From 59f2a9dd6a83a3721cdffe852343d96ffaa5c18a Mon Sep 17 00:00:00 2001
|
|
From: Greg Hudson <ghudson@mit.edu>
|
|
Date: Mon, 6 Apr 2020 20:45:10 -0400
|
|
Subject: [PATCH] Make ksu honor KRB5CCNAME again
|
|
|
|
Commit d439e370b70f7af4ed2da9c692a3be7dcf7b4ac6 (ticket 8800) caused
|
|
ksu to ignore KRB5CCNAME from the environment. ksu uses euid
|
|
switching to access the source cache, and should honor KRB5CCNAME to
|
|
find the ccache to potentially authorize the su operation.
|
|
|
|
Add a helper function init_ksu_context() to create the ksu context,
|
|
with explicit code to honor KRB5CCNAME using
|
|
krb5_cc_set_default_name().
|
|
|
|
ticket: 8895
|
|
tags: pullup
|
|
target_version: 1.18-next
|
|
|
|
(cherry picked from commit f040a3ac73947312e1b08c76f75f3389ffb4ba75)
|
|
---
|
|
src/clients/ksu/main.c | 31 ++++++++++++++++++++++++++++++-
|
|
1 file changed, 30 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
|
|
index 21a4d02bb..508242e0e 100644
|
|
--- a/src/clients/ksu/main.c
|
|
+++ b/src/clients/ksu/main.c
|
|
@@ -54,6 +54,7 @@ int force_fork = 0;
|
|
static int set_env_var (char *, char *);
|
|
static void sweep_up (krb5_context, krb5_ccache);
|
|
static char * ontty (void);
|
|
+static krb5_error_code init_ksu_context(krb5_context *);
|
|
static krb5_error_code set_ccname_env(krb5_context, krb5_ccache);
|
|
static void print_status( const char *fmt, ...)
|
|
#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 7)
|
|
@@ -135,7 +136,7 @@ main (argc, argv)
|
|
|
|
unsetenv ("KRB5_CONFIG");
|
|
|
|
- retval = krb5_init_secure_context(&ksu_context);
|
|
+ retval = init_ksu_context(&ksu_context);
|
|
if (retval) {
|
|
com_err(argv[0], retval, _("while initializing krb5"));
|
|
exit(1);
|
|
@@ -878,6 +879,34 @@ main (argc, argv)
|
|
}
|
|
}
|
|
|
|
+static krb5_error_code
|
|
+init_ksu_context(krb5_context *context_out)
|
|
+{
|
|
+ krb5_error_code retval;
|
|
+ const char *env_ccname;
|
|
+ krb5_context context;
|
|
+
|
|
+ *context_out = NULL;
|
|
+
|
|
+ retval = krb5_init_secure_context(&context);
|
|
+ if (retval)
|
|
+ return retval;
|
|
+
|
|
+ /* We want to obey KRB5CCNAME in this context even though this is a setuid
|
|
+ * program. (It will only be used when operating as the real uid.) */
|
|
+ env_ccname = getenv(KRB5_ENV_CCNAME);
|
|
+ if (env_ccname != NULL) {
|
|
+ retval = krb5_cc_set_default_name(context, env_ccname);
|
|
+ if (retval) {
|
|
+ krb5_free_context(context);
|
|
+ return retval;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ *context_out = context;
|
|
+ return 0;
|
|
+}
|
|
+
|
|
/* Set KRB5CCNAME in the environment to point to ccache. Print an error
|
|
* message on failure. */
|
|
static krb5_error_code
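Review bot: init_ksu_context() hands the KRB5CCNAME value straight to krb5_cc_set_default_name() on a context created by krb5_init_secure_context(), and nothing in the function itself restricts when that name may be resolved; the comment at `/* We want to obey KRB5CCNAME in this context ... */` only asserts that callers use it as the real uid. Because ksu is setuid, that invariant is part of the function's contract and should be stated above `static krb5_error_code init_ksu_context(krb5_context *context_out)`, e.g. `/* Create the ksu context as a secure context, but honor KRB5CCNAME so the invoking user's source ccache can be located. The name is untrusted input from the environment; callers must only open the default ccache while the effective uid equals the real uid. */`. An empty value (`KRB5CCNAME=`) is also passed through unchanged, and whether krb5_cc_set_default_name() treats "" as a reset or as a literal name is not visible in this hunk, so either a `*env_ccname != '\0'` guard or a one-line comment on the intended behavior would remove the ambiguity.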
|