Diffstat (limited to '0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch')
-rw-r--r--0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch230
1 files changed, 230 insertions, 0 deletions
diff --git a/0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch b/0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch
new file mode 100644
index 0000000..ac7baa1
--- /dev/null
+++ b/0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch
@@ -0,0 +1,230 @@
+From 74e775ac6d937c9d22be4fc1d429e5e62705fb7d Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Thu, 24 Jul 2014 15:39:53 -0400
+Subject: [PATCH 1/7] In ksu, merge krb5_ccache_copy() and _restricted()
+
+Other than whether or not they limit the creds it stores to the new
+ccache based on the principal name of the client for whom the creds were
+issued, there's no meaningful difference between what these two
+functions do. Merge them.
+---
+ src/clients/ksu/ccache.c | 106 ++++++-----------------------------------------
+ src/clients/ksu/ksu.h | 6 +--
+ src/clients/ksu/main.c | 27 ++++--------
+ 3 files changed, 22 insertions(+), 117 deletions(-)
+
+diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
+index 9916c75..118fc53 100644
+--- a/src/clients/ksu/ccache.c
++++ b/src/clients/ksu/ccache.c
+@@ -47,12 +47,14 @@ void show_credential();
+ */
+
+ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
+- primary_principal, cc_out, stored, target_uid)
++ primary_principal, restrict_creds, cc_out,
++ stored, target_uid)
+ /* IN */
+ krb5_context context;
+ krb5_ccache cc_def;
+ char *cc_other_tag;
+ krb5_principal primary_principal;
++ krb5_boolean restrict_creds;
+ uid_t target_uid;
+ /* OUT */
+ krb5_ccache *cc_out;
+@@ -83,9 +85,6 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
+ }
+ }
+
+- *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr,
+- primary_principal);
+-
+ if (!lstat( cc_other_name, &st_temp))
+ return EINVAL;
+
+@@ -98,8 +97,16 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
+ return retval;
+ }
+
+- retval = krb5_store_all_creds(context, * cc_other, cc_def_creds_arr,
+- cc_other_creds_arr);
++ if (restrict_creds) {
++ retval = krb5_store_some_creds(context, *cc_other, cc_def_creds_arr,
++ cc_other_creds_arr, primary_principal,
++ stored);
++ } else {
++ *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr,
++ primary_principal);
++ retval = krb5_store_all_creds(context, *cc_other, cc_def_creds_arr,
++ cc_other_creds_arr);
++ }
+
+ if (cc_def_creds_arr){
+ while (cc_def_creds_arr[i]){
+@@ -623,93 +630,6 @@ krb5_error_code krb5_store_some_creds(context, cc, creds_def, creds_other, prst,
+ *stored = temp_stored;
+ return 0;
+ }
+-/******************************************************************
+-krb5_cache_copy_restricted
+-
+-gets rid of any expired tickets in the secondary cache,
+-copies the default cache into the secondary cache,
+-only credentials that are for prst are copied.
+-
+-the algorithm may look a bit funny,
+-but I had to do it this way, since cc_remove function did not come
+-with k5 beta 3 release.
+-************************************************************************/
+-
+-krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag,
+- prst, cc_out, stored, target_uid)
+- krb5_context context;
+- krb5_ccache cc_def;
+- char *cc_other_tag;
+- krb5_principal prst;
+- uid_t target_uid;
+- /* OUT */
+- krb5_ccache *cc_out;
+- krb5_boolean *stored;
+-{
+-
+- int i=0;
+- krb5_ccache * cc_other;
+- const char * cc_def_name;
+- const char * cc_other_name;
+- krb5_error_code retval=0;
+- krb5_creds ** cc_def_creds_arr = NULL;
+- krb5_creds ** cc_other_creds_arr = NULL;
+- struct stat st_temp;
+-
+- cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache));
+-
+- if ((retval = krb5_cc_resolve(context, cc_other_tag, cc_other))){
+- com_err(prog_name, retval, _("resolving ccache %s"), cc_other_tag);
+- return retval;
+- }
+-
+- cc_def_name = krb5_cc_get_name(context, cc_def);
+- cc_other_name = krb5_cc_get_name(context, *cc_other);
+-
+- if ( ! stat(cc_def_name, &st_temp)){
+- if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
+- return retval;
+- }
+-
+- }
+-
+- if (!lstat( cc_other_name, &st_temp)) {
+- return EINVAL;
+- }
+-
+- if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
+- return errno;
+- }
+-
+-
+- if ((retval = krb5_cc_initialize(context, *cc_other, prst))){
+- return retval;
+- }
+-
+- retval = krb5_store_some_creds(context, * cc_other,
+- cc_def_creds_arr, cc_other_creds_arr, prst, stored);
+-
+-
+-
+- if (cc_def_creds_arr){
+- while (cc_def_creds_arr[i]){
+- krb5_free_creds(context, cc_def_creds_arr[i]);
+- i++;
+- }
+- }
+-
+- i=0;
+-
+- if(cc_other_creds_arr){
+- while (cc_other_creds_arr[i]){
+- krb5_free_creds(context, cc_other_creds_arr[i]);
+- i++;
+- }
+- }
+-
+- *cc_out = *cc_other;
+- return retval;
+-}
+
+ krb5_error_code krb5_ccache_filter (context, cc, prst)
+ krb5_context context;
+diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
+index f2c0811..9e0c613 100644
+--- a/src/clients/ksu/ksu.h
++++ b/src/clients/ksu/ksu.h
+@@ -107,7 +107,7 @@ extern krb5_error_code get_best_principal
+ /* ccache.c */
+ extern krb5_error_code krb5_ccache_copy
+ (krb5_context, krb5_ccache, char *, krb5_principal,
+- krb5_ccache *, krb5_boolean *, uid_t);
++ krb5_boolean, krb5_ccache *, krb5_boolean *, uid_t);
+
+ extern krb5_error_code krb5_store_all_creds
+ (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **);
+@@ -141,10 +141,6 @@ extern krb5_error_code krb5_store_some_creds
+ (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **,
+ krb5_principal, krb5_boolean *);
+
+-extern krb5_error_code krb5_ccache_copy_restricted
+-(krb5_context, krb5_ccache, char *, krb5_principal,
+- krb5_ccache *, krb5_boolean *, uid_t);
+-
+ extern krb5_error_code krb5_ccache_refresh
+ (krb5_context, krb5_ccache);
+
+diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
+index 233eb52..62f3bc0 100644
+--- a/src/clients/ksu/main.c
++++ b/src/clients/ksu/main.c
+@@ -117,6 +117,7 @@ main (argc, argv)
+ krb5_principal kdc_server;
+ krb5_boolean zero_password;
+ char * dir_of_cc_target;
++ krb5_boolean restrict_creds;
+
+ options.opt = KRB5_DEFAULT_OPTIONS;
+ options.lifetime = KRB5_DEFAULT_TKT_LIFE;
+@@ -464,25 +465,13 @@ main (argc, argv)
+ then only the credentials for that particular user
+ should be copied */
+
+- if ((source_uid == 0) && (target_uid != 0)) {
+-
+- if ((retval = krb5_ccache_copy_restricted(ksu_context, cc_source,
+- cc_target_tag, client,
+- &cc_target, &stored,
+- target_uid))){
+- com_err(prog_name, retval, _("while copying cache %s to %s"),
+- krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
+- exit(1);
+- }
+-
+- } else {
+- if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag,
+- client,&cc_target, &stored, target_uid))) {
+- com_err(prog_name, retval, _("while copying cache %s to %s"),
+- krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
+- exit(1);
+- }
+-
++ restrict_creds = (source_uid == 0) && (target_uid != 0);
++ retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag, client,
++ restrict_creds, &cc_target, &stored, target_uid);
++ if (retval) {
++ com_err(prog_name, retval, _("while copying cache %s to %s"),
++ krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
++ exit(1);
+ }
+
+ /* Become root for authentication*/
+--
+2.0.4
+
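Review bot: The header comment above krb5_ccache_copy (only its closing `*/` is inside the first ccache.c hunk, the text itself is outside it) is not updated for the new `restrict_creds` parameter, while the removed krb5_ccache_copy_restricted comment that explained "only credentials that are for prst are copied" is deleted with it. I would extend that comment with: `restrict_creds: if true, only creds issued to primary_principal are stored (via krb5_store_some_creds); otherwise all non-expired creds are copied and *stored reports whether one for primary_principal was present.` Note also that `*stored` is now assigned only on the path that reaches the store calls — the old unrestricted code set it before the lstat()/EINVAL return — which looks harmless because main() exits on a nonzero retval, but the comment should state that `*stored` is meaningful only when 0 is returned. In main.c, a one-line comment on `restrict_creds = (source_uid == 0) && (target_uid != 0);` such as `/* root switching to a non-root user: copy only that user's creds */` would make the policy explicit at the point where it is decided.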