ptserver: Do not use cell for entry name len check

Do not use the local cell name when determining if a new entry name is
too long. This check assumes that foreign cells will use our local
cell name (assumed to be our local Kerberos realm) in a certain way,
and prevents creating users that will make those names too long.

This is undesirable for several reasons. One is that the local realm
name may not be the same as the local cell name (and we may have many
local realms). Another is that we cannot reliably predict how foreign
cells will construct foreign pt entry names, so preventing entry
creation based on that may prevent names that will never cause any
problems. This check also assumes that our names will be used as
foreign entries in other cells, which may not be the case.

So, remove the check based on the local cell name, and remove the
pr_realmNameLen variable while we are at it, since this is all it is
used for.

Thanks to Jeffrey Altman for discussion, and for bringing this up in
the first place.

Change-Id: Ief4bc94d9ead61a1589797b5dc663a6473c9ed72
Reviewed-on: http://gerrit.openafs.org/2488
Tested-by: Derrick Brashear <shadow@dementia.org>
Reviewed-by: Derrick Brashear <shadow@dementia.org>

diff --git a/src/ptserver/ptserver.c b/src/ptserver/ptserver.c
index b0fe4f984bdc986aa840d508e9acca94b5bd96fd..c5a5c07920b3a496d9f828145728df9fd7c96ac9 100644 (file)
--- a/src/ptserver/ptserver.c
+++ b/src/ptserver/ptserver.c
@@ -153,7 +153,6 @@ struct afsconf_dir *prdir;
 extern afs_int32 depthsg;
 #endif
 
-int pr_realmNameLen;
 char *pr_realmName;
 
 int debuglevel = 0;
@@ -454,7 +453,6 @@ main(int argc, char **argv)
        PT_EXIT(2);
     }
     pr_realmName = info.name;
-    pr_realmNameLen = strlen(pr_realmName);
 
     {
        afs_int32 kvno;         /* see if there is a KeyFile here */

diff --git a/src/ptserver/ptutils.c b/src/ptserver/ptutils.c
index be99ddbc1601ccbe842de0a52fab458df48e58f7..dd185da09f35ed0bcfb90ee7d708a2d1b0e18a4e 100644 (file)
--- a/src/ptserver/ptutils.c
+++ b/src/ptserver/ptutils.c
@@ -176,31 +176,19 @@ pt_hook_write(void)
 #endif /* SUPERGROUPS */
 
 /* CorrectUserName - Check to make sure a user name is OK.  It must not include
- *   either a colon (or it would look like a group) or an atsign (or it would
- *   look like a foreign user).  The length is checked as well to make sure
- *   that the user name, an atsign, and the local cell name will fit in
- *   PR_MAXNAMELEN.  This is so this user can fit in another cells database as
- *   a foreign user with our cell name tacked on.  This is a predicate, so it
- *   return one if name is OK and zero if name is bogus. */
+ *   either a colon (or it would look like a group) or a newline (which can
+ *   confuse some ptdb code, depending on the format we're reading from).
+ *   This is a predicate, so it return one if name is OK and zero if name is
+ *   bogus. */
 
 static int
 CorrectUserName(char *name)
 {
-    extern int pr_realmNameLen;
-
     /* We accept foreign names, so we will deal with '@' later */
     if (strchr(name, ':') || strchr(name, '\n'))
        return 0;
-    if (strchr(name, '@')) {
-       /* foreign user; we don't need to worry about pr_realmNameLen, since
-        * our local realm name will never be appended to this */
-       if (strlen(name) >= PR_MAXNAMELEN) {
-           return 0;
-       }
-    } else {
-       if (strlen(name) >= PR_MAXNAMELEN - pr_realmNameLen - 1)
-           return 0;
-    }
+    if (strlen(name) >= PR_MAXNAMELEN)
+       return 0;
     return 1;
 }
 

diff --git a/src/ptserver/ubik.c b/src/ptserver/ubik.c
index befe081304db83c8089d30c553d0c3dd00b545cd..be28de43ab94346c7a1e78ae87da82c85423d9c9 100644 (file)
--- a/src/ptserver/ubik.c
+++ b/src/ptserver/ubik.c
@@ -187,5 +187,4 @@ afsconf_GetNoAuthFlag(struct afsconf_dir *adir)
 
 char *prdir = "/dev/null";
 struct prheader cheader;
-int pr_realmNameLen;
 char *pr_realmName;