|
Nalin Dahyabhai |
83fca2f |
From 5195c2b20593330192feff67dd5f271e88f562e7 Mon Sep 17 00:00:00 2001
|
|
Nalin Dahyabhai |
83fca2f |
From: Nalin Dahyabhai <nalin@dahyabhai.net>
|
|
Nalin Dahyabhai |
83fca2f |
Date: Wed, 30 Oct 2013 21:45:35 -0400
|
|
Nalin Dahyabhai |
83fca2f |
Subject: [PATCH 2/6] Use an in-memory cache until we need the target's
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
Instead of copying source or obtained creds into the target cache and
|
|
Nalin Dahyabhai |
83fca2f |
changing ownership if everything succeeds, copy them into a MEMORY:
|
|
Nalin Dahyabhai |
83fca2f |
cache and then, if everything succeeds, create the target cache as the
|
|
Nalin Dahyabhai |
83fca2f |
target user.
|
|
Nalin Dahyabhai |
83fca2f |
---
|
|
Nalin Dahyabhai |
83fca2f |
src/clients/ksu/ksu.h | 1 +
|
|
Nalin Dahyabhai |
83fca2f |
src/clients/ksu/main.c | 133 +++++++++++++++++++++++++++++--------------------
|
|
Nalin Dahyabhai |
83fca2f |
2 files changed, 80 insertions(+), 54 deletions(-)
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
|
|
Nalin Dahyabhai |
83fca2f |
index 2a63c21..1d102a1 100644
|
|
Nalin Dahyabhai |
83fca2f |
--- a/src/clients/ksu/ksu.h
|
|
Nalin Dahyabhai |
83fca2f |
+++ b/src/clients/ksu/ksu.h
|
|
Nalin Dahyabhai |
83fca2f |
@@ -45,6 +45,7 @@
|
|
Nalin Dahyabhai |
83fca2f |
#define KRB5_DEFAULT_TKT_LIFE 60*60*12 /* 12 hours */
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
#define KRB5_SECONDARY_CACHE "FILE:/tmp/krb5cc_"
|
|
Nalin Dahyabhai |
83fca2f |
+#define KRB5_TEMPORARY_CACHE "MEMORY:_ksu"
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
#define KRB5_LOGIN_NAME ".k5login"
|
|
Nalin Dahyabhai |
83fca2f |
#define KRB5_USERS_NAME ".k5users"
|
|
Nalin Dahyabhai |
83fca2f |
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
|
|
Nalin Dahyabhai |
83fca2f |
index e2ca06a..fa86c78 100644
|
|
Nalin Dahyabhai |
83fca2f |
--- a/src/clients/ksu/main.c
|
|
Nalin Dahyabhai |
83fca2f |
+++ b/src/clients/ksu/main.c
|
|
Nalin Dahyabhai |
83fca2f |
@@ -86,7 +86,7 @@ main (argc, argv)
|
|
Nalin Dahyabhai |
83fca2f |
int statusp=0;
|
|
Nalin Dahyabhai |
83fca2f |
krb5_error_code retval = 0;
|
|
Nalin Dahyabhai |
83fca2f |
krb5_principal client = NULL;
|
|
Nalin Dahyabhai |
83fca2f |
- krb5_ccache cc_target = NULL;
|
|
Nalin Dahyabhai |
83fca2f |
+ krb5_ccache cc_tmp = NULL, cc_target = NULL;
|
|
Nalin Dahyabhai |
83fca2f |
krb5_context ksu_context;
|
|
Nalin Dahyabhai |
83fca2f |
char * cc_target_tag = NULL;
|
|
Nalin Dahyabhai |
83fca2f |
char * target_user = NULL;
|
|
Nalin Dahyabhai |
83fca2f |
@@ -452,14 +452,15 @@ main (argc, argv)
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
/*
|
|
Nalin Dahyabhai |
83fca2f |
- Only when proper authentication and authorization
|
|
Nalin Dahyabhai |
83fca2f |
- takes place, the target user becomes the owner of the cache.
