ptserver: Do not use cell for entry name len check

Do not use the local cell name when determining if a new entry name is
too long. This check assumes that foreign cells will use our local
cell name (assumed to be our local Kerberos realm) in a certain way,
and prevents creating users that will make those names too long.

This is undesirable for several reasons. One is that the local realm
name may not be the same as the local cell name (and we may have many
local realms). Another is that we cannot reliably predict how foreign
cells will construct foreign pt entry names, so preventing entry
creation based on that may prevent names that will never cause any
problems. This check also assumes that our names will be used as
foreign entries in other cells, which may not be the case.

So, remove the check based on the local cell name, and remove the
pr_realmNameLen variable while we are at it, since this is all it is
used for.

Thanks to Jeffrey Altman for discussion, and for bringing this up in
the first place.

Change-Id: Ief4bc94d9ead61a1589797b5dc663a6473c9ed72
Reviewed-on: http://gerrit.openafs.org/2488
Tested-by: Derrick Brashear <shadow@dementia.org>
Reviewed-by: Derrick Brashear <shadow@dementia.org>

diff --git a/src/ptserver/ptserver.c b/src/ptserver/ptserver.c
index b0fe4f9..c5a5c07 100644 (file)
--- a/src/ptserver/ptserver.c
+++ b/src/ptserver/ptserver.c
@@ -153,7 +153,6 @@ struct afsconf_dir *prdir;
 extern afs_int32 depthsg;
 #endif
 
-int pr_realmNameLen;
 char *pr_realmName;
 
 int debuglevel = 0;
@@ -454,7 +453,6 @@ main(int argc, char **argv)
        PT_EXIT(2);
     }
     pr_realmName = info.name;
-    pr_realmNameLen = strlen(pr_realmName);
 
     {
        afs_int32 kvno;         /* see if there is a KeyFile here */

diff --git a/src/ptserver/ptutils.c b/src/ptserver/ptutils.c
index be99ddb..dd185da 100644 (file)
--- a/src/ptserver/ptutils.c
+++ b/src/ptserver/ptutils.c
@@ -176,31 +176,19 @@ pt_hook_write(void)
 #endif /* SUPERGROUPS */
 
 /* CorrectUserName - Check to make sure a user name is OK.  It must not include
- *   either a colon (or it would look like a group) or an atsign (or it would
- *   look like a foreign user).  The length is checked as well to make sure
- *   that the user name, an atsign, and the local cell name will fit in
- *   PR_MAXNAMELEN.  This is so this user can fit in another cells database as
- *   a foreign user with our cell name tacked on.  This is a predicate, so it
- *   return one if name is OK and zero if name is bogus. */
+ *   either a colon (or it would look like a group) or a newline (which can
+ *   confuse some ptdb code, depending on the format we're reading from).
+ *   This is a predicate, so it return one if name is OK and zero if name is
+ *   bogus. */
 
 static int
 CorrectUserName(char *name)
 {
-    extern int pr_realmNameLen;
-
     /* We accept foreign names, so we will deal with '@' later */
     if (strchr(name, ':') || strchr(name, '\n'))
        return 0;
-    if (strchr(name, '@')) {
-       /* foreign user; we don't need to worry about pr_realmNameLen, since
-        * our local realm name will never be appended to this */
-       if (strlen(name) >= PR_MAXNAMELEN) {
-           return 0;
-       }
-    } else {
-       if (strlen(name) >= PR_MAXNAMELEN - pr_realmNameLen - 1)
-           return 0;
-    }
+    if (strlen(name) >= PR_MAXNAMELEN)
+       return 0;
     return 1;
 }
 

diff --git a/src/ptserver/ubik.c b/src/ptserver/ubik.c
index befe081..be28de4 100644 (file)
--- a/src/ptserver/ubik.c
+++ b/src/ptserver/ubik.c
@@ -187,5 +187,4 @@ afsconf_GetNoAuthFlag(struct afsconf_dir *adir)
 
 char *prdir = "/dev/null";
 struct prheader cheader;
-int pr_realmNameLen;
 char *pr_realmName;