krb5/0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals.patch

370 lines
12 KiB
Diff
Raw Normal View History

From 9ebae7cb434b9b177c0af85c67a6d6267f46bc68 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@redhat.com>
Date: Fri, 1 Nov 2013 09:48:13 -0400
Subject: [PATCH 2/7] In ksu, don't stat() not-on-disk ccache residuals
Don't assume that ccache residual names are filenames which we can
stat() usefully. Instead, use helper functions to call the library
routines to try to read the default principal name from caches, and
use whether or not that succeeds as an indication of whether or not
there's a ccache in a given location.
ticket: 7728
---
src/clients/ksu/ccache.c | 60 ++++++++++++++++++++--------------
src/clients/ksu/heuristic.c | 13 ++------
src/clients/ksu/ksu.h | 8 +++--
src/clients/ksu/main.c | 79 +++++++++------------------------------------
4 files changed, 60 insertions(+), 100 deletions(-)
diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
index 118fc53..5f57279 100644
--- a/src/clients/ksu/ccache.c
+++ b/src/clients/ksu/ccache.c
@@ -62,12 +62,9 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
{
int i=0;
krb5_ccache * cc_other;
- const char * cc_def_name;
- const char * cc_other_name;
krb5_error_code retval=0;
krb5_creds ** cc_def_creds_arr = NULL;
krb5_creds ** cc_other_creds_arr = NULL;
- struct stat st_temp;
cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache));
@@ -76,16 +73,13 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
return retval;
}
- cc_def_name = krb5_cc_get_name(context, cc_def);
- cc_other_name = krb5_cc_get_name(context, *cc_other);
-
- if ( ! stat(cc_def_name, &st_temp)){
+ if (ks_ccache_is_initialized(context, cc_def)) {
if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
return retval;
}
}
- if (!lstat( cc_other_name, &st_temp))
+ if (ks_ccache_name_is_initialized(context, cc_other_tag))
return EINVAL;
if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
@@ -540,24 +534,18 @@ krb5_error_code krb5_ccache_overwrite(context, ccs, cct, primary_principal)
krb5_ccache cct;
krb5_principal primary_principal;
{
- const char * cct_name;
- const char * ccs_name;
krb5_error_code retval=0;
krb5_principal temp_principal;
krb5_creds ** ccs_creds_arr = NULL;
int i=0;
- struct stat st_temp;
- ccs_name = krb5_cc_get_name(context, ccs);
- cct_name = krb5_cc_get_name(context, cct);
-
- if ( ! stat(ccs_name, &st_temp)){
+ if (ks_ccache_is_initialized(context, ccs)) {
if ((retval = krb5_get_nonexp_tkts(context, ccs, &ccs_creds_arr))){
return retval;
}
}
- if ( ! stat(cct_name, &st_temp)){
+ if (ks_ccache_is_initialized(context, cct)) {
if ((retval = krb5_cc_get_principal(context, cct, &temp_principal))){
return retval;
}
@@ -643,12 +631,10 @@ krb5_error_code krb5_ccache_filter (context, cc, prst)
krb5_creds ** cc_creds_arr = NULL;
const char * cc_name;
krb5_boolean stored;
- struct stat st_temp;
cc_name = krb5_cc_get_name(context, cc);
- if ( ! stat(cc_name, &st_temp)){
-
+ if (ks_ccache_is_initialized(context, cc)) {
if (auth_debug) {
fprintf(stderr,"putting cache %s through a filter for -z option\n", cc_name);
}
@@ -713,12 +699,8 @@ krb5_error_code krb5_find_princ_in_cache (context, cc, princ, found)
{
krb5_error_code retval;
krb5_creds ** creds_list = NULL;
- const char * cc_name;
