1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
|
From dccc80a469b1925fcfe7697406a69912efe4baa1 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@dahyabhai.net>
Date: Wed, 30 Oct 2013 21:45:35 -0400
Subject: [PATCH 3/7] Use an intermediate memory cache in ksu
Instead of copying source or obtained creds into the target cache and
changing ownership if everything succeeds, copy them into a MEMORY:
cache and then, if everything succeeds, create the target cache as the
target user.
We no longer need to clean up the temporary ccache when exiting in
most error cases.
Use a fake principal name ("_ksu/_ksu@_ksu") as the primary holder of
the temporary cache so that we won't accidentally select it when we
make a subsequent call to krb5_cc_cache_match() (to be added in a
later patch) to find the target location where the creds should be
stored for use while running as the target user.
---
src/clients/ksu/ccache.c | 10 +--
src/clients/ksu/ksu.h | 4 +-
src/clients/ksu/main.c | 156 ++++++++++++++++++++++++-----------------------
3 files changed, 87 insertions(+), 83 deletions(-)
diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
index 5f57279..d0fc389 100644
--- a/src/clients/ksu/ccache.c
+++ b/src/clients/ksu/ccache.c
@@ -47,14 +47,15 @@ void show_credential();
*/
krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
- primary_principal, restrict_creds, cc_out,
- stored, target_uid)
+ primary_principal, restrict_creds,
+ target_principal, cc_out, stored, target_uid)
/* IN */
krb5_context context;
krb5_ccache cc_def;
char *cc_other_tag;
krb5_principal primary_principal;
krb5_boolean restrict_creds;
+ krb5_principal target_principal;
uid_t target_uid;
/* OUT */
krb5_ccache *cc_out;
@@ -86,10 +87,9 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
return errno;
}
-
- if ((retval = krb5_cc_initialize(context, *cc_other, primary_principal))){
+ retval = krb5_cc_initialize(context, *cc_other, target_principal);
+ if (retval)
return retval;
- }
if (restrict_creds) {
retval = krb5_store_some_creds(context, *cc_other, cc_def_creds_arr,
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
index e1e34f1..08bf01b 100644
--- a/src/clients/ksu/ksu.h
+++ b/src/clients/ksu/ksu.h
@@ -106,8 +106,8 @@ extern krb5_error_code get_best_principal
/* ccache.c */
extern krb5_error_code krb5_ccache_copy
-(krb5_context, krb5_ccache, char *, krb5_principal,
- krb5_boolean, krb5_ccache *, krb5_boolean *, uid_t);
+(krb5_context, krb5_ccache, char *, krb5_principal, krb5_boolean,
+ krb5_principal, krb5_ccache *, krb5_boolean *, uid_t);
extern krb5_error_code krb5_store_all_creds
(krb5_context, krb5_ccache, krb5_creds **, krb5_creds **);
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 8c49f94..d1bb8ca 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -42,10 +42,13 @@ char * gb_err = NULL;
int quiet = 0;
/***********/
+#define KS_TEMPORARY_CACHE "MEMORY:_ksu"
+#define KS_TEMPORARY_PRINC "_ksu/_ksu@_ksu"
#define _DEF_CSH "/bin/csh"
static int set_env_var (char *, char *);
static void sweep_up (krb5_context, krb5_ccache);
static char * ontty (void);
+static krb5_error_code set_ccname_env(krb5_context, krb5_ccache);
static void print_status( const char *fmt, ...)
#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 7)
__attribute__ ((__format__ (__printf__, 1, 2)))
@@ -84,8 +87,8 @@ main (argc, argv)
int option=0;
int statusp=0;
krb5_error_code retval = 0;
- krb5_principal client = NULL;
- krb5_ccache cc_target = NULL;
+ krb5_principal client = NULL, tmp_princ = NULL;
+ krb5_ccache cc_tmp = NULL, cc_target = NULL;
krb5_context ksu_context;
char * cc_target_tag = NULL;
char * target_user = NULL;
@@ -93,7 +96,6 @@ main (argc, argv)
krb5_ccache cc_source = NULL;
const char * cc_source_tag = NULL;
- uid_t source_gid;
const char * cc_source_tag_tmp = NULL;
char * cmd = NULL, * exec_cmd = NULL;
int errflg = 0;
@@ -342,8 +344,6 @@ main (argc, argv)
/* allocate space and copy the usernamane there */
source_user = xstrdup(pwd->pw_name);
source_uid = pwd->pw_uid;
- source_gid = pwd->pw_gid;
-
if (!strcmp(SOURCE_USER_LOGIN, target_user)){
target_user = xstrdup (source_user);
@@ -435,25 +435,32 @@ main (argc, argv)
}
/*
- Only when proper authentication and authorization
- takes place, the target user becomes the owner of the cache.