|
|
Nalin Dahyabhai |
83fca2f |
- */
|
|
Nalin Dahyabhai |
83fca2f |
-
|
|
Nalin Dahyabhai |
83fca2f |
- /* we continue to run as source uid until
|
|
Nalin Dahyabhai |
83fca2f |
- the middle of the copy, when becomewe become the target user
|
|
Nalin Dahyabhai |
83fca2f |
- The cache is owned by the target user.*/
|
|
Nalin Dahyabhai |
83fca2f |
+ * Only after proper authentication and authorization has
|
|
Nalin Dahyabhai |
83fca2f |
+ * taken place, do we populate a cache for the target user.
|
|
Nalin Dahyabhai |
83fca2f |
+ */
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
+ /*
|
|
Nalin Dahyabhai |
83fca2f |
+ * We read the set of creds we want to copy from the source ccache as the
|
|
Nalin Dahyabhai |
83fca2f |
+ * source uid, become root for authentication, and then become the target
|
|
Nalin Dahyabhai |
83fca2f |
+ * user to handle authorization and creating the target user's cache.
|
|
Nalin Dahyabhai |
83fca2f |
+ */
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
/* if root ksu's to a regular user, then
|
|
Nalin Dahyabhai |
83fca2f |
then only the credentials for that particular user
|
|
Nalin Dahyabhai |
83fca2f |
@@ -468,19 +469,23 @@ main (argc, argv)
|
|
Nalin Dahyabhai |
83fca2f |
if ((source_uid == 0) && (target_uid != 0)) {
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
if ((retval = krb5_ccache_copy_restricted(ksu_context, cc_source,
|
|
Nalin Dahyabhai |
83fca2f |
- cc_target_tag, client,
|
|
Nalin Dahyabhai |
83fca2f |
- &cc_target, &stored,
|
|
Nalin Dahyabhai |
83fca2f |
- target_uid))){
|
|
Nalin Dahyabhai |
83fca2f |
+ KRB5_TEMPORARY_CACHE, client,
|
|
Nalin Dahyabhai |
83fca2f |
+ &cc_tmp, &stored,
|
|
Nalin Dahyabhai |
83fca2f |
+ 0))){
|
|
Nalin Dahyabhai |
83fca2f |
com_err(prog_name, retval, _("while copying cache %s to %s"),
|
|
Nalin Dahyabhai |
83fca2f |
- krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
|
|
Nalin Dahyabhai |
83fca2f |
+ krb5_cc_get_name(ksu_context, cc_source),
|
|
Nalin Dahyabhai |
83fca2f |
+ KRB5_TEMPORARY_CACHE);
|
|
Nalin Dahyabhai |
83fca2f |
exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
} else {
|
|
Nalin Dahyabhai |
83fca2f |
- if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag,
|
|
Nalin Dahyabhai |
83fca2f |
- client,&cc_target, &stored, target_uid))) {
|
|
Nalin Dahyabhai |
83fca2f |
+
|
|
Nalin Dahyabhai |
83fca2f |
+ retval = krb5_ccache_copy(ksu_context, cc_source, KRB5_TEMPORARY_CACHE,
|
|
Nalin Dahyabhai |
83fca2f |
+ client, &cc_tmp, &stored, 0);
|
|
Nalin Dahyabhai |
83fca2f |
+ if (retval) {
|
|
Nalin Dahyabhai |
83fca2f |
com_err(prog_name, retval, _("while copying cache %s to %s"),
|
|
Nalin Dahyabhai |
83fca2f |
- krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
|
|
Nalin Dahyabhai |
83fca2f |
+ krb5_cc_get_name(ksu_context, cc_source),
|
|
Nalin Dahyabhai |
83fca2f |
+ KRB5_TEMPORARY_CACHE);
|
|
Nalin Dahyabhai |
83fca2f |
exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
@@ -502,7 +507,7 @@ main (argc, argv)
|
|
Nalin Dahyabhai |
83fca2f |
&kdc_server))){
|
|
Nalin Dahyabhai |
83fca2f |
com_err(prog_name, retval,
|
|
Nalin Dahyabhai |
83fca2f |
_("while creating tgt for local realm"));
|
|
