1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
|
From 3a456898af626dcab4e1ab0749ca2ccb9ad6162b Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@dahyabhai.net>
Date: Wed, 30 Oct 2013 21:47:14 -0400
Subject: [PATCH 4/7] Make ksu respect the default_ccache_name setting
Move the logic for resolving and initializing a cache that we're
copying creds into out of krb5_ccache_copy(), and let the caller deal
with it. Add a helper functions to select/resolve an output ccache in
the default location for the target user after we've switched to the
target user's privileges. If the destination is a collection, take
care not to change which subsidiary is its primary, and reuse a
subsidiary cache if we can. If the destination is not a collection,
append a unique value to its name to make a new ccache.
[ghudson@mit.edu: some changes to variable names and comments; move
responsibility for getting target ccache name from
resolve_target_ccache to main]
ticket: 7984 (new)
---
src/clients/ksu/ccache.c | 35 +++------
src/clients/ksu/ksu.h | 6 +-
src/clients/ksu/main.c | 181 ++++++++++++++++++++++++++++++++++++++---------
3 files changed, 157 insertions(+), 65 deletions(-)
diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
index d0fc389..4693bd4 100644
--- a/src/clients/ksu/ccache.c
+++ b/src/clients/ksu/ccache.c
@@ -46,59 +46,41 @@ void show_credential();
with k5 beta 3 release.
*/
-krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
- primary_principal, restrict_creds,
- target_principal, cc_out, stored, target_uid)
+krb5_error_code krb5_ccache_copy(context, cc_def, target_principal, cc_target,
+ restrict_creds, primary_principal, stored)
/* IN */
krb5_context context;
krb5_ccache cc_def;
- char *cc_other_tag;
- krb5_principal primary_principal;
- krb5_boolean restrict_creds;
krb5_principal target_principal;
- uid_t target_uid;
+ krb5_ccache cc_target;
+ krb5_boolean restrict_creds;
+ krb5_principal primary_principal;
/* OUT */
- krb5_ccache *cc_out;
krb5_boolean *stored;
{
int i=0;
- krb5_ccache * cc_other;
krb5_error_code retval=0;
krb5_creds ** cc_def_creds_arr = NULL;
krb5_creds ** cc_other_creds_arr = NULL;
- cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache));
-
- if ((retval = krb5_cc_resolve(context, cc_other_tag, cc_other))){
- com_err(prog_name, retval, _("resolving ccache %s"), cc_other_tag);
- return retval;
- }
-
if (ks_ccache_is_initialized(context, cc_def)) {
if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
return retval;
}
}
- if (ks_ccache_name_is_initialized(context, cc_other_tag))
- return EINVAL;
-
- if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
- return errno;
- }
-
- retval = krb5_cc_initialize(context, *cc_other, target_principal);
+ retval = krb5_cc_initialize(context, cc_target, target_principal);
if (retval)
return retval;
if (restrict_creds) {
- retval = krb5_store_some_creds(context, *cc_other, cc_def_creds_arr,
+ retval = krb5_store_some_creds(context, cc_target, cc_def_creds_arr,
cc_other_creds_arr, primary_principal,
stored);
} else {
*stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr,
primary_principal);
- retval = krb5_store_all_creds(context, *cc_other, cc_def_creds_arr,
+ retval = krb5_store_all_creds(context, cc_target, cc_def_creds_arr,
cc_other_creds_arr);
}
@@ -118,7 +100,6 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
}
}
- *cc_out = *cc_other;
return retval;
}
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
index 08bf01b..fbbf217 100644
--- a/src/clients/ksu/ksu.h
+++ b/src/clients/ksu/ksu.h
@@ -44,8 +44,6 @@
#define KRB5_DEFAULT_OPTIONS 0
#define KRB5_DEFAULT_TKT_LIFE 60*60*12 /* 12 hours */
-#define KRB5_SECONDARY_CACHE "FILE:/tmp/krb5cc_"
-
#define KRB5_LOGIN_NAME ".k5login"
#define KRB5_USERS_NAME ".k5users"
#define USE_DEFAULT_REALM_NAME "."
@@ -106,8 +104,8 @@ extern krb5_error_code get_best_principal
/* ccache.c */
extern krb5_error_code krb5_ccache_copy
-(krb5_context, krb5_ccache, char *, krb5_principal, krb5_boolean,
- krb5_principal, krb5_ccache *, krb5_boolean *, uid_t);
+(krb5_context, krb5_ccache, krb5_principal, krb5_ccache,
+ krb5_boolean, krb5_principal, krb5_boolean *);
extern krb5_error_code krb5_store_all_creds
(krb5_context, krb5_ccache, krb5_creds **, krb5_creds **);
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index d1bb8ca..41a3bf8 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -54,6 +54,10 @@ static void print_status( const char *fmt, ...)
