krb5_plugin_initvt_fn mod) -{ - for (; *list != NULL && *list != mod; list++); - if (*list == NULL) - return; - for (; *list != NULL; list++) - *list = *(list + 1); - *(list - 1) = mod; -} - /* Get the registered localauth modules including all built-in modules, in the * proper order. */ static krb5_error_code 
@@ -123,18 +111,18 @@ get_modules(krb5_context context, krb5_plugin_initvt_fn **modules_out)
     *modules_out = NULL;
 
     /* Register built-in modules. */
-    ret = k5_plugin_register(context, intf, "auth_to_local",
-                             localauth_auth_to_local_initvt);
+    ret = k5_plugin_register(context, intf, "default",
+                             localauth_default_initvt);
     if (ret)
         return ret;
-    ret = k5_plugin_register(context, intf, "names", localauth_names_initvt);
+    ret = k5_plugin_register(context, intf, "rule", localauth_rule_initvt);
     if (ret)
         return ret;
-    ret = k5_plugin_register(context, intf, "default",
-                             localauth_default_initvt);
+    ret = k5_plugin_register(context, intf, "names", localauth_names_initvt);
     if (ret)
         return ret;
-    ret = k5_plugin_register(context, intf, "rule", localauth_rule_initvt);
+    ret = k5_plugin_register(context, intf, "auth_to_local",
+                             localauth_auth_to_local_initvt);
     if (ret)
         return ret;
     ret = k5_plugin_register(context, intf, "k5login",
@@ -149,13 +137,6 @@ get_modules(krb5_context context, krb5_plugin_initvt_fn **modules_out)
     if (ret)
         return ret;
 
-    /* Move built-in userok and untyped an2ln localauth modules to back so we
-     * try loaded modules first. */
-    move_to_back(*modules_out, localauth_names_initvt);
-    move_to_back(*modules_out, localauth_auth_to_local_initvt);
-    move_to_back(*modules_out, localauth_k5login_initvt);
-    move_to_back(*modules_out, localauth_an2ln_initvt);
-
     return 0;
 }
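Review bot: The registration sequence in get_modules is now the only thing that fixes localauth precedence, yet the surviving comment `/* Register built-in modules. */` does not say so, and nothing in the hunk records where the k5_plugin_load_all call (between the two hunks, outside what is shown) places config-loaded modules relative to these built-ins — the deleted move_to_back pass made that ordering explicit. This matters for authorization: the `auth_to_local` built-in applies the DEFAULT mapping whenever no auth_to_local values are configured (per the krb5_conf.rst hunk), so a site module intended to veto or override a principal-to-account mapping would be silently shadowed if the plugin framework ever listed built-ins ahead of it. I would replace the comment with `/* Register built-in modules in the order they are consulted (documented in krb5_conf.rst). Precedence now relies on the plugin framework preserving registration order and placing config-loaded modules first; verify that contract if k5_plugin_register or k5_plugin_load_all changes. */` and add a test in the localauth test program that asserts a config-loaded module is consulted before the built-in auth_to_local module. get_modules begins and ends outside the hunk.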