diff options
Diffstat (limited to '0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals.patch')
-rw-r--r-- | 0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals.patch | 369 |
1 files changed, 369 insertions, 0 deletions
diff --git a/0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals.patch b/0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals.patch new file mode 100644 index 0000000..262e7c7 --- /dev/null +++ b/0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals.patch @@ -0,0 +1,369 @@ +From 9ebae7cb434b9b177c0af85c67a6d6267f46bc68 Mon Sep 17 00:00:00 2001 +From: Nalin Dahyabhai <nalin@redhat.com> +Date: Fri, 1 Nov 2013 09:48:13 -0400 +Subject: [PATCH 2/7] In ksu, don't stat() not-on-disk ccache residuals + +Don't assume that ccache residual names are filenames which we can +stat() usefully. Instead, use helper functions to call the library +routines to try to read the default principal name from caches, and +use whether or not that succeeds as an indication of whether or not +there's a ccache in a given location. + +ticket: 7728 +--- + src/clients/ksu/ccache.c | 60 ++++++++++++++++++++-------------- + src/clients/ksu/heuristic.c | 13 ++------ + src/clients/ksu/ksu.h | 8 +++-- + src/clients/ksu/main.c | 79 +++++++++------------------------------------ + 4 files changed, 60 insertions(+), 100 deletions(-) + +diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c +index 118fc53..5f57279 100644 +--- a/src/clients/ksu/ccache.c ++++ b/src/clients/ksu/ccache.c +@@ -62,12 +62,9 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, + { + int i=0; + krb5_ccache * cc_other; +- const char * cc_def_name; +- const char * cc_other_name; + krb5_error_code retval=0; + krb5_creds ** cc_def_creds_arr = NULL; + krb5_creds ** cc_other_creds_arr = NULL; +- struct stat st_temp; + + cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache)); + +@@ -76,16 +73,13 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, + return retval; + } + +- cc_def_name = krb5_cc_get_name(context, cc_def); +- cc_other_name = krb5_cc_get_name(context, *cc_other); +- +- if ( ! stat(cc_def_name, &st_temp)){ ++ if (ks_ccache_is_initialized(context, cc_def)) { + if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){ + return retval; + } + } + +- if (!lstat( cc_other_name, &st_temp)) ++ if (ks_ccache_name_is_initialized(context, cc_other_tag)) + return EINVAL; + + if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { +@@ -540,24 +534,18 @@ krb5_error_code krb5_ccache_overwrite(context, ccs, cct, primary_principal) + krb5_ccache cct; + krb5_principal primary_principal; + { +- const char * cct_name; +- const char * ccs_name; + krb5_error_code retval=0; + krb5_principal temp_principal; + krb5_creds ** ccs_creds_arr = NULL; + int i=0; +- struct stat st_temp; + +- ccs_name = krb5_cc_get_name(context, ccs); +- cct_name = krb5_cc_get_name(context, cct); +- +- if ( ! stat(ccs_name, &st_temp)){ ++ if (ks_ccache_is_initialized(context, ccs)) { + if ((retval = krb5_get_nonexp_tkts(context, ccs, &ccs_creds_arr))){ + return retval; + } + } + +- if ( ! stat(cct_name, &st_temp)){ ++ if (ks_ccache_is_initialized(context, cct)) { + if ((retval = krb5_cc_get_principal(context, cct, &temp_principal))){ + return retval; + } +@@ -643,12 +631,10 @@ krb5_error_code krb5_ccache_filter (context, cc, prst) + krb5_creds ** cc_creds_arr = NULL; + const char * cc_name; + krb5_boolean stored; +- struct stat st_temp; + + cc_name = krb5_cc_get_name(context, cc); + +- if ( ! stat(cc_name, &st_temp)){ +- ++ if (ks_ccache_is_initialized(context, cc)) { + if (auth_debug) { + fprintf(stderr,"putting cache %s through a filter for -z option\n", cc_name); + } +@@ -713,12 +699,8 @@ krb5_error_code krb5_find_princ_in_cache (context, cc, princ, found) + { + krb5_error_code