__attribute__ ((__format__ (__printf__, 1, 2)))
#endif
;
+static krb5_error_code resolve_target_cache(krb5_context ksu_context,
+ krb5_principal princ,
+ krb5_ccache *ccache_out,
+ krb5_boolean *ccache_reused);
/* Note -e and -a options are mutually exclusive */
/* insure the proper specification of target user as well as catching
@@ -112,7 +116,7 @@ main (argc, argv)
extern char * getpass(), *crypt();
int pargc;
char ** pargv;
- krb5_boolean stored = FALSE;
+ krb5_boolean stored = FALSE, cc_reused = FALSE;
krb5_principal kdc_server;
krb5_boolean zero_password;
krb5_boolean restrict_creds;
@@ -416,23 +420,8 @@ main (argc, argv)
exit(1);
}
- /*
- * Make sure that the new ticket file does not already exist.
- * This is run as source_uid because it is reasonable to
- * require the source user to have write to where the target
- * cache will be created.
- */
- cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE, sizeof(char));
- do {
- snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d",
- KRB5_SECONDARY_CACHE,
- (long)target_uid, gen_sym());
- } while (ks_ccache_name_is_initialized(ksu_context, cc_target_tag));
-
- if (auth_debug){
+ if (auth_debug)
fprintf(stderr, " source cache = %s\n", cc_source_tag);
- fprintf(stderr, " target cache = %s\n", cc_target_tag);
- }
/*
* After proper authentication and authorization, populate a cache for the
@@ -455,14 +444,19 @@ main (argc, argv)
com_err(prog_name, retval, _("while parsing temporary name"));
exit(1);
}
- retval = krb5_ccache_copy(ksu_context, cc_source, KS_TEMPORARY_CACHE,
- client, restrict_creds, tmp_princ, &cc_tmp,
- &stored, 0);
+ retval = krb5_cc_resolve(ksu_context, KS_TEMPORARY_CACHE, &cc_tmp);
+ if (retval) {
+ com_err(prog_name, retval, _("while creating temporary cache"));
+ exit(1);
+ }
+ retval = krb5_ccache_copy(ksu_context, cc_source, tmp_princ, cc_tmp,
+ restrict_creds, client, &stored);
if (retval) {
com_err(prog_name, retval, _("while copying cache %s to %s"),
krb5_cc_get_name(ksu_context, cc_source), KS_TEMPORARY_CACHE);
exit(1);
}
+ krb5_cc_close(ksu_context, cc_source);
/* Become root for authentication*/
@@ -686,23 +680,38 @@ main (argc, argv)
exit(1);
}
- retval = krb5_ccache_copy(ksu_context, cc_tmp, cc_target_tag,
- client, FALSE, client, &cc_target, &stored,
- target_pwd->pw_uid);
+ retval = resolve_target_cache(ksu_context, client, &cc_target, &cc_reused);
+ if (retval)
+ exit(1);
+ retval = krb5_cc_get_full_name(ksu_context, cc_target, &cc_target_tag);
if (retval) {
- com_err(prog_name, retval, _("while copying cache %s to %s"),
- KS_TEMPORARY_CACHE, cc_target_tag);
+ com_err(prog_name, retval, _("while getting name of target ccache"));
+ sweep_up(ksu_context, cc_target);
exit(1);
}
+ if (auth_debug)
+ fprintf(stderr, " target cache = %s\n", cc_target_tag);
+ if (cc_reused)
+ keep_target_cache = TRUE;
- if (stored && !ks_ccache_is_initialized(ksu_context, cc_target)) {
- com_err(prog_name, errno,
- _("%s does not have correct permissions for %s, %s aborted"),
- target_user, cc_target_tag, prog_name);
- exit(1);
+ if (stored) {
+ retval = krb5_ccache_copy(ksu_context, cc_tmp, client, cc_target,
+ FALSE, client, &stored);
+ if (retval) {
+ com_err(prog_name, retval, _("while copying cache %s to %s"),
+ KS_TEMPORARY_CACHE, cc_target_tag);
+ exit(1);
+ }
+
+ if (!ks_ccache_is_initialized(ksu_context, cc_target)) {
+ com_err(prog_name, errno,
+ _("%s does not have correct permissions for %s, "
+ "%s aborted"), target_user, cc_target_tag, prog_name);
+ exit(1);
+ }
}
- free(cc_target_tag);
+ krb5_free_string(ksu_context, cc_target_tag);
/* Set the cc env name to target. */
retval = set_ccname_env(ksu_context, cc_target);
@@ -711,9 +720,6 @@ main (argc, argv)
exit(1);
}
- if ( cc_source)
- krb5_cc_close(ksu_context, cc_source);
-
if (cmd){
if ((source_uid == 0) || (source_uid == target_uid )){
exec_cmd = cmd;
@@ -803,6 +809,113 @@ set_ccname_env(krb5_context ksu_context, krb5_ccache ccache)
return retval;
}
+/*
+ * Get the configured default ccache name. Unset KRB5CCNAME and force a
+ * recomputation so we don't use values for the source user. Print an error
+ * message on failure.