- struct stat st_temp;
-
- cc_name = krb5_cc_get_name(context, cc);
- if ( ! stat(cc_name, &st_temp)){
+ if (ks_ccache_is_initialized(context, cc)) {
if ((retval = krb5_get_nonexp_tkts(context, cc, &creds_list))){
return retval;
}
@@ -727,3 +709,33 @@ krb5_error_code krb5_find_princ_in_cache (context, cc, princ, found)
*found = krb5_find_princ_in_cred_list(context, creds_list, princ);
return 0;
}
+
+krb5_boolean
+ks_ccache_name_is_initialized(krb5_context context, const char *cctag)
+{
+ krb5_boolean result;
+ krb5_ccache cc;
+
+ if (krb5_cc_resolve(context, cctag, &cc) != 0)
+ return FALSE;
+ result = ks_ccache_is_initialized(context, cc);
+ krb5_cc_close(context, cc);
+
+ return result;
+}
+
+krb5_boolean
+ks_ccache_is_initialized(krb5_context context, krb5_ccache cc)
+{
+ krb5_principal princ;
+ krb5_error_code retval;
+
+ if (cc == NULL)
+ return FALSE;
+
+ retval = krb5_cc_get_principal(context, cc, &princ);
+ if (retval == 0)
+ krb5_free_principal(context, princ);
+
+ return retval == 0;
+}
diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c
index 99b54e5..f73b8eb 100644
--- a/src/clients/ksu/heuristic.c
+++ b/src/clients/ksu/heuristic.c
@@ -397,12 +397,8 @@ krb5_error_code find_either_ticket (context, cc, client, end_server, found)
krb5_principal kdc_server;
krb5_error_code retval;
krb5_boolean temp_found = FALSE;
- const char * cc_source_name;
- struct stat st_temp;
- cc_source_name = krb5_cc_get_name(context, cc);
-
- if ( ! stat(cc_source_name, &st_temp)){
+ if (ks_ccache_is_initialized(context, cc)) {
retval = find_ticket(context, cc, client, end_server, &temp_found);
if (retval)
@@ -539,7 +535,6 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
{
princ_info princ_trials[10];
- const char * cc_source_name;
krb5_principal cc_def_princ = NULL;
krb5_principal temp_client;
krb5_principal target_client;
@@ -551,7 +546,6 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
struct stat tb;
int count =0;
int i;
- struct stat st_temp;
*path_out = 0;
@@ -559,10 +553,7 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
if (options->princ)
return 0;
- cc_source_name = krb5_cc_get_name(context, cc_source);
-
-
- if (! stat(cc_source_name, &st_temp)) {
+ if (ks_ccache_is_initialized(context, cc_source)) {
retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ);
if (retval)
return retval;
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
index 9e0c613..e1e34f1 100644
--- a/src/clients/ksu/ksu.h
+++ b/src/clients/ksu/ksu.h
@@ -141,6 +141,12 @@ extern krb5_error_code krb5_store_some_creds
(krb5_context, krb5_ccache, krb5_creds **, krb5_creds **,
krb5_principal, krb5_boolean *);
+extern krb5_boolean ks_ccache_name_is_initialized
+(krb5_context, const char *);
+
+extern krb5_boolean ks_ccache_is_initialized
+(krb5_context, krb5_ccache);
+
extern krb5_error_code krb5_ccache_refresh
(krb5_context, krb5_ccache);
@@ -198,8 +204,6 @@ extern int standard_shell (char *);
extern krb5_error_code get_params (int *, int, char **, char ***);
-extern char *get_dir_of_file (const char *);
-
/* heuristic.c */
extern krb5_error_code get_all_princ_from_file (FILE *, char ***);
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 62f3bc0..8c49f94 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -51,7 +51,6 @@ static void print_status( const char *fmt, ...)