retval; + krb5_creds ** creds_list = NULL; +- const char * cc_name; +- struct stat st_temp; +- +- cc_name = krb5_cc_get_name(context, cc); + +- if ( ! stat(cc_name, &st_temp)){ ++ if (ks_ccache_is_initialized(context, cc)) { + if ((retval = krb5_get_nonexp_tkts(context, cc, &creds_list))){ + return retval; + } +@@ -727,3 +709,33 @@ krb5_error_code krb5_find_princ_in_cache (context, cc, princ, found) + *found = krb5_find_princ_in_cred_list(context, creds_list, princ); + return 0; + } ++ ++krb5_boolean ++ks_ccache_name_is_initialized(krb5_context context, const char *cctag) ++{ ++ krb5_boolean result; ++ krb5_ccache cc; ++ ++ if (krb5_cc_resolve(context, cctag, &cc) != 0) ++ return FALSE; ++ result = ks_ccache_is_initialized(context, cc); ++ krb5_cc_close(context, cc); ++ ++ return result; ++} ++ ++krb5_boolean ++ks_ccache_is_initialized(krb5_context context, krb5_ccache cc) ++{ ++ krb5_principal princ; ++ krb5_error_code retval; ++ ++ if (cc == NULL) ++ return FALSE; ++ ++ retval = krb5_cc_get_principal(context, cc, &princ); ++ if (retval == 0) ++ krb5_free_principal(context, princ); ++ ++ return retval == 0; ++} +diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c +index 99b54e5..f73b8eb 100644 +--- a/src/clients/ksu/heuristic.c ++++ b/src/clients/ksu/heuristic.c +@@ -397,12 +397,8 @@ krb5_error_code find_either_ticket (context, cc, client, end_server, found) + krb5_principal kdc_server; + krb5_error_code retval; + krb5_boolean temp_found = FALSE; +- const char * cc_source_name; +- struct stat st_temp; + +- cc_source_name = krb5_cc_get_name(context, cc); +- +- if ( ! stat(cc_source_name, &st_temp)){ ++ if (ks_ccache_is_initialized(context, cc)) { + + retval = find_ticket(context, cc, client, end_server, &temp_found); + if (retval) +@@ -539,7 +535,6 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid, + { + + princ_info princ_trials[10]; +- const char * cc_source_name; + krb5_principal cc_def_princ = NULL; + krb5_principal temp_client; + krb5_principal target_client; +@@ -551,7 +546,6 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid, + struct stat tb; + int count =0; + int i; +- struct stat st_temp; + + *path_out = 0; + +@@ -559,10 +553,7 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid, + if (options->princ) + return 0; + +- cc_source_name = krb5_cc_get_name(context, cc_source); +- +- +- if (! stat(cc_source_name, &st_temp)) { ++ if (ks_ccache_is_initialized(context, cc_source)) { + retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ); + if (retval) + return retval; +diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h +index 9e0c613..e1e34f1 100644 +--- a/src/clients/ksu/ksu.h ++++ b/src/clients/ksu/ksu.h +@@ -141,6 +141,12 @@ extern krb5_error_code krb5_store_some_creds + (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **, + krb5_principal, krb5_boolean *); + ++extern krb5_boolean ks_ccache_name_is_initialized ++(krb5_context, const char *); ++ ++extern krb5_boolean ks_ccache_is_initialized ++(krb5_context, krb5_ccache); ++ + extern krb5_error_code krb5_ccache_refresh + (krb5_context, krb5_ccache); + +@@ -198,8 +204,6 @@ extern int standard_shell (char *); + + extern krb5_error_code get_params (int *, int, char **, char ***); + +-extern char *get_dir_of_file (const char *); +- + /* heuristic.c */ + extern krb5_error_code get_all_princ_from_file (FILE *, char ***); + +diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c +index 62f3bc0..8c49f94 100644 +--- a/src/clients/ksu/main.c ++++ b/src/clients/ksu/main.c +@@ -51,7 +51,6 @@ static void print_status( const char *fmt, ...) + __attribute__ ((__format__ (__printf__, 1, 2))) + #endif + ; +-char * get_dir_of_file(); + + /* Note -e and -a options are mutually exclusive */ + /* insure the proper specification of target user as well as catching +@@ -96,7 +95,6 @@ main (argc, argv) + const char * cc_source_tag = NULL; + uid_t source_gid; + const char * cc_source_tag_tmp = NULL; +- char * cc_target_tag_tmp=NULL; + char * cmd = NULL, * exec_cmd = NULL; + int errflg = 0; + krb5_boolean auth_val; +@@ -112,11 +110,9 @@ main (argc, argv) + extern char * getpass(), *crypt(); + int pargc; + char ** pargv; +- struct stat st_temp; + krb5_boolean stored = FALSE; + krb5_principal kdc_server; + krb5_boolean zero_password; +- char * dir_of_cc_target; + krb5_boolean restrict_creds; + + options.opt = KRB5_DEFAULT_OPTIONS; +@@ -266,9 +262,10 @@ main (argc, argv) + if ( strchr(cc_source_tag, ':')){ + cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1; + +- if( stat( cc_source_tag_tmp, &st_temp)){ ++ if (!ks_ccache_name_is_initialized(ksu_context, ++ cc_source_tag)) { + com_err(prog_name, errno, +- _("while looking for credentials file %s"), ++ _("while looking for credentials cache %s"), + cc_source_tag_tmp); + exit (1); + } +@@ -419,32 +416,18 @@ main (argc, argv) + exit(1); + } + +- if (cc_target_tag == NULL) { +- +- cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE ,sizeof(char)); +- /* make sure that the new ticket file does not already exist +- This is run as source_uid because it is reasonable to +- require the source user to have write to where the target +- cache will be created.*/ +- +- do { +- snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d", +- KRB5_SECONDARY_CACHE, +- (long) target_uid, gen_sym()); +- cc_target_tag_tmp = strchr(cc_target_tag, ':') + 1; +- +- }while ( !stat ( cc_target_tag_tmp, &st_temp)); +- } +- +- +- dir_of_cc_target = get_dir_of_file(cc_target_tag_tmp); +- +- if (access(dir_of_cc_target, R_OK | W_OK )){ +- fprintf(stderr, +- _("%s does not have correct permissions for %s\n"), +- source_user, cc_target_tag); +- exit(1); +- } ++ /* ++ * Make sure that the new ticket file does not already exist. ++ * This is run as source_uid because it is reasonable to ++ * require the source user to have write to where the target ++ * cache will be created. ++ */ ++ cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE, sizeof(char)); ++ do { ++ snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d", ++ KRB5_SECONDARY_CACHE, ++ (long)target_uid, gen_sym()); ++ } while (ks_ccache_name_is_initialized(ksu_context, cc_target_tag)); + + if (auth_debug){ + fprintf(stderr, " source cache = %s\n", cc_source_tag); +@@ -747,13 +730,6 @@ main (argc, argv) + exit(1); + } + +- if (access( cc_target_tag_tmp, R_OK | W_OK )){ +- com_err(prog_name, errno, +- _("%s does not have correct permissions for %s, %s aborted"), +- target_user, cc_target_tag_tmp, prog_name); +- exit(1); +- } +- + if ( cc_source) + krb5_cc_close(ksu_context, cc_source); + +@@ -873,8 +849,6 @@ static void sweep_up(context, cc) + krb5_ccache cc; + { + krb5_error_code retval; +- const char * cc_name; +- struct stat st_temp; + + krb5_seteuid(0); + if (krb5_seteuid(target_uid) < 0) { +@@ -883,8 +857,7 @@ static void sweep_up(context, cc) + exit(1); + } + +- cc_name = krb5_cc_get_name(context, cc); +- if ( ! stat(cc_name, &st_temp)){ ++ if (ks_ccache_is_initialized(context, cc)) { + if ((retval = krb5_cc_destroy(context, cc))) + com_err(prog_name, retval, _("while destroying cache")); + } +@@ -937,26 +910,6 @@ void print_status(const char *fmt, ...) + } + } + +- +-char *get_dir_of_file(path) +- const char *path; +-{ +- char * temp_path; +- char * ptr; +- +- temp_path = xstrdup(path); +- +- if ((ptr = strrchr( temp_path, '/'))) { +- *ptr = '\0'; +- } else { +- free (temp_path); +- temp_path = xmalloc(MAXPATHLEN); +- if (temp_path) +- getcwd(temp_path, MAXPATHLEN); +- } +- return temp_path; +-} +- + krb5_error_code + ksu_tgtname(context, server, client, tgtprinc) + krb5_context context; +-- +2.0.4 + |