Skip to content

krb5: make sure keytab is a FILE before checking for access#8556

Open
257 wants to merge 1 commit intoSSSD:masterfrom
257:improve-reporting-when-running-as-sssd2
Open

krb5: make sure keytab is a FILE before checking for access#8556
257 wants to merge 1 commit intoSSSD:masterfrom
257:improve-reporting-when-running-as-sssd2

Conversation

@257
Copy link
Copy Markdown

@257 257 commented Mar 27, 2026

KCM: and API: are other cases besides MEMORY:

Resolves: #8555
Signed-off-by: Paymon MARANDI paymon@encs.concordia.ca

Copilot AI review requested due to automatic review settings March 27, 2026 15:48
gemini-code-assist[bot]
gemini-code-assist bot reviewed Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request modifies the copy_keytab_into_memory function in src/providers/krb5/krb5_keytab.c to ensure that the file accessibility check using faccessat is only performed when the keytab name is explicitly prefixed with "FILE:". This change prevents potential errors when dealing with non-file-based keytabs. I have no feedback to provide as there were no review comments to evaluate.

Copilot AI reviewed Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates Kerberos keytab handling in SSSD to avoid incorrectly applying filesystem readability checks to non-file keytab backends (e.g., KCM: / API:), addressing the regression described in #8555.

Changes:

  • Restrict the faccessat() readability check to only FILE: keytabs in copy_keytab_into_memory().

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@257 257 force-pushed the improve-reporting-when-running-as-sssd2 branch from 477139e to e895edb Compare March 27, 2026 15:53
alexey-tikhonov
alexey-tikhonov reviewed Mar 27, 2026
View reviewed changes
@alexey-tikhonov alexey-tikhonov added the no-backport This should go to target branch only. label Mar 27, 2026
krb5: make sure keytab is a FILE before checking for access
d50b0d2 
KCM: and API: are other cases besides MEMORY:

Resolves: SSSD#8555
Signed-off-by: Paymon MARANDI <paymon@encs.concordia.ca>
@257 257 force-pushed the improve-reporting-when-running-as-sssd2 branch from e895edb to d50b0d2 Compare March 27, 2026 16:03
alexey-tikhonov
alexey-tikhonov reviewed Mar 27, 2026
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alexey-tikhonov alexey-tikhonov alexey-tikhonov left review comments

Copilot code review Copilot Copilot left review comments

@pbrezina pbrezina Awaiting requested review from pbrezina

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

no-backport This should go to target branch only.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

KRB5:do_keytab_copy(): don't faccessat() for types other than 'FILE:'

3 participants

@257 @alexey-tikhonov