authorNalin Dahyabhai <nalin.dahyabhai@pobox.com>2010-02-04 11:48:40 -0500
committerNalin Dahyabhai <nalin.dahyabhai@pobox.com>2010-02-04 11:48:40 -0500
commitc6d697fdb70b9cdf26763e09db5eaaf807237b57 (patch)
tree1275d4a5f584e65efe61c2d47a08a5bac23ae303
parent7822a0df68ca959fd4476d9b9ce9bbb6864cc201 (diff)
- don't override the default for forwardable/proxiable
- do turn on canonicalization if the client library supports it
- handle get_init_creds_opt_free having different prototypes across client library implementations
-rw-r--r--configure.ac18
-rw-r--r--src/Makefile.am2
-rw-r--r--src/credmonger.c51
3 files changed, 57 insertions, 14 deletions
diff --git a/configure.ac b/configure.ac
index f05941f..ef82eb7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT(credmonger,0.0)
+AC_INIT(credmonger,0.1)
AM_INIT_AUTOMAKE(foreign)
AC_PROG_CC
AC_MSG_CHECKING([for Kerberos 5 CFLAGS])
@@ -9,6 +9,22 @@ KRB5_LIBS=`krb5-config --libs`
AC_MSG_RESULT($KRB5_LIBS)
AC_SUBST(KRB5_CFLAGS)
AC_SUBST(KRB5_LIBS)
+
+ldflags_save="$LDFLAGS"
+LDFLAGS="$KRB5_LIBS"
+AC_CHECK_FUNCS(krb5_get_init_creds_opt_set_canonicalize krb5_get_init_creds_opt_alloc krb5_get_init_creds_opt_free krb5_free_unparsed_name)
+LDFLAGS="$ldflags_save"
+
+if test x$ac_cv_func_krb5_get_init_creds_opt_free = xyes ; then
+ AC_MSG_CHECKING([if krb5_get_init_creds_opt_free() takes a context])
+ AC_COMPILE_IFELSE(AC_LANG_PROGRAM([#include <krb5.h>],[
+ krb5_get_init_creds_opt_free(NULL,
+ NULL);]),
+ [AC_DEFINE(KRB5_GET_INIT_CREDS_OPT_ALLOC_FREE_TAKES_2_ARGS,1,
+ [Define if krb5_get_init_creds_opt_free() takes two arguments.])
+ AC_MSG_RESULT([yes])],
+ AC_MSG_RESULT([no]))
+fi
AC_CONFIG_HEADER(src/config.h)
mysysconfdir=`eval echo "$sysconfdir" | sed s,^NONE,"$prefix",`
mysysconfdir=`eval echo "$mysysconfdir" | sed s,^NONE,"$ac_default_prefix",`
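Review bot: The AC_COMPILE_IFELSE probe includes <krb5.h> without adding $KRB5_CFLAGS to the preprocessor flags, so on a system where krb5.h is not on the default include path the test program fails to compile for a reason unrelated to the prototype, the result is reported as "no", and the one-argument form of krb5_get_init_creds_opt_free() is selected for a library whose header declares two — which then fails to build in src/credmonger.c. Save and set CPPFLAGS around the probe the same way LDFLAGS is handled just above it: `cppflags_save="$CPPFLAGS"`, `CPPFLAGS="$KRB5_CFLAGS $CPPFLAGS"`, then `CPPFLAGS="$cppflags_save"` after AC_COMPILE_IFELSE. For the AC_CHECK_FUNCS link probe, placing the libraries in LIBS rather than LDFLAGS is the conventional form and would also match the LDFLAGS-to-LIBS switch this commit makes in src/Makefile.am.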
diff --git a/src/Makefile.am b/src/Makefile.am
index a4934b5..fc7352f 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,6 +1,6 @@
EXTRA_DIST = credmonger.init $(myconfig_DATA)
AM_CFLAGS = @KRB5_CFLAGS@
-LDFLAGS = @KRB5_LIBS@
+LIBS = @KRB5_LIBS@
sbin_PROGRAMS = credmonger
man_MANS = credmonger.8
credmonger_SOURCES = credmonger.c
diff --git a/src/credmonger.c b/src/credmonger.c
index df59daf..89e12fa 100644
--- a/src/credmonger.c
+++ b/src/credmonger.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2009 Red Hat, Inc.
+ * Copyright 2009,2010 Red Hat, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -34,6 +34,7 @@
#include <sys/fsuid.h>
#include <dirent.h>
#include <errno.h>
+#include <limits.h>
#include <pwd.h>
#include <grp.h>
#include <signal.h>
@@ -265,6 +266,16 @@ entries_read(void)
return list;
}
+static void
+free_unparsed_name(krb5_context ctx, char *unparsed)
+{
+#ifdef HAVE_KRB5_FREE_UNPARSED_NAME
+ krb5_free_unparsed_name(ctx, unparsed);
+#else
+ free(unparsed);
+#endif
+}
+
/* Do the heavy lifting. */
static void
entries_poll(void)
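Review bot: The new free_unparsed_name() helper carries no comment saying what it wraps, and its ctx parameter is unused in the fallback branch, which -Wunused-parameter will report. Suggested header comment above the definition: `/* Release a name returned by krb5_unparse_name(): use the library's own free routine where it exists, otherwise plain free(). */`, plus `(void)ctx;` inside the #else branch. The fallback presumably relies on the library having allocated the name with the same malloc() this program links against; that assumption is worth stating in the comment so a port to a library with a private allocator does not trip over it.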
@@ -276,7 +287,7 @@ entries_poll(void)
krb5_keytab keytab;
krb5_ccache ccache;
krb5_principal client;
- krb5_get_init_creds_opt *gic_opts;
+ krb5_get_init_creds_opt *gic_opts, gic_opts_st;
char host[LINE_MAX], fccache[PATH_MAX + strlen(FCC_PREFIX) + 1];
char *principal_name, *oldfile;
@@ -295,12 +306,20 @@ entries_poll(void)
error_message(i));
} else {
/* Initialize the get_init_creds options. */
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
if (krb5_get_init_creds_opt_alloc(ctx, &gic_opts) != 0) {
gic_opts = NULL;
- } else {
- krb5_get_init_creds_opt_set_forwardable(gic_opts, 0);
- krb5_get_init_creds_opt_set_proxiable(gic_opts, 0);
}
+#else
+ gic_opts = &gic_opts_st;
+#endif
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE
+ /* If the KDC has a better idea of the client's name, believe
+ * it. */
+ if (gic_opts != NULL) {
+ krb5_get_init_creds_opt_set_canonicalize(gic_opts, 1);
+ }
+#endif
/* Walk the list of entries. */
for (i = 0; (entries != NULL) && (entries[i] != NULL); i++) {
if (setreuid(0, 0) != 0) {
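Review bot: In the `#else` branch, `gic_opts = &gic_opts_st;` hands out a stack structure that nothing initialises — there is no call to krb5_get_init_creds_opt_init() on it — so on a library without krb5_get_init_creds_opt_alloc() the options passed along to the credential acquisition hold whatever was on the stack, which is undefined behaviour and may enable flags at random. Add `krb5_get_init_creds_opt_init(&gic_opts_st);` next to the assignment so the fallback path starts from the library's defaults, as the alloc path does. Separately, the `gic_opts != NULL` guard in this hunk shows a failed alloc leaves gic_opts NULL, yet the later free hunk only tests `gic_opts != &gic_opts_st`, so a NULL pointer reaches krb5_get_init_creds_opt_free(); whether that is tolerated depends on the library, so `if (gic_opts != NULL && gic_opts != &gic_opts_st)` there would be the safer check. The body of entries_poll() continues outside this hunk.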
@@ -411,7 +430,7 @@ entries_poll(void)
"error getting creds for %s: %s\n",
principal_name, error_message(ret));
krb5_kt_close(ctx, keytab);
- krb5_free_unparsed_name(ctx, principal_name);
+ free_unparsed_name(ctx, principal_name);
krb5_free_principal(ctx, client);
continue;
}
@@ -435,7 +454,7 @@ entries_poll(void)
"error creating temporary ccache\n");
krb5_free_cred_contents(ctx, &creds);
krb5_kt_close(ctx, keytab);
- krb5_free_unparsed_name(ctx, principal_name);
+ free_unparsed_name(ctx, principal_name);
krb5_free_principal(ctx, client);
continue;
}
@@ -450,7 +469,7 @@ entries_poll(void)
unlink(fccache + strlen(FCC_PREFIX));
krb5_free_cred_contents(ctx, &creds);
krb5_kt_close(ctx, keytab);
- krb5_free_unparsed_name(ctx, principal_name);
+ free_unparsed_name(ctx, principal_name);
krb5_free_principal(ctx, client);
continue;
}
@@ -464,7 +483,7 @@ entries_poll(void)
unlink(fccache + strlen(FCC_PREFIX));
krb5_free_cred_contents(ctx, &creds);
krb5_kt_close(ctx, keytab);
- krb5_free_unparsed_name(ctx, principal_name);
+ free_unparsed_name(ctx, principal_name);
krb5_free_principal(ctx, client);
continue;
}
@@ -477,7 +496,7 @@ entries_poll(void)
unlink(fccache + strlen(FCC_PREFIX));
krb5_free_cred_contents(ctx, &creds);
krb5_kt_close(ctx, keytab);
- krb5_free_unparsed_name(ctx, principal_name);
+ free_unparsed_name(ctx, principal_name);
krb5_free_principal(ctx, client);
continue;
}
@@ -526,7 +545,7 @@ entries_poll(void)
principal_name, entries[i]->fccache);
krb5_free_cred_contents(ctx, &creds);
krb5_kt_close(ctx, keytab);
- krb5_free_unparsed_name(ctx, principal_name);
+ free_unparsed_name(ctx, principal_name);
krb5_free_principal(ctx, client);
}
if (setreuid(0, 0) != 0) {
@@ -542,7 +561,15 @@ entries_poll(void)
"supplemental group list\n");
_exit(1);
}
- krb5_get_init_creds_opt_free(ctx, gic_opts);
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE
+ if (gic_opts != &gic_opts_st) {
+#ifdef KRB5_GET_INIT_CREDS_OPT_ALLOC_FREE_TAKES_2_ARGS
+ krb5_get_init_creds_opt_free(ctx, gic_opts);
+#else
+ krb5_get_init_creds_opt_free(gic_opts);
+#endif
+ }
+#endif
krb5_free_context(ctx);
}