+ */
+static krb5_error_code
+get_configured_defccname(krb5_context context, char **target_out)
+{
+ krb5_error_code retval;
+ const char *defname;
+ char *target;
+
+ *target_out = NULL;
+
+ if (unsetenv(KRB5_ENV_CCNAME) != 0) {
+ retval = errno;
+ com_err(prog_name, retval, _("while clearing the value of %s"),
+ KRB5_ENV_CCNAME);
+ return retval;
+ }
+
+ /* Make sure we don't have a cached value for a different uid. */
+ retval = krb5_cc_set_default_name(context, NULL);
+ if (retval != 0) {
+ com_err(prog_name, retval, _("while resetting target ccache name"));
+ return retval;
+ }
+
+ defname = krb5_cc_default_name(context);
+ target = (defname == NULL) ? NULL : strdup(defname);
+ if (target == NULL) {
+ com_err(prog_name, ENOMEM, _("while determining target ccache name"));
+ return ENOMEM;
+ }
+ *target_out = target;
+ return 0;
+}
+
+/* Determine where the target user's creds should be stored. Print an error
+ * message on failure. */
+static krb5_error_code
+resolve_target_cache(krb5_context context, krb5_principal princ,
+ krb5_ccache *ccache_out, krb5_boolean *ccache_reused)
+{
+ krb5_error_code retval;
+ krb5_boolean switchable, reused = FALSE;
+ krb5_ccache ccache = NULL;
+ char *sep, *ccname = NULL, *target;
+
+ *ccache_out = NULL;
+ *ccache_reused = FALSE;
+
+ retval = get_configured_defccname(context, &target);
+ if (retval != 0)
+ return retval;
+
+ /* Check if the configured default name uses a switchable type. */
+ sep = strchr(target, ':');
+ *sep = '\0';
+ switchable = krb5_cc_support_switch(context, target);
+ *sep = ':';
+
+ if (!switchable) {
+ /* Try to avoid destroying an in-use target ccache by coming up with
+ * the name of a cache that doesn't exist yet. */
+ do {
+ free(ccname);
+ if (asprintf(&ccname, "%s.%d", target, gen_sym()) < 0) {
+ retval = ENOMEM;
+ com_err(prog_name, ENOMEM,
+ _("while allocating memory for target ccache name"));
+ goto cleanup;
+ }
+ } while (ks_ccache_name_is_initialized(context, ccname));
+ retval = krb5_cc_resolve(context, ccname, &ccache);
+ } else {
+ /* Look for a cache in the collection that we can reuse. */
+ retval = krb5_cc_cache_match(context, princ, &ccache);
+ if (retval == 0) {
+ reused = TRUE;
+ } else {
+ /* There isn't one, so create a new one. */
+ *sep = '\0';
+ retval = krb5_cc_new_unique(context, target, NULL, &ccache);
+ *sep = ':';
+ if (retval) {
+ com_err(prog_name, retval,
+ _("while creating new target ccache"));
+ goto cleanup;
+ }
+ retval = krb5_cc_initialize(context, ccache, princ);
+ if (retval) {
+ com_err(prog_name, retval,
+ _("while initializing target cache"));
+ goto cleanup;
+ }
+ }
+ }
+
+ *ccache_out = ccache;
+ *ccache_reused = reused;
+
+cleanup:
+ free(target);
+ return retval;
+}
+
#ifdef HAVE_GETUSERSHELL
int standard_shell(sh)
--
2.0.4
|