- */
-
- /* we continue to run as source uid until
- the middle of the copy, when becomewe become the target user
- The cache is owned by the target user.*/
+ * After proper authentication and authorization, populate a cache for the
+ * target user.
+ */
+ /*
+ * We read the set of creds we want to copy from the source ccache as the
+ * source uid, become root for authentication, and then become the target
+ * user to handle authorization and creating the target user's cache.
+ */
/* if root ksu's to a regular user, then
then only the credentials for that particular user
should be copied */
restrict_creds = (source_uid == 0) && (target_uid != 0);
- retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag, client,
- restrict_creds, &cc_target, &stored, target_uid);
+ retval = krb5_parse_name(ksu_context, KS_TEMPORARY_PRINC, &tmp_princ);
+ if (retval) {
+ com_err(prog_name, retval, _("while parsing temporary name"));
+ exit(1);
+ }
+ retval = krb5_ccache_copy(ksu_context, cc_source, KS_TEMPORARY_CACHE,
+ client, restrict_creds, tmp_princ, &cc_tmp,
+ &stored, 0);
if (retval) {
com_err(prog_name, retval, _("while copying cache %s to %s"),
- krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
+ krb5_cc_get_name(ksu_context, cc_source), KS_TEMPORARY_CACHE);
exit(1);
}
@@ -473,7 +480,6 @@ main (argc, argv)
&kdc_server))){
com_err(prog_name, retval,
_("while creating tgt for local realm"));
- sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -481,13 +487,12 @@ main (argc, argv)
"enter it here and are logged\n"));
fprintf(stderr, _(" in remotely using an unsecure "
"(non-encrypted) channel.\n"));
- if (krb5_get_tkt_via_passwd (ksu_context, &cc_target, client,
- kdc_server, &options,
- &zero_password) == FALSE){
+ if (krb5_get_tkt_via_passwd(ksu_context, &cc_tmp, client,
+ kdc_server, &options,
+ &zero_password) == FALSE){
if (zero_password == FALSE){
fprintf(stderr, _("Goodbye\n"));
- sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -506,48 +511,20 @@ main (argc, argv)
if (source_uid && (source_uid != target_uid)) {
char * client_name;
- auth_val = krb5_auth_check(ksu_context, client, localhostname, &options,
- target_user,cc_target, &path_passwd, target_uid);
+ auth_val = krb5_auth_check(ksu_context, client, localhostname,
+ &options, target_user, cc_tmp,
+ &path_passwd, target_uid);
/* if Kerberos authentication failed then exit */
if (auth_val ==FALSE){
fprintf(stderr, _("Authentication failed.\n"));
syslog(LOG_WARNING, "'%s %s' authentication failed for %s%s",
prog_name,target_user,source_user,ontty());
- sweep_up(ksu_context, cc_target);
exit(1);
}
-#if 0
- /* At best, this avoids a single kdc request
- It is hard to implement dealing with file permissions and
- is unnecessary. It is important
- to properly handle races in chown if this code is ever re-enabled.
- */
- /* cache the tickets if possible in the source cache */
- if (!path_passwd){
-
- if ((retval = krb5_ccache_overwrite(ksu_context, cc_target, cc_source,
- client))){
- com_err (prog_name, retval,
- "while copying cache %s to %s",
- krb5_cc_get_name(ksu_context, cc_target),
- krb5_cc_get_name(ksu_context, cc_source));
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
- if (chown(cc_source_tag_tmp, source_uid, source_gid)){
- com_err(prog_name, errno,
- "while changing owner for %s",
- cc_source_tag_tmp);
- exit(1);
- }
- }
-#endif /*0*/
-
if ((retval = krb5_unparse_name(ksu_context, client, &client_name))) {
com_err(prog_name, retval, _("When unparsing name"));
- sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -560,7 +537,6 @@ main (argc, argv)
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, _("while switching to target for "
"authorization check"));
- sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -568,14 +544,12 @@ main (argc, argv)
cmd, &authorization_val, &exec_cmd))){
com_err(prog_name,retval, _("while checking authorization"));
