summaryrefslogtreecommitdiffstats
path: root/0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals.patch
diff options
context:
space:
mode:
Diffstat (limited to '0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals.patch')
-rw-r--r--0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals.patch369
1 files changed, 369 insertions, 0 deletions
diff --git a/0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals.patch b/0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals.patch
new file mode 100644
index 0000000..262e7c7
--- /dev/null
+++ b/0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals.patch
@@ -0,0 +1,369 @@
+From 9ebae7cb434b9b177c0af85c67a6d6267f46bc68 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Fri, 1 Nov 2013 09:48:13 -0400
+Subject: [PATCH 2/7] In ksu, don't stat() not-on-disk ccache residuals
+
+Don't assume that ccache residual names are filenames which we can
+stat() usefully. Instead, use helper functions to call the library
+routines to try to read the default principal name from caches, and
+use whether or not that succeeds as an indication of whether or not
+there's a ccache in a given location.
+
+ticket: 7728
+---
+ src/clients/ksu/ccache.c | 60 ++++++++++++++++++++--------------
+ src/clients/ksu/heuristic.c | 13 ++------
+ src/clients/ksu/ksu.h | 8 +++--
+ src/clients/ksu/main.c | 79 +++++++++------------------------------------
+ 4 files changed, 60 insertions(+), 100 deletions(-)
+
+diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
+index 118fc53..5f57279 100644
+--- a/src/clients/ksu/ccache.c
++++ b/src/clients/ksu/ccache.c
+@@ -62,12 +62,9 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
+ {
+ int i=0;
+ krb5_ccache * cc_other;
+- const char * cc_def_name;
+- const char * cc_other_name;
+ krb5_error_code retval=0;
+ krb5_creds ** cc_def_creds_arr = NULL;
+ krb5_creds ** cc_other_creds_arr = NULL;
+- struct stat st_temp;
+
+ cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache));
+
+@@ -76,16 +73,13 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
+ return retval;
+ }
+
+- cc_def_name = krb5_cc_get_name(context, cc_def);
+- cc_other_name = krb5_cc_get_name(context, *cc_other);
+-
+- if ( ! stat(cc_def_name, &st_temp)){
++ if (ks_ccache_is_initialized(context, cc_def)) {
+ if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
+ return retval;
+ }
+ }
+
+- if (!lstat( cc_other_name, &st_temp))
++ if (ks_ccache_name_is_initialized(context, cc_other_tag))
+ return EINVAL;
+
+ if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
+@@ -540,24 +534,18 @@ krb5_error_code krb5_ccache_overwrite(context, ccs, cct, primary_principal)
+ krb5_ccache cct;
+ krb5_principal primary_principal;
+ {
+- const char * cct_name;
+- const char * ccs_name;
+ krb5_error_code retval=0;
+ krb5_principal temp_principal;
+ krb5_creds ** ccs_creds_arr = NULL;
+ int i=0;
+- struct stat st_temp;
+
+- ccs_name = krb5_cc_get_name(context, ccs);
+- cct_name = krb5_cc_get_name(context, cct);
+-
+- if ( ! stat(ccs_name, &st_temp)){
++ if (ks_ccache_is_initialized(context, ccs)) {
+ if ((retval = krb5_get_nonexp_tkts(context, ccs, &ccs_creds_arr))){
+ return retval;
+ }
+ }
+
+- if ( ! stat(cct_name, &st_temp)){
++ if (ks_ccache_is_initialized(context, cct)) {
+ if ((retval = krb5_cc_get_principal(context, cct, &temp_principal))){
+ return retval;
+ }
+@@ -643,12 +631,10 @@ krb5_error_code krb5_ccache_filter (context, cc, prst)
+ krb5_creds ** cc_creds_arr = NULL;
+ const char * cc_name;
+ krb5_boolean stored;
+- struct stat st_temp;
+
+ cc_name = krb5_cc_get_name(context, cc);
+
+- if ( ! stat(cc_name, &st_temp)){
+-
++ if (ks_ccache_is_initialized(context, cc)) {
+ if (auth_debug) {
