RHEL-7964

Allow matching multiple wildcards, as described in manpage

    • Bug
    • Resolution: Unresolved
    • rhel-8.7.0
    • keyutils
    • rhel-sst-filesystems

      Description of problem:

      The manpage for request-key.conf(5) states:

      <op> <type> <description> <callout-info> <prog> <arg1> <arg2> ...

      The first four fields are used to match the parameters passed to
      request-key by the kernel. op is the operation type; currently the
      only supported operation is "create".

      type, description and callout-info match the three parameters
      passed to keyctl request2 or the request_key() system call. Each of
      these may contain one or more asterisk '*' characters as wildcards
      anywhere within the string.

      However, the code in keyutils.c states that only one asterisk is allowed in the entire pattern:

      /*****************************************************************************/
      /*
       * attempt to match a datum to a pattern
       * - one asterisk is allowed anywhere in the pattern to indicate a wildcard
       * - returns true if matched, false if not
       */
      static int match(const char *pattern, int plen, const char *datum, int dlen)

      Multiple wildcards are necessary in some cases where multiple dynamic fields exist, for example with cifs.spnego:

      ver=0x2;host=SERVER_HOSTNAME;ip4=SERVER_IP;sec=krb5;uid=0x0;creduid=0x0;user=USERNAME;pid=PID

      Version-Release number of selected component (if applicable):

      keyutils-1.5.10-9.el8.x86_64

      How reproducible:

      easy

      Steps to Reproduce:

      Attempt to match with multiple asterisks in the relevant request-key file:
      /etc/request-key.d/cifs.spnego.conf

      create cifs.spnego ver=*;host=*;ip4=*;sec=krb5;uid=0x0;creduid=0x0;user=MYUSER1@*,pid=* /usr/sbin/cifs.upcall -t /path/to/MYUSER1.keytab %k
      create cifs.spnego ver=*;host=*;ip4=*;sec=krb5;uid=0x0;creduid=0x0;user=MYUSER2@*,pid=* /usr/sbin/cifs.upcall -t /path/to/MYUSER2.keytab %k

      attempt to mount a cifs share using krb5 (it is not necessary to actually have cifs+kerberos set up correctly):

      1. mount //server/share /mnt/tmp -o sec=krb5,user=MYUSER1
      2. mount //server/share /mnt/tmp -o sec=krb5,user=MYUSER2

      Actual results:

      strings with multiple wildcards will not match

      Expected results:

      multiple wildcards are accepted, and work as described in the manpage

      Additional info:

              rhn-support-dhowells David Howells
              rhn-support-fsorenso Frank Sorenson
              Kun Wang
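The mismatch described in this report, as an added example (not keyutils source and not part of the original report): `match_single` follows the one-asterisk behaviour stated in the quoted comment, and `match_multi` follows the wording of request-key.conf(5). The function names, the rule string, and the host, IP and pid values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* One-wildcard semantics per the quoted comment: literal prefix, first '*',
 * literal suffix. Later '*' are compared literally (assumption of this sketch). */
static int match_single(const char *pat, const char *datum)
{
    size_t plen = strlen(pat), dlen = strlen(datum);
    const char *star = strchr(pat, '*');
    if (!star)
        return plen == dlen && memcmp(pat, datum, dlen) == 0;
    size_t pre = (size_t)(star - pat), suf = plen - pre - 1;
    return dlen >= pre + suf && memcmp(pat, datum, pre) == 0 &&
           memcmp(star + 1, datum + dlen - suf, suf) == 0;
}

/* Manpage semantics: each '*' matches any run; backtrack to the latest '*'. */
static int match_multi(const char *pat, const char *datum)
{
    const char *star = NULL, *resume = NULL;
    while (*datum) {
        if (*pat == '*') {
            star = pat++;          /* remember the wildcard position */
            resume = datum;        /* and where its match started */
        } else if (*pat == *datum) {
            pat++;
            datum++;
        } else if (star) {
            pat = star + 1;        /* let the last '*' absorb one more byte */
            datum = ++resume;
        } else {
            return 0;
        }
    }
    while (*pat == '*')
        pat++;
    return *pat == '\0';
}

/* Constructed sample data in the field layout shown in the report. */
static const char DESC[] = "ver=0x2;host=fs1.example.test;ip4=192.0.2.10;"
    "sec=krb5;uid=0x0;creduid=0x0;user=MYUSER1;pid=0x4d2";
static const char RULE[] = "ver=*;host=*;ip4=*;sec=krb5;*;user=MYUSER1;pid=*";

int main(void)
{
    printf("single=%d multi=%d\n", match_single(RULE, DESC),
           match_multi(RULE, DESC));
    return 0;
}
```

Keeping the `;` delimiters on both sides of `user=MYUSER1` in a multi-wildcard rule prevents it from also matching a description for `MYUSER10`, which matters when the rule decides which keytab is handed to cifs.upcall.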