diff options
Diffstat (limited to '0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch')
-rw-r--r-- | 0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch | 230 |
1 files changed, 0 insertions, 230 deletions
diff --git a/0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch b/0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch deleted file mode 100644 index ac7baa1..0000000 --- a/0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch +++ /dev/null @@ -1,230 +0,0 @@ -From 74e775ac6d937c9d22be4fc1d429e5e62705fb7d Mon Sep 17 00:00:00 2001 -From: Nalin Dahyabhai <nalin@redhat.com> -Date: Thu, 24 Jul 2014 15:39:53 -0400 -Subject: [PATCH 1/7] In ksu, merge krb5_ccache_copy() and _restricted() - -Other than whether or not they limit the creds it stores to the new -ccache based on the principal name of the client for whom the creds were -issued, there's no meaningful difference between what these two -functions do. Merge them. ---- - src/clients/ksu/ccache.c | 106 ++++++----------------------------------------- - src/clients/ksu/ksu.h | 6 +-- - src/clients/ksu/main.c | 27 ++++-------- - 3 files changed, 22 insertions(+), 117 deletions(-) - -diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c -index 9916c75..118fc53 100644 ---- a/src/clients/ksu/ccache.c -+++ b/src/clients/ksu/ccache.c -@@ -47,12 +47,14 @@ void show_credential(); - */ - - krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, -- primary_principal, cc_out, stored, target_uid) -+ primary_principal, restrict_creds, cc_out, -+ stored, target_uid) - /* IN */ - krb5_context context; - krb5_ccache cc_def; - char *cc_other_tag; - krb5_principal primary_principal; -+ krb5_boolean restrict_creds; - uid_t target_uid; - /* OUT */ - krb5_ccache *cc_out; -@@ -83,9 +85,6 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, - } - } - -- *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr, -- primary_principal); -- - if (!lstat( cc_other_name, &st_temp)) - return EINVAL; - -@@ -98,8 +97,16 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, - return retval; - } - -- retval = krb5_store_all_creds(context, * cc_other, cc_def_creds_arr, -- cc_other_creds_arr); -+ if (restrict_creds) { -+ retval = krb5_store_some_creds(context, *cc_other, cc_def_creds_arr, -+ cc_other_creds_arr, primary_principal, -+ stored); -+ } else { -+ *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr, -+ primary_principal); -+ retval = krb5_store_all_creds(context, *cc_other, cc_def_creds_arr, -+ cc_other_creds_arr); -+ } - - if (cc_def_creds_arr){ - while (cc_def_creds_arr[i]){ -@@ -623,93 +630,6 @@ krb5_error_code krb5_store_some_creds(context, cc, creds_def, creds_other, prst, - *stored = temp_stored; - return 0; - } --/****************************************************************** --krb5_cache_copy_restricted -- --gets rid of any expired tickets in the secondary cache, --copies the default cache into the secondary cache, --only credentials that are for prst are copied. -- --the algorithm may look a bit funny, --but I had to do it this way, since cc_remove function did not come --with k5 beta 3 release. --************************************************************************/ -- --krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag, -- prst, cc_out, stored, target_uid) -- krb5_context context; -- krb5_ccache cc_def; -- char *cc_other_tag; -- krb5_principal prst; -- uid_t target_uid; -- /* OUT */ -- krb5_ccache *cc_out; -- krb5_boolean *stored; --{ -- -- int i=0; -- krb5_ccache * cc_other; -- const char * cc_def_name; -- const char * cc_other_name; -- krb5_error_code retval=0; -- krb5_creds ** cc_def_creds_arr = NULL; -- krb5_creds ** cc_other_creds_arr = NULL; -- struct