__attribute__ ((__format__ (__printf__, 1, 2)))
#endif
;
-char * get_dir_of_file();
/* Note -e and -a options are mutually exclusive */
/* insure the proper specification of target user as well as catching
@@ -96,7 +95,6 @@ main (argc, argv)
const char * cc_source_tag = NULL;
uid_t source_gid;
const char * cc_source_tag_tmp = NULL;
- char * cc_target_tag_tmp=NULL;
char * cmd = NULL, * exec_cmd = NULL;
int errflg = 0;
krb5_boolean auth_val;
@@ -112,11 +110,9 @@ main (argc, argv)
extern char * getpass(), *crypt();
int pargc;
char ** pargv;
- struct stat st_temp;
krb5_boolean stored = FALSE;
krb5_principal kdc_server;
krb5_boolean zero_password;
- char * dir_of_cc_target;
krb5_boolean restrict_creds;
options.opt = KRB5_DEFAULT_OPTIONS;
@@ -266,9 +262,10 @@ main (argc, argv)
if ( strchr(cc_source_tag, ':')){
cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
- if( stat( cc_source_tag_tmp, &st_temp)){
+ if (!ks_ccache_name_is_initialized(ksu_context,
+ cc_source_tag)) {
com_err(prog_name, errno,
- _("while looking for credentials file %s"),
+ _("while looking for credentials cache %s"),
cc_source_tag_tmp);
exit (1);
}
@@ -419,32 +416,18 @@ main (argc, argv)
exit(1);
}
- if (cc_target_tag == NULL) {
-
- cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE ,sizeof(char));
- /* make sure that the new ticket file does not already exist
- This is run as source_uid because it is reasonable to
- require the source user to have write to where the target
- cache will be created.*/
-
- do {
- snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d",
- KRB5_SECONDARY_CACHE,
- (long) target_uid, gen_sym());
- cc_target_tag_tmp = strchr(cc_target_tag, ':') + 1;
-
- }while ( !stat ( cc_target_tag_tmp, &st_temp));
- }
-
-
- dir_of_cc_target = get_dir_of_file(cc_target_tag_tmp);
-
- if (access(dir_of_cc_target, R_OK | W_OK )){
- fprintf(stderr,
- _("%s does not have correct permissions for %s\n"),
- source_user, cc_target_tag);
- exit(1);
- }
+ /*
+ * Make sure that the new ticket file does not already exist.
+ * This is run as source_uid because it is reasonable to
+ * require the source user to have write to where the target
+ * cache will be created.
+ */
+ cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE, sizeof(char));
+ do {
+ snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d",
+ KRB5_SECONDARY_CACHE,
+ (long)target_uid, gen_sym());
+ } while (ks_ccache_name_is_initialized(ksu_context, cc_target_tag));
if (auth_debug){
fprintf(stderr, " source cache = %s\n", cc_source_tag);
@@ -747,13 +730,6 @@ main (argc, argv)
exit(1);
}
- if (access( cc_target_tag_tmp, R_OK | W_OK )){
- com_err(prog_name, errno,
- _("%s does not have correct permissions for %s, %s aborted"),
- target_user, cc_target_tag_tmp, prog_name);
- exit(1);
- }
-
if ( cc_source)
krb5_cc_close(ksu_context, cc_source);
@@ -873,8 +849,6 @@ static void sweep_up(context, cc)
krb5_ccache cc;
{
krb5_error_code retval;
- const char * cc_name;
- struct stat st_temp;
krb5_seteuid(0);
if (krb5_seteuid(target_uid) < 0) {
@@ -883,8 +857,7 @@ static void sweep_up(context, cc)
exit(1);
}
- cc_name = krb5_cc_get_name(context, cc);
- if ( ! stat(cc_name, &st_temp)){
+ if (ks_ccache_is_initialized(context, cc)) {
if ((retval = krb5_cc_destroy(context, cc)))
com_err(prog_name, retval, _("while destroying cache"));
}
@@ -937,26 +910,6 @@ void print_status(const char *fmt, ...)
}
}
-
-char *get_dir_of_file(path)
- const char *path;
-{
- char * temp_path;
- char * ptr;
-
- temp_path = xstrdup(path);
-
- if ((ptr = strrchr( temp_path, '/'))) {
- *ptr = '\0';
- } else {
- free (temp_path);
- temp_path = xmalloc(MAXPATHLEN);
- if (temp_path)
- getcwd(temp_path, MAXPATHLEN);
- }
- return temp_path;
-}
-
krb5_error_code
ksu_tgtname(context, server, client, tgtprinc)
krb5_context context;
--
2.0.4