diff options
Diffstat (limited to '0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch')
-rw-r--r-- | 0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch | 230 |
1 files changed, 230 insertions, 0 deletions
diff --git a/0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch b/0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch new file mode 100644 index 0000000..ac7baa1 --- /dev/null +++ b/0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch @@ -0,0 +1,230 @@ +From 74e775ac6d937c9d22be4fc1d429e5e62705fb7d Mon Sep 17 00:00:00 2001 +From: Nalin Dahyabhai <nalin@redhat.com> +Date: Thu, 24 Jul 2014 15:39:53 -0400 +Subject: [PATCH 1/7] In ksu, merge krb5_ccache_copy() and _restricted() + +Other than whether or not they limit the creds it stores to the new +ccache based on the principal name of the client for whom the creds were +issued, there's no meaningful difference between what these two +functions do. Merge them. +--- + src/clients/ksu/ccache.c | 106 ++++++----------------------------------------- + src/clients/ksu/ksu.h | 6 +-- + src/clients/ksu/main.c | 27 ++++-------- + 3 files changed, 22 insertions(+), 117 deletions(-) + +diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c +index 9916c75..118fc53 100644 +--- a/src/clients/ksu/ccache.c ++++ b/src/clients/ksu/ccache.c +@@ -47,12 +47,14 @@ void show_credential(); + */ + + krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, +- primary_principal, cc_out, stored, target_uid) ++ primary_principal, restrict_creds, cc_out, ++ stored, target_uid) + /* IN */ + krb5_context context; + krb5_ccache cc_def; + char *cc_other_tag; + krb5_principal primary_principal; ++ krb5_boolean restrict_creds; + uid_t target_uid; + /* OUT */ + krb5_ccache *cc_out; +@@ -83,9 +85,6 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, + } + } + +- *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr, +- primary_principal); +- + if (!lstat( cc_other_name, &st_temp)) + return EINVAL; + +@@ -98,8 +97,16 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, + return retval; + } + +- retval = krb5_store_all_creds(context, * cc_other, cc_def_creds_arr, +- cc_other_creds_arr); ++ if (restrict_creds) { ++ retval = krb5_store_some_creds(context, *cc_other, cc_def_creds_arr, ++ cc_other_creds_arr, primary_principal, ++ stored); ++ } else { ++ *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr, ++ primary_principal); ++ retval = krb5_store_all_creds(context, *cc_other, cc_def_creds_arr, ++ cc_other_creds_arr); ++ } + + if (cc_def_creds_arr){ + while (cc_def_creds_arr[i]){ +@@ -623,93 +630,6 @@ krb5_error_code krb5_store_some_creds(context, cc, creds_def, creds_other, prst, + *stored = temp_stored; + return 0; + } +-/****************************************************************** +-krb5_cache_copy_restricted +- +-gets rid of any expired tickets in the secondary cache, +-copies the default cache into the secondary cache, +-only credentials that are for prst are copied. +- +-the algorithm may look a bit funny, +-but I had to do it this way, since cc_remove function did not come +-with k5 beta 3 release. +-************************************************************************/ +- +-krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag, +- prst, cc_out, stored, target_uid) +- krb5_context context; +- krb5_ccache cc_def; +- char *cc_other_tag; +- krb5_principal prst; +- uid_t target_uid; +- /* OUT */ +- krb5_ccache *cc_out; +- krb5_boolean *stored; +-{ +- +- int i=0; +- krb5_ccache * cc_other; +- const char * cc_def_name; +- const char * cc_other_name; +- krb5_error_code retval=0; +- krb5_creds ** cc_def_creds_arr = NULL; +- krb5_creds ** cc_other_creds_arr = NULL; +- struct