+ fprintf(stderr,"putting cache %s through a filter for -z option\n", cc_name);
+ }
+@@ -713,12 +699,8 @@ krb5_error_code krb5_find_princ_in_cache (context, cc, princ, found)
+ {
+ krb5_error_code retval;
+ krb5_creds ** creds_list = NULL;
+- const char * cc_name;
+- struct stat st_temp;
+-
+- cc_name = krb5_cc_get_name(context, cc);
+
+- if ( ! stat(cc_name, &st_temp)){
++ if (ks_ccache_is_initialized(context, cc)) {
+ if ((retval = krb5_get_nonexp_tkts(context, cc, &creds_list))){
+ return retval;
+ }
+@@ -727,3 +709,33 @@ krb5_error_code krb5_find_princ_in_cache (context, cc, princ, found)
+ *found = krb5_find_princ_in_cred_list(context, creds_list, princ);
+ return 0;
+ }
++
++krb5_boolean
++ks_ccache_name_is_initialized(krb5_context context, const char *cctag)
++{
++ krb5_boolean result;
++ krb5_ccache cc;
++
++ if (krb5_cc_resolve(context, cctag, &cc) != 0)
++ return FALSE;
++ result = ks_ccache_is_initialized(context, cc);
++ krb5_cc_close(context, cc);
++
++ return result;
++}
++
++krb5_boolean
++ks_ccache_is_initialized(krb5_context context, krb5_ccache cc)
++{
++ krb5_principal princ;
++ krb5_error_code retval;
++
++ if (cc == NULL)
++ return FALSE;
++
++ retval = krb5_cc_get_principal(context, cc, &princ);
++ if (retval == 0)
++ krb5_free_principal(context, princ);
++
++ return retval == 0;
++}
+diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c
+index 99b54e5..f73b8eb 100644
+--- a/src/clients/ksu/heuristic.c
++++ b/src/clients/ksu/heuristic.c
+@@ -397,12 +397,8 @@ krb5_error_code find_either_ticket (context, cc, client, end_server, found)
+ krb5_principal kdc_server;
+ krb5_error_code retval;
+ krb5_boolean temp_found = FALSE;
+- const char * cc_source_name;
+- struct stat st_temp;
+
+- cc_source_name = krb5_cc_get_name(context, cc);
+-
+- if ( ! stat(cc_source_name, &st_temp)){
++ if (ks_ccache_is_initialized(context, cc)) {
+
+ retval = find_ticket(context, cc, client, end_server, &temp_found);
+ if (retval)
+@@ -539,7 +535,6 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
+ {
+
+ princ_info princ_trials[10];
+- const char * cc_source_name;
+ krb5_principal cc_def_princ = NULL;
+ krb5_principal temp_client;
+ krb5_principal target_client;
+@@ -551,7 +546,6 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
+ struct stat tb;
+ int count =0;
+ int i;
+- struct stat st_temp;
+
+ *path_out = 0;
+
+@@ -559,10 +553,7 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
+ if (options->princ)
+ return 0;
+
+- cc_source_name = krb5_cc_get_name(context, cc_source);
+-
+-
+- if (! stat(cc_source_name, &st_temp)) {
++ if (ks_ccache_is_initialized(context, cc_source)) {
+ retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ);
+ if (retval)
+ return retval;
+diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
+index 9e0c613..e1e34f1 100644
+--- a/src/clients/ksu/ksu.h
++++ b/src/clients/ksu/ksu.h
+@@ -141,6 +141,12 @@ extern krb5_error_code krb5_store_some_creds
+ (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **,
+ krb5_principal, krb5_boolean *);
+
++extern krb5_boolean ks_ccache_name_is_initialized
++(krb5_context, const char *);
++
++extern krb5_boolean ks_ccache_is_initialized
++(krb5_context, krb5_ccache);
++
+ extern krb5_error_code krb5_ccache_refresh
+ (krb5_context, krb5_ccache);
+
+@@ -198,8 +204,6 @@ extern int standard_shell (char *);
+
+ extern krb5_error_code get_params (int *, int, char **, char ***);
+
+-extern char *get_dir_of_file (const char *);
+-
+ /* heuristic.c */
+ extern krb5_error_code get_all_princ_from_file (FILE *, char ***);
+
+diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
+index 62f3bc0..8c49f94 100644
+--- a/src/clients/ksu/main.c
++++ b/src/clients/ksu/main.c
+@@ -51,7 +51,6 @@ static void print_status( const char *fmt, ...)