Nalin Dahyabhai |
83fca2f |
- sweep_up(ksu_context, cc_target);
|
|
Nalin Dahyabhai |
83fca2f |
+ sweep_up(ksu_context, cc_tmp);
|
|
Nalin Dahyabhai |
83fca2f |
exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
@@ -510,13 +515,13 @@ main (argc, argv)
|
|
Nalin Dahyabhai |
83fca2f |
"enter it here and are logged\n"));
|
|
Nalin Dahyabhai |
83fca2f |
fprintf(stderr, _(" in remotely using an unsecure "
|
|
Nalin Dahyabhai |
83fca2f |
"(non-encrypted) channel.\n"));
|
|
Nalin Dahyabhai |
83fca2f |
- if (krb5_get_tkt_via_passwd (ksu_context, &cc_target, client,
|
|
Nalin Dahyabhai |
83fca2f |
- kdc_server, &options,
|
|
Nalin Dahyabhai |
83fca2f |
- &zero_password) == FALSE){
|
|
Nalin Dahyabhai |
83fca2f |
+ if (krb5_get_tkt_via_passwd(ksu_context, &cc_tmp, client,
|
|
Nalin Dahyabhai |
83fca2f |
+ kdc_server, &options,
|
|
Nalin Dahyabhai |
83fca2f |
+ &zero_password) == FALSE){
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
if (zero_password == FALSE){
|
|
Nalin Dahyabhai |
83fca2f |
fprintf(stderr, _("Goodbye\n"));
|
|
Nalin Dahyabhai |
83fca2f |
- sweep_up(ksu_context, cc_target);
|
|
Nalin Dahyabhai |
83fca2f |
+ sweep_up(ksu_context, cc_tmp);
|
|
Nalin Dahyabhai |
83fca2f |
exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
@@ -535,15 +540,16 @@ main (argc, argv)
|
|
Nalin Dahyabhai |
83fca2f |
if (source_uid && (source_uid != target_uid)) {
|
|
Nalin Dahyabhai |
83fca2f |
char * client_name;
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
- auth_val = krb5_auth_check(ksu_context, client, localhostname, &options,
|
|
Nalin Dahyabhai |
83fca2f |
- target_user,cc_target, &path_passwd, target_uid);
|
|
Nalin Dahyabhai |
83fca2f |
+ auth_val = krb5_auth_check(ksu_context, client, localhostname,
|
|
Nalin Dahyabhai |
83fca2f |
+ &options, target_user, cc_tmp,
|
|
Nalin Dahyabhai |
83fca2f |
+ &path_passwd, target_uid);
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
/* if Kerberos authentication failed then exit */
|
|
Nalin Dahyabhai |
83fca2f |
if (auth_val ==FALSE){
|
|
Nalin Dahyabhai |
83fca2f |
fprintf(stderr, _("Authentication failed.\n"));
|
|
Nalin Dahyabhai |
83fca2f |
syslog(LOG_WARNING, "'%s %s' authentication failed for %s%s",
|
|
Nalin Dahyabhai |
83fca2f |
prog_name,target_user,source_user,ontty());
|
|
Nalin Dahyabhai |
83fca2f |
- sweep_up(ksu_context, cc_target);
|
|
Nalin Dahyabhai |
83fca2f |
+ sweep_up(ksu_context, cc_tmp);
|
|
Nalin Dahyabhai |
83fca2f |
exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
@@ -576,7 +582,7 @@ main (argc, argv)
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
if ((retval = krb5_unparse_name(ksu_context, client, &client_name))) {
|
|
Nalin Dahyabhai |
83fca2f |
com_err(prog_name, retval, _("When unparsing name"));
|
|
Nalin Dahyabhai |
83fca2f |
- sweep_up(ksu_context, cc_target);
|
|
Nalin Dahyabhai |
83fca2f |
+ sweep_up(ksu_context, cc_tmp);
|
|
Nalin Dahyabhai |
83fca2f |
exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
@@ -589,7 +595,7 @@ main (argc, argv)
|
|
Nalin Dahyabhai |
83fca2f |
if (krb5_seteuid(target_uid)) {
|
|
Nalin Dahyabhai |
83fca2f |
com_err(prog_name, errno, _("while switching to target for "
|
|
Nalin Dahyabhai |
