krb5/0004-Make-ksu-respect-the-default_ccache_name-setting.patch
Nalin Dahyabhai c042f71c80 Update collection cache patch set for ksu
- replace older proposed changes for ksu with backports of the changes
  after review and merging upstream (#1015559, #1026099, #1118347)
2014-08-15 14:00:14 -04:00

379 lines
13 KiB
Diff

From 3a456898af626dcab4e1ab0749ca2ccb9ad6162b Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@dahyabhai.net>
Date: Wed, 30 Oct 2013 21:47:14 -0400
Subject: [PATCH 4/7] Make ksu respect the default_ccache_name setting
Move the logic for resolving and initializing a cache that we're
copying creds into out of krb5_ccache_copy(), and let the caller deal
with it. Add a helper functions to select/resolve an output ccache in
the default location for the target user after we've switched to the
target user's privileges. If the destination is a collection, take
care not to change which subsidiary is its primary, and reuse a
subsidiary cache if we can. If the destination is not a collection,
append a unique value to its name to make a new ccache.
[ghudson@mit.edu: some changes to variable names and comments; move
responsibility for getting target ccache name from
resolve_target_ccache to main]
ticket: 7984 (new)
---
src/clients/ksu/ccache.c | 35 +++------
src/clients/ksu/ksu.h | 6 +-
src/clients/ksu/main.c | 181 ++++++++++++++++++++++++++++++++++++++---------
3 files changed, 157 insertions(+), 65 deletions(-)
diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
index d0fc389..4693bd4 100644
--- a/src/clients/ksu/ccache.c
+++ b/src/clients/ksu/ccache.c
@@ -46,59 +46,41 @@ void show_credential();
with k5 beta 3 release.
*/
-krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
- primary_principal, restrict_creds,
- target_principal, cc_out, stored, target_uid)
+krb5_error_code krb5_ccache_copy(context, cc_def, target_principal, cc_target,
+ restrict_creds, primary_principal, stored)
/* IN */
krb5_context context;
krb5_ccache cc_def;
- char *cc_other_tag;
- krb5_principal primary_principal;
- krb5_boolean restrict_creds;
krb5_principal target_principal;
- uid_t target_uid;
+ krb5_ccache cc_target;
+ krb5_boolean restrict_creds;
+ krb5_principal primary_principal;
/* OUT */
- krb5_ccache *cc_out;
krb5_boolean *stored;
{
int i=0;
- krb5_ccache * cc_other;
krb5_error_code retval=0;
krb5_creds ** cc_def_creds_arr = NULL;
krb5_creds ** cc_other_creds_arr = NULL;
- cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache));
-
- if ((retval = krb5_cc_resolve(context, cc_other_tag, cc_other))){
- com_err(prog_name, retval, _("resolving ccache %s"), cc_other_tag);
- return retval;
- }
-
if (ks_ccache_is_initialized(context, cc_def)) {
if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
return retval;
}
}
- if (ks_ccache_name_is_initialized(context, cc_other_tag))
- return EINVAL;
-
- if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
- return errno;
- }
-
- retval = krb5_cc_initialize(context, *cc_other, target_principal);
+ retval = krb5_cc_initialize(context, cc_target, target_principal);
if (retval)
return retval;
if (restrict_creds) {
- retval = krb5_store_some_creds(context, *cc_other, cc_def_creds_arr,
+ retval = krb5_store_some_creds(context, cc_target, cc_def_creds_arr,
cc_other_creds_arr, primary_principal,
stored);
} else {
*stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr,
primary_principal);
- retval = krb5_store_all_creds(context, *cc_other, cc_def_creds_arr,
+ retval = krb5_store_all_creds(context, cc_target, cc_def_creds_arr,
cc_other_creds_arr);
}
@@ -118,7 +100,6 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
}
}
- *cc_out = *cc_other;
return retval;
}
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
index 08bf01b..fbbf217 100644
--- a/src/clients/ksu/ksu.h
+++ b/src/clients/ksu/ksu.h
@@ -44,8 +44,6 @@
#define KRB5_DEFAULT_OPTIONS 0
#define KRB5_DEFAULT_TKT_LIFE 60*60*12 /* 12 hours */
-#define KRB5_SECONDARY_CACHE "FILE:/tmp/krb5cc_"
-
#define KRB5_LOGIN_NAME ".k5login"
#define KRB5_USERS_NAME ".k5users"
#define USE_DEFAULT_REALM_NAME "."
