1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
|
From 74e775ac6d937c9d22be4fc1d429e5e62705fb7d Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@redhat.com>
Date: Thu, 24 Jul 2014 15:39:53 -0400
Subject: [PATCH 1/7] In ksu, merge krb5_ccache_copy() and _restricted()
Other than whether or not they limit the creds it stores to the new
ccache based on the principal name of the client for whom the creds were
issued, there's no meaningful difference between what these two
functions do. Merge them.
---
src/clients/ksu/ccache.c | 106 ++++++-----------------------------------------
src/clients/ksu/ksu.h | 6 +--
src/clients/ksu/main.c | 27 ++++--------
3 files changed, 22 insertions(+), 117 deletions(-)
diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
index 9916c75..118fc53 100644
--- a/src/clients/ksu/ccache.c
+++ b/src/clients/ksu/ccache.c
@@ -47,12 +47,14 @@ void show_credential();
*/
krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
- primary_principal, cc_out, stored, target_uid)
+ primary_principal, restrict_creds, cc_out,
+ stored, target_uid)
/* IN */
krb5_context context;
krb5_ccache cc_def;
char *cc_other_tag;
krb5_principal primary_principal;
+ krb5_boolean restrict_creds;
uid_t target_uid;
/* OUT */
krb5_ccache *cc_out;
@@ -83,9 +85,6 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
}
}
- *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr,
- primary_principal);
-
if (!lstat( cc_other_name, &st_temp))
return EINVAL;
@@ -98,8 +97,16 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
return retval;
}
- retval = krb5_store_all_creds(context, * cc_other, cc_def_creds_arr,
- cc_other_creds_arr);
+ if (restrict_creds) {
+ retval = krb5_store_some_creds(context, *cc_other, cc_def_creds_arr,
+ cc_other_creds_arr, primary_principal,
+ stored);
+ } else {
+ *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr,
+ primary_principal);
+ retval = krb5_store_all_creds(context, *cc_other, cc_def_creds_arr,
+ cc_other_creds_arr);
+ }
if (cc_def_creds_arr){
while (cc_def_creds_arr[i]){
@@ -623,93 +630,6 @@ krb5_error_code krb5_store_some_creds(context, cc, creds_def, creds_other, prst,
*stored = temp_stored;
return 0;
}
-/******************************************************************
-krb5_cache_copy_restricted
-
-gets rid of any expired tickets in the secondary cache,
-copies the default cache into the secondary cache,
-only credentials that are for prst are copied.
-
-the algorithm may look a bit funny,
-but I had to do it this way, since cc_remove function did not come
-with k5 beta 3 release.
-************************************************************************/
-
-krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag,
- prst, cc_out, stored, target_uid)
- krb5_context context;
- krb5_ccache cc_def;
- char *cc_other_tag;
- krb5_principal prst;
- uid_t target_uid;
- /* OUT */
- krb5_ccache *cc_out;
- krb5_boolean *stored;
-{
-
- int i=0;
- krb5_ccache * cc_other;
- const char * cc_def_name;
- const char * cc_other_name;
- krb5_error_code retval=0;
- krb5_creds ** cc_def_creds_arr = NULL;
- krb5_creds ** cc_other_creds_arr = NULL;
- struct stat st_temp;
-
- cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache));
-
- if ((retval = krb5_cc_resolve(context, cc_other_tag, cc_other))){
- com_err(prog_name, retval, _("resolving ccache %s"), cc_other_tag);
- return retval;
- }
-
- cc_def_name = krb5_cc_get_name(context, cc_def);
- cc_other_name = krb5_cc_get_name(context, *cc_other);
-
- if ( ! stat(cc_def_name, &st_temp)){
- if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
- return retval;
- }
-
- }
-
- if (!lstat( cc_other_name, &st_temp)) {
- return EINVAL;
- }
-
- if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
- return errno;
- }
-
-
- if ((retval = krb5_cc_initialize(context, *cc_other, prst))){
- return retval;
- }
-
- retval = krb5_store_some_creds(context, * cc_other,
- cc_def_creds_arr, cc_other_creds_arr, prst, stored);
-
-
-
- if (cc_def_creds_arr){
- while (cc_def_creds_arr[i]){
- krb5_free_creds(context, cc_def_creds_arr[i]);
- i++;
- }
- }
-
- i=0;
-
- if(cc_other_creds_arr){
- while (cc_other_creds_arr[i]){
- krb5_free_creds(context, cc_other_creds_arr[i]);
- i++;
- }
- }
-
- *cc_out = *cc_other;
- return retval;
-}
krb5_error_code krb5_ccache_filter (context, cc, prst)
krb5_context context;
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
index f2c0811..9e0c613 100644
--- a/src/clients/ksu/ksu.h
+++ b/src/clients/ksu/ksu.h
@@ -107,7 +107,7 @@ extern krb5_error_code get_best_principal
/* ccache.c */
extern krb5_error_code krb5_ccache_copy
(krb5_context, krb5_ccache, char *, krb5_principal,
- krb5_ccache *, krb5_boolean *, uid_t);
+ krb5_boolean, krb5_ccache *, krb5_boolean *, uid_t);
extern krb5_error_code krb5_store_all_creds
(krb5_context, krb5_ccache, krb5_creds **, krb5_creds **);
@@ -141,10 +141,6 @@ extern krb5_error_code krb5_store_some_creds
(krb5_context, krb5_ccache, krb5_creds **, krb5_creds **,
krb5_principal, krb5_boolean *);
-extern krb5_error_code krb5_ccache_copy_restricted
-(krb5_context, krb5_ccache, char *, krb5_principal,
- krb5_ccache *, krb5_boolean *, uid_t);
-
extern krb5_error_code krb5_ccache_refresh
(krb5_context, krb5_ccache);
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 233eb52..62f3bc0 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -117,6 +117,7 @@ main (argc, argv)
krb5_principal kdc_server;
krb5_boolean zero_password;
char * dir_of_cc_target;
+ krb5_boolean restrict_creds;
options.opt = KRB5_DEFAULT_OPTIONS;
options.lifetime = KRB5_DEFAULT_TKT_LIFE;
@@ -464,25 +465,13 @@ main (argc, argv)
then only the credentials for that particular user
should be copied */
- if ((source_uid == 0) && (target_uid != 0)) {
-
- if ((retval = krb5_ccache_copy_restricted(ksu_context, cc_source,
- cc_target_tag, client,
- &cc_target, &stored,
- target_uid))){
- com_err(prog_name, retval, _("while copying cache %s to %s"),
- krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
- exit(1);
- }
-
- } else {
- if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag,
- client,&cc_target, &stored, target_uid))) {
- com_err(prog_name, retval, _("while copying cache %s to %s"),
- krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
- exit(1);
- }
-
+ restrict_creds = (source_uid == 0) && (target_uid != 0);
+ retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag, client,
+ restrict_creds, &cc_target, &stored, target_uid);
+ if (retval) {
+ com_err(prog_name, retval, _("while copying cache %s to %s"),
+ krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
+ exit(1);
}
/* Become root for authentication*/
--
2.0.4
|
