c042f71c80
- replace older proposed changes for ksu with backports of the changes after review and merging upstream (#1015559, #1026099, #1118347)
231 lines
7.8 KiB
Diff
231 lines
7.8 KiB
Diff
From 74e775ac6d937c9d22be4fc1d429e5e62705fb7d Mon Sep 17 00:00:00 2001
|
|
From: Nalin Dahyabhai <nalin@redhat.com>
|
|
Date: Thu, 24 Jul 2014 15:39:53 -0400
|
|
Subject: [PATCH 1/7] In ksu, merge krb5_ccache_copy() and _restricted()
|
|
|
|
Other than whether or not they limit the creds it stores to the new
|
|
ccache based on the principal name of the client for whom the creds were
|
|
issued, there's no meaningful difference between what these two
|
|
functions do. Merge them.
|
|
---
|
|
src/clients/ksu/ccache.c | 106 ++++++-----------------------------------------
|
|
src/clients/ksu/ksu.h | 6 +--
|
|
src/clients/ksu/main.c | 27 ++++--------
|
|
3 files changed, 22 insertions(+), 117 deletions(-)
|
|
|
|
diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
|
|
index 9916c75..118fc53 100644
|
|
--- a/src/clients/ksu/ccache.c
|
|
+++ b/src/clients/ksu/ccache.c
|
|
@@ -47,12 +47,14 @@ void show_credential();
|
|
*/
|
|
|
|
krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
|
|
- primary_principal, cc_out, stored, target_uid)
|
|
+ primary_principal, restrict_creds, cc_out,
|
|
+ stored, target_uid)
|
|
/* IN */
|
|
krb5_context context;
|
|
krb5_ccache cc_def;
|
|
char *cc_other_tag;
|
|
krb5_principal primary_principal;
|
|
+ krb5_boolean restrict_creds;
|
|
uid_t target_uid;
|
|
/* OUT */
|
|
krb5_ccache *cc_out;
|
|
@@ -83,9 +85,6 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
|
|
}
|
|
}
|
|
|
|
- *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr,
|
|
- primary_principal);
|
|
-
|
|
if (!lstat( cc_other_name, &st_temp))
|
|
return EINVAL;
|
|
|
|
@@ -98,8 +97,16 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
|
|
return retval;
|
|
}
|
|
|
|
- retval = krb5_store_all_creds(context, * cc_other, cc_def_creds_arr,
|
|
- cc_other_creds_arr);
|
|
+ if (restrict_creds) {
|
|
+ retval = krb5_store_some_creds(context, *cc_other, cc_def_creds_arr,
|
|
+ cc_other_creds_arr, primary_principal,
|
|
+ stored);
|
|
+ } else {
|
|
+ *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr,
|
|
+ primary_principal);
|
|
+ retval = krb5_store_all_creds(context, *cc_other, cc_def_creds_arr,
|
|
+ cc_other_creds_arr);
|
|
+ }
|
|
|
|
if (cc_def_creds_arr){
|
|
while (cc_def_creds_arr[i]){
|
|
@@ -623,93 +630,6 @@ krb5_error_code krb5_store_some_creds(context, cc, creds_def, creds_other, prst,
|
|
*stored = temp_stored;
|
|
return 0;
|
|
}
|
|
-/******************************************************************
|
|
-krb5_cache_copy_restricted
|
|
-
|
|
-gets rid of any expired tickets in the secondary cache,
|
|
-copies the default cache into the secondary cache,
|
|
-only credentials that are for prst are copied.
|
|
-
|
|
-the algorithm may look a bit funny,
|
|
-but I had to do it this way, since cc_remove function did not come
|
|
-with k5 beta 3 release.
