| author | Nalin Dahyabhai <nalin.dahyabhai@pobox.com> | 2010-02-04 11:48:40 -0500 |
|---|---|---|
| committer | Nalin Dahyabhai <nalin.dahyabhai@pobox.com> | 2010-02-04 11:48:40 -0500 |
| commit | c6d697fdb70b9cdf26763e09db5eaaf807237b57 (patch) | |
| tree | 1275d4a5f584e65efe61c2d47a08a5bac23ae303 /src/credmonger.c | |
| parent | 7822a0df68ca959fd4476d9b9ce9bbb6864cc201 (diff) | |
- don't override the default for forwardable/proxiable
- do turn on canonicalization if the client library supports it
- handle get_init_creds_opt_free having different prototypes across
client library implementations
Diffstat (limited to 'src/credmonger.c')
| -rw-r--r-- | src/credmonger.c | 51 |
1 files changed, 39 insertions, 12 deletions
diff --git a/src/credmonger.c b/src/credmonger.c index df59daf..89e12fa 100644 --- a/src/credmonger.c +++ b/src/credmonger.c @@ -1,5 +1,5 @@ /* - * Copyright 2009 Red Hat, Inc. + * Copyright 2009,2010 Red Hat, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -34,6 +34,7 @@ #include <sys/fsuid.h> #include <dirent.h> #include <errno.h> +#include <limits.h> #include <pwd.h> #include <grp.h> #include <signal.h> @@ -265,6 +266,16 @@ entries_read(void) return list; } +static void +free_unparsed_name(krb5_context ctx, char *unparsed) +{ +#ifdef HAVE_KRB5_FREE_UNPARSED_NAME + krb5_free_unparsed_name(ctx, unparsed); +#else + free(unparsed); +#endif +} + /* Do the heavy lifting. */ static void entries_poll(void) @@ -276,7 +287,7 @@ entries_poll(void) krb5_keytab keytab; krb5_ccache ccache; krb5_principal client; - krb5_get_init_creds_opt *gic_opts; + krb5_get_init_creds_opt *gic_opts, gic_opts_st; char host[LINE_MAX], fccache[PATH_MAX + strlen(FCC_PREFIX) + 1]; char *principal_name, *oldfile; @@ -295,12 +306,20 @@ entries_poll(void) error_message(i)); } else { /* Initialize the get_init_creds options. */ +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC if (krb5_get_init_creds_opt_alloc(ctx, &gic_opts) != 0) { gic_opts = NULL; - } else { - krb5_get_init_creds_opt_set_forwardable(gic_opts, 0); - krb5_get_init_creds_opt_set_proxiable(gic_opts, 0); } +#else + gic_opts = &gic_opts_st; +#endif +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE + /* If the KDC has a better idea of the client's name, believe + * it. */ + if (gic_opts != NULL) { + krb5_get_init_creds_opt_set_canonicalize(gic_opts, 1); + } +#endif /* Walk the list of entries. */ for (i = 0; (entries != NULL) && (entries[i] != NULL); i++) { if (setreuid(0, 0) != 0) { 
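Review bot: In the `#else` branch of the options setup in entries_poll, `gic_opts = &gic_opts_st;` points at a stack structure that nothing in this hunk initializes, so a build without krb5_get_init_creds_opt_alloc() would pass indeterminate option values (the forwardable and proxiable settings among them) to the credential request that follows. Adding `krb5_get_init_creds_opt_init(&gic_opts_st);` directly after that assignment would give the fallback path defined defaults. Because canonicalization is now requested, the principal in the returned credentials may differ from `client`; the ccache setup lies outside this hunk, so it is worth confirming that it takes the principal from the returned creds. entries_poll starts before this hunk and continues past it.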
@@ -411,7 +430,7 @@ entries_poll(void) "error getting creds for %s: %s\n", principal_name, error_message(ret)); krb5_kt_close(ctx, keytab); - krb5_free_unparsed_name(ctx, principal_name); + free_unparsed_name(ctx, principal_name); krb5_free_principal(ctx, client); continue; } @@ -435,7 +454,7 @@ entries_poll(void) "error creating temporary ccache\n"); krb5_free_cred_contents(ctx, &creds); krb5_kt_close(ctx, keytab); - krb5_free_unparsed_name(ctx, principal_name); + free_unparsed_name(ctx, principal_name); krb5_free_principal(ctx, client); continue; } @@ -450,7 +469,7 @@ entries_poll(void) unlink(fccache + strlen(FCC_PREFIX)); krb5_free_cred_contents(ctx, &creds); krb5_kt_close(ctx, keytab); - krb5_free_unparsed_name(ctx, principal_name); + free_unparsed_name(ctx, principal_name); krb5_free_principal(ctx, client); continue; } @@ -464,7 +483,7 @@ entries_poll(void) unlink(fccache + strlen(FCC_PREFIX)); krb5_free_cred_contents(ctx, &creds); krb5_kt_close(ctx, keytab); - krb5_free_unparsed_name(ctx, principal_name); + free_unparsed_name(ctx, principal_name); krb5_free_principal(ctx, client); continue; } @@ -477,7 +496,7 @@ entries_poll(void) unlink(fccache + strlen(FCC_PREFIX)); krb5_free_cred_contents(ctx, &creds); krb5_kt_close(ctx, keytab); - krb5_free_unparsed_name(ctx, principal_name); + free_unparsed_name(ctx, principal_name); krb5_free_principal(ctx, client); continue; } @@ -526,7 +545,7 @@ entries_poll(void) principal_name, entries[i]->fccache); krb5_free_cred_contents(ctx, &creds); krb5_kt_close(ctx, keytab); - krb5_free_unparsed_name(ctx, principal_name); + free_unparsed_name(ctx, principal_name); krb5_free_principal(ctx, client); } if (setreuid(0, 0) != 0) { 
@@ -542,7 +561,15 @@ entries_poll(void) "supplemental group list\n"); _exit(1); } - krb5_get_init_creds_opt_free(ctx, gic_opts); +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE + if (gic_opts != &gic_opts_st) { +#ifdef KRB5_GET_INIT_CREDS_OPT_ALLOC_FREE_TAKES_2_ARGS + krb5_get_init_creds_opt_free(ctx, gic_opts); +#else + krb5_get_init_creds_opt_free(gic_opts); +#endif + } +#endif krb5_free_context(ctx); } |
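Review bot: The release of `gic_opts` at the end of entries_poll is guarded by `HAVE_KRB5_GET_INIT_CREDS_OPT_FREE`, while the allocation in the earlier hunk is guarded by `HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC`, so a configuration that detects only the allocator would leak the options on every call. Nesting the free under the same macro as the allocation, or failing the build when only one of the two is found, would keep them paired. A short comment on the pointer test would also help the next reader, for example `/* gic_opts_st lives on the stack; only heap-allocated options are freed */`. The start of entries_poll is outside this hunk.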
