summaryrefslogtreecommitdiffstats
path: root/0006-Use-more-randomness-for-ksu-secondary-cache-names.patch
diff options
context:
space:
mode:
Diffstat (limited to '0006-Use-more-randomness-for-ksu-secondary-cache-names.patch')
-rw-r--r--0006-Use-more-randomness-for-ksu-secondary-cache-names.patch115
1 files changed, 115 insertions, 0 deletions
diff --git a/0006-Use-more-randomness-for-ksu-secondary-cache-names.patch b/0006-Use-more-randomness-for-ksu-secondary-cache-names.patch
new file mode 100644
index 0000000..da8a32a
--- /dev/null
+++ b/0006-Use-more-randomness-for-ksu-secondary-cache-names.patch
@@ -0,0 +1,115 @@
+From 69c8e20b18577781e17c5959e23514134dfb5755 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Thu, 24 Jul 2014 16:43:21 -0400
+Subject: [PATCH 6/7] Use more randomness for ksu secondary cache names
+
+When generating a suffix to append to a ccache name that will hold the
+credentials for a ksu-invoked process, instead of using integers
+counting up from 1, use the result of base64-encoding six randomly-
+generated octets. Tweak the output alphabet just a bit to avoid using
+'+' or '/' in the generated names, the latter of which could really
+confuse things.
+---
+ src/clients/ksu/ccache.c | 27 +++++++++++++++++++++++----
+ src/clients/ksu/ksu.h | 2 +-
+ src/clients/ksu/main.c | 16 ++++++++++++----
+ 3 files changed, 36 insertions(+), 9 deletions(-)
+
+diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
+index 0f9e042..a0736f2 100644
+--- a/src/clients/ksu/ccache.c
++++ b/src/clients/ksu/ccache.c
+@@ -27,6 +27,7 @@
+ */
+
+ #include "ksu.h"
++#include "k5-base64.h"
+ #include "adm_proto.h"
+ #include <sys/types.h>
+ #include <sys/stat.h>
+@@ -504,10 +505,28 @@ show_credential(context, cred, cc)
+ free(sname);
+ }
+
+-int gen_sym(){
+- static int i = 0;
+- i ++;
+- return i;
++/* Create a random string suitable for a filename extension. */
++krb5_error_code
++gen_sym(krb5_context context, char **sym_out)
++{
++ krb5_error_code retval;
++ char bytes[6], *p, *sym;
++ krb5_data data = make_data(bytes, sizeof(bytes));
++
++ *sym_out = NULL;
++ retval = krb5_c_random_make_octets(context, &data);
++ if (retval)
++ return retval;
++ sym = k5_base64_encode(data.data, data.length);
++ if (sym == NULL)
++ return ENOMEM;
++ /* Tweak the output alphabet just a bit. */
++ while ((p = strchr(sym, '/')) != NULL)
++ *p = '_';
++ while ((p = strchr(sym, '+')) != NULL)
++ *p = '-';
++ *sym_out = sym;
++ return 0;
+ }
+
+ krb5_error_code krb5_ccache_overwrite(context, ccs, cct, primary_principal)
+diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
+index fbbf217..5ba5ceb 100644
+--- a/src/clients/ksu/ksu.h
++++ b/src/clients/ksu/ksu.h
+@@ -130,7 +130,7 @@ extern krb5_error_code krb5_get_login_princ
+ extern void show_credential
+ (krb5_context, krb5_creds *, krb5_ccache);
+
+-extern int gen_sym (void);
++krb5_error_code gen_sym(krb5_context context, char **sym);
+
+ extern krb5_error_code krb5_ccache_overwrite
+ (krb5_context, krb5_ccache, krb5_ccache, krb5_principal);
+diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
+index 41a3bf8..47fa820 100644
+--- a/src/clients/ksu/main.c
++++ b/src/clients/ksu/main.c
+@@ -856,7 +856,7 @@ resolve_target_cache(krb5_context context, krb5_principal princ,
+ krb5_error_code retval;
+ krb5_boolean switchable, reused = FALSE;
+ krb5_ccache ccache = NULL;
+- char *sep, *ccname = NULL, *target;
++ char *sep, *ccname = NULL, *sym = NULL, *target;
+
+ *ccache_out = NULL;
+ *ccache_reused = FALSE;
+@@ -876,12 +876,20 @@ resolve_target_cache(krb5_context context, krb5_principal princ,
+ * the name of a cache that doesn't exist yet. */
+ do {
+ free(ccname);
+- if (asprintf(&ccname, "%s.%d", target, gen_sym()) < 0) {
++ retval = gen_sym(context, &sym);
++ if (retval) {
++ com_err(prog_name, retval,
++ _("while generating part of the target ccache name"));
++ return retval;
++ }
++ if (asprintf(&ccname, "%s.%s", target, sym) < 0) {
+ retval = ENOMEM;
+- com_err(prog_name, ENOMEM,
+- _("while allocating memory for target ccache name"));
++ free(sym);
++ com_err(prog_name, retval, _("while allocating memory for the "
++ "target ccache name"));
+ goto cleanup;
+ }
++ free(sym);
+ } while (ks_ccache_name_is_initialized(context, ccname));
+ retval = krb5_cc_resolve(context, ccname, &ccache);
+ } else {
+--
+2.0.4
+
generated by cgit (git 2.34.1) at 2024-05-29 03:32:00 +0000