krb5/0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch

From 74e775ac6d937c9d22be4fc1d429e5e62705fb7d Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@redhat.com>
Date: Thu, 24 Jul 2014 15:39:53 -0400
Subject: [PATCH 1/7] In ksu, merge krb5_ccache_copy() and _restricted()

Other than whether or not they limit the creds it stores to the new
ccache based on the principal name of the client for whom the creds were
issued, there's no meaningful difference between what these two
functions do.  Merge them.
---
 src/clients/ksu/ccache.c | 106 ++++++-----------------------------------------
 src/clients/ksu/ksu.h    |   6 +--
 src/clients/ksu/main.c   |  27 ++++--------
 3 files changed, 22 insertions(+), 117 deletions(-)

diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
index 9916c75..118fc53 100644
--- a/src/clients/ksu/ccache.c
+++ b/src/clients/ksu/ccache.c
@@ -47,12 +47,14 @@ void show_credential();
 */
 
 krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
-                                  primary_principal, cc_out, stored, target_uid)
+                                  primary_principal, restrict_creds, cc_out,
+                                  stored, target_uid)
 /* IN */
     krb5_context context;
     krb5_ccache cc_def;
     char *cc_other_tag;
     krb5_principal primary_principal;
+    krb5_boolean restrict_creds;
     uid_t target_uid;
     /* OUT */
     krb5_ccache *cc_out;
@@ -83,9 +85,6 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
         }
     }
 
-    *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr,
-                                           primary_principal);
-
     if (!lstat( cc_other_name, &st_temp))
         return EINVAL;
 
@@ -98,8 +97,16 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
         return retval;
     }
 
-    retval = krb5_store_all_creds(context, * cc_other, cc_def_creds_arr,
-                                  cc_other_creds_arr);
+    if (restrict_creds) {
+        retval = krb5_store_some_creds(context, *cc_other, cc_def_creds_arr,
+                                       cc_other_creds_arr, primary_principal,
+                                       stored);
+    } else {
+        *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr,
+                                               primary_principal);
+        retval = krb5_store_all_creds(context, *cc_other, cc_def_creds_arr,
+                                      cc_other_creds_arr);
+    }
 
     if (cc_def_creds_arr){
         while (cc_def_creds_arr[i]){
@@ -623,93 +630,6 @@ krb5_error_code krb5_store_some_creds(context, cc, creds_def, creds_other, prst,
     *stored = temp_stored;
     return 0;
 }
-/******************************************************************
-krb5_cache_copy_restricted
-
-gets rid of any expired tickets in the secondary cache,
-copies the default cache into the secondary cache,
-only credentials that are for prst are copied.
-
-the algorithm may look a bit funny,
-but I had to do it this way, since cc_remove function did not come
-with k5 beta 3 release.
-************************************************************************/
-
-krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag,
-                                             prst, cc_out, stored, target_uid)
-    krb5_context context;
-    krb5_ccache cc_def;
-    char *cc_other_tag;
-    krb5_principal prst;
-    uid_t target_uid;
-    /* OUT */
-    krb5_ccache *cc_out;
-    krb5_boolean *stored;
-{
-
-    int i=0;
-    krb5_ccache  * cc_other;
-    const char * cc_def_name;
-    const char * cc_other_name;
-    krb5_error_code retval=0;
-    krb5_creds ** cc_def_creds_arr = NULL;
-    krb5_creds ** cc_other_creds_arr = NULL;
-    struct stat st_temp;
-
-    cc_other = (krb5_ccache *)  xcalloc(1, sizeof (krb5_ccache));
-
-    if ((retval = krb5_cc_resolve(context, cc_other_tag, cc_other))){
-        com_err(prog_name, retval, _("resolving ccache %s"), cc_other_tag);
-        return retval;
-    }
-
-    cc_def_name = krb5_cc_get_name(context, cc_def);
-    cc_other_name = krb5_cc_get_name(context, *cc_other);
-
-    if ( ! stat(cc_def_name, &st_temp)){
-        if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
-            return retval;
-        }
-
-    }
-
-    if (!lstat( cc_other_name, &st_temp)) {
-        return EINVAL;
-    }
-
-    if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
-        return errno;
-    }
-
-
-    if ((retval = krb5_cc_initialize(context, *cc_other, prst))){
-        return retval;
-    }
-
-    retval = krb5_store_some_creds(context, * cc_other,
-                                   cc_def_creds_arr, cc_other_creds_arr, prst, stored);
-
-
-
-    if (cc_def_creds_arr){
-        while (cc_def_creds_arr[i]){
-            krb5_free_creds(context, cc_def_creds_arr[i]);
-            i++;
-        }
-    }
-
-    i=0;
-
-    if(cc_other_creds_arr){
-        while (cc_other_creds_arr[i]){
-            krb5_free_creds(context, cc_other_creds_arr[i]);
-            i++;
-        }
-    }
-
-    *cc_out = *cc_other;
-    return retval;
-}
 
 krb5_error_code krb5_ccache_filter (context, cc, prst)
     krb5_context context;
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
index f2c0811..9e0c613 100644
--- a/src/clients/ksu/ksu.h
+++ b/src/clients/ksu/ksu.h
@@ -107,7 +107,7 @@ extern krb5_error_code get_best_principal
 /* ccache.c */
 extern krb5_error_code krb5_ccache_copy
 (krb5_context, krb5_ccache, char *, krb5_principal,
- krb5_ccache *, krb5_boolean *, uid_t);
+ krb5_boolean, krb5_ccache *, krb5_boolean *, uid_t);
 
 extern krb5_error_code krb5_store_all_creds
 (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **);
@@ -141,10 +141,6 @@ extern krb5_error_code krb5_store_some_creds
 (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **,
  krb5_principal, krb5_boolean *);
 
-extern krb5_error_code krb5_ccache_copy_restricted
-(krb5_context, krb5_ccache, char *, krb5_principal,
- krb5_ccache *, krb5_boolean *, uid_t);
-
 extern krb5_error_code krb5_ccache_refresh
 (krb5_context, krb5_ccache);
 
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 233eb52..62f3bc0 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -117,6 +117,7 @@ main (argc, argv)
     krb5_principal  kdc_server;
     krb5_boolean zero_password;
     char * dir_of_cc_target;
+    krb5_boolean restrict_creds;
 
     options.opt = KRB5_DEFAULT_OPTIONS;
     options.lifetime = KRB5_DEFAULT_TKT_LIFE;
@@ -464,25 +465,13 @@ main (argc, argv)
        then only the credentials for that particular user
        should be copied */
 
-    if ((source_uid == 0) && (target_uid != 0)) {
-
-        if ((retval = krb5_ccache_copy_restricted(ksu_context,  cc_source,
-                                                  cc_target_tag, client,
-                                                  &cc_target, &stored,
-                                                  target_uid))){
-            com_err(prog_name, retval, _("while copying cache %s to %s"),
-                    krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
-            exit(1);
-        }
-
-    } else {
-        if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag,
-                                       client,&cc_target, &stored, target_uid))) {
-            com_err(prog_name, retval, _("while copying cache %s to %s"),
-                    krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
-            exit(1);
-        }
-
+    restrict_creds = (source_uid == 0) && (target_uid != 0);
+    retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag, client,
+                              restrict_creds, &cc_target, &stored, target_uid);
+    if (retval) {
+        com_err(prog_name, retval, _("while copying cache %s to %s"),
+                krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
+        exit(1);
     }
 
     /* Become root for authentication*/
-- 
2.0.4