From b39abd936b6422716d0d6edf5b37326bbe095da7 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@dahyabhai.net>
Date: Wed, 30 Oct 2013 21:34:27 -0400
Subject: [PATCH 5/6] Be more careful of target ccache collections
When copying credentials to a cache collection, take care to avoid
generating multiple caches for a single client principal, but don't
change the primary out from anyone who might already be using the
target collection.
---
src/clients/ksu/ccache.c | 62 ++++++++++++++++++++++++++++++++++++++++++------
src/clients/ksu/ksu.h | 2 +-
src/clients/ksu/main.c | 11 +++++++--
3 files changed, 65 insertions(+), 10 deletions(-)
diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
|
|
|
5af5b2 |
index 90ba2f2..2a97893 100644
|
|
|
5af5b2 |
--- a/src/clients/ksu/ccache.c
|
|
|
5af5b2 |
+++ b/src/clients/ksu/ccache.c
|
|
|
5af5b2 |
@@ -48,7 +48,7 @@ void show_credential();
|
|
|
5af5b2 |
|
|
|
5af5b2 |
krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
|
|
|
5af5b2 |
primary_principal, destroy_def,
|
|
|
5af5b2 |
- cc_out, stored, target_uid)
|
|
|
5af5b2 |
+ cc_out, stored, reused, target_uid)
|
|
|
5af5b2 |
/* IN */
|
|
|
5af5b2 |
krb5_context context;
|
|
|
5af5b2 |
krb5_ccache cc_def;
|
|
|
5af5b2 |
@@ -59,10 +59,12 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
|
|
|
5af5b2 |
/* OUT */
|
|
|
5af5b2 |
krb5_ccache *cc_out;
|
|
|
5af5b2 |
krb5_boolean *stored;
|
|
|
5af5b2 |
+ krb5_boolean *reused;
|
|
|
5af5b2 |
{
|
|
|
5af5b2 |
int i=0;
|
|
|
5af5b2 |
krb5_ccache * cc_other;
|
|
|
5af5b2 |
const char * cc_other_type;
|
|
|
5af5b2 |
+ char * saved_cc_default_name;
|
|
|
5af5b2 |
krb5_error_code retval=0;
|
|
|
5af5b2 |
krb5_creds ** cc_def_creds_arr = NULL;
|
|
|
5af5b2 |
krb5_creds ** cc_other_creds_arr = NULL;
|
|
|
5af5b2 |
@@ -99,9 +101,33 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
|
|
|
5af5b2 |
return errno;
|
|
|
5af5b2 |
}
|
|
|
5af5b2 |
|
|
|
5af5b2 |
-
|
|
|
5af5b2 |
- if ((retval = krb5_cc_initialize(context, *cc_other, primary_principal))){
|
|
|
5af5b2 |
- return retval;
|
|
|
5af5b2 |
+ if (krb5_cc_support_switch(context, cc_other_type)) {
|
|
|
5af5b2 |
+ *reused = TRUE;
|
|
|
5af5b2 |
+ krb5_cc_close(context, *cc_other);
|
|
|
5af5b2 |
+ saved_cc_default_name = strdup(krb5_cc_default_name(context));
|
|
|
5af5b2 |
+ krb5_cc_set_default_name(context, cc_other_tag);
|
|
|
5af5b2 |
+ if (krb5_cc_cache_match(context, primary_principal, cc_other) != 0) {
|
|
|
5af5b2 |
+ *reused = FALSE;
|
|
|
5af5b2 |
+ retval = krb5_cc_new_unique(context, cc_other_type, NULL,
|
|
|
5af5b2 |
+ cc_other);
|
|
|
5af5b2 |
+ if (retval) {
|
|
|
5af5b2 |
+ krb5_cc_set_default_name(context, saved_cc_default_name);
|
|
|
5af5b2 |
+ free(saved_cc_default_name);
|
|
|
5af5b2 |
+ return retval;
|
|
|
5af5b2 |
+ }
|
|
|
5af5b2 |
+ }
|
|
|
5af5b2 |
+ retval = krb5_cc_initialize(context, *cc_other, primary_principal);
|
|
|
5af5b2 |
+ krb5_cc_set_default_name(context, saved_cc_default_name);
|
|
|
5af5b2 |
+ free(saved_cc_default_name);
|
|
|
5af5b2 |
+ if (retval) {
|
|
|
5af5b2 |
+ return retval;
|
|
|
5af5b2 |
+ }
|
|
|
5af5b2 |
+ } else {
|
|
|
5af5b2 |
+ *reused = FALSE;
|
|
|
5af5b2 |
+ retval = krb5_cc_initialize(context, *cc_other, primary_principal);
|
|
|
5af5b2 |
+ if (retval) {
|
|
|
5af5b2 |
+ return retval;
|
|
|
5af5b2 |
+ }
|
|
|
5af5b2 |
}
|
|
|
5af5b2 |
|
|
|
5af5b2 |
retval = krb5_store_all_creds(context, * cc_other, cc_def_creds_arr,
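Review bot: The `strdup(krb5_cc_default_name(context))` result on the line after `krb5_cc_close` is never checked, and the same pattern appears in the krb5_ccache_copy_restricted hunk below; on allocation failure `saved_cc_default_name` is NULL, so the later `krb5_cc_set_default_name(context, saved_cc_default_name)` resets the context default rather than restoring it, and if krb5_cc_default_name itself returned NULL the strdup call is undefined. Add `if (saved_cc_default_name == NULL) return ENOMEM;` directly after the strdup (the cache handle has already been closed at that point, so nothing else needs unwinding). The return value of `krb5_cc_set_default_name(context, cc_other_tag)` is also ignored; if that call fails, krb5_cc_cache_match searches whatever collection was previously the default instead of the target one, so it should be checked the same way. A one-line comment such as `/* krb5_cc_cache_match searches the default collection, so point it at cc_other_tag for the duration of the lookup. */` would explain why the default name is swapped at all. krb5_ccache_copy's body continues past the end of this hunk.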
|
|
|
5af5b2 |
@@ -650,6 +676,7 @@ krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag,
|
|
|
5af5b2 |
int i=0;
|
|
|
5af5b2 |
krb5_ccache * cc_other;
|
|
|
5af5b2 |
const char * cc_other_type;
|
|
|
5af5b2 |
+ char * saved_cc_default_name;
|
|
|
5af5b2 |
krb5_error_code retval=0;
|
|
|
5af5b2 |
krb5_creds ** cc_def_creds_arr = NULL;
|
|
|
5af5b2 |
krb5_creds ** cc_other_creds_arr = NULL;
|
|
|
5af5b2 |
@@ -677,9 +704,30 @@ krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag,
|
|
|
5af5b2 |
return errno;
|
|
|
5af5b2 |
}
|
|
|
5af5b2 |
|
|
|
5af5b2 |
-
|
|
|
5af5b2 |
- if ((retval = krb5_cc_initialize(context, *cc_other, prst))){
|
|
|
5af5b2 |
- return retval;
|
|
|
5af5b2 |
+ if (krb5_cc_support_switch(context, cc_other_type)) {
|
|
|
5af5b2 |
+ krb5_cc_close(context, *cc_other);
|
|
|
5af5b2 |
+ saved_cc_default_name = strdup(krb5_cc_default_name(context));
|
|
|
5af5b2 |
+ krb5_cc_set_default_name(context, cc_other_tag);
|
|
|
5af5b2 |
+ if (krb5_cc_cache_match(context, prst, cc_other) != 0) {
|
|
|
5af5b2 |
+ retval = krb5_cc_new_unique(context, cc_other_type, NULL,
|
|
|
5af5b2 |
+ cc_other);
|
|
|
5af5b2 |
+ if (retval) {
|
|
|
5af5b2 |
+ krb5_cc_set_default_name(context, saved_cc_default_name);
|
|
|
5af5b2 |
+ free(saved_cc_default_name);
|
|
|
5af5b2 |
+ return retval;
|
|
|
5af5b2 |
+ }
|
|
|
5af5b2 |
+ }
|
|
|
5af5b2 |
+ retval = krb5_cc_initialize(context, *cc_other, prst);
|
|
|
5af5b2 |
+ if (retval) {
|
|
|
5af5b2 |
+ return retval;
|
|
|
5af5b2 |
+ }
|
|
|
5af5b2 |
+ krb5_cc_set_default_name(context, saved_cc_default_name);
|
|
|
5af5b2 |
+ free(saved_cc_default_name);
|
|
|
5af5b2 |
+ } else {
|
|
|
5af5b2 |
+ retval = krb5_cc_initialize(context, *cc_other, prst);
|
|
|
5af5b2 |
+ if (retval) {
|
|
|
5af5b2 |
+ return retval;
|
|
|
5af5b2 |
+ }
|
|
|
5af5b2 |
}
|
|
|
5af5b2 |
|
|
|
5af5b2 |
retval = krb5_store_some_creds(context, * cc_other,
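Review bot: The `if (retval) { return retval; }` after `krb5_cc_initialize(context, *cc_other, prst)` exits before the `krb5_cc_set_default_name(context, saved_cc_default_name)` and `free(saved_cc_default_name)` that follow it, so an initialize failure leaks the saved name and leaves the context's default cache name pointing at `cc_other_tag` for the rest of the process. The equivalent sequence in krb5_ccache_copy above already restores and frees before testing `retval`; mirror that order here: `retval = krb5_cc_initialize(context, *cc_other, prst); krb5_cc_set_default_name(context, saved_cc_default_name); free(saved_cc_default_name);` and only then `if (retval) { return retval; }`. krb5_ccache_copy_restricted's body continues past the end of this hunk.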
|
|
|
5af5b2 |
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
|
|
|
5af5b2 |
index a195f52..b3ef7b9 100644
|
|
|
5af5b2 |
--- a/src/clients/ksu/ksu.h
|
|
|
5af5b2 |
+++ b/src/clients/ksu/ksu.h
|
|
|
5af5b2 |
@@ -108,7 +108,7 @@ extern krb5_error_code get_best_principal
|
|
|
5af5b2 |
/* ccache.c */
|
|
|
5af5b2 |
extern krb5_error_code krb5_ccache_copy
|
|
|
5af5b2 |
(krb5_context, krb5_ccache, char *, krb5_principal,
|
|
|
5af5b2 |
- krb5_boolean, krb5_ccache *, krb5_boolean *, uid_t);
|
|
|
5af5b2 |
+ krb5_boolean, krb5_ccache *, krb5_boolean *, krb5_boolean *, uid_t);
|
|
|
5af5b2 |
|
|
|
5af5b2 |
extern krb5_error_code krb5_store_all_creds
|
|
|
5af5b2 |
(krb5_context, krb5_ccache, krb5_creds **, krb5_creds **);
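Review bot: The prototype now has two adjacent unnamed `krb5_boolean *` out-parameters, and nothing at the declaration says which is `stored` and which is `reused`, or what `reused` means. Since ksu.h carries no parameter names, a comment on the declaration would do, e.g. `/* out: stored, reused (an existing cache for the principal was found in the target collection and re-initialized) */`, matching what the ccache.c change does with krb5_cc_cache_match followed by krb5_cc_initialize.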
|
|
|
5af5b2 |
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
|
|
|
5af5b2 |
index 58df6a1..1c0c822 100644
|
|
|
5af5b2 |
--- a/src/clients/ksu/main.c
|
|
|
5af5b2 |
+++ b/src/clients/ksu/main.c
|
|
|
5af5b2 |
@@ -117,6 +117,7 @@ main (argc, argv)
|
|
|
5af5b2 |
int pargc;
|
|
|
5af5b2 |
char ** pargv;
|
|
|
5af5b2 |
krb5_boolean stored = FALSE;
|
|
|
5af5b2 |
+ krb5_boolean reused = FALSE;
|
|
|
5af5b2 |
krb5_principal kdc_server;
|
|
|
5af5b2 |
krb5_boolean zero_password;
|
|
|
5af5b2 |
|
|
|
5af5b2 |
@@ -523,7 +524,8 @@ main (argc, argv)
|
|
|
5af5b2 |
} else {
|
|
|
5af5b2 |
|
|
|
5af5b2 |
retval = krb5_ccache_copy(ksu_context, cc_source, KRB5_TEMPORARY_CACHE,
|
|
|
5af5b2 |
- client, FALSE, &cc_tmp, &stored, 0);
|
|
|
5af5b2 |
+ client, FALSE, &cc_tmp, &stored, &reused,
|
|
|
5af5b2 |
+ 0);
|
|
|
5af5b2 |
if (retval) {
|
|
|
5af5b2 |
com_err(prog_name, retval, _("while copying cache %s to %s"),
|
|
|
5af5b2 |
krb5_cc_get_name(ksu_context, cc_source),
|
|
|
5af5b2 |
@@ -801,7 +803,7 @@ main (argc, argv)
|
|
|
5af5b2 |
|
|
|
5af5b2 |
retval = krb5_ccache_copy(ksu_context, cc_tmp, cc_target_tag,
|
|
|
5af5b2 |
client, TRUE, &cc_target, &stored,
|
|
|
5af5b2 |
- target_pwd->pw_uid);
|
|
|
5af5b2 |
+ &reused, target_pwd->pw_uid);
|
|
|
5af5b2 |
if (retval) {
|
|
|
5af5b2 |
com_err(prog_name, retval, _("while copying cache %s to %s"),
|
|
|
5af5b2 |
krb5_cc_get_name(ksu_context, cc_tmp), cc_target_tag);
|
|
|
5af5b2 |
@@ -825,6 +827,11 @@ main (argc, argv)
|
|
|
5af5b2 |
sweep_up(ksu_context, cc_target);
|
|
|
5af5b2 |
exit(1);
|
|
|
5af5b2 |
}
|
|
|
5af5b2 |
+ if (reused && !keep_target_cache) {
|
|
|
5af5b2 |
+ print_status(_("Reusing cache %s, it will not be removed.\n"),
|
|
|
5af5b2 |
+ cc_target_tag);
|
|
|
5af5b2 |
+ keep_target_cache = TRUE;
|
|
|
5af5b2 |
+ }
|
|
|
5af5b2 |
krb5_free_string(ksu_context, cc_target_tag);
|
|
|
5af5b2 |
} else {
|
|
|
5af5b2 |
com_err(prog_name, retval, _("while reading cache name from %s"),
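Review bot: The `Reusing cache %s, it will not be removed.` message and the forced `keep_target_cache = TRUE` present the cache as reused intact, but in the ccache.c change the matched cache is handed to `krb5_cc_initialize`, which discards whatever credentials it previously held before the new ones are stored, and a reader of this block cannot tell that the target's prior credentials in that cache have been replaced. A comment above `if (reused && !keep_target_cache)` such as `/* krb5_ccache_copy re-initialized an existing cache in the target collection; keep it, since other sessions may already refer to it by name. */` would make the intent and the trade-off visible. Since only the cache name is preserved, consider also whether the status message should say the existing cache was re-initialized rather than reused.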
--
1.8.4.2