stat st_temp; -- -- cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache)); -- -- if ((retval = krb5_cc_resolve(context, cc_other_tag, cc_other))){ -- com_err(prog_name, retval, _("resolving ccache %s"), cc_other_tag); -- return retval; -- } -- -- cc_def_name = krb5_cc_get_name(context, cc_def); -- cc_other_name = krb5_cc_get_name(context, *cc_other); -- -- if ( ! stat(cc_def_name, &st_temp)){ -- if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){ -- return retval; -- } -- -- } -- -- if (!lstat( cc_other_name, &st_temp)) { -- return EINVAL; -- } -- -- if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { -- return errno; -- } -- -- -- if ((retval = krb5_cc_initialize(context, *cc_other, prst))){ -- return retval; -- } -- -- retval = krb5_store_some_creds(context, * cc_other, -- cc_def_creds_arr, cc_other_creds_arr, prst, stored); -- -- -- -- if (cc_def_creds_arr){ -- while (cc_def_creds_arr[i]){ -- krb5_free_creds(context, cc_def_creds_arr[i]); -- i++; -- } -- } -- -- i=0; -- -- if(cc_other_creds_arr){ -- while (cc_other_creds_arr[i]){ -- krb5_free_creds(context, cc_other_creds_arr[i]); -- i++; -- } -- } -- -- *cc_out = *cc_other; -- return retval; --} - - krb5_error_code krb5_ccache_filter (context, cc, prst) - krb5_context context; -diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h -index f2c0811..9e0c613 100644 ---- a/src/clients/ksu/ksu.h -+++ b/src/clients/ksu/ksu.h -@@ -107,7 +107,7 @@ extern krb5_error_code get_best_principal - /* ccache.c */ - extern krb5_error_code krb5_ccache_copy - (krb5_context, krb5_ccache, char *, krb5_principal, -- krb5_ccache *, krb5_boolean *, uid_t); -+ krb5_boolean, krb5_ccache *, krb5_boolean *, uid_t); - - extern krb5_error_code krb5_store_all_creds - (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **); -@@ -141,10 +141,6 @@ extern krb5_error_code krb5_store_some_creds - (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **, - krb5_principal, krb5_boolean *); - --extern krb5_error_code krb5_ccache_copy_restricted --(krb5_context, krb5_ccache, char *, krb5_principal, -- krb5_ccache *, krb5_boolean *, uid_t); -- - extern krb5_error_code krb5_ccache_refresh - (krb5_context, krb5_ccache); - -diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c -index 233eb52..62f3bc0 100644 ---- a/src/clients/ksu/main.c -+++ b/src/clients/ksu/main.c -@@ -117,6 +117,7 @@ main (argc, argv) - krb5_principal kdc_server; - krb5_boolean zero_password; - char * dir_of_cc_target; -+ krb5_boolean restrict_creds; - - options.opt = KRB5_DEFAULT_OPTIONS; - options.lifetime = KRB5_DEFAULT_TKT_LIFE; -@@ -464,25 +465,13 @@ main (argc, argv) - then only the credentials for that particular user - should be copied */ - -- if ((source_uid == 0) && (target_uid != 0)) { -- -- if ((retval = krb5_ccache_copy_restricted(ksu_context, cc_source, -- cc_target_tag, client, -- &cc_target, &stored, -- target_uid))){ -- com_err(prog_name, retval, _("while copying cache %s to %s"), -- krb5_cc_get_name(ksu_context, cc_source), cc_target_tag); -- exit(1); -- } -- -- } else { -- if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag, -- client,&cc_target, &stored, target_uid))) { -- com_err(prog_name, retval, _("while copying cache %s to %s"), -- krb5_cc_get_name(ksu_context, cc_source), cc_target_tag); -- exit(1); -- } -- -+ restrict_creds = (source_uid == 0) && (target_uid != 0); -+ retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag, client, -+ restrict_creds, &cc_target, &stored, target_uid); -+ if (retval) { -+ com_err(prog_name, retval, _("while copying cache %s to %s"), -+ krb5_cc_get_name(ksu_context, cc_source), cc_target_tag); -+ exit(1); - } - - /* Become root for authentication*/ --- -2.0.4 - |