Diffstat (limited to '0005-Be-more-careful-of-target-ccache-collections.patch')
-rw-r--r-- | 0005-Be-more-careful-of-target-ccache-collections.patch | 179 |
1 files changed, 179 insertions, 0 deletions
diff --git a/0005-Be-more-careful-of-target-ccache-collections.patch b/0005-Be-more-careful-of-target-ccache-collections.patch
new file mode 100644
index 0000000..5f9de36
--- /dev/null
+++ b/0005-Be-more-careful-of-target-ccache-collections.patch
@@ -0,0 +1,179 @@
+From 5286fddf967af8952bd9d42d6d1ec1ddfcc159ad Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@dahyabhai.net>
+Date: Wed, 30 Oct 2013 21:34:27 -0400
+Subject: [PATCH 5/6] Be more careful of target ccache collections
+
+When copying credentials to a cache collection, take care to avoid
+generating multiple caches for a single client principal, but don't
+change the primary out from anyone who might already be using the
+target collection.
+---
+ src/clients/ksu/ccache.c | 62 ++++++++++++++++++++++++++++++++++++++++++------
+ src/clients/ksu/ksu.h | 2 +-
+ src/clients/ksu/main.c | 11 +++++++--
+ 3 files changed, 65 insertions(+), 10 deletions(-)
+
+diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
+index 90ba2f2..2a97893 100644
+--- a/src/clients/ksu/ccache.c
++++ b/src/clients/ksu/ccache.c
+@@ -48,7 +48,7 @@ void show_credential();
+ 
+ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
+ primary_principal, destroy_def,
+- cc_out, stored, target_uid)
++ cc_out, stored, reused, target_uid)
+ /* IN */
+ krb5_context context;
+ krb5_ccache cc_def;
+@@ -59,10 +59,12 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
+ /* OUT */
+ krb5_ccache *cc_out;
+ krb5_boolean *stored;
++ krb5_boolean *reused;
+ {
+ int i=0;
+ krb5_ccache * cc_other;
+ const char * cc_other_type;
++ char * saved_cc_default_name;
+ krb5_error_code retval=0;
+ krb5_creds ** cc_def_creds_arr = NULL;
+ krb5_creds ** cc_other_creds_arr = NULL;
+@@ -99,9 +101,33 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
+ return errno;
+ }
+ 
+-
+- if ((retval = krb5_cc_initialize(context, *cc_other, primary_principal))){
+- return retval;
++ if (krb5_cc_support_switch(context, cc_other_type)) {
++ *reused = TRUE;
++ krb5_cc_close(context, *cc_other);
++ saved_cc_default_name = strdup(krb5_cc_default_name(context));
++ krb5_cc_set_default_name(context, cc_other_tag);
++ if (krb5_cc_cache_match(context, primary_principal, 
cc_other) != 0) {
++ *reused = FALSE;
++ retval = krb5_cc_new_unique(context, cc_other_type, NULL,
++ cc_other);
++ if (retval) {
++ krb5_cc_set_default_name(context, saved_cc_default_name);
++ free(saved_cc_default_name);
++ return retval;
++ }
++ }
++ retval = krb5_cc_initialize(context, *cc_other, primary_principal);
++ krb5_cc_set_default_name(context, saved_cc_default_name);
++ free(saved_cc_default_name);
++ if (retval) {
++ return retval;
++ }
++ } else {
++ *reused = FALSE;
++ retval = krb5_cc_initialize(context, *cc_other, primary_principal);
++ if (retval) {
++ return retval;
++ }
+ }
+ 
+ retval = krb5_store_all_creds(context, * cc_other, cc_def_creds_arr,
+@@ -650,6 +676,7 @@ krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag,
+ int i=0;
+ krb5_ccache * cc_other;
+ const char * cc_other_type;
++ char * saved_cc_default_name;
+ krb5_error_code retval=0;
+ krb5_creds ** cc_def_creds_arr = NULL;
+ krb5_creds ** cc_other_creds_arr = NULL;
+@@ -677,9 +704,30 @@ krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag,
+ return errno;
+ }
+ 
+-
+- if ((retval = krb5_cc_initialize(context, *cc_other, prst))){
+- return retval;
++ if (krb5_cc_support_switch(context, cc_other_type)) {
++ krb5_cc_close(context, *cc_other);
++ saved_cc_default_name = strdup(krb5_cc_default_name(context));
++ krb5_cc_set_default_name(context, cc_other_tag);
++ if (krb5_cc_cache_match(context, prst, cc_other) != 0) {
++ retval = krb5_cc_new_unique(context, cc_other_type, NULL,
++ cc_other);
++ if (retval) {
++ krb5_cc_set_default_name(context, saved_cc_default_name);
++ free(saved_cc_default_name);
++ return retval;
++ }
++ }
++ retval = krb5_cc_initialize(context, *cc_other, prst);
++ if (retval) {
++ return retval;
++ }
++ krb5_cc_set_default_name(context, saved_cc_default_name);
++ free(saved_cc_default_name);
++ } else {
++ retval = krb5_cc_initialize(context, *cc_other, prst);
++ if (retval) {
++ return retval;
++ }
+ }
+ 
+ retval = 
krb5_store_some_creds(context, * cc_other,
+diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
+index a195f52..b3ef7b9 100644
+--- a/src/clients/ksu/ksu.h
++++ b/src/clients/ksu/ksu.h
+@@ -108,7 +108,7 @@ extern krb5_error_code get_best_principal
+ /* ccache.c */
+ extern krb5_error_code krb5_ccache_copy
+ (krb5_context, krb5_ccache, char *, krb5_principal,
+- krb5_boolean, krb5_ccache *, krb5_boolean *, uid_t);
++ krb5_boolean, krb5_ccache *, krb5_boolean *, krb5_boolean *, uid_t);
+ 
+ extern krb5_error_code krb5_store_all_creds
+ (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **);
+diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
+index 58df6a1..1c0c822 100644
+--- a/src/clients/ksu/main.c
++++ b/src/clients/ksu/main.c
+@@ -117,6 +117,7 @@ main (argc, argv)
+ int pargc;
+ char ** pargv;
+ krb5_boolean stored = FALSE;
++ krb5_boolean reused = FALSE;
+ krb5_principal kdc_server;
+ krb5_boolean zero_password;
+ 
+@@ -523,7 +524,8 @@ main (argc, argv)
+ } else {
+ 
+ retval = krb5_ccache_copy(ksu_context, cc_source, KRB5_TEMPORARY_CACHE,
+- client, FALSE, &cc_tmp, &stored, 0);
++ client, FALSE, &cc_tmp, &stored, &reused,
++ 0);
+ if (retval) {
+ com_err(prog_name, retval, _("while copying cache %s to %s"),
+ krb5_cc_get_name(ksu_context, cc_source),
+@@ -801,7 +803,7 @@ main (argc, argv)
+ 
+ retval = krb5_ccache_copy(ksu_context, cc_tmp, cc_target_tag,
+ client, TRUE, &cc_target, &stored,
+- target_pwd->pw_uid);
++ &reused, target_pwd->pw_uid);
+ if (retval) {
+ com_err(prog_name, retval, _("while copying cache %s to %s"),
+ krb5_cc_get_name(ksu_context, cc_tmp), cc_target_tag);
+@@ -825,6 +827,11 @@ main (argc, argv)
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
++ if (reused && !keep_target_cache) {
++ print_status(_("Reusing cache %s, it will not be removed.\n"),
++ cc_target_tag);
++ keep_target_cache = TRUE;
++ }
+ krb5_free_string(ksu_context, cc_target_tag);
+ } else {
+ com_err(prog_name, retval, _("while reading cache name from 
%s"),
+--
+1.8.5.3
+
|
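Review bot: In krb5_ccache_copy_restricted the new `krb5_cc_initialize` failure path returns before `krb5_cc_set_default_name(context, saved_cc_default_name)` and `free(saved_cc_default_name)` run, so an initialize error leaves the process default ccache name pointing at cc_other_tag and leaks the saved copy, whereas krb5_ccache_copy restores first and then tests retval. The restricted variant should use the same order: `retval = krb5_cc_initialize(context, *cc_other, prst);` then `krb5_cc_set_default_name(context, saved_cc_default_name);` and `free(saved_cc_default_name);`, and only after that `if (retval) return retval;`. In both functions the result of strdup() is stored unchecked; if it is NULL the later krb5_cc_set_default_name call would presumably reset to the library default rather than the saved name, so a NULL check returning ENOMEM (with the default name left untouched) belongs right after the strdup. The return value of krb5_cc_set_default_name is also discarded at every call site, so a failed switch would silently proceed with cache matching against the wrong collection. Both enclosing functions begin and end outside the inner hunks of this patch.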