@@ -106,8 +104,8 @@ extern krb5_error_code get_best_principal
/* ccache.c */
extern krb5_error_code krb5_ccache_copy
-(krb5_context, krb5_ccache, char *, krb5_principal, krb5_boolean,
- krb5_principal, krb5_ccache *, krb5_boolean *, uid_t);
+(krb5_context, krb5_ccache, krb5_principal, krb5_ccache,
+ krb5_boolean, krb5_principal, krb5_boolean *);
extern krb5_error_code krb5_store_all_creds
(krb5_context, krb5_ccache, krb5_creds **, krb5_creds **);
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index d1bb8ca..41a3bf8 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -54,6 +54,10 @@ static void print_status( const char *fmt, ...)
__attribute__ ((__format__ (__printf__, 1, 2)))
#endif
;
+static krb5_error_code resolve_target_cache(krb5_context ksu_context,
+ krb5_principal princ,
+ krb5_ccache *ccache_out,
+ krb5_boolean *ccache_reused);
/* Note -e and -a options are mutually exclusive */
/* insure the proper specification of target user as well as catching
@@ -112,7 +116,7 @@ main (argc, argv)
extern char * getpass(), *crypt();
int pargc;
char ** pargv;
- krb5_boolean stored = FALSE;
+ krb5_boolean stored = FALSE, cc_reused = FALSE;
krb5_principal kdc_server;
krb5_boolean zero_password;
krb5_boolean restrict_creds;
@@ -416,23 +420,8 @@ main (argc, argv)
exit(1);
}
- /*
- * Make sure that the new ticket file does not already exist.
- * This is run as source_uid because it is reasonable to
- * require the source user to have write to where the target
- * cache will be created.
- */
- cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE, sizeof(char));
- do {
- snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d",
- KRB5_SECONDARY_CACHE,
- (long)target_uid, gen_sym());
- } while (ks_ccache_name_is_initialized(ksu_context, cc_target_tag));
-
- if (auth_debug){
+ if (auth_debug)
fprintf(stderr, " source cache = %s\n", cc_source_tag);
- fprintf(stderr, " target cache = %s\n", cc_target_tag);
- }
/*
* After proper authentication and authorization, populate a cache for the
@@ -455,14 +444,19 @@ main (argc, argv)
com_err(prog_name, retval, _("while parsing temporary name"));
exit(1);
}
- retval = krb5_ccache_copy(ksu_context, cc_source, KS_TEMPORARY_CACHE,
- client, restrict_creds, tmp_princ, &cc_tmp,
- &stored, 0);
+ retval = krb5_cc_resolve(ksu_context, KS_TEMPORARY_CACHE, &cc_tmp);
+ if (retval) {
+ com_err(prog_name, retval, _("while creating temporary cache"));
+ exit(1);
+ }
+ retval = krb5_ccache_copy(ksu_context, cc_source, tmp_princ, cc_tmp,
+ restrict_creds, client, &stored);
if (retval) {
com_err(prog_name, retval, _("while copying cache %s to %s"),
krb5_cc_get_name(ksu_context, cc_source), KS_TEMPORARY_CACHE);
exit(1);
}
+ krb5_cc_close(ksu_context, cc_source);
/* Become root for authentication*/
@@ -686,23 +680,38 @@ main (argc, argv)
exit(1);
}
- retval = krb5_ccache_copy(ksu_context, cc_tmp, cc_target_tag,
- client, FALSE, client, &cc_target, &stored,
- target_pwd->pw_uid);
+ retval = resolve_target_cache(ksu_context, client, &cc_target, &cc_reused);
+ if (retval)
+ exit(1);
+ retval = krb5_cc_get_full_name(ksu_context, cc_target, &cc_target_tag);
if (retval) {
- com_err(prog_name, retval, _("while copying cache %s to %s"),
- KS_TEMPORARY_CACHE, cc_target_tag);
+ com_err(prog_name, retval, _("while getting name of target ccache"));
+ sweep_up(ksu_context, cc_target);
exit(1);
}
+ if (auth_debug)
+ fprintf(stderr, " target cache = %s\n", cc_target_tag);
+ if (cc_reused)
+ keep_target_cache = TRUE;
- if (stored && !ks_ccache_is_initialized(ksu_context, cc_target)) {
- com_err(prog_name, errno,
- _("%s does not have correct permissions for %s, %s aborted"),
- target_user, cc_target_tag, prog_name);
- exit(1);
+ if (stored) {
+ retval = krb5_ccache_copy(ksu_context, cc_tmp, client, cc_target,
+ FALSE, client, &stored);
+ if (retval) {
+ com_err(prog_name, retval, _("while copying cache %s to %s"),
+ KS_TEMPORARY_CACHE, cc_target_tag);
+ exit(1);
+ }
+
+ if (!ks_ccache_is_initialized(ksu_context, cc_target)) {
+ com_err(prog_name, errno,
+ _("%s does not have correct permissions for %s, "
+ "%s aborted"), target_user, cc_target_tag, prog_name);
+ exit(1);
+ }
}
- free(cc_target_tag);
+ krb5_free_string(ksu_context, cc_target_tag);
/* Set the cc env name to target. */
retval = set_ccname_env(ksu_context, cc_target);
@@ -711,9 +720,6 @@ main (argc, argv)
exit(1);
}
- if ( cc_source)
- krb5_cc_close(ksu_context, cc_source);
-
if (cmd){
if ((source_uid == 0) || (source_uid == target_uid )){
exec_cmd = cmd;
@@ -803,6 +809,113 @@ set_ccname_env(krb5_context ksu_context, krb5_ccache ccache)
return retval;
}
+/*
+ * Get the configured default ccache name. Unset KRB5CCNAME and force a
+ * recomputation so we don't use values for the source user. Print an error
+ * message on failure.
