From d0a3250bd384b5dd524f102f97c9c1edc1fe00fb Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@dahyabhai.net>
Date: Wed, 30 Oct 2013 21:47:14 -0400
Subject: [PATCH 4/6] Try to use the default_ccache_name'd as the target
Try to use the location named by the default_ccache_name setting as the
target cache. If it's a collection, just create or update a subsidiary
cache. If it's not, then fall back to creating a new cache to try to
avoid destroying the contents of one that might already be there. We
can't really detect this in advance for KEYRING: caches, though.
---
src/clients/ksu/ksu.h | 2 +-
src/clients/ksu/main.c | 91 ++++++++++++++++++++++++++++++++++++--------------
2 files changed, 67 insertions(+), 26 deletions(-)
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
index a889fb9..a195f52 100644
--- a/src/clients/ksu/ksu.h
+++ b/src/clients/ksu/ksu.h
@@ -44,7 +44,7 @@
#define KRB5_DEFAULT_OPTIONS 0
#define KRB5_DEFAULT_TKT_LIFE 60*60*12 /* 12 hours */
-#define KRB5_SECONDARY_CACHE "FILE:/tmp/krb5cc_"
+#define KRB5_DEFAULT_SECONDARY_CACHE "FILE:/tmp/krb5cc_%{uid}"
#define KRB5_TEMPORARY_CACHE "MEMORY:_ksu"
#define KRB5_LOGIN_NAME ".k5login"
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 7497a2b..58df6a1 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -90,7 +90,10 @@ main (argc, argv)
krb5_ccache cc_tmp = NULL, cc_target = NULL;
krb5_context ksu_context;
char * cc_target_tag = NULL;
+ char * cc_target_tag_conf;
+ krb5_boolean cc_target_switchable;
char * target_user = NULL;
+ char * target_user_uid_str;
char * source_user;
krb5_ccache cc_source = NULL;
@@ -116,7 +119,6 @@ main (argc, argv)
krb5_boolean stored = FALSE;
krb5_principal kdc_server;
krb5_boolean zero_password;
- char * dir_of_cc_target;
options.opt = KRB5_DEFAULT_OPTIONS;
options.lifetime = KRB5_DEFAULT_TKT_LIFE;
@@ -420,31 +422,70 @@ main (argc, argv)
}
if (cc_target_tag == NULL) {
-
cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE ,sizeof(char));
- /* make sure that the new ticket file does not already exist
- This is run as source_uid because it is reasonable to
- require the source user to have write to where the target
- cache will be created.*/
-
- do {
- snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d",
- KRB5_SECONDARY_CACHE,
- (long) target_uid, gen_sym());
- cc_target_tag_tmp = strchr(cc_target_tag, ':') + 1;
-
- } while (krb5_ccache_name_is_initialized(ksu_context,
- cc_target_tag));
- }
-
-
- dir_of_cc_target = get_dir_of_file(cc_target_tag_tmp);
-
- if (access(dir_of_cc_target, R_OK | W_OK )){
- fprintf(stderr,
- _("%s does not have correct permissions for %s\n"),
- source_user, cc_target_tag);
- exit(1);
+ if (cc_target_tag == NULL) {
+ com_err(prog_name, retval , _("while allocating memory for the "
+ "target ccache name"));
+ exit(1);
+ }
+ /* Read the configured value. */
+ if (profile_get_string(ksu_context->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_DEFAULT_CCACHE_NAME, NULL,
+ KRB5_DEFAULT_SECONDARY_CACHE,
+ &cc_target_tag_conf)) {
+ com_err(prog_name, retval , _("while allocating memory for the "
+ "target ccache name"));
+ exit(1);
+ }
+ /* Prepend "FILE:" if a cctype wasn't specified in the config. */
+ if (strchr(cc_target_tag_conf, ':')) {
+ cc_target_tag_tmp = strdup(cc_target_tag_conf);
+ } else {
+ if (asprintf(&cc_target_tag_tmp, "FILE:%s",
+ cc_target_tag_conf) < 0)
+ cc_target_tag_tmp = NULL;
+ }
+ profile_release_string(cc_target_tag_conf);
+ if (cc_target_tag_tmp == NULL) {
+ com_err(prog_name, retval , _("while allocating memory for the "
+ "target ccache name"));
+ exit(1);
+ }
+ /* Resolve parameters in the configured value for the target user. */
+ if (asprintf(&target_user_uid_str, "%lu",
+ (unsigned long)target_uid) < 0) {
+ com_err(prog_name, retval , _("while allocating memory for the "
+ "target ccache name"));
+ exit(1);
+ }
+ if (k5_expand_path_tokens_extra(ksu_context,
+ cc_target_tag_tmp, &cc_target_tag_conf,
+ "euid", target_user_uid_str,
+ "uid", target_user_uid_str,
+ "USERID", target_user_uid_str,
+ "username", target_user,
+ NULL) != 0) {
+ com_err(prog_name, retval , _("while allocating memory for the "
+ "target ccache name"));
+ exit(1);
+ }
+ cc_target_tag_tmp[strcspn(cc_target_tag_tmp, ":")] = '\0';
+ cc_target_switchable = krb5_cc_support_switch(ksu_context,
+ cc_target_tag_tmp);
+ free(cc_target_tag_tmp);
+ /* Try to avoid destroying a target ccache. */
+ if (cc_target_switchable) {
+ snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s",
+ cc_target_tag_conf);
+ } else {
+ do {
+ snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s.%d",
+ cc_target_tag_conf, gen_sym());
+ } while (krb5_ccache_name_is_initialized(ksu_context,
+ cc_target_tag));
+ }
+ cc_target_tag_tmp = strchr(cc_target_tag, ':') + 1;
+ krb5_free_string(ksu_context, cc_target_tag_conf);
}
if (auth_debug){
--
1.8.4.2