diff options
Diffstat (limited to '0006-Use-more-randomness-for-ksu-secondary-cache-names.patch')
-rw-r--r-- | 0006-Use-more-randomness-for-ksu-secondary-cache-names.patch | 115 |
1 files changed, 115 insertions, 0 deletions
diff --git a/0006-Use-more-randomness-for-ksu-secondary-cache-names.patch b/0006-Use-more-randomness-for-ksu-secondary-cache-names.patch new file mode 100644 index 0000000..da8a32a --- /dev/null +++ b/0006-Use-more-randomness-for-ksu-secondary-cache-names.patch @@ -0,0 +1,115 @@ +From 69c8e20b18577781e17c5959e23514134dfb5755 Mon Sep 17 00:00:00 2001 +From: Nalin Dahyabhai <nalin@redhat.com> +Date: Thu, 24 Jul 2014 16:43:21 -0400 +Subject: [PATCH 6/7] Use more randomness for ksu secondary cache names + +When generating a suffix to append to a ccache name that will hold the +credentials for a ksu-invoked process, instead of using integers +counting up from 1, use the result of base64-encoding six randomly- +generated octets. Tweak the output alphabet just a bit to avoid using +'+' or '/' in the generated names, the latter of which could really +confuse things. +--- + src/clients/ksu/ccache.c | 27 +++++++++++++++++++++++---- + src/clients/ksu/ksu.h | 2 +- + src/clients/ksu/main.c | 16 ++++++++++++---- + 3 files changed, 36 insertions(+), 9 deletions(-) + +diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c +index 0f9e042..a0736f2 100644 +--- a/src/clients/ksu/ccache.c ++++ b/src/clients/ksu/ccache.c +@@ -27,6 +27,7 @@ + */ + + #include "ksu.h" ++#include "k5-base64.h" + #include "adm_proto.h" + #include <sys/types.h> + #include <sys/stat.h> +@@ -504,10 +505,28 @@ show_credential(context, cred, cc) + free(sname); + } + +-int gen_sym(){ +- static int i = 0; +- i ++; +- return i; ++/* Create a random string suitable for a filename extension. */ ++krb5_error_code ++gen_sym(krb5_context context, char **sym_out) ++{ ++ krb5_error_code retval; ++ char bytes[6], *p, *sym; ++ krb5_data data = make_data(bytes, sizeof(bytes)); ++ ++ *sym_out = NULL; ++ retval = krb5_c_random_make_octets(context, &data); ++ if (retval) ++ return retval; ++ sym = k5_base64_encode(data.data, data.length); ++ if (sym == NULL) ++ return ENOMEM; ++ /* Tweak the output alphabet just a bit. */ ++ while ((p = strchr(sym, '/')) != NULL) ++ *p = '_'; ++ while ((p = strchr(sym, '+')) != NULL) ++ *p = '-'; ++ *sym_out = sym; ++ return 0; + } + + krb5_error_code krb5_ccache_overwrite(context, ccs, cct, primary_principal) +diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h +index fbbf217..5ba5ceb 100644 +--- a/src/clients/ksu/ksu.h ++++ b/src/clients/ksu/ksu.h +@@ -130,7 +130,7 @@ extern krb5_error_code krb5_get_login_princ + extern void show_credential + (krb5_context, krb5_creds *, krb5_ccache); + +-extern int gen_sym (void); ++krb5_error_code gen_sym(krb5_context context, char **sym); + + extern krb5_error_code krb5_ccache_overwrite + (krb5_context, krb5_ccache, krb5_ccache, krb5_principal); +diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c +index 41a3bf8..47fa820 100644 +--- a/src/clients/ksu/main.c ++++ b/src/clients/ksu/main.c +@@ -856,7 +856,7 @@ resolve_target_cache(krb5_context context, krb5_principal princ, + krb5_error_code retval; + krb5_boolean switchable, reused = FALSE; + krb5_ccache ccache = NULL; +- char *sep, *ccname = NULL, *target; ++ char *sep, *ccname = NULL, *sym = NULL, *target; + + *ccache_out = NULL; + *ccache_reused = FALSE; +@@ -876,12 +876,20 @@ resolve_target_cache(krb5_context context, krb5_principal princ, + * the name of a cache that doesn't exist yet. */ + do { + free(ccname); +- if (asprintf(&ccname, "%s.%d", target, gen_sym()) < 0) { ++ retval = gen_sym(context, &sym); ++ if (retval) { ++ com_err(prog_name, retval, ++ _("while generating part of the target ccache name")); ++ return retval; ++ } ++ if (asprintf(&ccname, "%s.%s", target, sym) < 0) { + retval = ENOMEM; +- com_err(prog_name, ENOMEM, +- _("while allocating memory for target ccache name")); ++ free(sym); ++ com_err(prog_name, retval, _("while allocating memory for the " ++ "target ccache name")); + goto cleanup; + } ++ free(sym); + } while (ks_ccache_name_is_initialized(context, ccname)); + retval = krb5_cc_resolve(context, ccname, &ccache); + } else { +-- +2.0.4 + |