krb5_seteuid(0); /*So we have some chance of sweeping up*/
- sweep_up(ksu_context, cc_target);
exit(1);
}
if (krb5_seteuid(0)) {
com_err(prog_name, errno, _("while switching back from target "
"after authorization check"));
- sweep_up(ksu_context, cc_target);
exit(1);
}
if (authorization_val == TRUE){
@@ -617,25 +591,25 @@ main (argc, argv)
}
- sweep_up(ksu_context, cc_target);
exit(1);
}
}
if( some_rest_copy){
- if ((retval = krb5_ccache_filter(ksu_context, cc_target, client))){
+ retval = krb5_ccache_filter(ksu_context, cc_tmp, client);
+ if (retval) {
com_err(prog_name,retval, _("while calling cc_filter"));
- sweep_up(ksu_context, cc_target);
exit(1);
}
}
if (all_rest_copy){
- if ((retval = krb5_cc_initialize(ksu_context, cc_target, client))){
+ retval = krb5_cc_initialize(ksu_context, cc_tmp, tmp_princ);
+ if (retval) {
com_err(prog_name, retval, _("while erasing target cache"));
exit(1);
}
-
+ stored = FALSE;
}
/* get the shell of the user, this will be the shell used by su */
@@ -653,7 +627,6 @@ main (argc, argv)
if (!standard_shell(target_pwd->pw_shell) && source_uid) {
fprintf(stderr, _("ksu: permission denied (shell).\n"));
- sweep_up(ksu_context, cc_target);
exit(1);
}
#endif /* HAVE_GETUSERSHELL */
@@ -663,43 +636,28 @@ main (argc, argv)
if(set_env_var("USER", target_pwd->pw_name)){
fprintf(stderr,
_("ksu: couldn't set environment variable USER\n"));
- sweep_up(ksu_context, cc_target);
exit(1);
}
}
if(set_env_var( "HOME", target_pwd->pw_dir)){
fprintf(stderr, _("ksu: couldn't set environment variable HOME\n"));
- sweep_up(ksu_context, cc_target);
exit(1);
}
if(set_env_var( "SHELL", shell)){
fprintf(stderr, _("ksu: couldn't set environment variable SHELL\n"));
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
- /* set the cc env name to target */
-
- if(set_env_var( KRB5_ENV_CCNAME, cc_target_tag)){
- fprintf(stderr, _("ksu: couldn't set environment variable %s\n"),
- KRB5_ENV_CCNAME);
- sweep_up(ksu_context, cc_target);
exit(1);
}
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
- sweep_up(ksu_context, cc_target);
exit(1);
}
-
if (initgroups(target_user, target_pwd->pw_gid)) {
fprintf(stderr, _("ksu: initgroups failed.\n"));
- sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -719,13 +677,36 @@ main (argc, argv)
*/
if (setluid((uid_t) pwd->pw_uid) < 0) {
perror("setluid");
- sweep_up(ksu_context, cc_target);
exit(1);
}
#endif /* HAVE_SETLUID */
if (setuid(target_pwd->pw_uid) < 0) {
perror("ksu: setuid");
+ exit(1);
+ }
+
+ retval = krb5_ccache_copy(ksu_context, cc_tmp, cc_target_tag,
+ client, FALSE, client, &cc_target, &stored,
+ target_pwd->pw_uid);
+ if (retval) {
+ com_err(prog_name, retval, _("while copying cache %s to %s"),
+ KS_TEMPORARY_CACHE, cc_target_tag);
+ exit(1);
+ }
+
+ if (stored && !ks_ccache_is_initialized(ksu_context, cc_target)) {
+ com_err(prog_name, errno,
+ _("%s does not have correct permissions for %s, %s aborted"),
+ target_user, cc_target_tag, prog_name);
+ exit(1);
+ }
+
+ free(cc_target_tag);
+
+ /* Set the cc env name to target. */
+ retval = set_ccname_env(ksu_context, cc_target);
+ if (retval != 0) {
sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -799,6 +780,29 @@ main (argc, argv)
}
}
+/* Set KRB5CCNAME in the environment to point to ccache. Print an error
+ * message on failure. */
+static krb5_error_code
+set_ccname_env(krb5_context ksu_context, krb5_ccache ccache)
+{
+ krb5_error_code retval;
+ char *ccname;
+
+ retval = krb5_cc_get_full_name(ksu_context, ccache, &ccname);
+ if (retval) {
+ com_err(prog_name, retval, _("while reading cache name from ccache"));
+ return retval;
+ }
+ if (set_env_var(KRB5_ENV_CCNAME, ccname)) {
+ retval = errno;
+ fprintf(stderr,
+ _("ksu: couldn't set environment variable %s\n"),
+ KRB5_ENV_CCNAME);
+ }
+ krb5_free_string(ksu_context, ccname);
+ return retval;
+}
+
#ifdef HAVE_GETUSERSHELL
int standard_shell(sh)
--
2.0.4
|
