Commit 2f682f25c642fcfe7c511d04bc9d67e732282348 changed existing
behavior to avoid a deadlock for users using Kerberized NFS home dirs.
However, this also prevents users leveraging their own k5identity
files under their home directory and instead rpc.gssd uses a
system-wide /.k5identity file. For users expecting to use their own
k5identity file this is certainly unexpected.
Below is some pseudo code that was proposed and would just add a flag
allowing for the behavior prior to
2f682f25c642fcfe7c511d04bc9d67e732282348:
/* psudo code snippet starts here */
/*
* Some krb5 routines try to scrape info out of files in the user's
* home directory. This can easily deadlock when that homedir is on a
- * kerberized NFS mount. By setting $HOME unconditionally to "/", we
+ * kerberized NFS mount. Some users may not have $HOME on NFS.
+ * By default setting $HOME unconditionally to "/", we
* prevent this behavior in routines that use $HOME in preference to
* the results of getpw*.
+ * Users who have $HOME on krb5-NFS should set
`--home-not-kerberized` in argv
+ * Users who have $HOME on krb5-NFS but want to use their
$HOME anyway should set NFS_HOME_ACCESSIBLE=TRUE
*/
+ if (argv == '--home-not-kerberized') ||
(getenv("NFS_HOME_ACCESSIBLE") == 'TRUE') {
+ log.debug('Not masking $HOME, this breaks on Kerberized $HOME');
+ }
+ else {
+ log.debug('Assuming $HOME requires Kerberos, use
`--home-not-kerberized` to change this behavior');
if (setenv("HOME", "/", 1)) {
printerr(1, "Unable to set $HOME: %s\n", strerror(errn));
exit(1);
}
+ }
/* psudo code snippet ends here */
While acknowledging the use of this flag for Kerberized NFS home dirs
is undesirable and would cause a deadlock, there should be no issue
for users not using Kerberized NFS home dirs.
Does anyone consider adding the above proposed flag as being problematic?
