author | Nalin Dahyabhai <nalin.dahyabhai@pobox.com> | 2010-02-04 11:48:40 -0500 |
---|---|---|
committer | Nalin Dahyabhai <nalin.dahyabhai@pobox.com> | 2010-02-04 11:48:40 -0500 |
commit | c6d697fdb70b9cdf26763e09db5eaaf807237b57 (patch) | |
tree | 1275d4a5f584e65efe61c2d47a08a5bac23ae303 | |
parent | 7822a0df68ca959fd4476d9b9ce9bbb6864cc201 (diff) | |
- don't override the default for forwardable/proxiable
- do turn on canonicalization if the client library supports it
- handle get_init_creds_opt_free having different prototypes across
client library implementations
-rw-r--r-- | configure.ac | 18 | ||||
-rw-r--r-- | src/Makefile.am | 2 | ||||
-rw-r--r-- | src/credmonger.c | 51 |
3 files changed, 57 insertions, 14 deletions
diff --git a/configure.ac b/configure.ac index f05941f..ef82eb7 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT(credmonger,0.0) +AC_INIT(credmonger,0.1) AM_INIT_AUTOMAKE(foreign) AC_PROG_CC AC_MSG_CHECKING([for Kerberos 5 CFLAGS]) @@ -9,6 +9,22 @@ KRB5_LIBS=`krb5-config --libs` AC_MSG_RESULT($KRB5_LIBS) AC_SUBST(KRB5_CFLAGS) AC_SUBST(KRB5_LIBS) + +ldflags_save="$LDFLAGS" +LDFLAGS="$KRB5_LIBS" +AC_CHECK_FUNCS(krb5_get_init_creds_opt_set_canonicalize krb5_get_init_creds_opt_alloc krb5_get_init_creds_opt_free krb5_free_unparsed_name) +LDFLAGS="$ldflags_save" + +if test x$ac_cv_func_krb5_get_init_creds_opt_free = xyes ; then + AC_MSG_CHECKING([if krb5_get_init_creds_opt_free() takes a context]) + AC_COMPILE_IFELSE(AC_LANG_PROGRAM([#include <krb5.h>],[ + krb5_get_init_creds_opt_free(NULL, + NULL);]), + [AC_DEFINE(KRB5_GET_INIT_CREDS_OPT_ALLOC_FREE_TAKES_2_ARGS,1, + [Define if krb5_get_init_creds_opt_free() takes two arguments.]) + AC_MSG_RESULT([yes])], + AC_MSG_RESULT([no])) +fi AC_CONFIG_HEADER(src/config.h) mysysconfdir=`eval echo "$sysconfdir" | sed s,^NONE,"$prefix",` mysysconfdir=`eval echo "$mysysconfdir" | sed s,^NONE,"$ac_default_prefix",` diff --git a/src/Makefile.am b/src/Makefile.am index a4934b5..fc7352f 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -1,6 +1,6 @@ EXTRA_DIST = credmonger.init $(myconfig_DATA) AM_CFLAGS = @KRB5_CFLAGS@ -LDFLAGS = @KRB5_LIBS@ +LIBS = @KRB5_LIBS@ sbin_PROGRAMS = credmonger man_MANS = credmonger.8 credmonger_SOURCES = credmonger.c diff --git a/src/credmonger.c b/src/credmonger.c index df59daf..89e12fa 100644 --- a/src/credmonger.c +++ b/src/credmonger.c @@ -1,5 +1,5 @@ /* - * Copyright 2009 Red Hat, Inc. + * Copyright 2009,2010 Red Hat, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
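Review bot: In the second configure.ac hunk (`@@ -9,6 +9,22 @@`) the function probe puts the Kerberos libraries in `LDFLAGS` rather than `LIBS`, so they come before the test object on the link line and a linker using `--as-needed` or static archives can report every function as missing. A false negative is not harmless here: it silently selects the stack `gic_opts_st` path and plain `free()` in src/credmonger.c instead of the library's own allocation and release functions. Save and set `LIBS` instead (`libs_save="$LIBS"; LIBS="$KRB5_LIBS $LIBS"`), which is the same correction this commit makes in src/Makefile.am. The prototype probe also compiles `#include <krb5.h>` without `$KRB5_CFLAGS` in `CPPFLAGS`, so a krb5 installed outside the default include path would be reported as the one-argument form.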
@@ -34,6 +34,7 @@ #include <sys/fsuid.h> #include <dirent.h> #include <errno.h> +#include <limits.h> #include <pwd.h> #include <grp.h> #include <signal.h> @@ -265,6 +266,16 @@ entries_read(void) return list; } +static void +free_unparsed_name(krb5_context ctx, char *unparsed) +{ +#ifdef HAVE_KRB5_FREE_UNPARSED_NAME + krb5_free_unparsed_name(ctx, unparsed); +#else + free(unparsed); +#endif +} + /* Do the heavy lifting. */ static void entries_poll(void) @@ -276,7 +287,7 @@ entries_poll(void) krb5_keytab keytab; krb5_ccache ccache; krb5_principal client; - krb5_get_init_creds_opt *gic_opts; + krb5_get_init_creds_opt *gic_opts, gic_opts_st; char host[LINE_MAX], fccache[PATH_MAX + strlen(FCC_PREFIX) + 1]; char *principal_name, *oldfile; @@ -295,12 +306,20 @@ entries_poll(void) error_message(i)); } else { /* Initialize the get_init_creds options. */ +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC if (krb5_get_init_creds_opt_alloc(ctx, &gic_opts) != 0) { gic_opts = NULL; - } else { - krb5_get_init_creds_opt_set_forwardable(gic_opts, 0); - krb5_get_init_creds_opt_set_proxiable(gic_opts, 0); } +#else + gic_opts = &gic_opts_st; +#endif +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE + /* If the KDC has a better idea of the client's name, believe + * it. */ + if (gic_opts != NULL) { + krb5_get_init_creds_opt_set_canonicalize(gic_opts, 1); + } +#endif /* Walk the list of entries. */ for (i = 0; (entries != NULL) && (entries[i] != NULL); i++) { if (setreuid(0, 0) != 0) { @@ -411,7 +430,7 @@ entries_poll(void) "error getting creds for %s: %s\n", principal_name, error_message(ret)); krb5_kt_close(ctx, keytab); - krb5_free_unparsed_name(ctx, principal_name); + free_unparsed_name(ctx, principal_name); krb5_free_principal(ctx, client); continue; } 
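Review bot: In the `@@ -295,12 +306,20 @@` hunk the `#else` branch points `gic_opts` at the stack variable `gic_opts_st` without ever initialising it, so on a library that lacks `krb5_get_init_creds_opt_alloc` the option flags are whatever happened to be on the stack, and `krb5_get_init_creds_opt_set_canonicalize()` is then applied to that. Those options govern ticket properties such as lifetime, forwardable and proxiable, so indeterminate contents can yield credentials nobody configured. Add `krb5_get_init_creds_opt_init(&gic_opts_st);` directly before `gic_opts = &gic_opts_st;`. With canonicalization enabled the KDC may also return a client name different from `client`; the code that initialises the ccache lies outside this hunk, so it is worth confirming that it uses the principal from the returned credentials rather than the requested one. entries_poll() begins and ends outside the hunk.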
@@ -435,7 +454,7 @@ entries_poll(void) "error creating temporary ccache\n"); krb5_free_cred_contents(ctx, &creds); krb5_kt_close(ctx, keytab); - krb5_free_unparsed_name(ctx, principal_name); + free_unparsed_name(ctx, principal_name); krb5_free_principal(ctx, client); continue; } @@ -450,7 +469,7 @@ entries_poll(void) unlink(fccache + strlen(FCC_PREFIX)); krb5_free_cred_contents(ctx, &creds); krb5_kt_close(ctx, keytab); - krb5_free_unparsed_name(ctx, principal_name); + free_unparsed_name(ctx, principal_name); krb5_free_principal(ctx, client); continue; } @@ -464,7 +483,7 @@ entries_poll(void) unlink(fccache + strlen(FCC_PREFIX)); krb5_free_cred_contents(ctx, &creds); krb5_kt_close(ctx, keytab); - krb5_free_unparsed_name(ctx, principal_name); + free_unparsed_name(ctx, principal_name); krb5_free_principal(ctx, client); continue; } @@ -477,7 +496,7 @@ entries_poll(void) unlink(fccache + strlen(FCC_PREFIX)); krb5_free_cred_contents(ctx, &creds); krb5_kt_close(ctx, keytab); - krb5_free_unparsed_name(ctx, principal_name); + free_unparsed_name(ctx, principal_name); krb5_free_principal(ctx, client); continue; } @@ -526,7 +545,7 @@ entries_poll(void) principal_name, entries[i]->fccache); krb5_free_cred_contents(ctx, &creds); krb5_kt_close(ctx, keytab); - krb5_free_unparsed_name(ctx, principal_name); + free_unparsed_name(ctx, principal_name); krb5_free_principal(ctx, client); } if (setreuid(0, 0) != 0) { @@ -542,7 +561,15 @@ entries_poll(void) "supplemental group list\n"); _exit(1); } - krb5_get_init_creds_opt_free(ctx, gic_opts); +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE + if (gic_opts != &gic_opts_st) { +#ifdef KRB5_GET_INIT_CREDS_OPT_ALLOC_FREE_TAKES_2_ARGS + krb5_get_init_creds_opt_free(ctx, gic_opts); +#else + krb5_get_init_creds_opt_free(gic_opts); +#endif + } +#endif krb5_free_context(ctx); } |
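Review bot: In the final hunk (`@@ -542,7 +561,15 @@`) the release is keyed on `HAVE_KRB5_GET_INIT_CREDS_OPT_FREE` while the allocation earlier in entries_poll() is keyed on `HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC`, so a configure run that detects alloc but not free leaks the options structure on every call with no diagnostic. Since the two functions come as a pair, a guard such as `#if defined(HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC) && !defined(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE)` followed by `#error` would turn that into a build failure. A short comment above `if (gic_opts != &gic_opts_st)` would also help the next reader, e.g. `/* gic_opts_st lives on our stack; only release what the library allocated. */`. The function starts outside the hunk.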