From 5286fddf967af8952bd9d42d6d1ec1ddfcc159ad Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@dahyabhai.net>
Date: Wed, 30 Oct 2013 21:34:27 -0400
Subject: [PATCH 5/6] Be more careful of target ccache collections

When copying credentials to a cache collection, take care to avoid
generating multiple caches for a single client principal, but don't
change the primary out from anyone who might already be using the
target collection.
---
 src/clients/ksu/ccache.c | 62 ++++++++++++++++++++++++++++++++++++++++++------
 src/clients/ksu/ksu.h    |  2 +-
 src/clients/ksu/main.c   | 11 +++++++--
 3 files changed, 65 insertions(+), 10 deletions(-)

diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
index 90ba2f2..2a97893 100644
--- a/src/clients/ksu/ccache.c
+++ b/src/clients/ksu/ccache.c
@@ -48,7 +48,7 @@ void show_credential();
 
 krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
                                   primary_principal, destroy_def,
-                                  cc_out, stored, target_uid)
+                                  cc_out, stored, reused, target_uid)
 /* IN */
     krb5_context context;
     krb5_ccache cc_def;
@@ -59,10 +59,12 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
     /* OUT */
     krb5_ccache *cc_out;
     krb5_boolean *stored;
+    krb5_boolean *reused;
 {
     int i=0;
     krb5_ccache  * cc_other;
     const char * cc_other_type;
+    char * saved_cc_default_name;
     krb5_error_code retval=0;
     krb5_creds ** cc_def_creds_arr = NULL;
     krb5_creds ** cc_other_creds_arr = NULL;
@@ -99,9 +101,33 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
         return errno;
     }
 
-
-    if ((retval = krb5_cc_initialize(context, *cc_other, primary_principal))){
-        return retval;
+    if (krb5_cc_support_switch(context, cc_other_type)) {
+        *reused = TRUE;
+        krb5_cc_close(context, *cc_other);
+        saved_cc_default_name = strdup(krb5_cc_default_name(context));
+        krb5_cc_set_default_name(context, cc_other_tag);
+        if (krb5_cc_cache_match(context, primary_principal, cc_other) != 0) {
+            *reused = FALSE;
+            retval = krb5_cc_new_unique(context, cc_other_type, NULL,
+                                        cc_other);
+            if (retval) {
+                krb5_cc_set_default_name(context, saved_cc_default_name);
+                free(saved_cc_default_name);
+                return retval;
+            }
+        }
+        retval = krb5_cc_initialize(context, *cc_other, primary_principal);
+        krb5_cc_set_default_name(context, saved_cc_default_name);
+        free(saved_cc_default_name);
+        if (retval) {
+            return retval;
+        }
+    } else {
+        *reused = FALSE;
+        retval = krb5_cc_initialize(context, *cc_other, primary_principal);
+        if (retval) {
+            return retval;
+        }
     }
 
     retval = krb5_store_all_creds(context, * cc_other, cc_def_creds_arr,
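Review bot: The strdup() at `saved_cc_default_name = strdup(krb5_cc_default_name(context));` is unchecked, so on allocation failure the later restore call becomes krb5_cc_set_default_name(context, NULL), which per the krb5 API resets the default cache name rather than restoring the value the process had before; in a setuid client like ksu that silently changes which cache later lookups resolve. Add `if (saved_cc_default_name == NULL) return ENOMEM;` directly after the strdup, before the default name is switched to cc_other_tag. The return values of both krb5_cc_set_default_name() calls on the switch path are also discarded, so a failed restore goes unnoticed. krb5_ccache_copy's body continues outside the hunk, and the same unchecked strdup appears in krb5_ccache_copy_restricted in the hunk below.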
@@ -650,6 +676,7 @@ krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag,
     int i=0;
     krb5_ccache  * cc_other;
     const char * cc_other_type;
+    char * saved_cc_default_name;
     krb5_error_code retval=0;
     krb5_creds ** cc_def_creds_arr = NULL;
     krb5_creds ** cc_other_creds_arr = NULL;
@@ -677,9 +704,30 @@ krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag,
         return errno;
     }
 
-
-    if ((retval = krb5_cc_initialize(context, *cc_other, prst))){
-        return retval;
+    if (krb5_cc_support_switch(context, cc_other_type)) {
+        krb5_cc_close(context, *cc_other);
+        saved_cc_default_name = strdup(krb5_cc_default_name(context));
+        krb5_cc_set_default_name(context, cc_other_tag);
+        if (krb5_cc_cache_match(context, prst, cc_other) != 0) {
+            retval = krb5_cc_new_unique(context, cc_other_type, NULL,
+                                        cc_other);
+            if (retval) {
+                krb5_cc_set_default_name(context, saved_cc_default_name);
+                free(saved_cc_default_name);
+                return retval;
+            }
+        }
+        retval = krb5_cc_initialize(context, *cc_other, prst);
+        if (retval) {
+            return retval;
+        }
+        krb5_cc_set_default_name(context, saved_cc_default_name);
+        free(saved_cc_default_name);
+    } else {
+        retval = krb5_cc_initialize(context, *cc_other, prst);
+        if (retval) {
+            return retval;
+        }
     }
 
     retval = krb5_store_some_creds(context, * cc_other,
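Review bot: The failure path right after `retval = krb5_cc_initialize(context, *cc_other, prst);` returns before the default cache name is restored and before saved_cc_default_name is freed, so on that error the context's default name stays pointed at cc_other_tag and the strdup'd string leaks. The parallel code in krb5_ccache_copy (hunk above) restores first and then tests retval; do the same here by moving `krb5_cc_set_default_name(context, saved_cc_default_name); free(saved_cc_default_name);` above the `if (retval)` check. The strdup result is unchecked here as well, with the same consequence for the restore call. krb5_ccache_copy_restricted's body continues outside the hunk.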
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
index a195f52..b3ef7b9 100644
--- a/src/clients/ksu/ksu.h
+++ b/src/clients/ksu/ksu.h
@@ -108,7 +108,7 @@ extern krb5_error_code get_best_principal
 /* ccache.c */
 extern krb5_error_code krb5_ccache_copy
 (krb5_context, krb5_ccache, char *, krb5_principal,
- krb5_boolean, krb5_ccache *, krb5_boolean *, uid_t);
+ krb5_boolean, krb5_ccache *, krb5_boolean *, krb5_boolean *, uid_t);
 
 extern krb5_error_code krb5_store_all_creds
 (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **);
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 58df6a1..1c0c822 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -117,6 +117,7 @@ main (argc, argv)
     int pargc;
     char ** pargv;
     krb5_boolean stored = FALSE;
+    krb5_boolean reused = FALSE;
     krb5_principal  kdc_server;
     krb5_boolean zero_password;
 
@@ -523,7 +524,8 @@ main (argc, argv)
     } else {
 
         retval = krb5_ccache_copy(ksu_context, cc_source, KRB5_TEMPORARY_CACHE,
-                                  client, FALSE, &cc_tmp, &stored, 0);
+                                  client, FALSE, &cc_tmp, &stored, &reused,
+                                  0);
         if (retval) {
             com_err(prog_name, retval, _("while copying cache %s to %s"),
                     krb5_cc_get_name(ksu_context, cc_source),
@@ -801,7 +803,7 @@ main (argc, argv)
 
     retval = krb5_ccache_copy(ksu_context, cc_tmp, cc_target_tag,
                               client, TRUE, &cc_target, &stored,
-                              target_pwd->pw_uid);
+                              &reused, target_pwd->pw_uid);
     if (retval) {
         com_err(prog_name, retval, _("while copying cache %s to %s"),
                 krb5_cc_get_name(ksu_context, cc_tmp), cc_target_tag);
@@ -825,6 +827,11 @@ main (argc, argv)
                 sweep_up(ksu_context, cc_target);
                 exit(1);
             }
+            if (reused && !keep_target_cache) {
+                print_status(_("Reusing cache %s, it will not be removed.\n"),
+                             cc_target_tag);
+                keep_target_cache = TRUE;
+            }
             krb5_free_string(ksu_context, cc_target_tag);
         } else {
             com_err(prog_name, retval, _("while reading cache name from %s"),
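Review bot: The new `if (reused && !keep_target_cache)` block overrides keep_target_cache without stating the invariant it protects, which matters because, judging by the status message, that flag decides whether the target cache is removed at exit. A one-line comment above it would make the ownership explicit: `/* The cache already existed in the target collection before ksu ran; it is not ours to remove at exit. */`. The enclosing block starts outside the hunk.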
-- 
1.8.5.3