| author | Tom Yu <tlyu@mit.edu> | 2009-10-31 00:48:38 +0000 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2009-10-31 00:48:38 +0000 |
| commit | 02d6bcbc98a214e7aeaaa9f45f0db8784a7b743b (patch) | |
| tree | 61b9147863cd8be3eff63903dc36cae168254bd5 /src/clients/ksu | |
| parent | 162ab371748cba0cc6f172419bd6e71fa04bb878 (diff) | |
make mark-cstyle
make reindent
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/clients/ksu')
| -rw-r--r-- | src/clients/ksu/authorization.c | 539 | ||||
| -rw-r--r-- | src/clients/ksu/ccache.c | 857 | ||||
| -rw-r--r-- | src/clients/ksu/heuristic.c | 617 | ||||
| -rw-r--r-- | src/clients/ksu/krb_auth_su.c | 515 | ||||
| -rw-r--r-- | src/clients/ksu/ksu.h | 145 | ||||
| -rw-r--r-- | src/clients/ksu/main.c | 1245 | ||||
| -rw-r--r-- | src/clients/ksu/setenv.c | 161 | ||||
| -rw-r--r-- | src/clients/ksu/xmalloc.c | 21 |
8 files changed, 2054 insertions, 2046 deletions
diff --git a/src/clients/ksu/authorization.c b/src/clients/ksu/authorization.c index 0c90d2713..fcc5ca99d 100644 --- a/src/clients/ksu/authorization.c +++ b/src/clients/ksu/authorization.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (c) 1994 by the University of Southern California * @@ -40,11 +41,11 @@ krb5_boolean fowner(fp, uid) * the user himself, or by root. Otherwise, don't grant access. */ if (fstat(fileno(fp), &sbuf)) { - return(FALSE); + return(FALSE); } if ((sbuf.st_uid != uid) && sbuf.st_uid) { - return(FALSE); + return(FALSE); } return(TRUE); @@ -59,8 +60,8 @@ krb5_boolean fowner(fp, uid) */ krb5_error_code krb5_authorization(context, principal, luser, - cmd, ok, out_fcmd) - /* IN */ + cmd, ok, out_fcmd) +/* IN */ krb5_context context; krb5_principal principal; const char *luser; @@ -82,11 +83,11 @@ krb5_error_code krb5_authorization(context, principal, luser, /* no account => no access */ if ((pwd = getpwnam(luser)) == NULL) - return 0; + return 0; retval = krb5_unparse_name(context, principal, &princname); if (retval) - return retval; + return retval; #ifdef DEBUG printf("principal to be authorized %s\n", princname); 
@@ -99,43 +100,43 @@ krb5_error_code krb5_authorization(context, principal, luser, /* k5login and k5users must be owned by target user or root */ if (!k5login_flag){ - if ((login_fp = fopen(k5login_path, "r")) == NULL) - return 0; - if ( fowner(login_fp, pwd->pw_uid) == FALSE) { - fclose(login_fp); - return 0; - } + if ((login_fp = fopen(k5login_path, "r")) == NULL) + return 0; + if ( fowner(login_fp, pwd->pw_uid) == FALSE) { + fclose(login_fp); + return 0; + } } if (!k5users_flag){ - if ((users_fp = fopen(k5users_path, "r")) == NULL) { - return 0; - } - if ( fowner(users_fp, pwd->pw_uid) == FALSE){ - fclose(users_fp); - return 0; - } + if ((users_fp = fopen(k5users_path, "r")) == NULL) { + return 0; + } + if ( fowner(users_fp, pwd->pw_uid) == FALSE){ + fclose(users_fp); + return 0; + } } if (auth_debug){ - fprintf(stderr, - "In krb5_authorization: if auth files exist -> can access\n"); + fprintf(stderr, + "In krb5_authorization: if auth files exist -> can access\n"); } #if 0 if (cmd){ - if(k5users_flag){ - return 0; /* if kusers does not exist -> done */ - }else{ - if(retval = k5users_lookup(users_fp,princname, - cmd,&retbool,out_fcmd)){ - auth_cleanup(users_fp, login_fp, princname); - return retval; - }else{ - *ok =retbool; - return retval; - } - } + if(k5users_flag){ + return 0; /* if kusers does not exist -> done */ + }else{ + if(retval = k5users_lookup(users_fp,princname, + cmd,&retbool,out_fcmd)){ + auth_cleanup(users_fp, login_fp, princname); + return retval; + }else{ + *ok =retbool; + return retval; + } + } } #endif 
@@ -144,41 +145,41 @@ krb5_error_code krb5_authorization(context, principal, luser, if it's not there check the k5users file */ if (!k5login_flag){ - if (auth_debug) - fprintf(stderr, - "In krb5_authorization: principal to be authorized %s\n", - princname); - - retval = k5login_lookup(login_fp, princname, &retbool); - if (retval) { - auth_cleanup(users_fp, login_fp, princname); - return retval; - } - if (retbool) { - if (cmd) - *out_fcmd = xstrdup(cmd); - } + if (auth_debug) + fprintf(stderr, + "In krb5_authorization: principal to be authorized %s\n", + princname); + + retval = k5login_lookup(login_fp, princname, &retbool); + if (retval) { + auth_cleanup(users_fp, login_fp, princname); + return retval; + } + if (retbool) { + if (cmd) + *out_fcmd = xstrdup(cmd); + } } if ((!k5users_flag) && (retbool == FALSE) ){ - retval = k5users_lookup (users_fp, princname, - cmd, &retbool, out_fcmd); - if(retval) { - auth_cleanup(users_fp, login_fp, princname); - return retval; - } + retval = k5users_lookup (users_fp, princname, + cmd, &retbool, out_fcmd); + if(retval) { + auth_cleanup(users_fp, login_fp, princname); + return retval; + } } if (k5login_flag && k5users_flag){ - char * kuser = (char *) xcalloc (strlen(princname), sizeof(char)); - if (!(krb5_aname_to_localname(context, principal, - strlen(princname), kuser)) - && (strcmp(kuser, luser) == 0)) { - retbool = TRUE; - } + char * kuser = (char *) xcalloc (strlen(princname), sizeof(char)); + if (!(krb5_aname_to_localname(context, principal, + strlen(princname), kuser)) + && (strcmp(kuser, luser) == 0)) { + retbool = TRUE; + } - free(kuser); + free(kuser); } *ok =retbool; 
@@ -208,28 +209,28 @@ krb5_error_code k5login_lookup (fp, princname, found) retval = get_line(fp, &line); if (retval) - return retval; + return retval; while (line){ - fprinc = get_first_token (line, &lp); - - if (fprinc && (!strcmp(princname, fprinc))){ - if( get_next_token (&lp) ){ - free (line); - break; /* nothing should follow princname*/ - } - else{ - loc_found = TRUE; - free (line); - break; - } - } - - free (line); - - retval = get_line(fp, &line); - if (retval) - return retval; + fprinc = get_first_token (line, &lp); + + if (fprinc && (!strcmp(princname, fprinc))){ + if( get_next_token (&lp) ){ + free (line); + break; /* nothing should follow princname*/ + } + else{ + loc_found = TRUE; + free (line); + break; + } + } + + free (line); + + retval = get_line(fp, &line); + if (retval) + return retval; } @@ -248,10 +249,10 @@ authorization alg: if princname is not found return false. if princname is found{ - if cmd == NULL then the file entry after principal - name must be nothing or * + if cmd == NULL then the file entry after principal + name must be nothing or * - if cmd !=NULL then entry must be matched (* is ok) + if cmd !=NULL then entry must be matched (* is ok) } 
@@ -272,62 +273,62 @@ krb5_error_code k5users_lookup (fp, princname, cmd, found, out_fcmd) retval = get_line(fp, &line); if (retval) - return retval; + return retval; while (line){ - fprinc = get_first_token (line, &lp); - - if (fprinc && (!strcmp(princname, fprinc))){ - fcmd = get_next_token (&lp); - - if ((fcmd) && (!strcmp(fcmd, PERMIT_ALL_COMMANDS))){ - if (get_next_token(&lp) == NULL){ - loc_fcmd =cmd ? xstrdup(cmd): NULL; - loc_found = TRUE; - } - free (line); - break; - } - - if (cmd == NULL){ - if (fcmd == NULL) - loc_found = TRUE; - free (line); - break; - - }else{ - if (fcmd != NULL) { - char * temp_rfcmd, *err; - krb5_boolean match; - do { - if(match_commands(fcmd,cmd,&match, - &temp_rfcmd, &err)){ - if (auth_debug){ - fprintf(stderr,"%s",err); - } - loc_fcmd = err; - break; - }else{ - if (match == TRUE){ - loc_fcmd = temp_rfcmd; - loc_found = TRUE; - break; - } - } - - }while ((fcmd = get_next_token( &lp))); - } - free (line); - break; - } - } - - free (line); - - retval = get_line(fp, &line); - if (retval) { - return retval; - } + fprinc = get_first_token (line, &lp); + + if (fprinc && (!strcmp(princname, fprinc))){ + fcmd = get_next_token (&lp); + + if ((fcmd) && (!strcmp(fcmd, PERMIT_ALL_COMMANDS))){ + if (get_next_token(&lp) == NULL){ + loc_fcmd =cmd ? xstrdup(cmd): NULL; + loc_found = TRUE; + } + free (line); + break; + } + + if (cmd == NULL){ + if (fcmd == NULL) + loc_found = TRUE; + free (line); + break; + + }else{ + if (fcmd != NULL) { + char * temp_rfcmd, *err; + krb5_boolean match; + do { + if(match_commands(fcmd,cmd,&match, + &temp_rfcmd, &err)){ + if (auth_debug){ + fprintf(stderr,"%s",err); + } + loc_fcmd = err; + break; + }else{ + if (match == TRUE){ + loc_fcmd = temp_rfcmd; + loc_found = TRUE; + break; + } + } + + }while ((fcmd = get_next_token( &lp))); + } + free (line); + break; + } + } + + free (line); + + retval = get_line(fp, &line); + if (retval) { + return retval; + } } *out_fcmd = loc_fcmd; 
@@ -358,54 +359,54 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err) tmp_fcmd = (char **) xcalloc (MAX_CMD, sizeof(char *)); if (*fcmd == '/'){ /* must be full path */ - tmp_fcmd[0] = xstrdup(fcmd); - tmp_fcmd[1] = NULL; - *out_fcmd = tmp_fcmd; - return TRUE; + tmp_fcmd[0] = xstrdup(fcmd); + tmp_fcmd[1] = NULL; + *out_fcmd = tmp_fcmd; + return TRUE; }else{ - /* must be either full path or just the cmd name */ - if (strchr(fcmd, '/')){ - asprintf(&err,"Error: bad entry - %s in %s file, must be either full path or just the cmd name\n", fcmd, KRB5_USERS_NAME); - *out_err = err; - return FALSE; - } + /* must be either full path or just the cmd name */ + if (strchr(fcmd, '/')){ + asprintf(&err,"Error: bad entry - %s in %s file, must be either full path or just the cmd name\n", fcmd, KRB5_USERS_NAME); + *out_err = err; + return FALSE; + } #ifndef CMD_PATH - asprintf(&err,"Error: bad entry - %s in %s file, since %s is just the cmd name, CMD_PATH must be defined \n", fcmd, KRB5_USERS_NAME, fcmd); - *out_err = err; - return FALSE; + asprintf(&err,"Error: bad entry - %s in %s file, since %s is just the cmd name, CMD_PATH must be defined \n", fcmd, KRB5_USERS_NAME, fcmd); + *out_err = err; + return FALSE; #else - path = xstrdup (CMD_PATH); - path_ptr = path; + path = xstrdup (CMD_PATH); + path_ptr = path; - while ((*path_ptr == ' ') || (*path_ptr == '\t')) path_ptr ++; + while ((*path_ptr == ' ') || (*path_ptr == '\t')) path_ptr ++; - tc = get_first_token (path_ptr, &lp); + tc = get_first_token (path_ptr, &lp); - if (! tc){ - asprintf(&err,"Error: bad entry - %s in %s file, CMD_PATH contains no paths \n", fcmd, KRB5_USERS_NAME); - *out_err = err; - return FALSE; - } + if (! 
tc){ + asprintf(&err,"Error: bad entry - %s in %s file, CMD_PATH contains no paths \n", fcmd, KRB5_USERS_NAME); + *out_err = err; + return FALSE; + } - i=0; - do{ - if (*tc != '/'){ /* must be full path */ - asprintf(&err,"Error: bad path %s in CMD_PATH for %s must start with '/' \n",tc, KRB5_USERS_NAME ); - *out_err = err; - return FALSE; - } + i=0; + do{ + if (*tc != '/'){ /* must be full path */ + asprintf(&err,"Error: bad path %s in CMD_PATH for %s must start with '/' \n",tc, KRB5_USERS_NAME ); + *out_err = err; + return FALSE; + } - tmp_fcmd[i] = xasprintf("%s/%s", tc, fcmd); + tmp_fcmd[i] = xasprintf("%s/%s", tc, fcmd); - i++; + i++; - } while((tc = get_next_token (&lp))); + } while((tc = get_next_token (&lp))); - tmp_fcmd[i] = NULL; - *out_fcmd = tmp_fcmd; - return TRUE; + tmp_fcmd[i] = NULL; + *out_fcmd = tmp_fcmd; + return TRUE; #endif /* CMD_PATH */ } @@ -413,7 +414,7 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err) /******************************************** cmd_single - checks if cmd consists of a path - or a single token + or a single token ********************************************/ @@ -422,9 +423,9 @@ krb5_boolean cmd_single(cmd) { if ( ( strrchr( cmd, '/')) == NULL){ - return TRUE; + return TRUE; }else{ - return FALSE; + return FALSE; } } @@ -443,17 +444,17 @@ int cmd_arr_cmp_postfix(fcmd_arr, cmd) int i = 0; while(fcmd_arr[i]){ - if ( (ptr = strrchr( fcmd_arr[i], '/')) == NULL){ - temp_fcmd = fcmd_arr[i]; - }else { - temp_fcmd = ptr + 1; - } - - result = strcmp (temp_fcmd, cmd); - if (result == 0){ - break; - } - i++; + if ( (ptr = strrchr( fcmd_arr[i], '/')) == NULL){ + temp_fcmd = fcmd_arr[i]; + }else { + temp_fcmd = ptr + 1; + } + + result = strcmp (temp_fcmd, cmd); + if (result == 0){ + break; + } + i++; } return result; 
@@ -475,11 +476,11 @@ int cmd_arr_cmp (fcmd_arr, cmd) int i = 0; while(fcmd_arr[i]){ - result = strcmp (fcmd_arr[i], cmd); - if (result == 0){ - break; - } - i++; + result = strcmp (fcmd_arr[i], cmd); + if (result == 0){ + break; + } + i++; } return result; } @@ -497,25 +498,25 @@ krb5_boolean find_first_cmd_that_exists(fcmd_arr, cmd_out, err_out) struct k5buf buf; while(fcmd_arr[i]){ - if (!stat (fcmd_arr[i], &st_temp )){ - *cmd_out = xstrdup(fcmd_arr[i]); - retbool = TRUE; - break; - } - i++; + if (!stat (fcmd_arr[i], &st_temp )){ + *cmd_out = xstrdup(fcmd_arr[i]); + retbool = TRUE; + break; + } + i++; } if (retbool == FALSE ){ - krb5int_buf_init_dynamic(&buf); - krb5int_buf_add(&buf, "Error: not found -> "); - for(j= 0; j < i; j ++) - krb5int_buf_add_fmt(&buf, " %s ", fcmd_arr[j]); - krb5int_buf_add(&buf, "\n"); - *err_out = krb5int_buf_data(&buf); - if (*err_out == NULL) { - perror(prog_name); - exit(1); - } + krb5int_buf_init_dynamic(&buf); + krb5int_buf_add(&buf, "Error: not found -> "); + for(j= 0; j < i; j ++) + krb5int_buf_add_fmt(&buf, " %s ", fcmd_arr[j]); + krb5int_buf_add(&buf, "\n"); + *err_out = krb5int_buf_data(&buf); + if (*err_out == NULL) { + perror(prog_name); + exit(1); + } } 
@@ -539,45 +540,45 @@ int match_commands (fcmd, cmd, match, cmd_out, err_out) char * cmd_temp; if(fcmd_resolve(fcmd, &fcmd_arr, &err )== FALSE ){ - *err_out = err; - return 1; + *err_out = err; + return 1; } if (cmd_single( cmd ) == TRUE){ - if (!cmd_arr_cmp_postfix(fcmd_arr, cmd)){ /* found */ - - if(find_first_cmd_that_exists( fcmd_arr,&cmd_temp,&err)== TRUE){ - *match = TRUE; - *cmd_out = cmd_temp; - return 0; - }else{ - *err_out = err; - return 1; - } - }else{ - *match = FALSE; - return 0; - } + if (!cmd_arr_cmp_postfix(fcmd_arr, cmd)){ /* found */ + + if(find_first_cmd_that_exists( fcmd_arr,&cmd_temp,&err)== TRUE){ + *match = TRUE; + *cmd_out = cmd_temp; + return 0; + }else{ + *err_out = err; + return 1; + } + }else{ + *match = FALSE; + return 0; + } }else{ - if (!cmd_arr_cmp(fcmd_arr, cmd)){ /* found */ - *match = TRUE; - *cmd_out = xstrdup(cmd); - return 0; - } else{ - *match = FALSE; - return 0; - } + if (!cmd_arr_cmp(fcmd_arr, cmd)){ /* found */ + *match = TRUE; + *cmd_out = xstrdup(cmd); + return 0; + } else{ + *match = FALSE; + return 0; + } } } /********************************************************* get_line - returns a line of any length. out_line - is set to null if eof. + is set to null if eof. *********************************************************/ krb5_error_code get_line (fp, out_line) - /* IN */ +/* IN */ FILE *fp; /* OUT */ char **out_line; 
@@ -590,27 +591,27 @@ krb5_error_code get_line (fp, out_line) line[0] = '\0'; while (( r = fgets(line_ptr, BUFSIZ , fp)) != NULL){ - newline = strchr(line_ptr, '\n'); - if (newline) { - *newline = '\0'; - break; - } - else { - chunk_count ++; - if(!( line = (char *) realloc( line, - chunk_count * sizeof(char) * BUFSIZ))){ - return ENOMEM; - } - - line_ptr = line + (BUFSIZ -1) *( chunk_count -1) ; - } + newline = strchr(line_ptr, '\n'); + if (newline) { + *newline = '\0'; + break; + } + else { + chunk_count ++; + if(!( line = (char *) realloc( line, + chunk_count * sizeof(char) * BUFSIZ))){ + return ENOMEM; + } + + line_ptr = line + (BUFSIZ -1) *( chunk_count -1) ; + } } if ((r == NULL) && (strlen(line) == 0)) { - *out_line = NULL; + *out_line = NULL; } else{ - *out_line = line; + *out_line = line; } return 0; @@ -635,20 +636,20 @@ char * get_first_token (line, lnext) out_ptr = line; lptr = line; - + while (( *lptr == ' ') || (*lptr == '\t')) lptr ++; - + if (strlen(lptr) == 0) return NULL; - + while (( *lptr != ' ') && (*lptr != '\t') && (*lptr != '\0')) lptr ++; - + if (*lptr == '\0'){ - *lnext = lptr; + *lnext = lptr; } else{ - *lptr = '\0'; - *lnext = lptr + 1; + *lptr = '\0'; + *lnext = lptr + 1; } - + return out_ptr; } /********************************************************** @@ -678,10 +679,10 @@ char * get_next_token (lnext) while (( *lptr != ' ') && (*lptr != '\t') && (*lptr != '\0')) lptr ++; if (*lptr == '\0'){ - *lnext = lptr; + *lnext = lptr; } else{ - *lptr = '\0'; - *lnext = lptr + 1; + *lptr = '\0'; + *lnext = lptr + 1; } return out_ptr; @@ -695,9 +696,9 @@ static void auth_cleanup(users_fp, login_fp, princname) free (princname); if (users_fp) - fclose(users_fp); + fclose(users_fp); if (login_fp) - fclose(login_fp); + fclose(login_fp); } void init_auth_names(pw_dir) 
@@ -708,14 +709,14 @@ void init_auth_names(pw_dir) sep = ((strlen(pw_dir) == 1) && (*pw_dir == '/')) ? "" : "/"; r1 = snprintf(k5login_path, sizeof(k5login_path), "%s%s%s", - pw_dir, sep, KRB5_LOGIN_NAME); + pw_dir, sep, KRB5_LOGIN_NAME); r2 = snprintf(k5users_path, sizeof(k5users_path), "%s%s%s", - pw_dir, sep, KRB5_USERS_NAME); + pw_dir, sep, KRB5_USERS_NAME); if (SNPRINTF_OVERFLOW(r1, sizeof(k5login_path)) || - SNPRINTF_OVERFLOW(r2, sizeof(k5users_path))) { - fprintf (stderr, - "home directory name `%s' too long, can't search for .k5login\n", - pw_dir); - exit (1); + SNPRINTF_OVERFLOW(r2, sizeof(k5users_path))) { + fprintf (stderr, + "home directory name `%s' too long, can't search for .k5login\n", + pw_dir); + exit (1); } } diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c index 8ed5fb185..2eafd0934 100644 --- a/src/clients/ksu/ccache.c +++ b/src/clients/ksu/ccache.c @@ -1,4 +1,5 @@ -/* +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* * Copyright (c) 1994 by the University of Southern California * * EXPORT OF THIS SOFTWARE from the United States of America may @@ -10,7 +11,7 @@ * this software and its documentation in source and binary forms is * hereby granted, provided that any documentation or other materials * related to such distribution or use acknowledge that the software - * was developed by the University of Southern California. + * was developed by the University of Southern California. * * DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED "AS IS". The * University of Southern California MAKES NO REPRESENTATIONS OR @@ -25,7 +26,7 @@ * KSU was writen by: Ari Medvinsky, ari@isi.edu */ -#include "ksu.h" +#include "ksu.h" #include "adm_proto.h" #include <sys/types.h> #include <sys/stat.h> 
@@ -34,95 +35,95 @@ krb5_cache_copy gets rid of any expired tickets in the secondary cache, -copies the default cache into the secondary cache, +copies the default cache into the secondary cache, ************************************************************************/ void show_credential(); /* modifies only the cc_other, the algorithm may look a bit funny, - but I had to do it this way, since remove function did not come - with k5 beta 3 release. + but I had to do it this way, since remove function did not come + with k5 beta 3 release. */ -krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, - primary_principal, cc_out, stored, target_uid) - /* IN */ +krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, + primary_principal, cc_out, stored, target_uid) +/* IN */ krb5_context context; krb5_ccache cc_def; char *cc_other_tag; krb5_principal primary_principal; -uid_t target_uid; + uid_t target_uid; /* OUT */ krb5_ccache *cc_out; krb5_boolean *stored; { -int i=0; -krb5_ccache * cc_other; -const char * cc_def_name; -const char * cc_other_name; -krb5_error_code retval=0; -krb5_creds ** cc_def_creds_arr = NULL; -krb5_creds ** cc_other_creds_arr = NULL; -struct stat st_temp; + int i=0; + krb5_ccache * cc_other; + const char * cc_def_name; + const char * cc_other_name; + krb5_error_code retval=0; + krb5_creds ** cc_def_creds_arr = NULL; + krb5_creds ** cc_other_creds_arr = NULL; + struct stat st_temp; - cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache)); + cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache)); if ((retval = krb5_cc_resolve(context, cc_other_tag, cc_other))){ - com_err (prog_name, retval, "resolving ccache %s", - cc_other_tag); - return retval; + com_err (prog_name, retval, "resolving ccache %s", + cc_other_tag); + return retval; } - cc_def_name = krb5_cc_get_name(context, cc_def); - cc_other_name = krb5_cc_get_name(context, *cc_other); + cc_def_name = krb5_cc_get_name(context, cc_def); + cc_other_name = 
krb5_cc_get_name(context, *cc_other); if ( ! stat(cc_def_name, &st_temp)){ - if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){ - return retval; - } + if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){ + return retval; + } } *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr, - primary_principal); + primary_principal); #ifdef HAVE_LSTAT if (!lstat( cc_other_name, &st_temp)) #else /*HAVE_LSTAT*/ - if (!stat( cc_other_name, &st_temp)) + if (!stat( cc_other_name, &st_temp)) #endif - return EINVAL; - - if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { - return errno; - } - - + return EINVAL; + + if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { + return errno; + } + + if ((retval = krb5_cc_initialize(context, *cc_other, primary_principal))){ - return retval; + return retval; } - retval = krb5_store_all_creds(context, * cc_other, cc_def_creds_arr, - cc_other_creds_arr); + retval = krb5_store_all_creds(context, * cc_other, cc_def_creds_arr, + cc_other_creds_arr); - if (cc_def_creds_arr){ - while (cc_def_creds_arr[i]){ - krb5_free_creds(context, cc_def_creds_arr[i]); - i++; - } - } + if (cc_def_creds_arr){ + while (cc_def_creds_arr[i]){ + krb5_free_creds(context, cc_def_creds_arr[i]); + i++; + } + } i=0; - if(cc_other_creds_arr){ - while (cc_other_creds_arr[i]){ - krb5_free_creds(context, cc_other_creds_arr[i]); - i++; - } + if(cc_other_creds_arr){ + while (cc_other_creds_arr[i]){ + krb5_free_creds(context, cc_other_creds_arr[i]); + i++; + } } - *cc_out = *cc_other; - return retval; + *cc_out = *cc_other; + return retval; } 
@@ -133,65 +134,65 @@ krb5_error_code krb5_store_all_creds(context, cc, creds_def, creds_other) krb5_creds **creds_other; { -int i = 0; -krb5_error_code retval = 0; -krb5_creds ** temp_creds= NULL; - - - if ((creds_def == NULL) && (creds_other == NULL)) - return 0; - - if ((creds_def == NULL) && (creds_other != NULL)) - temp_creds = creds_other; - - if ((creds_def != NULL) && (creds_other == NULL)) - temp_creds = creds_def; - - - if (temp_creds){ - while(temp_creds[i]){ - if ((retval= krb5_cc_store_cred(context, cc, - temp_creds[i]))){ - return retval; - } - i++; - } - } - else { /* both arrays have elements in them */ - - return KRB5KRB_ERR_GENERIC; - -/************ while(creds_other[i]){ - cmp = FALSE; - j = 0; - while(creds_def[j]){ - cmp = compare_creds(creds_other[i],creds_def[j]); - - if( cmp == TRUE) break; - - j++; - } - if (cmp == FALSE){ - if (retval= krb5_cc_store_cred(context, cc, - creds_other[i])){ - return retval; - } - } - i ++; - } - - i=0; - while(creds_def[i]){ - if (retval= krb5_cc_store_cred(context, cc, - creds_def[i])){ - return retval; - } - i++; - } + int i = 0; + krb5_error_code retval = 0; + krb5_creds ** temp_creds= NULL; + + + if ((creds_def == NULL) && (creds_other == NULL)) + return 0; + + if ((creds_def == NULL) && (creds_other != NULL)) + temp_creds = creds_other; + + if ((creds_def != NULL) && (creds_other == NULL)) + temp_creds = creds_def; + + + if (temp_creds){ + while(temp_creds[i]){ + if ((retval= krb5_cc_store_cred(context, cc, + temp_creds[i]))){ + return retval; + } + i++; + } + } + else { /* both arrays have elements in them */ + + return KRB5KRB_ERR_GENERIC; + +/************ while(creds_other[i]){ + cmp = FALSE; + j = 0; + while(creds_def[j]){ + cmp = compare_creds(creds_other[i],creds_def[j]); + + if( cmp == TRUE) break; + + j++; + } + if (cmp == FALSE){ + if (retval= krb5_cc_store_cred(context, cc, + creds_other[i])){ + return retval; + } + } + i ++; + } + + i=0; + while(creds_def[i]){ + if (retval= 
krb5_cc_store_cred(context, cc, + creds_def[i])){ + return retval; + } + i++; + } **************/ - } - return 0; + } + return 0; } krb5_boolean compare_creds(context, cred1, cred2) 
@@ -199,86 +200,86 @@ krb5_boolean compare_creds(context, cred1, cred2) krb5_creds *cred1; krb5_creds *cred2; { -krb5_boolean retval; + krb5_boolean retval; - retval = krb5_principal_compare (context, cred1->client, cred2->client); + retval = krb5_principal_compare (context, cred1->client, cred2->client); - if (retval == TRUE) - retval = krb5_principal_compare (context, cred1->server, cred2->server); + if (retval == TRUE) + retval = krb5_principal_compare (context, cred1->server, cred2->server); - return retval; + return retval; } - + krb5_error_code krb5_get_nonexp_tkts(context, cc, creds_array) krb5_context context; krb5_ccache cc; krb5_creds ***creds_array; { -krb5_creds creds, temp_tktq, temp_tkt; -krb5_creds **temp_creds; -krb5_error_code retval=0; -krb5_cc_cursor cur; -int count = 0; -int chunk_count = 1; - - if ( ! ( temp_creds = (krb5_creds **) malloc( CHUNK * sizeof(krb5_creds *)))){ - return ENOMEM; - } + krb5_creds creds, temp_tktq, temp_tkt; + krb5_creds **temp_creds; + krb5_error_code retval=0; + krb5_cc_cursor cur; + int count = 0; + int chunk_count = 1; + + if ( ! 
( temp_creds = (krb5_creds **) malloc( CHUNK * sizeof(krb5_creds *)))){ + return ENOMEM; + } - memset(&temp_tktq, 0, sizeof(temp_tktq)); - memset(&temp_tkt, 0, sizeof(temp_tkt)); - memset(&creds, 0, sizeof(creds)); + memset(&temp_tktq, 0, sizeof(temp_tktq)); + memset(&temp_tkt, 0, sizeof(temp_tkt)); + memset(&creds, 0, sizeof(creds)); - /* initialize the cursor */ + /* initialize the cursor */ if ((retval = krb5_cc_start_seq_get(context, cc, &cur))) { - return retval; + return retval; } while (!(retval = krb5_cc_next_cred(context, cc, &cur, &creds))){ - if ((retval = krb5_check_exp(context, creds.times))){ - if (retval != KRB5KRB_AP_ERR_TKT_EXPIRED){ - return retval; - } - if (auth_debug){ - fprintf(stderr,"krb5_ccache_copy: CREDS EXPIRED:\n"); - fputs(" Valid starting Expires Service principal\n",stdout); - show_credential(context, &creds, cc); - fprintf(stderr,"\n"); - } - } - else { /* these credentials didn't expire */ - - if ((retval = krb5_copy_creds(context, &creds, - &temp_creds[count]))){ - return retval; - } - count ++; - - if (count == (chunk_count * CHUNK -1)){ - chunk_count ++; - if (!(temp_creds = (krb5_creds **) realloc(temp_creds, - chunk_count * CHUNK * sizeof(krb5_creds *)))){ - return ENOMEM; - } - } - } - - } - - temp_creds[count] = NULL; - *creds_array = temp_creds; + if ((retval = krb5_check_exp(context, creds.times))){ + if (retval != KRB5KRB_AP_ERR_TKT_EXPIRED){ + return retval; + } + if (auth_debug){ + fprintf(stderr,"krb5_ccache_copy: CREDS EXPIRED:\n"); + fputs(" Valid starting Expires Service principal\n",stdout); + show_credential(context, &creds, cc); + fprintf(stderr,"\n"); + } + } + else { /* these credentials didn't expire */ + + if ((retval = krb5_copy_creds(context, &creds, + &temp_creds[count]))){ + return retval; + } + count ++; + + if (count == (chunk_count * CHUNK -1)){ + chunk_count ++; + if (!(temp_creds = (krb5_creds **) realloc(temp_creds, + chunk_count * CHUNK * sizeof(krb5_creds *)))){ + return ENOMEM; + } + } + } + + } 
+ + temp_creds[count] = NULL; + *creds_array = temp_creds; if (retval == KRB5_CC_END) { - retval = krb5_cc_end_seq_get(context, cc, &cur); - } + retval = krb5_cc_end_seq_get(context, cc, &cur); + } - return retval; + return retval; } @@ -287,27 +288,27 @@ krb5_error_code krb5_check_exp(context, tkt_time) krb5_context context; krb5_ticket_times tkt_time; { -krb5_error_code retval =0; -krb5_timestamp currenttime; - - if ((retval = krb5_timeofday (context, ¤ttime))){ - return retval; - } - if (auth_debug){ - fprintf(stderr,"krb5_check_exp: the krb5_clockskew is %d \n", - context->clockskew); - - fprintf(stderr,"krb5_check_exp: currenttime - endtime %d \n", - (currenttime - tkt_time.endtime )); - - } - - if (currenttime - tkt_time.endtime > context->clockskew){ - retval = KRB5KRB_AP_ERR_TKT_EXPIRED ; - return retval; - } - - return 0; + krb5_error_code retval =0; + krb5_timestamp currenttime; + + if ((retval = krb5_timeofday (context, ¤ttime))){ + return retval; + } + if (auth_debug){ + fprintf(stderr,"krb5_check_exp: the krb5_clockskew is %d \n", + context->clockskew); + + fprintf(stderr,"krb5_check_exp: currenttime - endtime %d \n", + (currenttime - tkt_time.endtime )); + + } + + if (currenttime - tkt_time.endtime > context->clockskew){ + retval = KRB5KRB_AP_ERR_TKT_EXPIRED ; + return retval; + } + + return 0; } @@ -316,7 +317,7 @@ char *flags_string(cred) { static char buf[32]; int i = 0; - + if (cred->ticket_flags & TKT_FLG_FORWARDABLE) buf[i++] = 'F'; if (cred->ticket_flags & TKT_FLG_FORWARDED) @@ -355,10 +356,10 @@ void printtime(tv) tstamp = tv; fill = ' '; if (!krb5_timestamp_to_sfstring(tstamp, - fmtbuf, - sizeof(fmtbuf), - &fill)) - printf(fmtbuf); + fmtbuf, + sizeof(fmtbuf), + &fill)) + printf(fmtbuf); } 
@@ -376,39 +377,39 @@ krb5_get_login_princ(luser, princ_list) int gobble, result; char ** buf_out; struct stat st_temp; - int count = 0, chunk_count = 1; + int count = 0, chunk_count = 1; /* no account => no access */ if ((pwd = getpwnam(luser)) == NULL) { - return 0; + return 0; } result = snprintf(pbuf, sizeof(pbuf), "%s/.k5login", pwd->pw_dir); if (SNPRINTF_OVERFLOW(result, sizeof(pbuf))) { - fprintf (stderr, "home directory path for %s too long\n", luser); - exit (1); + fprintf (stderr, "home directory path for %s too long\n", luser); + exit (1); } - if (stat(pbuf, &st_temp)) { /* not accessible */ - return 0; + if (stat(pbuf, &st_temp)) { /* not accessible */ + return 0; } /* open ~/.k5login */ if ((fp = fopen(pbuf, "r")) == NULL) { - return 0; + return 0; } /* * For security reasons, the .k5login file must be owned either by * the user himself, or by root. Otherwise, don't grant access. */ if (fstat(fileno(fp), &sbuf)) { - fclose(fp); - return 0; + fclose(fp); + return 0; } if ((sbuf.st_uid != pwd->pw_uid) && sbuf.st_uid) { - fclose(fp); - return 0; + fclose(fp); + return 0; } /* check each line */ 
@@ -419,33 +420,33 @@ krb5_get_login_princ(luser, princ_list) if (!(buf_out = (char **) malloc( CHUNK * sizeof(char *)))) return ENOMEM; while ( fgets(linebuf, BUFSIZ, fp) != NULL) { - /* null-terminate the input string */ - linebuf[BUFSIZ-1] = '\0'; - newline = NULL; - /* nuke the newline if it exists */ - if ((newline = strchr(linebuf, '\n'))) - *newline = '\0'; - - buf_out[count] = linebuf; + /* null-terminate the input string */ + linebuf[BUFSIZ-1] = '\0'; + newline = NULL; + /* nuke the newline if it exists */ + if ((newline = strchr(linebuf, '\n'))) + *newline = '\0'; + + buf_out[count] = linebuf; count ++; if (count == (chunk_count * CHUNK -1)){ chunk_count ++; if (!(buf_out = (char **) realloc(buf_out, - chunk_count * CHUNK * sizeof(char *)))){ - return ENOMEM; + chunk_count * CHUNK * sizeof(char *)))){ + return ENOMEM; } } - /* clean up the rest of the line if necessary */ - if (!newline) - while (((gobble = getc(fp)) != EOF) && gobble != '\n'); + /* clean up the rest of the line if necessary */ + if (!newline) + while (((gobble = getc(fp)) != EOF) && gobble != '\n'); - if( !(linebuf = (char *) calloc (BUFSIZ, sizeof(char)))) return ENOMEM; + if( !(linebuf = (char *) calloc (BUFSIZ, sizeof(char)))) return ENOMEM; } buf_out[count] = NULL; - *princ_list = buf_out; + *princ_list = buf_out; fclose(fp); return 0; } 
@@ -460,34 +461,34 @@ show_credential(context, cred, cc) { krb5_error_code retval; char *name, *sname, *flags; - int first = 1; + int first = 1; krb5_principal princ; - char * defname; + char * defname; int show_flags =1; retval = krb5_unparse_name(context, cred->client, &name); if (retval) { - com_err(prog_name, retval, "while unparsing client name"); - return; + com_err(prog_name, retval, "while unparsing client name"); + return; } retval = krb5_unparse_name(context, cred->server, &sname); if (retval) { - com_err(prog_name, retval, "while unparsing server name"); - free(name); - return; + com_err(prog_name, retval, "while unparsing server name"); + free(name); + return; } if ((retval = krb5_cc_get_principal(context, cc, &princ))) { com_err(prog_name, retval, "while retrieving principal name"); - return; + return; } if ((retval = krb5_unparse_name(context, princ, &defname))) { com_err(prog_name, retval, "while unparsing principal name"); - return; - } + return; + } if (!cred->times.starttime) - cred->times.starttime = cred->times.authtime; + cred->times.starttime = cred->times.authtime; printtime(cred->times.starttime); putchar(' '); putchar(' '); @@ -497,27 +498,27 @@ show_credential(context, cred, cc) printf("%s\n", sname); if (strcmp(name, defname)) { - printf("\tfor client %s", name); - first = 0; + printf("\tfor client %s", name); + first = 0; } - + if (cred->times.renew_till) { - if (first) - fputs("\t",stdout); - else - fputs(", ",stdout); - fputs("renew until ", stdout); + if (first) + fputs("\t",stdout); + else + fputs(", ",stdout); + fputs("renew until ", stdout); printtime(cred->times.renew_till); } if (show_flags) { - flags = flags_string(cred); - if (flags && *flags) { - if (first) - fputs("\t",stdout); - else - fputs(", ",stdout); - printf("Flags: %s", flags); - first = 0; + flags = flags_string(cred); + if (flags && *flags) { + if (first) + fputs("\t",stdout); + else + fputs(", ",stdout); + printf("Flags: %s", flags); + first = 0; } } putchar('\n'); 
@@ -526,9 +527,9 @@ show_credential(context, cred, cc) } int gen_sym(){ - static int i = 0; - i ++; - return i; + static int i = 0; + i ++; + return i; } krb5_error_code krb5_ccache_overwrite(context, ccs, cct, primary_principal) 
@@ -537,49 +538,49 @@ krb5_error_code krb5_ccache_overwrite(context, ccs, cct, primary_principal) krb5_ccache cct; krb5_principal primary_principal; { -const char * cct_name; -const char * ccs_name; -krb5_error_code retval=0; -krb5_principal temp_principal; -krb5_creds ** ccs_creds_arr = NULL; -int i=0; -struct stat st_temp; + const char * cct_name; + const char * ccs_name; + krb5_error_code retval=0; + krb5_principal temp_principal; + krb5_creds ** ccs_creds_arr = NULL; + int i=0; + struct stat st_temp; - ccs_name = krb5_cc_get_name(context, ccs); - cct_name = krb5_cc_get_name(context, cct); + ccs_name = krb5_cc_get_name(context, ccs); + cct_name = krb5_cc_get_name(context, cct); if ( ! stat(ccs_name, &st_temp)){ - if ((retval = krb5_get_nonexp_tkts(context, ccs, &ccs_creds_arr))){ - return retval; - } - } + if ((retval = krb5_get_nonexp_tkts(context, ccs, &ccs_creds_arr))){ + return retval; + } + } if ( ! stat(cct_name, &st_temp)){ - if ((retval = krb5_cc_get_principal(context, cct, &temp_principal))){ - return retval; - } + if ((retval = krb5_cc_get_principal(context, cct, &temp_principal))){ + return retval; + } }else{ - temp_principal = primary_principal; + temp_principal = primary_principal; } if ((retval = krb5_cc_initialize(context, cct, temp_principal))){ - return retval; + return retval; } - retval = krb5_store_all_creds(context, cct, ccs_creds_arr, NULL); + retval = krb5_store_all_creds(context, cct, ccs_creds_arr, NULL); - if (ccs_creds_arr){ - while (ccs_creds_arr[i]){ - krb5_free_creds(context, ccs_creds_arr[i]); - i++; - } - } + if (ccs_creds_arr){ + while (ccs_creds_arr[i]){ + krb5_free_creds(context, ccs_creds_arr[i]); + i++; + } + } - return retval; + return retval; } krb5_error_code krb5_store_some_creds(context, cc, creds_def, creds_other, prst, - stored) + stored) krb5_context context; krb5_ccache cc; krb5_creds **creds_def; 
@@ -588,231 +589,231 @@ krb5_error_code krb5_store_some_creds(context, cc, creds_def, creds_other, prst, krb5_boolean *stored; { -int i = 0; -krb5_error_code retval = 0; -krb5_creds ** temp_creds= NULL; -krb5_boolean temp_stored = FALSE; + int i = 0; + krb5_error_code retval = 0; + krb5_creds ** temp_creds= NULL; + krb5_boolean temp_stored = FALSE; - - if ((creds_def == NULL) && (creds_other == NULL)) - return 0; - if ((creds_def == NULL) && (creds_other != NULL)) - temp_creds = creds_other; + if ((creds_def == NULL) && (creds_other == NULL)) + return 0; - if ((creds_def != NULL) && (creds_other == NULL)) - temp_creds = creds_def; + if ((creds_def == NULL) && (creds_other != NULL)) + temp_creds = creds_other; + if ((creds_def != NULL) && (creds_other == NULL)) + temp_creds = creds_def; - if (temp_creds){ - while(temp_creds[i]){ - if (krb5_principal_compare(context, - temp_creds[i]->client, - prst)== TRUE) { - if ((retval = krb5_cc_store_cred(context, - cc,temp_creds[i]))){ - return retval; - } - temp_stored = TRUE; - } + if (temp_creds){ + while(temp_creds[i]){ + if (krb5_principal_compare(context, + temp_creds[i]->client, + prst)== TRUE) { - i++; - } - } - else { /* both arrays have elements in them */ - return KRB5KRB_ERR_GENERIC; - } + if ((retval = krb5_cc_store_cred(context, + cc,temp_creds[i]))){ + return retval; + } + temp_stored = TRUE; + } -*stored = temp_stored; -return 0; + i++; + } + } + else { /* both arrays have elements in them */ + return KRB5KRB_ERR_GENERIC; + } + + *stored = temp_stored; + return 0; } /****************************************************************** krb5_cache_copy_restricted gets rid of any expired tickets in the secondary cache, -copies the default cache into the secondary cache, -only credentials that are for prst are copied. +copies the default cache into the secondary cache, +only credentials that are for prst are copied. 
the algorithm may look a bit funny, -but I had to do it this way, since cc_remove function did not come -with k5 beta 3 release. +but I had to do it this way, since cc_remove function did not come +with k5 beta 3 release. ************************************************************************/ -krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag, - prst, cc_out, stored, target_uid) +krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag, + prst, cc_out, stored, target_uid) krb5_context context; krb5_ccache cc_def; char *cc_other_tag; krb5_principal prst; -uid_t target_uid; + uid_t target_uid; /* OUT */ krb5_ccache *cc_out; krb5_boolean *stored; { -int i=0; -krb5_ccache * cc_other; -const char * cc_def_name; -const char * cc_other_name; -krb5_error_code retval=0; -krb5_creds ** cc_def_creds_arr = NULL; -krb5_creds ** cc_other_creds_arr = NULL; -struct stat st_temp; + int i=0; + krb5_ccache * cc_other; + const char * cc_def_name; + const char * cc_other_name; + krb5_error_code retval=0; + krb5_creds ** cc_def_creds_arr = NULL; + krb5_creds ** cc_other_creds_arr = NULL; + struct stat st_temp; - cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache)); + cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache)); if ((retval = krb5_cc_resolve(context, cc_other_tag, cc_other))){ - com_err (prog_name, retval, "resolving ccache %s", - cc_other_tag); - return retval; + com_err (prog_name, retval, "resolving ccache %s", + cc_other_tag); + return retval; } - cc_def_name = krb5_cc_get_name(context, cc_def); - cc_other_name = krb5_cc_get_name(context, *cc_other); + cc_def_name = krb5_cc_get_name(context, cc_def); + cc_other_name = krb5_cc_get_name(context, *cc_other); if ( ! 
stat(cc_def_name, &st_temp)){ - if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){ - return retval; - } + if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){ + return retval; + } } #ifdef HAVE_LSTAT if (!lstat( cc_other_name, &st_temp)) { #else /*HAVE_LSTAT*/ - if (!stat( cc_other_name, &st_temp)) { + if (!stat( cc_other_name, &st_temp)) { #endif - return EINVAL; - } - - if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { - return errno; - } - - - if ((retval = krb5_cc_initialize(context, *cc_other, prst))){ - return retval; - } + return EINVAL; + } - retval = krb5_store_some_creds(context, * cc_other, - cc_def_creds_arr, cc_other_creds_arr, prst, stored); + if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { + return errno; + } + if ((retval = krb5_cc_initialize(context, *cc_other, prst))){ + return retval; + } - if (cc_def_creds_arr){ - while (cc_def_creds_arr[i]){ - krb5_free_creds(context, cc_def_creds_arr[i]); - i++; - } - } + retval = krb5_store_some_creds(context, * cc_other, + cc_def_creds_arr, cc_other_creds_arr, prst, stored); - i=0; - if(cc_other_creds_arr){ - while (cc_other_creds_arr[i]){ - krb5_free_creds(context, cc_other_creds_arr[i]); - i++; - } - } - *cc_out = *cc_other; - return retval; -} + if (cc_def_creds_arr){ + while (cc_def_creds_arr[i]){ + krb5_free_creds(context, cc_def_creds_arr[i]); + i++; + } + } -krb5_error_code krb5_ccache_filter (context, cc, prst) - krb5_context context; + i=0; + + if(cc_other_creds_arr){ + while (cc_other_creds_arr[i]){ + krb5_free_creds(context, cc_other_creds_arr[i]); + i++; + } + } + + *cc_out = *cc_other; + return retval; + } + + krb5_error_code krb5_ccache_filter (context, cc, prst) + krb5_context context; krb5_ccache cc; krb5_principal prst; -{ + { -int i=0; -krb5_error_code retval=0; -krb5_principal temp_principal; -krb5_creds ** cc_creds_arr = NULL; -const char * cc_name; -krb5_boolean stored; -struct stat st_temp; + int i=0; + krb5_error_code retval=0; + krb5_principal 
temp_principal; + krb5_creds ** cc_creds_arr = NULL; + const char * cc_name; + krb5_boolean stored; + struct stat st_temp; - cc_name = krb5_cc_get_name(context, cc); + cc_name = krb5_cc_get_name(context, cc); - if ( ! stat(cc_name, &st_temp)){ + if ( ! stat(cc_name, &st_temp)){ - if (auth_debug) { - fprintf(stderr,"putting cache %s through a filter for -z option\n", cc_name); - } + if (auth_debug) { + fprintf(stderr,"putting cache %s through a filter for -z option\n", cc_name); + } - if ((retval = krb5_get_nonexp_tkts(context, cc, &cc_creds_arr))){ - return retval; - } + if ((retval = krb5_get_nonexp_tkts(context, cc, &cc_creds_arr))){ + return retval; + } - if ((retval = krb5_cc_get_principal(context, cc, &temp_principal))){ - return retval; - } + if ((retval = krb5_cc_get_principal(context, cc, &temp_principal))){ + return retval; + } - if ((retval = krb5_cc_initialize(context, cc, temp_principal))){ - return retval; - } + if ((retval = krb5_cc_initialize(context, cc, temp_principal))){ + return retval; + } - if ((retval = krb5_store_some_creds(context, cc, cc_creds_arr, - NULL, prst, &stored))){ - return retval; - } + if ((retval = krb5_store_some_creds(context, cc, cc_creds_arr, + NULL, prst, &stored))){ + return retval; + } - if (cc_creds_arr){ - while (cc_creds_arr[i]){ - krb5_free_creds(context, cc_creds_arr[i]); - i++; - } - } + if (cc_creds_arr){ + while (cc_creds_arr[i]){ + krb5_free_creds(context, cc_creds_arr[i]); + i++; + } + } + } + return 0; } - return 0; -} -krb5_boolean krb5_find_princ_in_cred_list (context, creds_list, princ) - krb5_context context; + krb5_boolean krb5_find_princ_in_cred_list (context, creds_list, princ) + krb5_context context; krb5_creds **creds_list; krb5_principal princ; -{ + { -int i = 0; -krb5_boolean temp_stored = FALSE; + int i = 0; + krb5_boolean temp_stored = FALSE; - if (creds_list){ - while(creds_list[i]){ - if (krb5_principal_compare(context, - creds_list[i]->client, - princ)== TRUE){ - temp_stored = TRUE; - break; - } 
+ if (creds_list){ + while(creds_list[i]){ + if (krb5_principal_compare(context, + creds_list[i]->client, + princ)== TRUE){ + temp_stored = TRUE; + break; + } - i++; - } - } + i++; + } + } -return temp_stored; -} + return temp_stored; + } -krb5_error_code krb5_find_princ_in_cache (context, cc, princ, found) - krb5_context context; + krb5_error_code krb5_find_princ_in_cache (context, cc, princ, found) + krb5_context context; krb5_ccache cc; krb5_principal princ; krb5_boolean *found; -{ -krb5_error_code retval; -krb5_creds ** creds_list = NULL; -const char * cc_name; -struct stat st_temp; + { + krb5_error_code retval; + krb5_creds ** creds_list = NULL; + const char * cc_name; + struct stat st_temp; - cc_name = krb5_cc_get_name(context, cc); + cc_name = krb5_cc_get_name(context, cc); - if ( ! stat(cc_name, &st_temp)){ - if ((retval = krb5_get_nonexp_tkts(context, cc, &creds_list))){ - return retval; - } - } + if ( ! stat(cc_name, &st_temp)){ + if ((retval = krb5_get_nonexp_tkts(context, cc, &creds_list))){ + return retval; + } + } - *found = krb5_find_princ_in_cred_list(context, creds_list, princ); -return 0; -} + *found = krb5_find_princ_in_cred_list(context, creds_list, princ); + return 0; + } diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c index 65d44a39b..c7e691cd6 100644 --- a/src/clients/ksu/heuristic.c +++ b/src/clients/ksu/heuristic.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (c) 1994 by the University of Southern California * @@ -34,7 +35,7 @@ /******************************************************************* get_all_princ_from_file - retrieves all principal names - from file pointed to by fp. + from file pointed to by fp. *******************************************************************/ static void close_time (int, FILE *, int, FILE *); 
@@ -50,33 +51,33 @@ krb5_error_code get_all_princ_from_file (fp, plist) int count = 0, chunk_count = 1; if (!(temp_list = (char **) malloc( CHUNK * sizeof(char *)))) - return ENOMEM; + return ENOMEM; retval = get_line(fp, &line); if (retval) - return retval; + return retval; while (line){ - fprinc = get_first_token (line, &lp); - - if (fprinc ){ - temp_list[count] = xstrdup(fprinc); - count ++; - } - - if(count == (chunk_count * CHUNK -1)){ - chunk_count ++; - if (!(temp_list = (char **) realloc(temp_list, - chunk_count * CHUNK * sizeof(char *)))){ - return ENOMEM; - } - } - - - free (line); - retval = get_line(fp, &line); - if (retval) - return retval; + fprinc = get_first_token (line, &lp); + + if (fprinc ){ + temp_list[count] = xstrdup(fprinc); + count ++; + } + + if(count == (chunk_count * CHUNK -1)){ + chunk_count ++; + if (!(temp_list = (char **) realloc(temp_list, + chunk_count * CHUNK * sizeof(char *)))){ + return ENOMEM; + } + } + + + free (line); + retval = get_line(fp, &line); + if (retval) + return retval; } temp_list[count] = NULL; @@ -87,8 +88,8 @@ krb5_error_code get_all_princ_from_file (fp, plist) /************************************************************* list_union - combines list1 and list2 into combined_list. - the space for list1 and list2 is either freed - or used by combined_list. + the space for list1 and list2 is either freed + or used by combined_list. **************************************************************/ krb5_error_code list_union(list1, list2, combined_list) 
@@ -100,39 +101,39 @@ krb5_error_code list_union(list1, list2, combined_list) unsigned int c1 =0, c2 = 0, i=0, j=0; char ** tlist; - if (! list1){ - *combined_list = list2; - return 0; + if (! list1){ + *combined_list = list2; + return 0; } - if (! list2){ - *combined_list = list1; - return 0; + if (! list2){ + *combined_list = list1; + return 0; } while (list1[c1]) c1++; while (list2[c2]) c2++; - + if (!(tlist = (char **) calloc( c1 + c2 + 1, sizeof ( char *)))) - return ENOMEM; + return ENOMEM; i = 0; while(list1[i]) { - tlist[i] = list1[i]; - i++; + tlist[i] = list1[i]; + i++; } j = 0; while(list2[j]){ - if(find_str_in_list(list1, list2[j])==FALSE){ - tlist[i] = list2[j]; - i++; - } - j++; + if(find_str_in_list(list1, list2[j])==FALSE){ + tlist[i] = list2[j]; + i++; + } + j++; } - free (list1); - free (list2); - + free (list1); + free (list2); + tlist[i]= NULL; *combined_list = tlist; 
@@ -150,44 +151,44 @@ filter(fp, cmd, k5users_list, k5users_filt_list) krb5_error_code retval =0; krb5_boolean found = FALSE; char * out_cmd = NULL; - unsigned int i=0, j=0, found_count = 0, k=0; + unsigned int i=0, j=0, found_count = 0, k=0; char ** temp_filt_list; *k5users_filt_list = NULL; - if (! k5users_list){ - return 0; + if (! k5users_list){ + return 0; } - while(k5users_list[i]){ + while(k5users_list[i]){ - retval= k5users_lookup(fp, k5users_list[i], cmd, &found, &out_cmd); - if (retval) - return retval; + retval= k5users_lookup(fp, k5users_list[i], cmd, &found, &out_cmd); + if (retval) + return retval; - if (found == FALSE){ - free (k5users_list[i]); - k5users_list[i] = NULL; - if (out_cmd) gb_err = out_cmd; - } else - found_count ++; + if (found == FALSE){ + free (k5users_list[i]); + k5users_list[i] = NULL; + if (out_cmd) gb_err = out_cmd; + } else + found_count ++; - i++; + i++; } if (! (temp_filt_list = (char **) calloc(found_count +1, sizeof (char*)))) - return ENOMEM; + return ENOMEM; - for(j= 0, k=0; j < i; j++ ) { - if (k5users_list[j]){ - temp_filt_list[k] = k5users_list[j]; - k++; - } + for(j= 0, k=0; j < i; j++ ) { + if (k5users_list[j]){ + temp_filt_list[k] = k5users_list[j]; + k++; + } } temp_filt_list[k] = NULL; - free (k5users_list); + free (k5users_list); *k5users_filt_list = temp_filt_list; return 0; 
@@ -208,74 +209,74 @@ get_authorized_princ_names(luser, cmd, princ_list) char ** k5users_filt_list = NULL; char ** combined_list = NULL; struct stat tb; - krb5_error_code retval; + krb5_error_code retval; - *princ_list = NULL; + *princ_list = NULL; /* no account => no access */ if ((pwd = getpwnam(luser)) == NULL) - return 0; + return 0; k5login_flag = stat(k5login_path, &tb); k5users_flag = stat(k5users_path, &tb); if (!k5login_flag){ if ((login_fp = fopen(k5login_path, "r")) == NULL) - return 0; + return 0; if ( fowner(login_fp, pwd->pw_uid) == FALSE){ - close_time(1 /*k5users_flag*/, (FILE *) 0 /*users_fp*/, - k5login_flag,login_fp); - return 0; + close_time(1 /*k5users_flag*/, (FILE *) 0 /*users_fp*/, + k5login_flag,login_fp); + return 0; } } if (!k5users_flag){ if ((users_fp = fopen(k5users_path, "r")) == NULL) - return 0; + return 0; if ( fowner(users_fp, pwd->pw_uid) == FALSE){ - close_time(k5users_flag,users_fp, k5login_flag,login_fp); - return 0; + close_time(k5users_flag,users_fp, k5login_flag,login_fp); + return 0; + } + + retval = get_all_princ_from_file (users_fp, &k5users_list); + if(retval) { + close_time(k5users_flag,users_fp, k5login_flag,login_fp); + return retval; } - retval = get_all_princ_from_file (users_fp, &k5users_list); - if(retval) { - close_time(k5users_flag,users_fp, k5login_flag,login_fp); - return retval; - } - - rewind(users_fp); - - retval = filter(users_fp,cmd, k5users_list, &k5users_filt_list); - if(retval) { - close_time(k5users_flag,users_fp, k5login_flag, login_fp); - return retval; - } + rewind(users_fp); + + retval = filter(users_fp,cmd, k5users_list, &k5users_filt_list); + if(retval) { + close_time(k5users_flag,users_fp, k5login_flag, login_fp); + return retval; + } } - + if (!k5login_flag){ - retval = get_all_princ_from_file (login_fp, &k5login_list); - if(retval) { - close_time(k5users_flag,users_fp, k5login_flag,login_fp); - return retval; - } - } + retval = get_all_princ_from_file (login_fp, &k5login_list); + if(retval) 
{ + close_time(k5users_flag,users_fp, k5login_flag,login_fp); + return retval; + } + } close_time(k5users_flag,users_fp, k5login_flag, login_fp); if (cmd) { - retval = list_union(k5login_list, k5users_filt_list, &combined_list); - if (retval){ - close_time(k5users_flag,users_fp, k5login_flag,login_fp); - return retval; - } - *princ_list = combined_list; - return 0; + retval = list_union(k5login_list, k5users_filt_list, &combined_list); + if (retval){ + close_time(k5users_flag,users_fp, k5login_flag,login_fp); + return retval; + } + *princ_list = combined_list; + return 0; } else { - if (k5users_filt_list != NULL) - free(k5users_filt_list); - *princ_list = k5login_list; - return 0; + if (k5users_filt_list != NULL) + free(k5users_filt_list); + *princ_list = k5login_list; + return 0; } } @@ -303,8 +304,8 @@ static krb5_boolean find_str_in_list(list , elm) while (list[i] ){ if (!strcmp(list[i], elm)){ - found = TRUE; - break; + found = TRUE; + break; } i++; } @@ -331,7 +332,7 @@ krb5_error_code get_closest_principal(context, plist, client, found) krb5_principal temp_client, best_client = NULL; int i = 0, j=0, cnelem, pnelem; krb5_boolean got_one; - + *found = FALSE; if (! plist ) return 0; 
@@ -340,48 +341,48 @@ krb5_error_code get_closest_principal(context, plist, client, found) while(plist[i]){ - retval = krb5_parse_name(context, plist[i], &temp_client); - if (retval) - return retval; - - pnelem = krb5_princ_size(context, temp_client); - - if ( cnelem > pnelem){ - i++; - continue; - } - - if (data_eq(*krb5_princ_realm(context, *client), - *krb5_princ_realm(context, temp_client))) { - - got_one = TRUE; - for(j =0; j < cnelem; j ++){ - krb5_data *p1 = - krb5_princ_component(context, *client, j); - krb5_data *p2 = - krb5_princ_component(context, temp_client, j); - - if (!p1 || !p2 || !data_eq(*p1, *p2)) { - got_one = FALSE; - break; - } - } - if (got_one == TRUE){ - if(best_client){ - if(krb5_princ_size(context, best_client) > - krb5_princ_size(context, temp_client)){ - best_client = temp_client; - } - }else - best_client = temp_client; - } - } - i++; + retval = krb5_parse_name(context, plist[i], &temp_client); + if (retval) + return retval; + + pnelem = krb5_princ_size(context, temp_client); + + if ( cnelem > pnelem){ + i++; + continue; + } + + if (data_eq(*krb5_princ_realm(context, *client), + *krb5_princ_realm(context, temp_client))) { + + got_one = TRUE; + for(j =0; j < cnelem; j ++){ + krb5_data *p1 = + krb5_princ_component(context, *client, j); + krb5_data *p2 = + krb5_princ_component(context, temp_client, j); + + if (!p1 || !p2 || !data_eq(*p1, *p2)) { + got_one = FALSE; + break; + } + } + if (got_one == TRUE){ + if(best_client){ + if(krb5_princ_size(context, best_client) > + krb5_princ_size(context, temp_client)){ + best_client = temp_client; + } + }else + best_client = temp_client; + } + } + i++; } - + if (best_client) { - *found = TRUE; - *client = best_client; + *found = TRUE; + *client = best_client; } return 0; 
@@ -410,24 +411,24 @@ krb5_error_code find_either_ticket (context, cc, client, end_server, found) if ( ! stat(cc_source_name, &st_temp)){ - retval = find_ticket(context, cc, client, end_server, &temp_found); - if (retval) - return retval; - - if (temp_found == FALSE){ - retval = ksu_tgtname(context, - krb5_princ_realm(context, client), - krb5_princ_realm(context, client), - &kdc_server); - if (retval) - return retval; - - retval = find_ticket(context, cc,client, kdc_server, &temp_found); - if(retval) - return retval; - } - else if (auth_debug) - printf("find_either_ticket: found end server ticket\n"); + retval = find_ticket(context, cc, client, end_server, &temp_found); + if (retval) + return retval; + + if (temp_found == FALSE){ + retval = ksu_tgtname(context, + krb5_princ_realm(context, client), + krb5_princ_realm(context, client), + &kdc_server); + if (retval) + return retval; + + retval = find_ticket(context, cc,client, kdc_server, &temp_found); + if(retval) + return retval; + } + else if (auth_debug) + printf("find_either_ticket: found end server ticket\n"); } *found = temp_found; @@ -446,7 +447,7 @@ krb5_error_code find_ticket (context, cc, client, server, found) krb5_creds tgt, tgtq; krb5_error_code retval; - + *found = FALSE; memset(&tgtq, 0, sizeof(tgtq)); 
@@ -454,25 +455,25 @@ krb5_error_code find_ticket (context, cc, client, server, found) retval= krb5_copy_principal(context, client, &tgtq.client); if (retval) - return retval; + return retval; retval= krb5_copy_principal(context, server, &tgtq.server); if (retval) - return retval ; + return retval ; retval = krb5_cc_retrieve_cred(context, cc, KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES, - &tgtq, &tgt); + &tgtq, &tgt); if (! retval) retval = krb5_check_exp(context, tgt.times); if (retval){ - if ((retval != KRB5_CC_NOTFOUND) && - (retval != KRB5KRB_AP_ERR_TKT_EXPIRED)){ - return retval ; - } + if ((retval != KRB5_CC_NOTFOUND) && + (retval != KRB5KRB_AP_ERR_TKT_EXPIRED)){ + return retval ; + } } else{ - *found = TRUE; - return 0; + *found = TRUE; + return 0; } free(tgtq.server); @@ -500,14 +501,14 @@ krb5_error_code find_princ_in_list (context, princ, plist, found) retval = krb5_unparse_name(context, princ, &princname); if (retval) - return retval; + return retval; while (plist[i] ){ - if (!strcmp(plist[i], princname)){ - *found = TRUE; - break; - } - i++; + if (!strcmp(plist[i], princname)){ + *found = TRUE; + break; + } + i++; } return 0; @@ -515,8 +516,8 @@ krb5_error_code find_princ_in_list (context, princ, plist, found) } typedef struct princ_info { - krb5_principal p; - krb5_boolean found; + krb5_principal p; + krb5_boolean found; }princ_info; /********************************************************************** @@ -528,9 +529,9 @@ path_out gets set to ... ***********************************************************************/ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid, - source_user, target_user, - cc_source, options, cmd, - hostname, client, path_out) + source_user, target_user, + cc_source, options, cmd, + hostname, client, path_out) krb5_context context; uid_t source_uid; uid_t target_uid; 
@@ -563,88 +564,88 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid, /* -n option was specified client is set we are done */ if (options->princ) - return 0; + return 0; cc_source_name = krb5_cc_get_name(context, cc_source); - + if (! stat(cc_source_name, &st_temp)) { - retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ); - if (retval) - return retval; + retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ); + if (retval) + return retval; } retval=krb5_parse_name(context, target_user, &target_client); if (retval) - return retval; + return retval; retval=krb5_parse_name(context, source_user, &source_client); if (retval) - return retval; + return retval; if (source_uid == 0){ - if (target_uid != 0) - *client = target_client; /* this will be used to restrict - the cache copty */ - else { - if(cc_def_princ) - *client = cc_def_princ; - else - *client = target_client; - } - - if (auth_debug) - printf(" GET_best_princ_for_target: via source_uid == 0\n"); - - return 0; + if (target_uid != 0) + *client = target_client; /* this will be used to restrict + the cache copty */ + else { + if(cc_def_princ) + *client = cc_def_princ; + else + *client = target_client; + } + + if (auth_debug) + printf(" GET_best_princ_for_target: via source_uid == 0\n"); + + return 0; } /* from here on, the code is for source_uid != 0 */ if (source_uid && (source_uid == target_uid)){ - if(cc_def_princ) - *client = cc_def_princ; - else - *client = target_client; - if (auth_debug) - printf("GET_best_princ_for_target: via source_uid == target_uid\n"); - return 0; + if(cc_def_princ) + *client = cc_def_princ; + else + *client = target_client; + if (auth_debug) + printf("GET_best_princ_for_target: via source_uid == target_uid\n"); + return 0; } /* Become root, then target for looking at .k5login.*/ if (krb5_seteuid(0) || krb5_seteuid(target_uid) ) { - return errno; + return errno; } - - /* if .k5users and .k5login do not exist */ + + /* if .k5users and 
.k5login do not exist */ if (stat(k5login_path, &tb) && stat(k5users_path, &tb) ){ - *client = target_client; + *client = target_client; - if (cmd) - *path_out = NOT_AUTHORIZED; + if (cmd) + *path_out = NOT_AUTHORIZED; - if (auth_debug) - printf(" GET_best_princ_for_target: via no auth files path\n"); + if (auth_debug) + printf(" GET_best_princ_for_target: via no auth files path\n"); - return 0; + return 0; }else{ - retval = get_authorized_princ_names(target_user, cmd, &aplist); - if (retval) - return retval; - - /* .k5users or .k5login exist, but no authorization */ - if ((!aplist) || (!aplist[0])) { - *path_out = NOT_AUTHORIZED; - if (auth_debug) - printf("GET_best_princ_for_target: via empty auth files path\n"); - return 0; - } + retval = get_authorized_princ_names(target_user, cmd, &aplist); + if (retval) + return retval; + + /* .k5users or .k5login exist, but no authorization */ + if ((!aplist) || (!aplist[0])) { + *path_out = NOT_AUTHORIZED; + if (auth_debug) + printf("GET_best_princ_for_target: via empty auth files path\n"); + return 0; + } } retval = krb5_sname_to_principal(context, hostname, NULL, - KRB5_NT_SRV_HST, &end_server); + KRB5_NT_SRV_HST, &end_server); if (retval) - return retval; + return retval; /* first see if default principal of the source cache 
@@ -653,39 +654,39 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid, * other ticket in the cache. */ if (cc_def_princ) - princ_trials[count ++].p = cc_def_princ; + princ_trials[count ++].p = cc_def_princ; else - princ_trials[count ++].p = NULL; + princ_trials[count ++].p = NULL; princ_trials[count ++].p = target_client; princ_trials[count ++].p = source_client; for (i= 0; i < count; i ++) - princ_trials[i].found = FALSE; + princ_trials[i].found = FALSE; for (i= 0; i < count; i ++){ - if(princ_trials[i].p) { - retval= find_princ_in_list(context, princ_trials[i].p, aplist, - &found); - if (retval) - return retval; - - if (found == TRUE){ - princ_trials[i].found = TRUE; - - retval = find_either_ticket (context, cc_source, - princ_trials[i].p, - end_server, &found); - if (retval) - return retval; - if (found == TRUE){ - *client = princ_trials[i].p; - if (auth_debug) - printf("GET_best_princ_for_target: via ticket file, choice #%d\n", i); - return 0; - } - } - } + if(princ_trials[i].p) { + retval= find_princ_in_list(context, princ_trials[i].p, aplist, + &found); + if (retval) + return retval; + + if (found == TRUE){ + princ_trials[i].found = TRUE; + + retval = find_either_ticket (context, cc_source, + princ_trials[i].p, + end_server, &found); + if (retval) + return retval; + if (found == TRUE){ + *client = princ_trials[i].p; + if (auth_debug) + printf("GET_best_princ_for_target: via ticket file, choice #%d\n", i); + return 0; + } + } + } } /* out of preferred principals, see if there is any ticket that will 
@@ -693,25 +694,25 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid, i=0; while (aplist[i]){ - retval = krb5_parse_name(context, aplist[i], &temp_client); - if (retval) - return retval; - - retval = find_either_ticket (context, cc_source, temp_client, - end_server, &found); - if (retval) - return retval; - - if (found == TRUE){ - if (auth_debug) - printf("GET_best_princ_for_target: via ticket file, choice: any ok ticket \n" ); - *client = temp_client; - return 0; - } + retval = krb5_parse_name(context, aplist[i], &temp_client); + if (retval) + return retval; + + retval = find_either_ticket (context, cc_source, temp_client, + end_server, &found); + if (retval) + return retval; + + if (found == TRUE){ + if (auth_debug) + printf("GET_best_princ_for_target: via ticket file, choice: any ok ticket \n" ); + *client = temp_client; + return 0; + } - krb5_free_principal(context, temp_client); + krb5_free_principal(context, temp_client); - i++; + i++; } /* no tickets qualified, select a principal, that may be used 
@@ -719,46 +720,46 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid, for (i=0; i < count; i ++){ - if (princ_trials[i].found == TRUE){ - *client = princ_trials[i].p; + if (princ_trials[i].found == TRUE){ + *client = princ_trials[i].p; - if (auth_debug) - printf("GET_best_princ_for_target: via prompt passwd list choice #%d \n",i); - return 0; - } + if (auth_debug) + printf("GET_best_princ_for_target: via prompt passwd list choice #%d \n",i); + return 0; + } } #ifdef PRINC_LOOK_AHEAD for (i=0; i < count; i ++){ - if (princ_trials[i].p){ - retval=krb5_copy_principal(context, princ_trials[i].p, - &temp_client); - if(retval) - return retval; - - /* get the client name that is the closest - to the three princ in trials */ - - retval=get_closest_principal(context, aplist, &temp_client, - &found); - if(retval) - return retval; - - if (found == TRUE){ - *client = temp_client; - if (auth_debug) - printf("GET_best_princ_for_target: via prompt passwd list choice: approximation of princ in trials # %d \n",i); - return 0; - } - krb5_free_principal(context, temp_client); - } + if (princ_trials[i].p){ + retval=krb5_copy_principal(context, princ_trials[i].p, + &temp_client); + if(retval) + return retval; + + /* get the client name that is the closest + to the three princ in trials */ + + retval=get_closest_principal(context, aplist, &temp_client, + &found); + if(retval) + return retval; + + if (found == TRUE){ + *client = temp_client; + if (auth_debug) + printf("GET_best_princ_for_target: via prompt passwd list choice: approximation of princ in trials # %d \n",i); + return 0; + } + krb5_free_principal(context, temp_client); + } } #endif /* PRINC_LOOK_AHEAD */ if(auth_debug) - printf( "GET_best_princ_for_target: out of luck, can't get appropriate default principal\n"); + printf( "GET_best_princ_for_target: out of luck, can't get appropriate default principal\n"); *path_out = NOT_AUTHORIZED; return 0; 
diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c index 230a1b399..39b85473f 100644 --- a/src/clients/ksu/krb_auth_su.c +++ b/src/clients/ksu/krb_auth_su.c @@ -1,4 +1,5 @@ -/* +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* * Copyright (c) 1994 by the University of Southern California * * EXPORT OF THIS SOFTWARE from the United States of America may @@ -10,7 +11,7 @@ * this software and its documentation in source and binary forms is * hereby granted, provided that any documentation or other materials * related to such distribution or use acknowledge that the software - * was developed by the University of Southern California. + * was developed by the University of Southern California. * * DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED "AS IS". The * University of Southern California MAKES NO REPRESENTATIONS OR @@ -26,7 +27,7 @@ */ #include "ksu.h" - + void plain_dump_principal (); @@ -38,7 +39,7 @@ krb5_preauthtype * preauth_ptr = NULL; krb5_boolean krb5_auth_check(context, client_pname, hostname, options, - target_user, cc, path_passwd, target_uid) + target_user, cc, path_passwd, target_uid) krb5_context context; krb5_principal client_pname; char *hostname; 
@@ -51,183 +52,183 @@ krb5_boolean krb5_auth_check(context, client_pname, hostname, options, krb5_principal client, server; krb5_verify_init_creds_opt vfy_opts; krb5_creds tgt, tgtq, in_creds, * out_creds; - krb5_creds **tgts = NULL; /* list of ticket granting tickets */ - - krb5_ticket * target_tkt; /* decrypted ticket for server */ + krb5_creds **tgts = NULL; /* list of ticket granting tickets */ + + krb5_ticket * target_tkt; /* decrypted ticket for server */ krb5_error_code retval =0; - int got_it = 0; + int got_it = 0; krb5_boolean zero_password; - + *path_passwd = 0; - memset(&tgtq, 0, sizeof(tgtq)); - memset(&tgt, 0, sizeof(tgt)); - memset(&in_creds, 0, sizeof(krb5_creds)); - - + memset(&tgtq, 0, sizeof(tgtq)); + memset(&tgt, 0, sizeof(tgt)); + memset(&in_creds, 0, sizeof(krb5_creds)); + + if ((retval= krb5_copy_principal(context, client_pname, &client))){ - com_err(prog_name, retval,"while copying client principal"); - return (FALSE) ; + com_err(prog_name, retval,"while copying client principal"); + return (FALSE) ; } - + if (auth_debug) { - dump_principal(context, "krb5_auth_check: Client principal name", - client); + dump_principal(context, "krb5_auth_check: Client principal name", + client); } - + if ((retval = krb5_sname_to_principal(context, hostname, NULL, - KRB5_NT_SRV_HST, &server))){ - com_err(prog_name, retval, - "while creating server %s principal name", hostname); - krb5_free_principal(context, client); - return (FALSE) ; + KRB5_NT_SRV_HST, &server))){ + com_err(prog_name, retval, + "while creating server %s principal name", hostname); + krb5_free_principal(context, client); + return (FALSE) ; } - + if (auth_debug) { - dump_principal(context, "krb5_auth_check: Server principal name", - server); + dump_principal(context, "krb5_auth_check: Server principal name", + server); } - - - + + + /* check if ticket is already in the cache, if it is - then use it. - */ + then use it. 
+ */ if( krb5_fast_auth(context, client, server, target_user, cc) == TRUE){ - if (auth_debug ){ - fprintf (stderr,"Authenticated via fast_auth \n"); - } - return TRUE; + if (auth_debug ){ + fprintf (stderr,"Authenticated via fast_auth \n"); + } + return TRUE; } - - /* check to see if the local tgt is in the cache */ - + + /* check to see if the local tgt is in the cache */ + if ((retval= krb5_copy_principal(context, client, &tgtq.client))){ - com_err(prog_name, retval,"while copying client principal"); - return (FALSE) ; + com_err(prog_name, retval,"while copying client principal"); + return (FALSE) ; } - + if ((retval = ksu_tgtname(context, krb5_princ_realm(context, client), - krb5_princ_realm(context, client), - &tgtq.server))){ - com_err(prog_name, retval, "while creating tgt for local realm"); - krb5_free_principal(context, client); - krb5_free_principal(context, server); - return (FALSE) ; - } - - if (auth_debug){ dump_principal(context, "local tgt principal name", tgtq.server ); } + krb5_princ_realm(context, client), + &tgtq.server))){ + com_err(prog_name, retval, "while creating tgt for local realm"); + krb5_free_principal(context, client); + krb5_free_principal(context, server); + return (FALSE) ; + } + + if (auth_debug){ dump_principal(context, "local tgt principal name", tgtq.server ); } retval = krb5_cc_retrieve_cred(context, cc, - KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES, - &tgtq, &tgt); - + KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES, + &tgtq, &tgt); + if (! retval) retval = krb5_check_exp(context, tgt.times); - - if (retval){ - if ((retval != KRB5_CC_NOTFOUND) && - (retval != KRB5KRB_AP_ERR_TKT_EXPIRED)){ - com_err(prog_name, retval, - "while retrieving creds from cache"); - return (FALSE) ; - } + + if (retval){ + if ((retval != KRB5_CC_NOTFOUND) && + (retval != KRB5KRB_AP_ERR_TKT_EXPIRED)){ + com_err(prog_name, retval, + "while retrieving creds from cache"); + return (FALSE) ; + } } else{ - got_it = 1; + got_it = 1; } - + if (! 
got_it){ - + #ifdef GET_TGT_VIA_PASSWD - if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { - com_err("ksu", errno, "while switching to target uid"); - return FALSE; - } - - - fprintf(stderr,"WARNING: Your password may be exposed if you enter it here and are logged \n"); - fprintf(stderr," in remotely using an unsecure (non-encrypted) channel. \n"); - - /*get the ticket granting ticket, via passwd(promt for passwd)*/ - if (krb5_get_tkt_via_passwd (context, &cc, client, tgtq.server, - options, & zero_password) == FALSE){ - krb5_seteuid(0); - - return FALSE; - } - *path_passwd = 1; - if (krb5_seteuid(0)) { - com_err("ksu", errno, "while reclaiming root uid"); - return FALSE; - } - + if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { + com_err("ksu", errno, "while switching to target uid"); + return FALSE; + } + + + fprintf(stderr,"WARNING: Your password may be exposed if you enter it here and are logged \n"); + fprintf(stderr," in remotely using an unsecure (non-encrypted) channel. \n"); + + /*get the ticket granting ticket, via passwd(promt for passwd)*/ + if (krb5_get_tkt_via_passwd (context, &cc, client, tgtq.server, + options, & zero_password) == FALSE){ + krb5_seteuid(0); + + return FALSE; + } + *path_passwd = 1; + if (krb5_seteuid(0)) { + com_err("ksu", errno, "while reclaiming root uid"); + return FALSE; + } + #else - plain_dump_principal (context, client); - fprintf(stderr,"does not have any appropriate tickets in the cache.\n"); - return FALSE; - -#endif /* GET_TGT_VIA_PASSWD */ + plain_dump_principal (context, client); + fprintf(stderr,"does not have any appropriate tickets in the cache.\n"); + return FALSE; + +#endif /* GET_TGT_VIA_PASSWD */ } - + if ((retval= krb5_copy_principal(context, client, &in_creds.client))){ - com_err(prog_name, retval,"while copying client principal"); - return (FALSE) ; + com_err(prog_name, retval,"while copying client principal"); + return (FALSE) ; } - + if ((retval= krb5_copy_principal(context, server, &in_creds.server))){ - 
com_err(prog_name, retval,"while copying client principal"); - return (FALSE) ; + com_err(prog_name, retval,"while copying client principal"); + return (FALSE) ; } - - if ((retval = krb5_get_cred_from_kdc(context, cc, &in_creds, - &out_creds, &tgts))){ - com_err(prog_name, retval, "while getting credentials from kdc"); - return (FALSE); + + if ((retval = krb5_get_cred_from_kdc(context, cc, &in_creds, + &out_creds, &tgts))){ + com_err(prog_name, retval, "while getting credentials from kdc"); + return (FALSE); } - - - if (auth_debug){ - fprintf(stderr,"krb5_auth_check: got ticket for end server \n"); - dump_principal(context, "out_creds->server", out_creds->server ); - } - - - if (tgts){ - register int i =0; - - if (auth_debug){ - fprintf(stderr, "krb5_auth_check: went via multiple realms"); - } - while (tgts[i]){ - if ((retval=krb5_cc_store_cred(context,cc,tgts[i]))) { - com_err(prog_name, retval, - "while storing credentials from cross-realm walk"); - return (FALSE); - } - i++; - } - krb5_free_tgt_creds(context, tgts); + + + if (auth_debug){ + fprintf(stderr,"krb5_auth_check: got ticket for end server \n"); + dump_principal(context, "out_creds->server", out_creds->server ); } - + + + if (tgts){ + register int i =0; + + if (auth_debug){ + fprintf(stderr, "krb5_auth_check: went via multiple realms"); + } + while (tgts[i]){ + if ((retval=krb5_cc_store_cred(context,cc,tgts[i]))) { + com_err(prog_name, retval, + "while storing credentials from cross-realm walk"); + return (FALSE); + } + i++; + } + krb5_free_tgt_creds(context, tgts); + } + krb5_verify_init_creds_opt_init(&vfy_opts); krb5_verify_init_creds_opt_set_ap_req_nofail( &vfy_opts, 1); - retval = krb5_verify_init_creds(context, out_creds, server, NULL /*keytab*/, - NULL /*output ccache*/, - &vfy_opts); + retval = krb5_verify_init_creds(context, out_creds, server, NULL /*keytab*/, + NULL /*output ccache*/, + &vfy_opts); if (retval) { - com_err(prog_name, retval, "while verifying ticket for server"); - return 
(FALSE); + com_err(prog_name, retval, "while verifying ticket for server"); + return (FALSE); } - + if ((retval = krb5_cc_store_cred(context, cc, out_creds))){ - com_err(prog_name, retval, - "While storing credentials"); - return (FALSE); + com_err(prog_name, retval, + "While storing credentials"); + return (FALSE); } return (TRUE); } /* krb5_fast_auth checks if ticket for the end server is already in - the cache, if it is, we don't need a tgt */ + the cache, if it is, we don't need a tgt */ krb5_boolean krb5_fast_auth(context, client, server, target_user, cc) krb5_context context; 
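Review bot: The `krb5_seteuid(0)` on the `krb5_get_tkt_via_passwd` failure path under `GET_TGT_VIA_PASSWD` discards its result, while the two neighbouring `krb5_seteuid` calls report `errno` and return; `if (krb5_seteuid(0)) com_err("ksu", errno, "while reclaiming root uid");` keeps a failed privilege change visible without altering the FALSE return. Resource handling is also uneven: `client` and `server` are freed only on the `krb5_sname_to_principal` and `ksu_tgtname` error paths, and no release of `tgtq`, `tgt`, `in_creds` or `out_creds` appears anywhere in the hunk; since every exit after the first copy needs the same teardown, one cleanup label reached by `goto` would replace the dozen scattered `return (FALSE)` sites (outline below, with `client`/`server` initialised to NULL so the early exits stay safe). `krb5_fast_auth` in the next hunk and `get_best_principal` further down this file copy or parse principals with the same no-release pattern. krb5_auth_check's parameter list lies in the previous hunk.
```c
    krb5_principal client = NULL, server = NULL;
    krb5_boolean ok = FALSE;
    /* … unchanged: memset of tgtq/tgt/in_creds, principal setup … */
    if ((retval = krb5_copy_principal(context, client, &tgtq.client))) {
        com_err(prog_name, retval, "while copying client principal");
        goto cleanup;
    }
    /* … unchanged: cache lookup, password path, KDC fetch, verify, store;
       every error branch becomes `goto cleanup` instead of `return (FALSE)` … */
    ok = TRUE;
cleanup:
    krb5_free_cred_contents(context, &tgtq);
    krb5_free_cred_contents(context, &tgt);
    krb5_free_cred_contents(context, &in_creds);
    krb5_free_principal(context, client);
    krb5_free_principal(context, server);
    return ok;
```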
@@ -236,49 +237,49 @@ krb5_boolean krb5_fast_auth(context, client, server, target_user, cc) char *target_user; krb5_ccache cc; { - + krb5_creds tgt, tgtq; krb5_verify_init_creds_opt vfy_opts; krb5_error_code retval; - - memset(&tgtq, 0, sizeof(tgtq)); - memset(&tgt, 0, sizeof(tgt)); - + + memset(&tgtq, 0, sizeof(tgtq)); + memset(&tgt, 0, sizeof(tgt)); + if ((retval= krb5_copy_principal(context, client, &tgtq.client))){ - com_err(prog_name, retval,"while copying client principal"); - return (FALSE) ; + com_err(prog_name, retval,"while copying client principal"); + return (FALSE) ; } - + if ((retval= krb5_copy_principal(context, server, &tgtq.server))){ - com_err(prog_name, retval,"while copying client principal"); - return (FALSE) ; + com_err(prog_name, retval,"while copying client principal"); + return (FALSE) ; } - + if ((retval = krb5_cc_retrieve_cred(context, cc, - KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES, - &tgtq, &tgt))){ - if (auth_debug) - com_err(prog_name, retval,"While Retrieving credentials"); - return (FALSE) ; - + KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES, + &tgtq, &tgt))){ + if (auth_debug) + com_err(prog_name, retval,"While Retrieving credentials"); + return (FALSE) ; + } krb5_verify_init_creds_opt_init(&vfy_opts); krb5_verify_init_creds_opt_set_ap_req_nofail( &vfy_opts, 1); - retval = krb5_verify_init_creds(context, &tgt, server, NULL /*keytab*/, - NULL /*output ccache*/, - &vfy_opts); - if (retval){ - com_err(prog_name, retval, "while verifing ticket for server"); - return (FALSE); + retval = krb5_verify_init_creds(context, &tgt, server, NULL /*keytab*/, + NULL /*output ccache*/, + &vfy_opts); + if (retval){ + com_err(prog_name, retval, "while verifing ticket for server"); + return (FALSE); } - + return TRUE; } krb5_boolean krb5_get_tkt_via_passwd (context, ccache, client, server, - options, zero_password) + options, zero_password) krb5_context context; krb5_ccache *ccache; krb5_principal client; 
@@ -293,77 +294,77 @@ krb5_boolean krb5_get_tkt_via_passwd (context, ccache, client, server, char password[255], *client_name, prompt[255]; int result; - *zero_password = FALSE; - + *zero_password = FALSE; + if ((code = krb5_unparse_name(context, client, &client_name))) { com_err (prog_name, code, "when unparsing name"); return (FALSE); } memset(&my_creds, 0, sizeof(my_creds)); - - if ((code = krb5_copy_principal(context, client, &my_creds.client))){ + + if ((code = krb5_copy_principal(context, client, &my_creds.client))){ com_err (prog_name, code, "while copying principal"); - return (FALSE); - } + return (FALSE); + } - if ((code = krb5_copy_principal(context, server, &my_creds.server))){ + if ((code = krb5_copy_principal(context, server, &my_creds.server))){ com_err (prog_name, code, "while copying principal"); - return (FALSE); - } + return (FALSE); + } if ((code = krb5_timeofday(context, &now))) { - com_err(prog_name, code, "while getting time of day"); - return (FALSE); + com_err(prog_name, code, "while getting time of day"); + return (FALSE); } - my_creds.times.starttime = 0; /* start timer when request - gets to KDC */ - + my_creds.times.starttime = 0; /* start timer when request + gets to KDC */ + my_creds.times.endtime = now + options->lifetime; if (options->opt & KDC_OPT_RENEWABLE) { - my_creds.times.renew_till = now + options->rlife; + my_creds.times.renew_till = now + options->rlife; } else - my_creds.times.renew_till = 0; + my_creds.times.renew_till = 0; result = snprintf(prompt, sizeof(prompt), "Kerberos password for %s: ", - client_name); + client_name); if (SNPRINTF_OVERFLOW(result, sizeof(prompt))) { - fprintf (stderr, - "principal name %s too long for internal buffer space\n", - client_name); - return FALSE; + fprintf (stderr, + "principal name %s too long for internal buffer space\n", + client_name); + return FALSE; } - + pwsize = sizeof(password); - + code = krb5_read_password(context, prompt, 0, password, &pwsize); if (code ) { - 
com_err(prog_name, code, "while reading password for '%s'\n", - client_name); - memset(password, 0, sizeof(password)); - return (FALSE); + com_err(prog_name, code, "while reading password for '%s'\n", + client_name); + memset(password, 0, sizeof(password)); + return (FALSE); } - + if ( pwsize == 0) { - fprintf(stderr, "No password given\n"); - *zero_password = TRUE; - memset(password, 0, sizeof(password)); - return (FALSE); + fprintf(stderr, "No password given\n"); + *zero_password = TRUE; + memset(password, 0, sizeof(password)); + return (FALSE); } - - code = krb5_get_in_tkt_with_password(context, options->opt, - 0, NULL, preauth_ptr, - password, *ccache, &my_creds, 0); + + code = krb5_get_in_tkt_with_password(context, options->opt, + 0, NULL, preauth_ptr, + password, *ccache, &my_creds, 0); memset(password, 0, sizeof(password)); - - + + if (code) { - if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) - fprintf (stderr, "%s: Password incorrect\n", prog_name); - else - com_err (prog_name, code, "while getting initial credentials"); - return (FALSE); + if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) + fprintf (stderr, "%s: Password incorrect\n", prog_name); + else + com_err (prog_name, code, "while getting initial credentials"); + return (FALSE); } return (TRUE); } @@ -375,10 +376,10 @@ void dump_principal (context, str, p) krb5_principal p; { char * stname; - krb5_error_code retval; + krb5_error_code retval; if ((retval = krb5_unparse_name(context, p, &stname))) { - fprintf(stderr, " %s while unparsing name\n", error_message(retval)); + fprintf(stderr, " %s while unparsing name\n", error_message(retval)); } fprintf(stderr, " %s: %s\n", str, stname); } 
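Review bot: The `memset(password, 0, sizeof(password))` that follows `krb5_get_in_tkt_with_password` is the last access to `password` before the function returns, so the compiler may drop it as a dead store and the cleartext password can remain on the stack; the two `memset` calls in the `krb5_read_password` and `pwsize == 0` error paths are in the same position. Those three sites should use a zeroization the optimizer cannot elide — the tree's own secure-wipe helper if it provides one (confirm the name before substituting), otherwise a loop through a `volatile unsigned char *`. Separately, `client_name` from `krb5_unparse_name` is never passed to `krb5_free_unparsed_name`, and `my_creds` is never released with `krb5_free_cred_contents` on any path in the hunk. krb5_get_tkt_via_passwd's parameter list lies in the previous hunk.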
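Review bot: `stname` is printed by `fprintf(stderr, " %s: %s\n", str, stname)` even when `krb5_unparse_name` failed, in which case an uninitialized pointer is passed to `%s`; the error branch should leave the function: `if ((retval = krb5_unparse_name(context, p, &stname))) { fprintf(stderr, " %s while unparsing name\n", error_message(retval)); return; }`. On success the string is never handed back with `krb5_free_unparsed_name(context, stname)` after the print. `plain_dump_principal` in the next hunk has both issues in the same shape. dump_principal's signature line lies above this hunk.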
@@ -386,21 +387,21 @@ void dump_principal (context, str, p) void plain_dump_principal (context, p) krb5_context context; krb5_principal p; -{ +{ char * stname; - krb5_error_code retval; + krb5_error_code retval; if ((retval = krb5_unparse_name(context, p, &stname))) - fprintf(stderr, " %s while unparsing name\n", error_message(retval)); + fprintf(stderr, " %s while unparsing name\n", error_message(retval)); fprintf(stderr, "%s ", stname); } /********************************************************************** returns the principal that is closest to client. plist contains -a principal list obtained from .k5login and parhaps .k5users file. -This routine gets called before getting the password for a tgt. -A principal is picked that has the best chance of getting in. +a principal list obtained from .k5login and parhaps .k5users file. +This routine gets called before getting the password for a tgt. +A principal is picked that has the best chance of getting in. **********************************************************************/ 
@@ -410,55 +411,55 @@ krb5_error_code get_best_principal(context, plist, client) char **plist; krb5_principal *client; { - krb5_error_code retval =0; + krb5_error_code retval =0; krb5_principal temp_client, best_client = NULL; - + int i = 0, nelem; - + if (! plist ) return 0; - + nelem = krb5_princ_size(context, *client); - + while(plist[i]){ - - if ((retval = krb5_parse_name(context, plist[i], &temp_client))){ - return retval; - } - - if (data_eq(*krb5_princ_realm(context, *client), - *krb5_princ_realm(context, temp_client))) { - - if (nelem && - krb5_princ_size(context, *client) > 0 && - krb5_princ_size(context, temp_client) > 0) { - krb5_data *p1 = - krb5_princ_component(context, *client, 0); - krb5_data *p2 = - krb5_princ_component(context, temp_client, 0); - - if (data_eq(*p1, *p2)) { - - if (auth_debug){ - fprintf(stderr, - "get_best_principal: compare with %s\n", - plist[i]); - } - - if(best_client){ - if(krb5_princ_size(context, best_client) > - krb5_princ_size(context, temp_client)){ - best_client = temp_client; - } - }else{ - best_client = temp_client; - } - } - } - - } - i++; + + if ((retval = krb5_parse_name(context, plist[i], &temp_client))){ + return retval; + } + + if (data_eq(*krb5_princ_realm(context, *client), + *krb5_princ_realm(context, temp_client))) { + + if (nelem && + krb5_princ_size(context, *client) > 0 && + krb5_princ_size(context, temp_client) > 0) { + krb5_data *p1 = + krb5_princ_component(context, *client, 0); + krb5_data *p2 = + krb5_princ_component(context, temp_client, 0); + + if (data_eq(*p1, *p2)) { + + if (auth_debug){ + fprintf(stderr, + "get_best_principal: compare with %s\n", + plist[i]); + } + + if(best_client){ + if(krb5_princ_size(context, best_client) > + krb5_princ_size(context, temp_client)){ + best_client = temp_client; + } + }else{ + best_client = temp_client; + } + } + } + + } + i++; } - + if (best_client) *client = best_client; return 0; } 
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h index 76ed7032d..f2c0811fc 100644 --- a/src/clients/ksu/ksu.h +++ b/src/clients/ksu/ksu.h @@ -1,4 +1,5 @@ -/* +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* * Copyright (c) 1994 by the University of Southern California * * EXPORT OF THIS SOFTWARE from the United States of America may @@ -10,7 +11,7 @@ * this software and its documentation in source and binary forms is * hereby granted, provided that any documentation or other materials * related to such distribution or use acknowledge that the software - * was developed by the University of Southern California. + * was developed by the University of Southern California. * * DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED "AS IS". The * University of Southern California MAKES NO REPRESENTATIONS OR @@ -29,7 +30,7 @@ #include "k5-util.h" #include <stdio.h> #include "com_err.h" -#include <sys/types.h> +#include <sys/types.h> #include <sys/param.h> #include <pwd.h> #include <unistd.h> @@ -48,15 +49,15 @@ #define KRB5_LOGIN_NAME ".k5login" #define KRB5_USERS_NAME ".k5users" #define USE_DEFAULT_REALM_NAME "." -#define PERMIT_ALL_COMMANDS "*" +#define PERMIT_ALL_COMMANDS "*" #define KRB5_SEC_BUFFSIZE 80 #define NOT_AUTHORIZED 1 #define CHUNK 3 #define CACHE_MODE 0600 -#define MAX_CMD 2048 /* this is temp, should use realloc instead, - as done in most of the code */ - +#define MAX_CMD 2048 /* this is temp, should use realloc instead, + as done in most of the code */ + extern int optind; extern char * optarg; 
@@ -71,90 +72,90 @@ extern char * gb_err; /***********/ typedef struct opt_info{ - int opt; - krb5_deltat lifetime; - krb5_deltat rlife; - int princ; + int opt; + krb5_deltat lifetime; + krb5_deltat rlife; + int princ; }opt_info; /* krb_auth_su.c */ extern krb5_boolean krb5_auth_check - (krb5_context, krb5_principal, char *, opt_info *, - char *, krb5_ccache, int *, uid_t); +(krb5_context, krb5_principal, char *, opt_info *, + char *, krb5_ccache, int *, uid_t); extern krb5_boolean krb5_fast_auth - (krb5_context, krb5_principal, krb5_principal, char *, - krb5_ccache); +(krb5_context, krb5_principal, krb5_principal, char *, + krb5_ccache); -extern krb5_boolean krb5_get_tkt_via_passwd - (krb5_context, krb5_ccache *, krb5_principal, - krb5_principal, opt_info *, krb5_boolean *); +extern krb5_boolean krb5_get_tkt_via_passwd +(krb5_context, krb5_ccache *, krb5_principal, + krb5_principal, opt_info *, krb5_boolean *); -extern void dump_principal - (krb5_context, char *, krb5_principal); +extern void dump_principal +(krb5_context, char *, krb5_principal); -extern void plain_dump_principal - (krb5_context, krb5_principal); +extern void plain_dump_principal +(krb5_context, krb5_principal); extern krb5_error_code krb5_parse_lifetime - (char *, long *); +(char *, long *); extern krb5_error_code get_best_principal - (krb5_context, char **, krb5_principal *); +(krb5_context, char **, krb5_principal *); /* ccache.c */ extern krb5_error_code krb5_ccache_copy - (krb5_context, krb5_ccache, char *, krb5_principal, - krb5_ccache *, krb5_boolean *, uid_t); +(krb5_context, krb5_ccache, char *, krb5_principal, + krb5_ccache *, krb5_boolean *, uid_t); extern krb5_error_code krb5_store_all_creds - (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **); +(krb5_context, krb5_ccache, krb5_creds **, krb5_creds **); extern krb5_error_code krb5_store_all_creds - (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **); +(krb5_context, krb5_ccache, krb5_creds **, krb5_creds **); extern 
krb5_boolean compare_creds - (krb5_context, krb5_creds *, krb5_creds *); +(krb5_context, krb5_creds *, krb5_creds *); extern krb5_error_code krb5_get_nonexp_tkts - (krb5_context, krb5_ccache, krb5_creds ***); +(krb5_context, krb5_ccache, krb5_creds ***); extern krb5_error_code krb5_check_exp - (krb5_context, krb5_ticket_times); +(krb5_context, krb5_ticket_times); extern char *flags_string (krb5_creds *); extern krb5_error_code krb5_get_login_princ - (const char *, char ***); +(const char *, char ***); extern void show_credential - (krb5_context, krb5_creds *, krb5_ccache); +(krb5_context, krb5_creds *, krb5_ccache); extern int gen_sym (void); extern krb5_error_code krb5_ccache_overwrite - (krb5_context, krb5_ccache, krb5_ccache, krb5_principal); +(krb5_context, krb5_ccache, krb5_ccache, krb5_principal); extern krb5_error_code krb5_store_some_creds - (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **, - krb5_principal, krb5_boolean *); +(krb5_context, krb5_ccache, krb5_creds **, krb5_creds **, + krb5_principal, krb5_boolean *); extern krb5_error_code krb5_ccache_copy_restricted - (krb5_context, krb5_ccache, char *, krb5_principal, - krb5_ccache *, krb5_boolean *, uid_t); +(krb5_context, krb5_ccache, char *, krb5_principal, + krb5_ccache *, krb5_boolean *, uid_t); extern krb5_error_code krb5_ccache_refresh - (krb5_context, krb5_ccache); +(krb5_context, krb5_ccache); extern krb5_error_code krb5_ccache_filter - (krb5_context, krb5_ccache, krb5_principal); +(krb5_context, krb5_ccache, krb5_principal); extern krb5_boolean krb5_find_princ_in_cred_list - (krb5_context, krb5_creds **, krb5_principal); +(krb5_context, krb5_creds **, krb5_principal); extern krb5_error_code krb5_find_princ_in_cache - (krb5_context, krb5_ccache, krb5_principal, krb5_boolean *); +(krb5_context, krb5_ccache, krb5_principal, krb5_boolean *); extern void printtime (time_t); 
@@ -162,17 +163,17 @@ extern void printtime (time_t); extern krb5_boolean fowner (FILE *, uid_t); extern krb5_error_code krb5_authorization - (krb5_context, krb5_principal, const char *, char *, - krb5_boolean *, char **); +(krb5_context, krb5_principal, const char *, char *, + krb5_boolean *, char **); extern krb5_error_code k5login_lookup (FILE *, char *, - krb5_boolean *); + krb5_boolean *); -extern krb5_error_code k5users_lookup - (FILE *, char *, char *, krb5_boolean *, char **); +extern krb5_error_code k5users_lookup +(FILE *, char *, char *, krb5_boolean *, char **); extern krb5_boolean fcmd_resolve - (char *, char ***, char **); +(char *, char ***, char **); extern krb5_boolean cmd_single (char *); @@ -180,11 +181,11 @@ extern int cmd_arr_cmp_postfix (char **, char *); extern int cmd_arr_cmp (char **, char *); -extern krb5_boolean find_first_cmd_that_exists - (char **, char **, char **); +extern krb5_boolean find_first_cmd_that_exists +(char **, char **, char **); -extern int match_commands - (char *, char *, krb5_boolean *, char **, char **); +extern int match_commands +(char *, char *, krb5_boolean *, char **, char **); extern krb5_error_code get_line (FILE *, char **); 
@@ -211,30 +212,30 @@ extern krb5_error_code list_union (char **, char **, char ***); extern krb5_error_code filter (FILE *, char *, char **, char ***); extern krb5_error_code get_authorized_princ_names - (const char *, char *, char ***); +(const char *, char *, char ***); -extern krb5_error_code get_closest_principal - (krb5_context, char **, krb5_principal *, krb5_boolean *); +extern krb5_error_code get_closest_principal +(krb5_context, char **, krb5_principal *, krb5_boolean *); -extern krb5_error_code find_either_ticket - (krb5_context, krb5_ccache, krb5_principal, - krb5_principal, krb5_boolean *); +extern krb5_error_code find_either_ticket +(krb5_context, krb5_ccache, krb5_principal, + krb5_principal, krb5_boolean *); -extern krb5_error_code find_ticket - (krb5_context, krb5_ccache, krb5_principal, - krb5_principal, krb5_boolean *); +extern krb5_error_code find_ticket +(krb5_context, krb5_ccache, krb5_principal, + krb5_principal, krb5_boolean *); extern krb5_error_code find_princ_in_list - (krb5_context, krb5_principal, char **, krb5_boolean *); +(krb5_context, krb5_principal, char **, krb5_boolean *); extern krb5_error_code get_best_princ_for_target - (krb5_context, uid_t, uid_t, char *, char *, krb5_ccache, - opt_info *, char *, char *, krb5_principal *, int *); +(krb5_context, uid_t, uid_t, char *, char *, krb5_ccache, + opt_info *, char *, char *, krb5_principal *, int *); extern krb5_error_code ksu_tgtname (krb5_context, const krb5_data *, - const krb5_data *, - krb5_principal *tgtprinc); + const krb5_data *, + krb5_principal *tgtprinc); #ifndef min #define min(a,b) ((a) > (b) ? (b) : (a)) 
@@ -242,14 +243,14 @@ extern krb5_error_code ksu_tgtname (krb5_context, const krb5_data *, extern char *krb5_lname_file; /* Note: print this out just be sure - that it gets set */ + that it gets set */ -extern void *xmalloc (size_t), - *xrealloc (void *, size_t), +extern void *xmalloc (size_t), + *xrealloc (void *, size_t), *xcalloc (size_t, size_t); -extern char *xstrdup (const char *); -extern char *xasprintf (const char *format, ...); + extern char *xstrdup (const char *); + extern char *xasprintf (const char *format, ...); #ifndef HAVE_UNSETENV -void unsetenv (char *); + void unsetenv (char *); #endif diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c index 0aba56933..b7dcdadc6 100644 --- a/src/clients/ksu/main.c +++ b/src/clients/ksu/main.c @@ -1,4 +1,5 @@ -/* +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* * Copyright (c) 1994 by the University of Southern California * * EXPORT OF THIS SOFTWARE from the United States of America may @@ -10,7 +11,7 @@ * this software and its documentation in source and binary forms is * hereby granted, provided that any documentation or other materials * related to such distribution or use acknowledge that the software - * was developed by the University of Southern California. + * was developed by the University of Southern California. * * DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED "AS IS". The * University of Southern California MAKES NO REPRESENTATIONS OR 
@@ -34,31 +35,31 @@ /* globals */ char * prog_name; -int auth_debug =0; +int auth_debug =0; char k5login_path[MAXPATHLEN]; char k5users_path[MAXPATHLEN]; char * gb_err = NULL; int quiet = 0; /***********/ -#define _DEF_CSH "/bin/csh" +#define _DEF_CSH "/bin/csh" static int set_env_var (char *, char *); static void sweep_up (krb5_context, krb5_ccache); static char * ontty (void); #ifdef HAVE_STDARG_H static void print_status( const char *fmt, ...) #if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 7) - __attribute__ ((__format__ (__printf__, 1, 2))) + __attribute__ ((__format__ (__printf__, 1, 2))) #endif - ; + ; #else static void print_status(); #endif -char * get_dir_of_file(); +char * get_dir_of_file(); /* Note -e and -a options are mutually exclusive */ -/* insure the proper specification of target user as well as catching - ill specified arguments to commands */ +/* insure the proper specification of target user as well as catching + ill specified arguments to commands */ void usage (){ fprintf(stderr, "Usage: %s [target user] [-n principal] [-c source cachename] [-k] [-D] [-r time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a [args... ] ]\n", prog_name); 
@@ -76,31 +77,31 @@ int main (argc, argv) int argc; char ** argv; -{ +{ int hp =0; - int some_rest_copy = 0; - int all_rest_copy = 0; + int some_rest_copy = 0; + int all_rest_copy = 0; char *localhostname = NULL; opt_info options; int option=0; int statusp=0; - krb5_error_code retval = 0; + krb5_error_code retval = 0; krb5_principal client = NULL; krb5_ccache cc_target = NULL; krb5_context ksu_context; - char * cc_target_tag = NULL; + char * cc_target_tag = NULL; char * target_user = NULL; char * source_user; - + krb5_ccache cc_source = NULL; - const char * cc_source_tag = NULL; + const char * cc_source_tag = NULL; uid_t source_gid, target_gid; const char * cc_source_tag_tmp = NULL; - char * cc_target_tag_tmp=NULL; + char * cc_target_tag_tmp=NULL; char * cmd = NULL, * exec_cmd = NULL; int errflg = 0; - krb5_boolean auth_val; - krb5_boolean authorization_val = FALSE; + krb5_boolean auth_val; + krb5_boolean authorization_val = FALSE; int path_passwd = 0; int done =0,i,j; uid_t ruid = getuid (); @@ -116,12 +117,12 @@ main (argc, argv) krb5_boolean stored = FALSE; krb5_principal kdc_server; krb5_boolean zero_password; - char * dir_of_cc_target; - + char * dir_of_cc_target; + options.opt = KRB5_DEFAULT_OPTIONS; options.lifetime = KRB5_DEFAULT_TKT_LIFE; - options.rlife =0; - options.princ =0; + options.rlife =0; + options.princ =0; params = (char **) xcalloc (2, sizeof (char *)); params[1] = NULL; 
@@ -132,157 +133,157 @@ main (argc, argv)
 retval = krb5_init_secure_context(&ksu_context);
 if (retval) {
 com_err(argv[0], retval, "while initializing krb5");
- exit(1);
+ exit(1);
 }
 if (strrchr(argv[0], '/'))
- argv[0] = strrchr(argv[0], '/')+1;
+ argv[0] = strrchr(argv[0], '/')+1;
 prog_name = argv[0];
 if (strlen (prog_name) > 50) {
- /* this many chars *after* last / ?? */
- com_err(prog_name, 0, "program name too long - quitting to avoid triggering system logging bugs");
- exit (1);
+ /* this many chars *after* last / ?? */
+ com_err(prog_name, 0, "program name too long - quitting to avoid triggering system logging bugs");
+ exit (1);
 }
 #ifndef LOG_NDELAY
 #define LOG_NDELAY 0
 #endif
-
+
 #ifndef LOG_AUTH /* 4.2 syslog */
 openlog(prog_name, LOG_PID|LOG_NDELAY);
 #else
 openlog(prog_name, LOG_PID | LOG_NDELAY, LOG_AUTH);
 #endif /* 4.2 syslog */
-
-
+
+
 if (( argc == 1) || (argv[1][0] == '-')){
- target_user = xstrdup("root");
- pargc = argc;
- pargv = argv;
+ target_user = xstrdup("root");
+ pargc = argc;
+ pargv = argv;
 } else {
- target_user = xstrdup(argv[1]);
- pargc = argc -1;
-
- if ((pargv =(char **) calloc(pargc +1,sizeof(char *)))==NULL){
- com_err(prog_name, errno, "while allocating memory");
- exit(1);
- }
-
- pargv[pargc] = NULL;
- pargv[0] = argv[0];
-
- for(i =1; i< pargc; i ++){
- pargv[i] = argv[i + 1];
- }
- }
-
+ target_user = xstrdup(argv[1]);
+ pargc = argc -1;
+
+ if ((pargv =(char **) calloc(pargc +1,sizeof(char *)))==NULL){
+ com_err(prog_name, errno, "while allocating memory");
+ exit(1);
+ }
+
+ pargv[pargc] = NULL;
+ pargv[0] = argv[0];
+
+ for(i =1; i< pargc; i ++){
+ pargv[i] = argv[i + 1];
+ }
+ }
+
 if (krb5_seteuid (ruid)) {
- com_err (prog_name, errno, "while setting euid to source user");
- exit (1);
+ com_err (prog_name, errno, "while setting euid to source user");
+ exit (1);
 }
 while(!done && ((option = getopt(pargc, pargv,"n:c:r:a:zZDfpkql:e:")) != -1)){
- switch (option) {
- case 'r':
- options.opt |= KDC_OPT_RENEWABLE;
- if (strlen
(optarg) >= 14)
- optarg = "bad-time";
- retval = krb5_string_to_deltat(optarg, &options.rlife);
- if (retval != 0 || options.rlife == 0) {
- fprintf(stderr, "Bad lifetime value (%s hours?)\n", optarg);
- errflg++;
- }
- break;
- case 'a':
+ switch (option) {
+ case 'r':
+ options.opt |= KDC_OPT_RENEWABLE;
+ if (strlen (optarg) >= 14)
+ optarg = "bad-time";
+ retval = krb5_string_to_deltat(optarg, &options.rlife);
+ if (retval != 0 || options.rlife == 0) {
+ fprintf(stderr, "Bad lifetime value (%s hours?)\n", optarg);
+ errflg++;
+ }
+ break;
+ case 'a':
 /* when integrating this remember to pass in pargc, pargv and take care of params argument */
- optind --;
- if (auth_debug){printf("Before get_params optind=%d\n", optind);}
-
+ optind --;
+ if (auth_debug){printf("Before get_params optind=%d\n", optind);}
+
 if ((retval = get_params( & optind, pargc, pargv, ¶ms))){
 com_err(prog_name, retval, "when gathering parameters");
 errflg++;
 }
 if(auth_debug){ printf("After get_params optind=%d\n", optind);}
- done = 1;
+ done = 1;
+ break;
+ case 'p':
+ options.opt |= KDC_OPT_PROXIABLE;
+ break;
+ case 'f':
+ options.opt |= KDC_OPT_FORWARDABLE;
+ break;
+ case 'k':
+ keep_target_cache =1;
+ break;
+ case 'q':
+ quiet =1;
 break;
- case 'p':
- options.opt |= KDC_OPT_PROXIABLE;
- break;
- case 'f':
- options.opt |= KDC_OPT_FORWARDABLE;
- break;
- case 'k':
- keep_target_cache =1;
- break;
- case 'q':
- quiet =1;
- break;
 case 'l':
- if (strlen (optarg) >= 14)
- optarg = "bad-time";
- retval = krb5_string_to_deltat(optarg, &options.lifetime);
- if (retval != 0 || options.lifetime == 0) {
- fprintf(stderr, "Bad lifetime value (%s hours?)\n", optarg);
- errflg++;
- }
- break;
- case 'n':
- if ((retval = krb5_parse_name(ksu_context, optarg, &client))){
- com_err(prog_name, retval, "when parsing name %s", optarg);
- errflg++;
- }
-
- options.princ = 1;
-
- break;
+ if (strlen (optarg) >= 14)
+ optarg = "bad-time";
+ retval = krb5_string_to_deltat(optarg, &options.lifetime);
+ if
(retval != 0 || options.lifetime == 0) {
+ fprintf(stderr, "Bad lifetime value (%s hours?)\n", optarg);
+ errflg++;
+ }
+ break;
+ case 'n':
+ if ((retval = krb5_parse_name(ksu_context, optarg, &client))){
+ com_err(prog_name, retval, "when parsing name %s", optarg);
+ errflg++;
+ }
+
+ options.princ = 1;
+
+ break;
 #ifdef DEBUG
- case 'D':
- auth_debug = 1;
- break;
+ case 'D':
+ auth_debug = 1;
+ break;
 #endif
- case 'z':
- some_rest_copy = 1;
- if(all_rest_copy) {
- fprintf(stderr,
- "-z option is mutually exclusive with -Z.\n");
- errflg++;
- }
- break;
- case 'Z':
- all_rest_copy = 1;
- if(some_rest_copy) {
- fprintf(stderr,
- "-Z option is mutually exclusive with -z.\n");
- errflg++;
- }
- break;
- case 'c':
- if (cc_source_tag == NULL) {
- cc_source_tag = xstrdup(optarg);
- if ( strchr(cc_source_tag, ':')){
- cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
-
- if( stat( cc_source_tag_tmp, &st_temp)){
- com_err (prog_name, errno,
- "while looking for credentials file %s",
- cc_source_tag_tmp);
- exit (1);
- }
- }
- else {
- fprintf(stderr,"malformed credential cache name %s\n",
- cc_source_tag);
- errflg++;
- }
-
- } else {
- fprintf(stderr, "Only one -c option allowed\n");
- errflg++;
- }
- break;
- case 'e':
- cmd = xstrdup(optarg);
+ case 'z':
+ some_rest_copy = 1;
+ if(all_rest_copy) {
+ fprintf(stderr,
+ "-z option is mutually exclusive with -Z.\n");
+ errflg++;
+ }
+ break;
+ case 'Z':
+ all_rest_copy = 1;
+ if(some_rest_copy) {
+ fprintf(stderr,
+ "-Z option is mutually exclusive with -z.\n");
+ errflg++;
+ }
+ break;
+ case 'c':
+ if (cc_source_tag == NULL) {
+ cc_source_tag = xstrdup(optarg);
+ if ( strchr(cc_source_tag, ':')){
+ cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
+
+ if( stat( cc_source_tag_tmp, &st_temp)){
+ com_err (prog_name, errno,
+ "while looking for credentials file %s",
+ cc_source_tag_tmp);
+ exit (1);
+ }
+ }
+ else {
+ fprintf(stderr,"malformed credential cache name %s\n",
+ cc_source_tag);
+ errflg++;
+ }
+
+ } else
{
+ fprintf(stderr, "Only one -c option allowed\n");
+ errflg++;
+ }
+ break;
+ case 'e':
+ cmd = xstrdup(optarg);
 if(auth_debug){printf("Before get_params optind=%d\n", optind);}
 if ((retval = get_params( & optind, pargc, pargv, ¶ms))){
 com_err(prog_name, retval, "when gathering parameters");
@@ -295,16 +296,16 @@ main (argc, argv)
 fprintf(stderr,"Command to be executed: %s\n", cmd);
 }
 break;
- case '?':
- default:
- errflg++;
- break;
- }
+ case '?':
+ default:
+ errflg++;
+ break;
+ }
 }
 if (errflg) {
- usage();
- exit(2);
+ usage();
+ exit(2);
 }
 if (optind != pargc ){
@@ -312,544 +313,544 @@ main (argc, argv)
 exit(2);
 }
- if (auth_debug){
- for(j=1; params[j] != NULL; j++){
- fprintf (stderr,"params[%d]= %s\n", j,params[j]);
- }
- }
+ if (auth_debug){
+ for(j=1; params[j] != NULL; j++){
+ fprintf (stderr,"params[%d]= %s\n", j,params[j]);
+ }
+ }
 /***********************************/
 source_user = getlogin(); /*checks for the the login name in /etc/utmp*/
-
+
 /* verify that that the user exists and get his passwd structure */
-
+
 if (source_user == NULL ||(pwd = getpwnam(source_user)) == NULL ||
- pwd->pw_uid != ruid){
- pwd = getpwuid(ruid);
+ pwd->pw_uid != ruid){
+ pwd = getpwuid(ruid);
 }
-
+
 if (pwd == NULL) {
- fprintf(stderr, "ksu: who are you?\n");
- exit(1);
+ fprintf(stderr, "ksu: who are you?\n");
+ exit(1);
 }
 if (pwd->pw_uid != ruid) {
- fprintf (stderr, "Your uid doesn't match your passwd entry?!\n");
- exit (1);
+ fprintf (stderr, "Your uid doesn't match your passwd entry?!\n");
+ exit (1);
 }
 /* Okay, now we have *some* passwd entry that matches the current real uid.
*/
-
- /* allocate space and copy the usernamane there */
+
+ /* allocate space and copy the usernamane there */
 source_user = xstrdup(pwd->pw_name);
 source_uid = pwd->pw_uid;
 source_gid = pwd->pw_gid;
-
-
+
+
 if (!strcmp(SOURCE_USER_LOGIN, target_user)){
- target_user = xstrdup (source_user);
+ target_user = xstrdup (source_user);
 }
-
- if ((target_pwd = getpwnam(target_user)) == NULL){
- fprintf(stderr, "ksu: unknown login %s\n", target_user);
- exit(1);
+
+ if ((target_pwd = getpwnam(target_user)) == NULL){
+ fprintf(stderr, "ksu: unknown login %s\n", target_user);
+ exit(1);
 }
 target_uid = target_pwd->pw_uid;
 target_gid = target_pwd->pw_gid;
-
+
 init_auth_names(target_pwd->pw_dir);
-
+
 /***********************************/
-
+
 if (cc_source_tag == NULL){
- cc_source_tag = krb5_cc_default_name(ksu_context);
- cc_source_tag_tmp = strchr(cc_source_tag, ':');
- if (cc_source_tag_tmp == 0)
- cc_source_tag_tmp = cc_source_tag;
- else
- cc_source_tag_tmp++;
- }
-
- /* get a handle for the cache */
+ cc_source_tag = krb5_cc_default_name(ksu_context);
+ cc_source_tag_tmp = strchr(cc_source_tag, ':');
+ if (cc_source_tag_tmp == 0)
+ cc_source_tag_tmp = cc_source_tag;
+ else
+ cc_source_tag_tmp++;
+ }
+
+ /* get a handle for the cache */
 if ((retval = krb5_cc_resolve(ksu_context, cc_source_tag, &cc_source))){
- com_err(prog_name, retval,"while getting source cache");
- exit(1);
+ com_err(prog_name, retval,"while getting source cache");
+ exit(1);
 }
-
+
 if (((retval = krb5_cc_set_flags(ksu_context, cc_source, 0x0)) != 0)
- && (retval != KRB5_FCC_NOFILE)) {
- com_err(prog_name, retval, "while opening ccache");
- exit(1);
+ && (retval != KRB5_FCC_NOFILE)) {
+ com_err(prog_name, retval, "while opening ccache");
+ exit(1);
 }
 if ((retval = get_best_princ_for_target(ksu_context, source_uid,
- target_uid, source_user,
- target_user, cc_source,
- &options, cmd, localhostname,
- &client, &hp))){
- com_err(prog_name,retval, "while selecting the best principal");
- exit(1);
- }
-
+
target_uid, source_user,
+ target_user, cc_source,
+ &options, cmd, localhostname,
+ &client, &hp))){
+ com_err(prog_name,retval, "while selecting the best principal");
+ exit(1);
+ }
+
 /* We may be running as either source or target, depending on what happened; become source.*/
 if ( geteuid() != source_uid) {
- if (krb5_seteuid(0) || krb5_seteuid(source_uid) ) {
- com_err(prog_name, errno, "while returning to source uid after finding best principal");
- exit(1);
- }
+ if (krb5_seteuid(0) || krb5_seteuid(source_uid) ) {
+ com_err(prog_name, errno, "while returning to source uid after finding best principal");
+ exit(1);
+ }
 }
-
+
 if (auth_debug){
- if (hp){
- fprintf(stderr,
- "GET_best_princ_for_target result: NOT AUTHORIZED\n");
- }else{
- fprintf(stderr,
- "GET_best_princ_for_target result-best principal ");
- plain_dump_principal (ksu_context, client);
- fprintf(stderr,"\n");
- }
- }
-
- if (hp){
- if (gb_err) fprintf(stderr, "%s", gb_err);
- fprintf(stderr,"account %s: authorization failed\n",target_user);
- exit(1);
- }
-
+ if (hp){
+ fprintf(stderr,
+ "GET_best_princ_for_target result: NOT AUTHORIZED\n");
+ }else{
+ fprintf(stderr,
+ "GET_best_princ_for_target result-best principal ");
+ plain_dump_principal (ksu_context, client);
+ fprintf(stderr,"\n");
+ }
+ }
+
+ if (hp){
+ if (gb_err) fprintf(stderr, "%s", gb_err);
+ fprintf(stderr,"account %s: authorization failed\n",target_user);
+ exit(1);
+ }
+
 if (cc_target_tag == NULL) {
-
- cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE ,sizeof(char));
- /* make sure that the new ticket file does not already exist
- This is run as source_uid because it is reasonable to
- require the source user to have write to where the target
- cache will be created.*/
-
- do {
- snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d",
- KRB5_SECONDARY_CACHE,
- (long) target_uid, gen_sym());
- cc_target_tag_tmp = strchr(cc_target_tag, ':') + 1;
-
- }while ( !stat ( cc_target_tag_tmp, &st_temp));
- }
-
-
+
+ cc_target_tag =
(char *)xcalloc(KRB5_SEC_BUFFSIZE ,sizeof(char));
+ /* make sure that the new ticket file does not already exist
+ This is run as source_uid because it is reasonable to
+ require the source user to have write to where the target
+ cache will be created.*/
+
+ do {
+ snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d",
+ KRB5_SECONDARY_CACHE,
+ (long) target_uid, gen_sym());
+ cc_target_tag_tmp = strchr(cc_target_tag, ':') + 1;
+
+ }while ( !stat ( cc_target_tag_tmp, &st_temp));
+ }
+
+
 dir_of_cc_target = get_dir_of_file(cc_target_tag_tmp);
-
+
 if (access(dir_of_cc_target, R_OK | W_OK )){
- fprintf(stderr,
- "%s does not have correct permissions for %s\n",
- source_user, cc_target_tag);
- exit(1);
- }
-
- if (auth_debug){
- fprintf(stderr, " source cache = %s\n", cc_source_tag);
- fprintf(stderr, " target cache = %s\n", cc_target_tag);
- }
-
- /*
+ fprintf(stderr,
+ "%s does not have correct permissions for %s\n",
+ source_user, cc_target_tag);
+ exit(1);
+ }
+
+ if (auth_debug){
+ fprintf(stderr, " source cache = %s\n", cc_source_tag);
+ fprintf(stderr, " target cache = %s\n", cc_target_tag);
+ }
+
+ /*
 Only when proper authentication and authorization
- takes place, the target user becomes the owner of the cache.
- */
-
+ takes place, the target user becomes the owner of the cache.
+ */
+
 /* we continue to run as source uid until the middle of the copy, when becomewe become the target user The cache is owned by the target user.*/
-
-
- /* if root ksu's to a regular user, then
- then only the credentials for that particular user
- should be copied */
-
+
+
+ /* if root ksu's to a regular user, then
+ then only the credentials for that particular user
+ should be copied */
+
 if ((source_uid == 0) && (target_uid != 0)) {
-
- if ((retval = krb5_ccache_copy_restricted(ksu_context, cc_source,
- cc_target_tag, client,
- &cc_target, &stored,
- target_uid))){
- com_err (prog_name, retval,
- "while copying cache %s to %s",
- krb5_cc_get_name(ksu_context, cc_source),cc_target_tag);
- exit(1);
- }
-
+
+ if ((retval = krb5_ccache_copy_restricted(ksu_context, cc_source,
+ cc_target_tag, client,
+ &cc_target, &stored,
+ target_uid))){
+ com_err (prog_name, retval,
+ "while copying cache %s to %s",
+ krb5_cc_get_name(ksu_context, cc_source),cc_target_tag);
+ exit(1);
+ }
+
 } else {
- if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag,
- client,&cc_target, &stored, target_uid))) {
- com_err (prog_name, retval,
- "while copying cache %s to %s",
- krb5_cc_get_name(ksu_context, cc_source),
- cc_target_tag);
- exit(1);
- }
-
- }
-
+ if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag,
+ client,&cc_target, &stored, target_uid))) {
+ com_err (prog_name, retval,
+ "while copying cache %s to %s",
+ krb5_cc_get_name(ksu_context, cc_source),
+ cc_target_tag);
+ exit(1);
+ }
+
+ }
+
 /* Become root for authentication*/
-
+
 if (krb5_seteuid(0)) {
- com_err(prog_name, errno, "while reclaiming root uid");
- exit(1);
+ com_err(prog_name, errno, "while reclaiming root uid");
+ exit(1);
 }
-
+
 if ((source_uid == 0) || (target_uid == source_uid)){
 #ifdef GET_TGT_VIA_PASSWD
- if ((!all_rest_copy) && options.princ && (stored == FALSE)){
- if ((retval = ksu_tgtname(ksu_context,
- krb5_princ_realm (ksu_context, client),
-
krb5_princ_realm(ksu_context, client),
- &kdc_server))){
- com_err(prog_name, retval,
- "while creating tgt for local realm");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
- fprintf(stderr,"WARNING: Your password may be exposed if you enter it here and are logged\n");
- fprintf(stderr," in remotely using an unsecure (non-encrypted) channel.\n");
- if (krb5_get_tkt_via_passwd (ksu_context, &cc_target, client,
- kdc_server, &options,
- &zero_password) == FALSE){
-
- if (zero_password == FALSE){
- fprintf(stderr,"Goodbye\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
- fprintf(stderr,
- "Could not get a tgt for ");
- plain_dump_principal (ksu_context, client);
- fprintf(stderr, "\n");
-
- }
- }
+ if ((!all_rest_copy) && options.princ && (stored == FALSE)){
+ if ((retval = ksu_tgtname(ksu_context,
+ krb5_princ_realm (ksu_context, client),
+ krb5_princ_realm(ksu_context, client),
+ &kdc_server))){
+ com_err(prog_name, retval,
+ "while creating tgt for local realm");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
+ fprintf(stderr,"WARNING: Your password may be exposed if you enter it here and are logged\n");
+ fprintf(stderr," in remotely using an unsecure (non-encrypted) channel.\n");
+ if (krb5_get_tkt_via_passwd (ksu_context, &cc_target, client,
+ kdc_server, &options,
+ &zero_password) == FALSE){
+
+ if (zero_password == FALSE){
+ fprintf(stderr,"Goodbye\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
+ fprintf(stderr,
+ "Could not get a tgt for ");
+ plain_dump_principal (ksu_context, client);
+ fprintf(stderr, "\n");
+
+ }
+ }
 #endif /* GET_TGT_VIA_PASSWD */
 }
-
+
 /* if the user is root or same uid then authentication is not neccesary,
- root gets in automatically */
-
+ root gets in automatically */
+
 if (source_uid && (source_uid != target_uid)) {
- char * client_name;
-
- auth_val = krb5_auth_check(ksu_context, client, localhostname, &options,
- target_user,cc_target, &path_passwd, target_uid);
-
- /* if Kerberos authentication
failed then exit */
- if (auth_val ==FALSE){
- fprintf(stderr, "Authentication failed.\n");
- syslog(LOG_WARNING,
- "'%s %s' authentication failed for %s%s",
- prog_name,target_user,source_user,ontty());
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
+ char * client_name;
+
+ auth_val = krb5_auth_check(ksu_context, client, localhostname, &options,
+ target_user,cc_target, &path_passwd, target_uid);
+
+ /* if Kerberos authentication failed then exit */
+ if (auth_val ==FALSE){
+ fprintf(stderr, "Authentication failed.\n");
+ syslog(LOG_WARNING,
+ "'%s %s' authentication failed for %s%s",
+ prog_name,target_user,source_user,ontty());
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
 #if 0
- /* At best, this avoids a single kdc request
- It is hard to implement dealing with file permissions and
- is unnecessary. It is important
- to properly handle races in chown if this code is ever re-enabled.
- */
- /* cache the tickets if possible in the source cache */
- if (!path_passwd){
-
- if ((retval = krb5_ccache_overwrite(ksu_context, cc_target, cc_source,
- client))){
- com_err (prog_name, retval,
- "while copying cache %s to %s",
- krb5_cc_get_name(ksu_context, cc_target),
- krb5_cc_get_name(ksu_context, cc_source));
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
- if (chown(cc_source_tag_tmp, source_uid, source_gid)){
- com_err(prog_name, errno,
- "while changing owner for %s",
- cc_source_tag_tmp);
- exit(1);
- }
- }
+ /* At best, this avoids a single kdc request
+ It is hard to implement dealing with file permissions and
+ is unnecessary. It is important
+ to properly handle races in chown if this code is ever re-enabled.
+ */
+ /* cache the tickets if possible in the source cache */
+ if (!path_passwd){
+
+ if ((retval = krb5_ccache_overwrite(ksu_context, cc_target, cc_source,
+ client))){
+ com_err (prog_name, retval,
+ "while copying cache %s to %s",
+ krb5_cc_get_name(ksu_context, cc_target),
+ krb5_cc_get_name(ksu_context, cc_source));
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ if (chown(cc_source_tag_tmp, source_uid, source_gid)){
+ com_err(prog_name, errno,
+ "while changing owner for %s",
+ cc_source_tag_tmp);
+ exit(1);
+ }
+ }
 #endif /*0*/
- if ((retval = krb5_unparse_name(ksu_context, client, &client_name))) {
- com_err (prog_name, retval, "When unparsing name");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
- print_status("Authenticated %s\n", client_name);
- syslog(LOG_NOTICE,"'%s %s' authenticated %s for %s%s",
- prog_name,target_user,client_name,
- source_user,ontty());
-
- /* Run authorization as target.*/
- if (krb5_seteuid(target_uid)) {
- com_err(prog_name, errno, "while switching to target for authorization check");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
- if ((retval = krb5_authorization(ksu_context, client,target_user,
- cmd, &authorization_val, &exec_cmd))){
- com_err(prog_name,retval,"while checking authorization");
- krb5_seteuid(0); /*So we have some chance of sweeping up*/
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
- if (krb5_seteuid(0)) {
- com_err(prog_name, errno, "while switching back from target after authorization check");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
- if (authorization_val == TRUE){
-
- if (cmd) {
- print_status(
- "Account %s: authorization for %s for execution of\n",
- target_user, client_name);
- print_status(" %s successful\n",exec_cmd);
- syslog(LOG_NOTICE,
- "Account %s: authorization for %s for execution of %s successful",
- target_user, client_name, exec_cmd);
-
- }else{
- print_status(
- "Account %s: authorization for %s successful\n",
- target_user, client_name);
-
syslog(LOG_NOTICE,
- "Account %s: authorization for %s successful",
- target_user, client_name);
- }
- }else {
- if (cmd){
- if (exec_cmd){ /* was used to pass back the error msg */
- fprintf(stderr, "%s", exec_cmd );
- syslog(LOG_WARNING, "%s",exec_cmd);
- }
- fprintf(stderr,
- "Account %s: authorization for %s for execution of %s failed\n",
- target_user, client_name, cmd );
- syslog(LOG_WARNING,
- "Account %s: authorization for %s for execution of %s failed",
- target_user, client_name, cmd );
-
- }else{
- fprintf(stderr,
- "Account %s: authorization of %s failed\n",
- target_user, client_name);
- syslog(LOG_WARNING,
- "Account %s: authorization of %s failed",
- target_user, client_name);
-
- }
-
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
- }
-
- if( some_rest_copy){
- if ((retval = krb5_ccache_filter(ksu_context, cc_target, client))){
- com_err(prog_name,retval,"while calling cc_filter");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
- }
-
+ if ((retval = krb5_unparse_name(ksu_context, client, &client_name))) {
+ com_err (prog_name, retval, "When unparsing name");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
+ print_status("Authenticated %s\n", client_name);
+ syslog(LOG_NOTICE,"'%s %s' authenticated %s for %s%s",
+ prog_name,target_user,client_name,
+ source_user,ontty());
+
+ /* Run authorization as target.*/
+ if (krb5_seteuid(target_uid)) {
+ com_err(prog_name, errno, "while switching to target for authorization check");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
+ if ((retval = krb5_authorization(ksu_context, client,target_user,
+ cmd, &authorization_val, &exec_cmd))){
+ com_err(prog_name,retval,"while checking authorization");
+ krb5_seteuid(0); /*So we have some chance of sweeping up*/
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
+ if (krb5_seteuid(0)) {
+ com_err(prog_name, errno, "while switching back from target after authorization check");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ if
(authorization_val == TRUE){
+
+ if (cmd) {
+ print_status(
+ "Account %s: authorization for %s for execution of\n",
+ target_user, client_name);
+ print_status(" %s successful\n",exec_cmd);
+ syslog(LOG_NOTICE,
+ "Account %s: authorization for %s for execution of %s successful",
+ target_user, client_name, exec_cmd);
+
+ }else{
+ print_status(
+ "Account %s: authorization for %s successful\n",
+ target_user, client_name);
+ syslog(LOG_NOTICE,
+ "Account %s: authorization for %s successful",
+ target_user, client_name);
+ }
+ }else {
+ if (cmd){
+ if (exec_cmd){ /* was used to pass back the error msg */
+ fprintf(stderr, "%s", exec_cmd );
+ syslog(LOG_WARNING, "%s",exec_cmd);
+ }
+ fprintf(stderr,
+ "Account %s: authorization for %s for execution of %s failed\n",
+ target_user, client_name, cmd );
+ syslog(LOG_WARNING,
+ "Account %s: authorization for %s for execution of %s failed",
+ target_user, client_name, cmd );
+
+ }else{
+ fprintf(stderr,
+ "Account %s: authorization of %s failed\n",
+ target_user, client_name);
+ syslog(LOG_WARNING,
+ "Account %s: authorization of %s failed",
+ target_user, client_name);
+
+ }
+
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ }
+
+ if( some_rest_copy){
+ if ((retval = krb5_ccache_filter(ksu_context, cc_target, client))){
+ com_err(prog_name,retval,"while calling cc_filter");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ }
+
 if (all_rest_copy){
- if ((retval = krb5_cc_initialize(ksu_context, cc_target, client))){
- com_err(prog_name, retval,
- "while erasing target cache");
- exit(1);
- }
-
- }
-
- /* get the shell of the user, this will be the shell used by su */
+ if ((retval = krb5_cc_initialize(ksu_context, cc_target, client))){
+ com_err(prog_name, retval,
+ "while erasing target cache");
+ exit(1);
+ }
+
+ }
+
+ /* get the shell of the user, this will be the shell used by su */
 target_pwd = getpwnam(target_user);
-
+
 if (target_pwd->pw_shell)
- shell = xstrdup(target_pwd->pw_shell);
+ shell =
xstrdup(target_pwd->pw_shell);
 else {
- shell = _DEF_CSH; /* default is cshell */
+ shell = _DEF_CSH; /* default is cshell */
 }
-
+
 #ifdef HAVE_GETUSERSHELL
-
- /* insist that the target login uses a standard shell (root is omited) */
-
+
+ /* insist that the target login uses a standard shell (root is omited) */
+
 if (!standard_shell(target_pwd->pw_shell) && source_uid) {
- fprintf(stderr, "ksu: permission denied (shell).\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
+ fprintf(stderr, "ksu: permission denied (shell).\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
 }
 #endif /* HAVE_GETUSERSHELL */
-
+
 if (target_pwd->pw_uid){
-
- if(set_env_var("USER", target_pwd->pw_name)){
- fprintf(stderr,"ksu: couldn't set environment variable USER\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
- }
-
+
+ if(set_env_var("USER", target_pwd->pw_name)){
+ fprintf(stderr,"ksu: couldn't set environment variable USER\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ }
+
 if(set_env_var( "HOME", target_pwd->pw_dir)){
- fprintf(stderr,"ksu: couldn't set environment variable USER\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
+ fprintf(stderr,"ksu: couldn't set environment variable USER\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
 if(set_env_var( "SHELL", shell)){
- fprintf(stderr,"ksu: couldn't set environment variable USER\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
- /* set the cc env name to target */
-
+ fprintf(stderr,"ksu: couldn't set environment variable USER\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
+ /* set the cc env name to target */
+
 if(set_env_var( KRB5_ENV_CCNAME, cc_target_tag)){
- fprintf(stderr,"ksu: couldn't set environment variable %s\n",
- KRB5_ENV_CCNAME);
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
+ fprintf(stderr,"ksu: couldn't set environment variable %s\n",
+ KRB5_ENV_CCNAME);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
 /* set permissions */
 if
(setgid(target_pwd->pw_gid) < 0) {
- perror("ksu: setgid");
- sweep_up(ksu_context, cc_target);
- exit(1);
+ perror("ksu: setgid");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
 }
-
-
+
+
 if (initgroups(target_user, target_pwd->pw_gid)) {
- fprintf(stderr, "ksu: initgroups failed.\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
- if ( ! strcmp(target_user, source_user)){
- print_status("Leaving uid as %s (%ld)\n",
- target_user, (long) target_pwd->pw_uid);
+ fprintf(stderr, "ksu: initgroups failed.\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
+ if ( ! strcmp(target_user, source_user)){
+ print_status("Leaving uid as %s (%ld)\n",
+ target_user, (long) target_pwd->pw_uid);
 }else{
- print_status("Changing uid to %s (%ld)\n",
- target_user, (long) target_pwd->pw_uid);
+ print_status("Changing uid to %s (%ld)\n",
+ target_user, (long) target_pwd->pw_uid);
 }
-
-#ifdef HAVE_SETLUID
+
+#ifdef HAVE_SETLUID
 /*
 * If we're on a system which keeps track of login uids, then
 * set the login uid. If this fails this opens up a problem on DEC OSF
 * with C2 enabled.
*/
 if (setluid((uid_t) pwd->pw_uid) < 0) {
- perror("setluid");
- sweep_up(ksu_context, cc_target);
- exit(1);
+ perror("setluid");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
 }
-#endif /* HAVE_SETLUID */
-
+#endif /* HAVE_SETLUID */
+
 if (setuid(target_pwd->pw_uid) < 0) {
- perror("ksu: setuid");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
+ perror("ksu: setuid");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
 if (access( cc_target_tag_tmp, R_OK | W_OK )){
- com_err(prog_name, errno,
- "%s does not have correct permissions for %s, %s aborted",
- target_user, cc_target_tag_tmp, prog_name);
- exit(1);
+ com_err(prog_name, errno,
+ "%s does not have correct permissions for %s, %s aborted",
+ target_user, cc_target_tag_tmp, prog_name);
+ exit(1);
 }
-
+
 if ( cc_source)
- krb5_cc_close(ksu_context, cc_source);
-
+ krb5_cc_close(ksu_context, cc_source);
+
 if (cmd){
- if ((source_uid == 0) || (source_uid == target_uid )){
- exec_cmd = cmd;
- }
-
- if( !exec_cmd){
- fprintf(stderr,
- "Internal error: command %s did not get resolved\n",cmd);
- exit(1);
- }
-
- params[0] = exec_cmd;
+ if ((source_uid == 0) || (source_uid == target_uid )){
+ exec_cmd = cmd;
+ }
+
+ if( !exec_cmd){
+ fprintf(stderr,
+ "Internal error: command %s did not get resolved\n",cmd);
+ exit(1);
+ }
+
+ params[0] = exec_cmd;
 } else{
- params[0] = shell;
+ params[0] = shell;
 }
-
- if (auth_debug){
- fprintf(stderr, "program to be execed %s\n",params[0]);
+
+ if (auth_debug){
+ fprintf(stderr, "program to be execed %s\n",params[0]);
 }
-
+
 if( keep_target_cache ) {
- execv(params[0], params);
- com_err(prog_name, errno, "while trying to execv %s",
- params[0]);
- sweep_up(ksu_context, cc_target);
- exit(1);
+ execv(params[0], params);
+ com_err(prog_name, errno, "while trying to execv %s",
+ params[0]);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
 }else{
- statusp = 1;
- switch ((child_pid = fork())) {
- default:
- if (auth_debug){
- printf(" The child pid is %ld\n", (long) child_pid);
- printf(" The parent pid is %ld\n", (long) getpid());
- }
+ statusp = 1;
+ switch ((child_pid = fork())) {
+ default:
+ if (auth_debug){
+ printf(" The child pid is %ld\n", (long) child_pid);
+ printf(" The parent pid is %ld\n", (long) getpid());
+ }
 while ((ret_pid = waitpid(child_pid, &statusp, WUNTRACED)) != -1) {
- if (WIFSTOPPED(statusp)) {
- child_pgrp = tcgetpgrp(1);
- kill(getpid(), SIGSTOP);
- tcsetpgrp(1, child_pgrp);
- kill(child_pid, SIGCONT);
- statusp = 1;
- continue;
- }
- break;
+ if (WIFSTOPPED(statusp)) {
+ child_pgrp = tcgetpgrp(1);
+ kill(getpid(), SIGSTOP);
+ tcsetpgrp(1, child_pgrp);
+ kill(child_pid, SIGCONT);
+ statusp = 1;
+ continue;
+ }
+ break;
+ }
+ if (auth_debug){
+ printf("The exit status of the child is %d\n", statusp);
+ }
+ if (ret_pid == -1) {
+ com_err(prog_name, errno, "while calling waitpid");
 }
- if (auth_debug){
- printf("The exit status of the child is %d\n", statusp);
- }
- if (ret_pid == -1) {
- com_err(prog_name, errno, "while calling waitpid");
- }
- sweep_up(ksu_context, cc_target);
- exit (statusp);
- case -1:
- com_err(prog_name, errno, "while trying to fork.");
- sweep_up(ksu_context, cc_target);
- exit (1);
- case 0:
- execv(params[0], params);
- com_err(prog_name, errno, "while trying to execv %s", params[0]);
- exit (1);
- }
+ sweep_up(ksu_context, cc_target);
+ exit (statusp);
+ case -1:
+ com_err(prog_name, errno, "while trying to fork.");
+ sweep_up(ksu_context, cc_target);
+ exit (1);
+ case 0:
+ execv(params[0], params);
+ com_err(prog_name, errno, "while trying to execv %s", params[0]);
+ exit (1);
+ }
 }
 }
 #ifdef HAVE_GETUSERSHELL
 int standard_shell(sh)
-char *sh;
+ char *sh;
 {
 register char *cp;
 char *getusershell();
-
+
 while ((cp = getusershell()) != NULL)
- if (!strcmp(cp, sh))
- return (1);
- return (0);
+ if (!strcmp(cp, sh))
+ return (1);
+ return (0);
 }
-
+
 #endif /* HAVE_GETUSERSHELL */
 static char * ontty()
@@ -857,14 +858,14 @@ static char * ontty()
 char *p, *ttyname();
 static char buf[MAXPATHLEN + 5];
 int result;
-
+
 buf[0] = 0;
 if ((p = ttyname(STDERR_FILENO))) {
- result = snprintf(buf, sizeof(buf), " on %s", p);
- if (SNPRINTF_OVERFLOW(result, sizeof(buf))) {
- fprintf (stderr, "terminal name %s too long\n", p);
- exit (1);
- }
+ result = snprintf(buf, sizeof(buf), " on %s", p);
+ if (SNPRINTF_OVERFLOW(result, sizeof(buf))) {
+ fprintf (stderr, "terminal name %s too long\n", p);
+ exit (1);
+ }
 }
 return (buf);
 }
@@ -875,33 +876,33 @@ static int set_env_var(name, value)
 char *value;
 {
 char * env_var_buf;
-
- asprintf(&env_var_buf,"%s=%s",name, value);
+
+ asprintf(&env_var_buf,"%s=%s",name, value);
 return putenv(env_var_buf);
-
+
 }
 static void sweep_up(context, cc)
 krb5_context context;
 krb5_ccache cc;
 {
- krb5_error_code retval;
+ krb5_error_code retval;
 const char * cc_name;
 struct stat st_temp;
 krb5_seteuid(0);
 if (krb5_seteuid(target_uid) < 0) {
- com_err(prog_name, errno,
- "while changing to target uid for destroying ccache");
- exit(1);
+ com_err(prog_name, errno,
+ "while changing to target uid for destroying ccache");
+ exit(1);
 }
 cc_name = krb5_cc_get_name(context, cc);
 if ( ! stat(cc_name, &st_temp)){
- if ((retval = krb5_cc_destroy(context, cc))){
- com_err(prog_name, retval,
- "while destroying cache");
- }
+ if ((retval = krb5_cc_destroy(context, cc))){
+ com_err(prog_name, retval,
+ "while destroying cache");
+ }
 }
 }
@@ -926,16 +927,16 @@ get_params(optindex, pargc, pargv, params)
 int i,j;
 char ** ret_params;
 int size = pargc - *optindex + 2;
-
+
 if ((ret_params = (char **) calloc(size, sizeof (char *)))== NULL ){
- return ENOMEM;
+ return ENOMEM;
 }
-
+
 for (i = *optindex, j=1; i < pargc; i++,j++){
- ret_params[j] = pargv[i];
- *optindex = *optindex + 1;
+ ret_params[j] = pargv[i];
+ *optindex = *optindex + 1;
 }
-
+
 ret_params[size-1] = NULL;
 *params = ret_params;
 return 0;
@@ -945,8 +946,8 @@ static
 #ifdef HAVE_STDARG_H
 void print_status( const char *fmt, ...)
 #else
-void print_status (va_alist)
- va_dcl
+ void print_status (va_alist)
+ va_dcl
 #endif
 {
 va_list ap;
@@ -958,9 +959,9 @@ void print_status (va_alist)
 va_end(ap);
 #else
 if (! quiet){
- va_start(ap, fmt);
- vfprintf(stderr, fmt, ap);
- va_end(ap);
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
 }
 #endif
 }
@@ -969,20 +970,20 @@ void print_status (va_alist)
 char *get_dir_of_file(path)
 const char *path;
 {
- char * temp_path;
+ char * temp_path;
 char * ptr;
 temp_path = xstrdup(path);
-
+
 if ((ptr = strrchr( temp_path, '/'))) {
- *ptr = '\0';
+ *ptr = '\0';
 } else {
- free (temp_path);
- temp_path = xmalloc(MAXPATHLEN);
- if (temp_path)
- getcwd(temp_path, MAXPATHLEN);
+ free (temp_path);
+ temp_path = xmalloc(MAXPATHLEN);
+ if (temp_path)
+ getcwd(temp_path, MAXPATHLEN);
 }
- return temp_path;
+ return temp_path;
 }
 krb5_error_code
@@ -992,7 +993,7 @@ ksu_tgtname(context, server, client, tgtprinc)
 krb5_principal *tgtprinc;
 {
 return krb5_build_principal_ext(context, tgtprinc, client->length, client->data,
- KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
- server->length, server->data,
- 0);
+ KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
+ server->length, server->data,
+ 0);
 }
diff --git a/src/clients/ksu/setenv.c b/src/clients/ksu/setenv.c
index 056a478e5..6e8710df6 100644
--- a/src/clients/ksu/setenv.c
+++ b/src/clients/ksu/setenv.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
 /*
 * Copyright (c) 1987 Regents of the University of California.
 * All rights reserved.
@@ -15,7 +16,7 @@
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 */
-/* based on @(#)setenv.c 5.2 (Berkeley) 6/27/88 */
+/* based on @(#)setenv.c 5.2 (Berkeley) 6/27/88 */
 #include <sys/types.h>
 #include <stdio.h>
@@ -33,81 +34,81 @@ extern void unsetenv(char *);
 /*
 * setenv --
- * Set the value of the environmental variable "name" to be
- * "value". If rewrite is set, replace any current value.
+ * Set the value of the environmental variable "name" to be
+ * "value". If rewrite is set, replace any current value.
 */
 #ifndef HAVE_SETENV
 int
 setenv(name, value, rewrite)
- register char *name, *value;
- int rewrite;
+ register char *name, *value;
+ int rewrite;
 {
- extern char **environ;
- static int alloced; /* if allocated space before */
- register char *C;
- int l_value, offset;
+ extern char **environ;
+ static int alloced; /* if allocated space before */
+ register char *C;
+ int l_value, offset;
- if (*value == '=') /* no `=' in value */
- ++value;
- l_value = strlen(value);
- if ((C = _findenv(name, &offset))) { /* find if already exists */
- if (!rewrite)
- return(0);
- if (strlen(C) >= l_value) { /* old larger; copy over */
- while ((*C++ = *value++));
- return(0);
- }
- }
- else { /* create new slot */
- register int cnt;
- register char **P;
+ if (*value == '=') /* no `=' in value */
+ ++value;
+ l_value = strlen(value);
+ if ((C = _findenv(name, &offset))) { /* find if already exists */
+ if (!rewrite)
+ return(0);
+ if (strlen(C) >= l_value) { /* old larger; copy over */
+ while ((*C++ = *value++));
+ return(0);
+ }
+ }
+ else { /* create new slot */
+ register int cnt;
+ register char **P;
- for (P = environ, cnt = 0; *P; ++P, ++cnt);
- if (alloced) { /* just increase size */
- environ = (char **)realloc((char *)environ,
- (u_int)(sizeof(char *) * (cnt + 2)));
- if (!environ)
- return(-1);
- }
- else { /* get new space */
- alloced = 1; /* copy old entries into it */
- P = (char **)malloc((u_int)(sizeof(char *) *
- (cnt + 2)));
- if (!P)
- return(-1);
- memcpy(P, environ, cnt * sizeof(char *));
- environ = P;
- }
- environ[cnt + 1] = NULL;
- offset = cnt;
- }
- for (C = name; *C && *C != '='; ++C); /* no `=' in name */
- if (!(environ[offset] = /* name + `=' + value */
- malloc((u_int)((int)(C - name) + l_value + 2))))
- return(-1);
- for (C = environ[offset]; (*C = *name++) &&( *C != '='); ++C);
- for (*C++ = '='; (*C++ = *value++) != NULL;);
- return(0);
+ for (P = environ, cnt = 0; *P; ++P, ++cnt);
+ if (alloced) { /* just increase size */
+ environ = (char **)realloc((char *)environ,
+ (u_int)(sizeof(char *) * (cnt + 2)));
+ if (!environ)
+ return(-1);
+ }
+ else { /* get new space */
+ alloced = 1; /* copy old entries into it */
+ P = (char **)malloc((u_int)(sizeof(char *) *
+ (cnt + 2)));
+ if (!P)
+ return(-1);
+ memcpy(P, environ, cnt * sizeof(char *));
+ environ = P;
+ }
+ environ[cnt + 1] = NULL;
+ offset = cnt;
+ }
+ for (C = name; *C && *C != '='; ++C); /* no `=' in name */
+ if (!(environ[offset] = /* name + `=' + value */
+ malloc((u_int)((int)(C - name) + l_value + 2))))
+ return(-1);
+ for (C = environ[offset]; (*C = *name++) &&( *C != '='); ++C);
+ for (*C++ = '='; (*C++ = *value++) != NULL;);
+ return(0);
 }
 #endif
 /*
 * unsetenv(name) --
- * Delete environmental variable "name".
+ * Delete environmental variable "name".
 */
 #ifndef HAVE_UNSETENV
 void
 unsetenv(name)
- char *name;
+ char *name;
 {
- extern char **environ;
- register char **P;
- int offset;
+ extern char **environ;
+ register char **P;
+ int offset;
- while (_findenv(name, &offset)) /* if set multiple times */
- for (P = &environ[offset];; ++P)
- if (!(*P = *(P + 1)))
- break;
+ while (_findenv(name, &offset)) /* if set multiple times */
+ for (P = &environ[offset];; ++P)
+ if (!(*P = *(P + 1)))
+ break;
 }
 #endif
 /*
@@ -127,46 +128,46 @@ unsetenv(name)
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 */
-/* based on @(#)getenv.c 5.5 (Berkeley) 6/27/88 */
+/* based on @(#)getenv.c 5.5 (Berkeley) 6/27/88 */
 /*
 * getenv --
- * Returns ptr to value associated with name, if any, else NULL.
+ * Returns ptr to value associated with name, if any, else NULL.
 */
 #ifndef HAVE_GETENV
 char *
 getenv(name)
- char *name;
+ char *name;
 {
- int offset;
+ int offset;
- return(_findenv(name, &offset));
+ return(_findenv(name, &offset));
 }
 #endif
 /*
 * _findenv --
- * Returns pointer to value associated with name, if any, else NULL.
- * Sets offset to be the offset of the name/value combination in the
- * environmental array, for use by setenv(3) and unsetenv(3).
- * Explicitly removes '=' in argument name.
+ * Returns pointer to value associated with name, if any, else NULL.
+ * Sets offset to be the offset of the name/value combination in the
+ * environmental array, for use by setenv(3) and unsetenv(3).
+ * Explicitly removes '=' in argument name.
 *
 */
 static char *
 _findenv(name, offset)
- register char *name;
- int *offset;
+ register char *name;
+ int *offset;
 {
- extern char **environ;
- register int len;
- register char **P, *C;
+ extern char **environ;
+ register int len;
+ register char **P, *C;
- for (C = name, len = 0; *C && *C != '='; ++C, ++len);
- for (P = environ; *P; ++P)
- if (!strncmp(*P, name, len))
- if (*(C = *P + len) == '=') {
- *offset = P - environ;
- return(++C);
- }
- return(NULL);
+ for (C = name, len = 0; *C && *C != '='; ++C, ++len);
+ for (P = environ; *P; ++P)
+ if (!strncmp(*P, name, len))
+ if (*(C = *P + len) == '=') {
+ *offset = P - environ;
+ return(++C);
+ }
+ return(NULL);
 }
diff --git a/src/clients/ksu/xmalloc.c b/src/clients/ksu/xmalloc.c
index 44bdca16d..f88c0a652 100644
--- a/src/clients/ksu/xmalloc.c
+++ b/src/clients/ksu/xmalloc.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
 /*
 * clients/ksu/xmalloc.c
 *
@@ -8,7 +9,7 @@
 * require a specific license from the United States Government.
 * It is the responsibility of any person or organization contemplating
 * export to obtain such a license before exporting.
- *
+ *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
- *
+ *
 *
 * Perform simple allocation/copy operations, exiting on failure.
 */
@@ -35,8 +36,8 @@ void *xmalloc (size_t sz)
 {
 void *ret = malloc (sz);
 if (ret == 0 && sz != 0) {
- perror (prog_name);
- exit (1);
+ perror (prog_name);
+ exit (1);
 }
 return ret;
 }
@@ -45,8 +46,8 @@ void *xrealloc (void *old, size_t newsz)
 {
 void *ret = realloc (old, newsz);
 if (ret == 0 && newsz != 0) {
- perror (prog_name);
- exit (1);
+ perror (prog_name);
+ exit (1);
 }
 return ret;
 }
@@ -55,8 +56,8 @@ void *xcalloc (size_t nelts, size_t eltsz)
 {
 void *ret = calloc (nelts, eltsz);
 if (ret == 0 && nelts != 0 && eltsz != 0) {
- perror (prog_name);
- exit (1);
+ perror (prog_name);
+ exit (1);
 }
 return ret;
 }
@@ -76,8 +77,8 @@ char *xasprintf (const char *format, ...)
 va_start (args, format);
 if (vasprintf(&out, format, args) < 0) {
- perror (prog_name);
- exit (1);
+ perror (prog_name);
+ exit (1);
 }
 va_end(args);
 return out;
|