stat st_temp; +- +- cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache)); +- +- if ((retval = krb5_cc_resolve(context, cc_other_tag, cc_other))){ +- com_err(prog_name, retval, _("resolving ccache %s"), cc_other_tag); +- return retval; +- } +- +- cc_def_name = krb5_cc_get_name(context, cc_def); +- cc_other_name = krb5_cc_get_name(context, *cc_other); +- +- if ( ! stat(cc_def_name, &st_temp)){ +- if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){ +- return retval; +- } +- +- } +- +- if (!lstat( cc_other_name, &st_temp)) { +- return EINVAL; +- } +- +- if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { +- return errno; +- } +- +- +- if ((retval = krb5_cc_initialize(context, *cc_other, prst))){ +- return retval; +- } +- +- retval = krb5_store_some_creds(context, * cc_other, +- cc_def_creds_arr, cc_other_creds_arr, prst, stored); +- +- +- +- if (cc_def_creds_arr){ +- while (cc_def_creds_arr[i]){ +- krb5_free_creds(context, cc_def_creds_arr[i]); +- i++; +- } +- } +- +- i=0; +- +- if(cc_other_creds_arr){ +- while (cc_other_creds_arr[i]){ +- krb5_free_creds(context, cc_other_creds_arr[i]); +- i++; +- } +- } +- +- *cc_out = *cc_other; +- return retval; +-} + + krb5_error_code krb5_ccache_filter (context, cc, prst) + krb5_context context; +diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h +index f2c0811..9e0c613 100644 +--- a/src/clients/ksu/ksu.h ++++ b/src/clients/ksu/ksu.h +@@ -107,7 +107,7 @@ extern krb5_error_code get_best_principal + /* ccache.c */ + extern krb5_error_code krb5_ccache_copy + (krb5_context, krb5_ccache, char *, krb5_principal, +- krb5_ccache *, krb5_boolean *, uid_t); ++ krb5_boolean, krb5_ccache *, krb5_boolean *, uid_t); + + extern krb5_error_code krb5_store_all_creds + (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **); +@@ -141,10 +141,6 @@ extern krb5_error_code krb5_store_some_creds + (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **, + krb5_principal, krb5_boolean *); + +-extern krb5_error_code krb5_ccache_copy_restricted +-(krb5_context, krb5_ccache, char *, krb5_principal, +- krb5_ccache *, krb5_boolean *, uid_t); +- + extern krb5_error_code krb5_ccache_refresh + (krb5_context, krb5_ccache); + +diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c +index 233eb52..62f3bc0 100644 +--- a/src/clients/ksu/main.c ++++ b/src/clients/ksu/main.c +@@ -117,6 +117,7 @@ main (argc, argv) + krb5_principal kdc_server; + krb5_boolean zero_password; + char * dir_of_cc_target; ++ krb5_boolean restrict_creds; + + options.opt = KRB5_DEFAULT_OPTIONS; + options.lifetime = KRB5_DEFAULT_TKT_LIFE; +@@ -464,25 +465,13 @@ main (argc, argv) + then only the credentials for that particular user + should be copied */ + +- if ((source_uid == 0) && (target_uid != 0)) { +- +- if ((retval = krb5_ccache_copy_restricted(ksu_context, cc_source, +- cc_target_tag, client, +- &cc_target, &stored, +- target_uid))){ +- com_err(prog_name, retval, _("while copying cache %s to %s"), +- krb5_cc_get_name(ksu_context, cc_source), cc_target_tag); +- exit(1); +- } +- +- } else { +- if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag, +- client,&cc_target, &stored, target_uid))) { +- com_err(prog_name, retval, _("while copying cache %s to %s"), +- krb5_cc_get_name(ksu_context, cc_source), cc_target_tag); +- exit(1); +- } +- ++ restrict_creds = (source_uid == 0) && (target_uid != 0); ++ retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag, client, ++ restrict_creds, &cc_target, &stored, target_uid); ++ if (retval) { ++ com_err(prog_name, retval, _("while copying cache %s to %s"), ++ krb5_cc_get_name(ksu_context, cc_source), cc_target_tag); ++ exit(1); + } + + /* Become root for authentication*/ +-- +2.0.4 + |