+ */
+static krb5_error_code
+get_configured_defccname(krb5_context context, char **target_out)
+{
+ krb5_error_code retval;
+ const char *defname;
+ char *target;
+
+ *target_out = NULL;
+
+ if (unsetenv(KRB5_ENV_CCNAME) != 0) {
+ retval = errno;
+ com_err(prog_name, retval, _("while clearing the value of %s"),
+ KRB5_ENV_CCNAME);
+ return retval;
+ }
+
+ /* Make sure we don't have a cached value for a different uid. */
+ retval = krb5_cc_set_default_name(context, NULL);
+ if (retval != 0) {
+ com_err(prog_name, retval, _("while resetting target ccache name"));
+ return retval;
+ }
+
+ defname = krb5_cc_default_name(context);
+ target = (defname == NULL) ? NULL : strdup(defname);
+ if (target == NULL) {
+ com_err(prog_name, ENOMEM, _("while determining target ccache name"));
+ return ENOMEM;
+ }
+ *target_out = target;
+ return 0;
+}
+
+/* Determine where the target user's creds should be stored. Print an error
+ * message on failure. */
+static krb5_error_code
+resolve_target_cache(krb5_context context, krb5_principal princ,
+ krb5_ccache *ccache_out, krb5_boolean *ccache_reused)
+{
+ krb5_error_code retval;
+ krb5_boolean switchable, reused = FALSE;
+ krb5_ccache ccache = NULL;
+ char *sep, *ccname = NULL, *target;
+
+ *ccache_out = NULL;
+ *ccache_reused = FALSE;
+
+ retval = get_configured_defccname(context, &target);
+ if (retval != 0)
+ return retval;
+
+ /* Check if the configured default name uses a switchable type. */
+ sep = strchr(target, ':');
+ *sep = '\0';
+ switchable = krb5_cc_support_switch(context, target);
+ *sep = ':';
+
+ if (!switchable) {
+ /* Try to avoid destroying an in-use target ccache by coming up with
+ * the name of a cache that doesn't exist yet. */
+ do {
+ free(ccname);
+ if (asprintf(&ccname, "%s.%d", target, gen_sym()) < 0) {
+ retval = ENOMEM;
+ com_err(prog_name, ENOMEM,
+ _("while allocating memory for target ccache name"));
+ goto cleanup;
+ }
+ } while (ks_ccache_name_is_initialized(context, ccname));
+ retval = krb5_cc_resolve(context, ccname, &ccache);
+ } else {
+ /* Look for a cache in the collection that we can reuse. */
+ retval = krb5_cc_cache_match(context, princ, &ccache);
+ if (retval == 0) {
+ reused = TRUE;
+ } else {
+ /* There isn't one, so create a new one. */
+ *sep = '\0';
+ retval = krb5_cc_new_unique(context, target, NULL, &ccache);
+ *sep = ':';
+ if (retval) {
+ com_err(prog_name, retval,
+ _("while creating new target ccache"));
+ goto cleanup;
+ }
+ retval = krb5_cc_initialize(context, ccache, princ);
+ if (retval) {
+ com_err(prog_name, retval,
+ _("while initializing target cache"));
+ goto cleanup;
+ }
+ }
+ }
+
+ *ccache_out = ccache;
+ *ccache_reused = reused;
+
+cleanup:
+ free(target);
+ return retval;
+}
+
#ifdef HAVE_GETUSERSHELL
int standard_shell(sh)
--
2.0.4