Bug
Resolution: Unresolved
rhel-8.7.0
rhel-sst-filesystems
Description of problem:
The manpage for request-key.conf(5) states:
<op> <type> <description> <callout-info> <prog> <arg1> <arg2> ...
The first four fields are used to match the parameters passed to
request-key by the kernel. op is the operation type; currently the
only supported operation is "create".
type, description and callout-info match the three parameters
passed to keyctl request2 or the request_key() system call. Each of
these may contain one or more asterisk '*' characters as wildcards
anywhere within the string.
However the code in keyutils.c states that only one asterisk is allowed in the entire pattern:
/*****************************************************************************/
/*
 * attempt to match a datum to a pattern
 * - one asterisk is allowed anywhere in the pattern to indicate a wildcard
 * - returns true if matched, false if not
 */
static int match(const char *pattern, int plen, const char *datum, int dlen)
Multiple wildcards are necessary in some cases where multiple dynamic fields exist, for example with cifs.spnego:
ver=0x2;host=SERVER_HOSTNAME;ip4=SERVER_IP;sec=krb5;uid=0x0;creduid=0x0;user=USERNAME;pid=PID
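As an added illustration (this is not keyutils code, and it does not reproduce the project's match() function), the following C program shows what a request-key style matcher that accepts any number of '*' wildcards looks like, and applies it to cifs.spnego descriptions laid out as in the template above. It assumes the semantics the manpage describes: '*' matches any run of bytes, including an empty one, and every other byte must match exactly. The rule table mirrors the two config lines from the reproducer; the description strings, hostnames, addresses and pids are constructed sample values.

```c
/* Added example (not keyutils code): a request-key style matcher that
 * accepts any number of '*' wildcards, applied to cifs.spnego descriptions.
 * Assumed semantics: '*' matches any run of bytes, including none; all
 * other bytes must match exactly. Sample descriptions are constructed. */
#include <stdio.h>
#include <string.h>

/* Return 1 if datum matches pattern, else 0. Greedy match with backtracking
 * to the most recent '*', so several wildcards can appear in one pattern. */
static int match_glob(const char *pattern, int plen, const char *datum, int dlen)
{
    int p = 0, d = 0;
    int star_p = -1;   /* index of the last '*' seen in pattern, or -1 */
    int star_d = -1;   /* datum index where that '*' started matching */

    while (d < dlen) {
        if (p < plen && pattern[p] == '*') {
            star_p = p++;          /* remember the wildcard; try the empty match first */
            star_d = d;
        } else if (p < plen && pattern[p] == datum[d]) {
            p++;                   /* literal byte matches */
            d++;
        } else if (star_p >= 0) {
            p = star_p + 1;        /* let the last '*' absorb one more byte */
            d = ++star_d;
        } else {
            return 0;              /* literal mismatch and no wildcard to extend */
        }
    }
    while (p < plen && pattern[p] == '*')
        p++;                       /* trailing '*' may match the empty string */
    return p == plen;
}

/* A miniature request-key.d rule table: description pattern -> keytab.
 * Patterns follow the cifs.spnego description layout from the report. */
struct rule {
    const char *pattern;
    const char *keytab;
};

static const struct rule rules[] = {
    { "ver=*;host=*;ip4=*;sec=krb5;uid=0x0;creduid=0x0;user=MYUSER1@*;pid=*", "/path/to/MYUSER1.keytab" },
    { "ver=*;host=*;ip4=*;sec=krb5;uid=0x0;creduid=0x0;user=MYUSER2@*;pid=*", "/path/to/MYUSER2.keytab" },
};

/* Keytab of the first rule whose pattern matches the description, or NULL.
 * NULL for an unmatched description is the safe default: no credential is
 * handed to an upcall that the configuration did not explicitly allow. */
static const char *select_keytab(const char *desc)
{
    size_t i;
    for (i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
        const char *pat = rules[i].pattern;
        if (match_glob(pat, (int)strlen(pat), desc, (int)strlen(desc)))
            return rules[i].keytab;
    }
    return NULL;
}

int main(void)
{
    /* Constructed descriptions in the layout the kernel's cifs module uses. */
    const char *descs[] = {
        "ver=0x2;host=fs1.example.com;ip4=192.0.2.10;sec=krb5;uid=0x0;creduid=0x0;user=MYUSER1@EXAMPLE.COM;pid=4242",
        "ver=0x2;host=fs1.example.com;ip4=192.0.2.10;sec=krb5;uid=0x0;creduid=0x0;user=MYUSER2@EXAMPLE.COM;pid=4243",
        "ver=0x2;host=fs1.example.com;ip4=192.0.2.10;sec=krb5;uid=0x0;creduid=0x0;user=MYUSER10@EXAMPLE.COM;pid=4244",
    };
    size_t i;

    for (i = 0; i < sizeof(descs) / sizeof(descs[0]); i++) {
        const char *kt = select_keytab(descs[i]);
        printf("%s -> %s\n", descs[i], kt ? kt : "(no rule)");
    }
    return 0;
}
```

The third description (user MYUSER10) deliberately shares a prefix with the MYUSER1 rule; because the literal '@' must follow "MYUSER1", it selects no keytab rather than silently borrowing MYUSER1's. That is the property multi-wildcard patterns buy: each dynamic field (ver, host, ip4, realm, pid) can be wildcarded on its own while the user field still discriminates exactly, which a single leading or trailing '*' cannot express.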
Version-Release number of selected component (if applicable):
keyutils-1.5.10-9.el8.x86_64
How reproducible:
easy
Steps to Reproduce:
Attempt to match with multiple asterisks in the relevant request-key file:
/etc/request-key.d/cifs.spnego.conf
create cifs.spnego ver=*;host=*;ip4=*;sec=krb5;uid=0x0;creduid=0x0;user=MYUSER1@*,pid=* /usr/sbin/cifs.upcall -t /path/to/MYUSER1.keytab %k
create cifs.spnego ver=*;host=*;ip4=*;sec=krb5;uid=0x0;creduid=0x0;user=MYUSER2@*,pid=* /usr/sbin/cifs.upcall -t /path/to/MYUSER2.keytab %k
Attempt to mount a cifs share using krb5 (it is not necessary to actually have cifs+kerberos set up correctly):
- mount //server/share /mnt/tmp -o sec=krb5,user=MYUSER1
- mount //server/share /mnt/tmp -o sec=krb5,user=MYUSER2
Actual results:
Strings with multiple wildcards will not match.
Expected results:
Multiple wildcards are accepted, and work as described in the manpage.
Additional info: