1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
|
From 5195c2b20593330192feff67dd5f271e88f562e7 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@dahyabhai.net>
Date: Wed, 30 Oct 2013 21:45:35 -0400
Subject: [PATCH 2/6] Use an in-memory cache until we need the target's
Instead of copying source or obtained creds into the target cache and
changing ownership if everything succeeds, copy them into a MEMORY:
cache and then, if everything succeeds, create the target cache as the
target user.
---
src/clients/ksu/ksu.h | 1 +
src/clients/ksu/main.c | 133 +++++++++++++++++++++++++++++--------------------
2 files changed, 80 insertions(+), 54 deletions(-)
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
index 2a63c21..1d102a1 100644
--- a/src/clients/ksu/ksu.h
+++ b/src/clients/ksu/ksu.h
@@ -45,6 +45,7 @@
#define KRB5_DEFAULT_TKT_LIFE 60*60*12 /* 12 hours */
#define KRB5_SECONDARY_CACHE "FILE:/tmp/krb5cc_"
+#define KRB5_TEMPORARY_CACHE "MEMORY:_ksu"
#define KRB5_LOGIN_NAME ".k5login"
#define KRB5_USERS_NAME ".k5users"
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index e2ca06a..fa86c78 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -86,7 +86,7 @@ main (argc, argv)
int statusp=0;
krb5_error_code retval = 0;
krb5_principal client = NULL;
- krb5_ccache cc_target = NULL;
+ krb5_ccache cc_tmp = NULL, cc_target = NULL;
krb5_context ksu_context;
char * cc_target_tag = NULL;
char * target_user = NULL;
@@ -452,14 +452,15 @@ main (argc, argv)
}
/*
- Only when proper authentication and authorization
- takes place, the target user becomes the owner of the cache.
- */
-
- /* we continue to run as source uid until
- the middle of the copy, when becomewe become the target user
- The cache is owned by the target user.*/
+ * Only after proper authentication and authorization has
+ * taken place, do we populate a cache for the target user.
+ */
+ /*
+ * We read the set of creds we want to copy from the source ccache as the
+ * source uid, become root for authentication, and then become the target
+ * user to handle authorization and creating the target user's cache.
+ */
/* if root ksu's to a regular user, then
then only the credentials for that particular user
@@ -468,19 +469,23 @@ main (argc, argv)
if ((source_uid == 0) && (target_uid != 0)) {
if ((retval = krb5_ccache_copy_restricted(ksu_context, cc_source,
- cc_target_tag, client,
- &cc_target, &stored,
- target_uid))){
+ KRB5_TEMPORARY_CACHE, client,
+ &cc_tmp, &stored,
+ 0))){
com_err(prog_name, retval, _("while copying cache %s to %s"),
- krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
+ krb5_cc_get_name(ksu_context, cc_source),
+ KRB5_TEMPORARY_CACHE);
exit(1);
}
} else {
- if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag,
- client,&cc_target, &stored, target_uid))) {
+
+ retval = krb5_ccache_copy(ksu_context, cc_source, KRB5_TEMPORARY_CACHE,
+ client, &cc_tmp, &stored, 0);
+ if (retval) {
com_err(prog_name, retval, _("while copying cache %s to %s"),
- krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
+ krb5_cc_get_name(ksu_context, cc_source),
+ KRB5_TEMPORARY_CACHE);
exit(1);
}
@@ -502,7 +507,7 @@ main (argc, argv)
&kdc_server))){
com_err(prog_name, retval,
_("while creating tgt for local realm"));
- sweep_up(ksu_context, cc_target);
+ sweep_up(ksu_context, cc_tmp);
exit(1);
}
@@ -510,13 +515,13 @@ main (argc, argv)
"enter it here and are logged\n"));
fprintf(stderr, _(" in remotely using an unsecure "
"(non-encrypted) channel.\n"));
- if (krb5_get_tkt_via_passwd (ksu_context, &cc_target, client,
- kdc_server, &options,
- &zero_password) == FALSE){
+ if (krb5_get_tkt_via_passwd(ksu_context, &cc_tmp, client,
+ kdc_server, &options,
+ &zero_password) == FALSE){
if (zero_password == FALSE){
fprintf(stderr, _("Goodbye\n"));
- sweep_up(ksu_context, cc_target);
+ sweep_up(ksu_context, cc_tmp);
exit(1);
}
@@ -535,15 +540,16 @@ main (argc, argv)
if (source_uid && (source_uid != target_uid)) {
char * client_name;
- auth_val = krb5_auth_check(ksu_context, client, localhostname, &options,
- target_user,cc_target, &path_passwd, target_uid);
+ auth_val = krb5_auth_check(ksu_context, client, localhostname,
+ &options, target_user, cc_tmp,
+ &path_passwd, target_uid);
/* if Kerberos authentication failed then exit */
if (auth_val ==FALSE){
fprintf(stderr, _("Authentication failed.\n"));
syslog(LOG_WARNING, "'%s %s' authentication failed for %s%s",
prog_name,target_user,source_user,ontty());
- sweep_up(ksu_context, cc_target);
+ sweep_up(ksu_context, cc_tmp);
exit(1);
}
@@ -576,7 +582,7 @@ main (argc, argv)
if ((retval = krb5_unparse_name(ksu_context, client, &client_name))) {
com_err(prog_name, retval, _("When unparsing name"));
- sweep_up(ksu_context, cc_target);
+ sweep_up(ksu_context, cc_tmp);
exit(1);
}
@@ -589,7 +595,7 @@ main (argc, argv)
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, _("while switching to target for "
"authorization check"));
- sweep_up(ksu_context, cc_target);
+ sweep_up(ksu_context, cc_tmp);
exit(1);
}
@@ -597,14 +603,14 @@ main (argc, argv)
cmd, &authorization_val, &exec_cmd))){
com_err(prog_name,retval, _("while checking authorization"));
krb5_seteuid(0); /*So we have some chance of sweeping up*/
- sweep_up(ksu_context, cc_target);
+ sweep_up(ksu_context, cc_tmp);
exit(1);
}
if (krb5_seteuid(0)) {
com_err(prog_name, errno, _("while switching back from target "
"after authorization check"));
- sweep_up(ksu_context, cc_target);
+ sweep_up(ksu_context, cc_tmp);
exit(1);
}
if (authorization_val == TRUE){
@@ -646,21 +652,23 @@ main (argc, argv)
}
- sweep_up(ksu_context, cc_target);
+ sweep_up(ksu_context, cc_tmp);
exit(1);
}
}
if( some_rest_copy){
- if ((retval = krb5_ccache_filter(ksu_context, cc_target, client))){
+ retval = krb5_ccache_filter(ksu_context, cc_tmp, client);
+ if (retval) {
com_err(prog_name,retval, _("while calling cc_filter"));
- sweep_up(ksu_context, cc_target);
+ sweep_up(ksu_context, cc_tmp);
exit(1);
}
}
if (all_rest_copy){
- if ((retval = krb5_cc_initialize(ksu_context, cc_target, client))){
+ retval = krb5_cc_initialize(ksu_context, cc_tmp, client);
+ if (retval) {
com_err(prog_name, retval, _("while erasing target cache"));
exit(1);
}
@@ -682,7 +690,7 @@ main (argc, argv)
if (!standard_shell(target_pwd->pw_shell) && source_uid) {
fprintf(stderr, _("ksu: permission denied (shell).\n"));
- sweep_up(ksu_context, cc_target);
+ sweep_up(ksu_context, cc_tmp);
exit(1);
}
#endif /* HAVE_GETUSERSHELL */
@@ -692,43 +700,33 @@ main (argc, argv)
if(set_env_var("USER", target_pwd->pw_name)){
fprintf(stderr,
_("ksu: couldn't set environment variable USER\n"));
- sweep_up(ksu_context, cc_target);
+ sweep_up(ksu_context, cc_tmp);
exit(1);
}
}
if(set_env_var( "HOME", target_pwd->pw_dir)){
fprintf(stderr, _("ksu: couldn't set environment variable HOME\n"));
- sweep_up(ksu_context, cc_target);
+ sweep_up(ksu_context, cc_tmp);
exit(1);
}
if(set_env_var( "SHELL", shell)){
fprintf(stderr, _("ksu: couldn't set environment variable SHELL\n"));
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
- /* set the cc env name to target */
-
- if(set_env_var( KRB5_ENV_CCNAME, cc_target_tag)){
- fprintf(stderr, _("ksu: couldn't set environment variable %s\n"),
- KRB5_ENV_CCNAME);
- sweep_up(ksu_context, cc_target);
+ sweep_up(ksu_context, cc_tmp);
exit(1);
}
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
- sweep_up(ksu_context, cc_target);
+ sweep_up(ksu_context, cc_tmp);
exit(1);
}
-
if (initgroups(target_user, target_pwd->pw_gid)) {
fprintf(stderr, _("ksu: initgroups failed.\n"));
- sweep_up(ksu_context, cc_target);
+ sweep_up(ksu_context, cc_tmp);
exit(1);
}
@@ -748,22 +746,49 @@ main (argc, argv)
*/
if (setluid((uid_t) pwd->pw_uid) < 0) {
perror("setluid");
- sweep_up(ksu_context, cc_target);
+ sweep_up(ksu_context, cc_tmp);
exit(1);
}
#endif /* HAVE_SETLUID */
- if (setuid(target_pwd->pw_uid) < 0) {
+ if (seteuid(0) < 0 || seteuid(target_pwd->pw_uid) < 0) {
+ perror("ksu: seteuid");
+ sweep_up(ksu_context, cc_tmp);
+ exit(1);
+ }
+
+ retval = krb5_ccache_copy(ksu_context, cc_tmp, cc_target_tag,
+ client, &cc_target, &stored,
+ target_pwd->pw_uid);
+ if (retval) {
+ com_err(prog_name, retval, _("while copying cache %s to %s"),
+ krb5_cc_get_name(ksu_context, cc_tmp), cc_target_tag);
+ exit(1);
+ }
+
+ if (setuid(0) < 0 || setuid(target_pwd->pw_uid) < 0) {
perror("ksu: setuid");
sweep_up(ksu_context, cc_target);
exit(1);
}
- if (access( cc_target_tag_tmp, R_OK | W_OK )){
- com_err(prog_name, errno,
- _("%s does not have correct permissions for %s, %s aborted"),
- target_user, cc_target_tag_tmp, prog_name);
- exit(1);
+ /* set the cc env name to target */
+ if (stored) {
+ if (krb5_cc_get_full_name(ksu_context, cc_target,
+ &cc_target_tag) == 0) {
+ if (set_env_var(KRB5_ENV_CCNAME, cc_target_tag)){
+ fprintf(stderr,
+ _("ksu: couldn't set environment variable %s\n"),
+ KRB5_ENV_CCNAME);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ krb5_free_string(ksu_context, cc_target_tag);
+ } else {
+ com_err(prog_name, retval, _("while reading cache name from %s"),
+ cc_target_tag);
+ exit(1);
+ }
}
if ( cc_source)
--
1.8.5.3
|