|
|
-************************************************************************/
|
|
-
|
|
-krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag,
|
|
- prst, cc_out, stored, target_uid)
|
|
- krb5_context context;
|
|
- krb5_ccache cc_def;
|
|
- char *cc_other_tag;
|
|
- krb5_principal prst;
|
|
- uid_t target_uid;
|
|
- /* OUT */
|
|
- krb5_ccache *cc_out;
|
|
- krb5_boolean *stored;
|
|
-{
|
|
-
|
|
- int i=0;
|
|
- krb5_ccache * cc_other;
|
|
- const char * cc_def_name;
|
|
- const char * cc_other_name;
|
|
- krb5_error_code retval=0;
|
|
- krb5_creds ** cc_def_creds_arr = NULL;
|
|
- krb5_creds ** cc_other_creds_arr = NULL;
|
|
- struct stat st_temp;
|
|
-
|
|
- cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache));
|
|
-
|
|
- if ((retval = krb5_cc_resolve(context, cc_other_tag, cc_other))){
|
|
- com_err(prog_name, retval, _("resolving ccache %s"), cc_other_tag);
|
|
- return retval;
|
|
- }
|
|
-
|
|
- cc_def_name = krb5_cc_get_name(context, cc_def);
|
|
- cc_other_name = krb5_cc_get_name(context, *cc_other);
|
|
-
|
|
- if ( ! stat(cc_def_name, &st_temp)){
|
|
- if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
|
|
- return retval;
|
|
- }
|
|
-
|
|
- }
|
|
-
|
|
- if (!lstat( cc_other_name, &st_temp)) {
|
|
- return EINVAL;
|
|
- }
|
|
-
|
|
- if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
|
|
- return errno;
|
|
- }
|
|
-
|
|
-
|
|
- if ((retval = krb5_cc_initialize(context, *cc_other, prst))){
|
|
- return retval;
|
|
- }
|
|
-
|
|
- retval = krb5_store_some_creds(context, * cc_other,
|
|
- cc_def_creds_arr, cc_other_creds_arr, prst, stored);
|
|
-
|
|
-
|
|
-
|
|
- if (cc_def_creds_arr){
|
|
- while (cc_def_creds_arr[i]){
|
|
- krb5_free_creds(context, cc_def_creds_arr[i]);
|
|
- i++;
|
|
- }
|
|
- }
|
|
-
|
|
- i=0;
|
|
-
|
|
- if(cc_other_creds_arr){
|
|
- while (cc_other_creds_arr[i]){
|
|
- krb5_free_creds(context, cc_other_creds_arr[i]);
|
|
- i++;
|
|
- }
|
|
- }
|
|
-
|
|
- *cc_out = *cc_other;
|
|
- return retval;
|
|
-}
|
|
|
|
krb5_error_code krb5_ccache_filter (context, cc, prst)
|
|
krb5_context context;
|
|
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
|
|
index f2c0811..9e0c613 100644
|
|
--- a/src/clients/ksu/ksu.h
|
|
+++ b/src/clients/ksu/ksu.h
|
|
@@ -107,7 +107,7 @@ extern krb5_error_code get_best_principal
|
|
/* ccache.c */
|
|
extern krb5_error_code krb5_ccache_copy
|
|
(krb5_context, krb5_ccache, char *, krb5_principal,
|
|
- krb5_ccache *, krb5_boolean *, uid_t);
|
|
+ krb5_boolean, krb5_ccache *, krb5_boolean *, uid_t);
|
|
|
|
extern krb5_error_code krb5_store_all_creds
|
|
(krb5_context, krb5_ccache, krb5_creds **, krb5_creds **);
|
|
@@ -141,10 +141,6 @@ extern krb5_error_code krb5_store_some_creds
|
|
(krb5_context, krb5_ccache, krb5_creds **, krb5_creds **,
|
|
krb5_principal, krb5_boolean *);
|
|
|
|
-extern krb5_error_code krb5_ccache_copy_restricted
|
|
-(krb5_context, krb5_ccache, char *, krb5_principal,
|
|
- krb5_ccache *, krb5_boolean *, uid_t);
|
|
-
|
|
extern krb5_error_code krb5_ccache_refresh
|
|
(krb5_context, krb5_ccache);
|
|
|
|
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
|
|
index 233eb52..62f3bc0 100644
|
|
--- a/src/clients/ksu/main.c
|
|
+++ b/src/clients/ksu/main.c
|
|
@@ -117,6 +117,7 @@ main (argc, argv)
|
|
krb5_principal kdc_server;
|
|
krb5_boolean zero_password;
|
|
char * dir_of_cc_target;
|
|
+ krb5_boolean restrict_creds;
|
|
|
|
options.opt = KRB5_DEFAULT_OPTIONS;
|
|
options.lifetime = KRB5_DEFAULT_TKT_LIFE;
|
|
@@ -464,25 +465,13 @@ main (argc, argv)
|
|
then only the credentials for that particular user
|
|
should be copied */
|
|
|
|
- if ((source_uid == 0) && (target_uid != 0)) {
|
|
-
|
|
- if ((retval = krb5_ccache_copy_restricted(ksu_context, cc_source,
|
|
- cc_target_tag, client,
|
|
- &cc_target, &stored,
|
|
- target_uid))){
|
|
- com_err(prog_name, retval, _("while copying cache %s to %s"),
|
|
- krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
|
|
- exit(1);
|
|
- }
|
|
-
|
|
- } else {
|
|
- if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag,
|
|
- client,&cc_target, &stored, target_uid))) {
|
|
- com_err(prog_name, retval, _("while copying cache %s to %s"),
|
|
- krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
|
|
- exit(1);
|
|
- }
|
|
-
|
|
+ restrict_creds = (source_uid == 0) && (target_uid != 0);
|
|
+ retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag, client,
|
|
+ restrict_creds, &cc_target, &stored, target_uid);
|
|
+ if (retval) {
|
|
+ com_err(prog_name, retval, _("while copying cache %s to %s"),
|
|
+ krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
|
|
+ exit(1);
|
|
}
|
|
|
|
/* Become root for authentication*/
|
|
--
|
|
2.0.4
|
|
|