From 9f902f70a79ab864083078d104196a83943844ac Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Fri, 1 Nov 2013 09:48:13 -0400 Subject: [PATCH 1/6] Don't try to stat() not-on-disk ccache residuals Don't assume that ccache residual names are filenames which we can stat() usefully. Instead, use helper functions to call the library routines to try to read the default principal name from caches. --- src/clients/ksu/ccache.c | 88 +++++++++++++++++++++++++++------------------ src/clients/ksu/heuristic.c | 13 ++----- src/clients/ksu/ksu.h | 6 ++++ src/clients/ksu/main.c | 17 +++++---- 4 files changed, 70 insertions(+), 54 deletions(-) diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c index 9916c75..7917af2 100644 --- a/src/clients/ksu/ccache.c +++ b/src/clients/ksu/ccache.c @@ -60,12 +60,10 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, { int i=0; krb5_ccache * cc_other; - const char * cc_def_name; - const char * cc_other_name; + const char * cc_other_type; krb5_error_code retval=0; krb5_creds ** cc_def_creds_arr = NULL; krb5_creds ** cc_other_creds_arr = NULL; - struct stat st_temp; cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache)); @@ -74,10 +72,9 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, return retval; } - cc_def_name = krb5_cc_get_name(context, cc_def); - cc_other_name = krb5_cc_get_name(context, *cc_other); + cc_other_type = krb5_cc_get_type(context, *cc_other); - if ( ! stat(cc_def_name, &st_temp)){ + if (krb5_ccache_is_initialized(context, cc_def)) { if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){ return retval; } @@ -86,7 +83,8 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr, primary_principal); - if (!lstat( cc_other_name, &st_temp)) + if (!krb5_cc_support_switch(context, cc_other_type) && + krb5_ccache_name_is_initialized(context, cc_other_tag)) return EINVAL; if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { @@ -533,24 +531,18 @@ krb5_error_code krb5_ccache_overwrite(context, ccs, cct, primary_principal) krb5_ccache cct; krb5_principal primary_principal; { - const char * cct_name; - const char * ccs_name; krb5_error_code retval=0; krb5_principal temp_principal; krb5_creds ** ccs_creds_arr = NULL; int i=0; - struct stat st_temp; - ccs_name = krb5_cc_get_name(context, ccs); - cct_name = krb5_cc_get_name(context, cct); - - if ( ! stat(ccs_name, &st_temp)){ + if (krb5_ccache_is_initialized(context, ccs)) { if ((retval = krb5_get_nonexp_tkts(context, ccs, &ccs_creds_arr))){ return retval; } } - if ( ! stat(cct_name, &st_temp)){ + if (krb5_ccache_is_initialized(context, cct)) { if ((retval = krb5_cc_get_principal(context, cct, &temp_principal))){ return retval; } @@ -649,12 +641,10 @@ krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag, int i=0; krb5_ccache * cc_other; - const char * cc_def_name; - const char * cc_other_name; + const char * cc_other_type; krb5_error_code retval=0; krb5_creds ** cc_def_creds_arr = NULL; krb5_creds ** cc_other_creds_arr = NULL; - struct stat st_temp; cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache)); @@ -663,19 +653,17 @@ krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag, return retval; } - cc_def_name = krb5_cc_get_name(context, cc_def); - cc_other_name = krb5_cc_get_name(context, *cc_other); + cc_other_type = krb5_cc_get_type(context, *cc_other); - if ( ! stat(cc_def_name, &st_temp)){ - if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){ + if (krb5_ccache_is_initialized(context, cc_def)) { + retval = krb5_get_nonexp_tkts(context, cc_def, &cc_def_creds_arr); + if (retval) return retval; - } - } - if (!lstat( cc_other_name, &st_temp)) { + if (!krb5_cc_support_switch(context, cc_other_type) && + krb5_ccache_name_is_initialized(context, cc_other_tag)) return EINVAL; - } if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { return errno; @@ -723,12 +711,10 @@ krb5_error_code krb5_ccache_filter (context, cc, prst) krb5_creds ** cc_creds_arr = NULL; const char * cc_name; krb5_boolean stored; - struct stat st_temp; cc_name = krb5_cc_get_name(context, cc); - if ( ! stat(cc_name, &st_temp)){ - + if (krb5_ccache_is_initialized(context, cc)) { if (auth_debug) { fprintf(stderr,"putting cache %s through a filter for -z option\n", cc_name); } @@ -793,12 +779,8 @@ krb5_error_code krb5_find_princ_in_cache (context, cc, princ, found) { krb5_error_code retval; krb5_creds ** creds_list = NULL; - const char * cc_name; - struct stat st_temp; - cc_name = krb5_cc_get_name(context, cc); - - if ( ! stat(cc_name, &st_temp)){ + if (krb5_ccache_is_initialized(context, cc)) { if ((retval = krb5_get_nonexp_tkts(context, cc, &creds_list))){ return retval; } @@ -807,3 +789,41 @@ krb5_error_code krb5_find_princ_in_cache (context, cc, princ, found) *found = krb5_find_princ_in_cred_list(context, creds_list, princ); return 0; } + +extern krb5_boolean +krb5_ccache_name_is_initialized(krb5_context context, const char *cctag) +{ + krb5_error_code retval = 0; + krb5_ccache cc; + krb5_principal princ; + + retval = krb5_cc_resolve(context, cctag, &cc); + if (retval) + return FALSE; + + retval = krb5_cc_get_principal(context, cc, &princ); + if (retval == 0) + krb5_free_principal(context, princ); + krb5_cc_close(context, cc); + + return retval == 0; +} + +extern krb5_boolean +krb5_ccache_is_initialized(krb5_context context, krb5_ccache def_cc) +{ + krb5_error_code retval = 0; + krb5_boolean result; + char *def_cc_name; + + if (def_cc == NULL) + return FALSE; + + retval = krb5_cc_get_full_name(context, def_cc, &def_cc_name); + if (retval) + return FALSE; + + result = krb5_ccache_name_is_initialized(context, def_cc_name); + krb5_free_string(context, def_cc_name); + return result; +} diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c index c7e691c..bfde451 100644 --- a/src/clients/ksu/heuristic.c +++ b/src/clients/ksu/heuristic.c @@ -404,12 +404,8 @@ krb5_error_code find_either_ticket (context, cc, client, end_server, found) krb5_principal kdc_server; krb5_error_code retval; krb5_boolean temp_found = FALSE; - const char * cc_source_name; - struct stat st_temp; - cc_source_name = krb5_cc_get_name(context, cc); - - if ( ! stat(cc_source_name, &st_temp)){ + if (krb5_ccache_is_initialized(context, cc)) { retval = find_ticket(context, cc, client, end_server, &temp_found); if (retval) @@ -546,7 +542,6 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid, { princ_info princ_trials[10]; - const char * cc_source_name; krb5_principal cc_def_princ = NULL; krb5_principal temp_client; krb5_principal target_client; @@ -558,7 +553,6 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid, struct stat tb; int count =0; int i; - struct stat st_temp; *path_out = 0; @@ -566,10 +560,7 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid, if (options->princ) return 0; - cc_source_name = krb5_cc_get_name(context, cc_source); - - - if (! stat(cc_source_name, &st_temp)) { + if (krb5_ccache_is_initialized(context, cc_source)) { retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ); if (retval) return retval; diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h index f2c0811..2a63c21 100644 --- a/src/clients/ksu/ksu.h +++ b/src/clients/ksu/ksu.h @@ -141,6 +141,12 @@ extern krb5_error_code krb5_store_some_creds (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **, krb5_principal, krb5_boolean *); +extern krb5_boolean krb5_ccache_name_is_initialized +(krb5_context, const char *); + +extern krb5_boolean krb5_ccache_is_initialized +(krb5_context, krb5_ccache); + extern krb5_error_code krb5_ccache_copy_restricted (krb5_context, krb5_ccache, char *, krb5_principal, krb5_ccache *, krb5_boolean *, uid_t); diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c index 233eb52..e2ca06a 100644 --- a/src/clients/ksu/main.c +++ b/src/clients/ksu/main.c @@ -112,7 +112,6 @@ main (argc, argv) extern char * getpass(), *crypt(); int pargc; char ** pargv; - struct stat st_temp; krb5_boolean stored = FALSE; krb5_principal kdc_server; krb5_boolean zero_password; @@ -265,9 +264,10 @@ main (argc, argv) if ( strchr(cc_source_tag, ':')){ cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1; - if( stat( cc_source_tag_tmp, &st_temp)){ + if (!krb5_ccache_name_is_initialized(ksu_context, + cc_source_tag)) { com_err(prog_name, errno, - _("while looking for credentials file %s"), + _("while looking for credentials cache %s"), cc_source_tag_tmp); exit (1); } @@ -432,7 +432,8 @@ main (argc, argv) (long) target_uid, gen_sym()); cc_target_tag_tmp = strchr(cc_target_tag, ':') + 1; - }while ( !stat ( cc_target_tag_tmp, &st_temp)); + } while (krb5_ccache_name_is_initialized(ksu_context, + cc_target_tag)); } @@ -884,8 +885,6 @@ static void sweep_up(context, cc) krb5_ccache cc; { krb5_error_code retval; - const char * cc_name; - struct stat st_temp; krb5_seteuid(0); if (krb5_seteuid(target_uid) < 0) { @@ -894,9 +893,9 @@ static void sweep_up(context, cc) exit(1); } - cc_name = krb5_cc_get_name(context, cc); - if ( ! stat(cc_name, &st_temp)){ - if ((retval = krb5_cc_destroy(context, cc))) + if (krb5_ccache_is_initialized(context, cc)) { + retval = krb5_cc_destroy(context, cc); + if (retval) com_err(prog_name, retval, _("while destroying cache")); } } -- 1.8.5.3