+ __attribute__ ((__format__ (__printf__, 1, 2)))
+ #endif
+ ;
+-char * get_dir_of_file();
+
+ /* Note -e and -a options are mutually exclusive */
+ /* insure the proper specification of target user as well as catching
+@@ -96,7 +95,6 @@ main (argc, argv)
+ const char * cc_source_tag = NULL;
+ uid_t source_gid;
+ const char * cc_source_tag_tmp = NULL;
+- char * cc_target_tag_tmp=NULL;
+ char * cmd = NULL, * exec_cmd = NULL;
+ int errflg = 0;
+ krb5_boolean auth_val;
+@@ -112,11 +110,9 @@ main (argc, argv)
+ extern char * getpass(), *crypt();
+ int pargc;
+ char ** pargv;
+- struct stat st_temp;
+ krb5_boolean stored = FALSE;
+ krb5_principal kdc_server;
+ krb5_boolean zero_password;
+- char * dir_of_cc_target;
+ krb5_boolean restrict_creds;
+
+ options.opt = KRB5_DEFAULT_OPTIONS;
+@@ -266,9 +262,10 @@ main (argc, argv)
+ if ( strchr(cc_source_tag, ':')){
+ cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
+
+- if( stat( cc_source_tag_tmp, &st_temp)){
++ if (!ks_ccache_name_is_initialized(ksu_context,
++ cc_source_tag)) {
+ com_err(prog_name, errno,
+- _("while looking for credentials file %s"),
++ _("while looking for credentials cache %s"),
+ cc_source_tag_tmp);
+ exit (1);
+ }
+@@ -419,32 +416,18 @@ main (argc, argv)
+ exit(1);
+ }
+
+- if (cc_target_tag == NULL) {
+-
+- cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE ,sizeof(char));
+- /* make sure that the new ticket file does not already exist
+- This is run as source_uid because it is reasonable to
+- require the source user to have write to where the target
+- cache will be created.*/
+-
+- do {
+- snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d",
+- KRB5_SECONDARY_CACHE,
+- (long) target_uid, gen_sym());
+- cc_target_tag_tmp = strchr(cc_target_tag, ':') + 1;
+-
+- }while ( !stat ( cc_target_tag_tmp, &st_temp));
+- }
+-
+-
+- dir_of_cc_target = get_dir_of_file(cc_target_tag_tmp);
+-
+- if (access(dir_of_cc_target, R_OK | W_OK )){
+- fprintf(stderr,
+- _("%s does not have correct permissions for %s\n"),
+- source_user, cc_target_tag);
+- exit(1);
+- }
++ /*
++ * Make sure that the new ticket file does not already exist.
++ * This is run as source_uid because it is reasonable to
++ * require the source user to have write to where the target
++ * cache will be created.
++ */
++ cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE, sizeof(char));
++ do {
++ snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d",
++ KRB5_SECONDARY_CACHE,
++ (long)target_uid, gen_sym());
++ } while (ks_ccache_name_is_initialized(ksu_context, cc_target_tag));
+
+ if (auth_debug){
+ fprintf(stderr, " source cache = %s\n", cc_source_tag);
+@@ -747,13 +730,6 @@ main (argc, argv)
+ exit(1);
+ }
+
+- if (access( cc_target_tag_tmp, R_OK | W_OK )){
+- com_err(prog_name, errno,
+- _("%s does not have correct permissions for %s, %s aborted"),
+- target_user, cc_target_tag_tmp, prog_name);
+- exit(1);
+- }
+-
+ if ( cc_source)
+ krb5_cc_close(ksu_context, cc_source);
+
+@@ -873,8 +849,6 @@ static void sweep_up(context, cc)
+ krb5_ccache cc;
+ {
+ krb5_error_code retval;
+- const char * cc_name;
+- struct stat st_temp;
+
+ krb5_seteuid(0);
+ if (krb5_seteuid(target_uid) < 0) {
+@@ -883,8 +857,7 @@ static void sweep_up(context, cc)
+ exit(1);
+ }
+
+- cc_name = krb5_cc_get_name(context, cc);
+- if ( ! stat(cc_name, &st_temp)){
++ if (ks_ccache_is_initialized(context, cc)) {
+ if ((retval = krb5_cc_destroy(context, cc)))
+ com_err(prog_name, retval, _("while destroying cache"));
+ }
+@@ -937,26 +910,6 @@ void print_status(const char *fmt, ...)
+ }
+ }
+
+-
+-char *get_dir_of_file(path)
+- const char *path;
+-{
+- char * temp_path;
+- char * ptr;
+-
+- temp_path = xstrdup(path);
+-
+- if ((ptr = strrchr( temp_path, '/'))) {
+- *ptr = '\0';
+- } else {
+- free (temp_path);
+- temp_path = xmalloc(MAXPATHLEN);
+- if (temp_path)
+- getcwd(temp_path, MAXPATHLEN);
+- }
+- return temp_path;
+-}
+-
+ krb5_error_code
+ ksu_tgtname(context, server, client, tgtprinc)
+ krb5_context context;
+--
+2.0.4
+
generated by cgit (git 2.34.1) at 2024-05-31 06:53:03 +0000