83fca2f |
"authorization check"));
|
|
Nalin Dahyabhai |
83fca2f |
- sweep_up(ksu_context, cc_target);
|
|
Nalin Dahyabhai |
83fca2f |
+ sweep_up(ksu_context, cc_tmp);
|
|
Nalin Dahyabhai |
83fca2f |
exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
@@ -597,14 +603,14 @@ main (argc, argv)
|
|
Nalin Dahyabhai |
83fca2f |
cmd, &authorization_val, &exec_cmd))){
|
|
Nalin Dahyabhai |
83fca2f |
com_err(prog_name,retval, _("while checking authorization"));
|
|
Nalin Dahyabhai |
83fca2f |
krb5_seteuid(0); /*So we have some chance of sweeping up*/
|
|
Nalin Dahyabhai |
83fca2f |
- sweep_up(ksu_context, cc_target);
|
|
Nalin Dahyabhai |
83fca2f |
+ sweep_up(ksu_context, cc_tmp);
|
|
Nalin Dahyabhai |
83fca2f |
exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
if (krb5_seteuid(0)) {
|
|
Nalin Dahyabhai |
83fca2f |
com_err(prog_name, errno, _("while switching back from target "
|
|
Nalin Dahyabhai |
83fca2f |
"after authorization check"));
|
|
Nalin Dahyabhai |
83fca2f |
- sweep_up(ksu_context, cc_target);
|
|
Nalin Dahyabhai |
83fca2f |
+ sweep_up(ksu_context, cc_tmp);
|
|
Nalin Dahyabhai |
83fca2f |
exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
if (authorization_val == TRUE){
|
|
Nalin Dahyabhai |
83fca2f |
@@ -646,21 +652,23 @@ main (argc, argv)
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
- sweep_up(ksu_context, cc_target);
|
|
Nalin Dahyabhai |
83fca2f |
+ sweep_up(ksu_context, cc_tmp);
|
|
Nalin Dahyabhai |
83fca2f |
exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
if( some_rest_copy){
|
|
Nalin Dahyabhai |
83fca2f |
- if ((retval = krb5_ccache_filter(ksu_context, cc_target, client))){
|
|
Nalin Dahyabhai |
83fca2f |
+ retval = krb5_ccache_filter(ksu_context, cc_tmp, client);
|
|
Nalin Dahyabhai |
83fca2f |
+ if (retval) {
|
|
Nalin Dahyabhai |
83fca2f |
com_err(prog_name,retval, _("while calling cc_filter"));
|
|
Nalin Dahyabhai |
83fca2f |
- sweep_up(ksu_context, cc_target);
|
|
Nalin Dahyabhai |
83fca2f |
+ sweep_up(ksu_context, cc_tmp);
|
|
Nalin Dahyabhai |
83fca2f |
exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
if (all_rest_copy){
|
|
Nalin Dahyabhai |
83fca2f |
- if ((retval = krb5_cc_initialize(ksu_context, cc_target, client))){
|
|
Nalin Dahyabhai |
83fca2f |
+ retval = krb5_cc_initialize(ksu_context, cc_tmp, client);
|
|
Nalin Dahyabhai |
83fca2f |
+ if (retval) {
|
|
Nalin Dahyabhai |
83fca2f |
com_err(prog_name, retval, _("while erasing target cache"));
|
|
Nalin Dahyabhai |
83fca2f |
exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
@@ -682,7 +690,7 @@ main (argc, argv)
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
if (!standard_shell(target_pwd->pw_shell) && source_uid) {
|
|
Nalin Dahyabhai |
83fca2f |
fprintf(stderr, _("ksu: permission denied (shell).\n"));
|
|
Nalin Dahyabhai |
83fca2f |
- sweep_up(ksu_context, cc_target);
|
|
Nalin Dahyabhai |
83fca2f |
+ sweep_up(ksu_context, cc_tmp);
|
|
Nalin Dahyabhai |
83fca2f |
exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
#endif /* HAVE_GETUSERSHELL */
|
|
Nalin Dahyabhai |
83fca2f |
@@ -692,43 +700,33 @@ main (argc, argv)
|
|
Nalin Dahyabhai |
83fca2f |
if(set_env_var("USER", target_pwd->pw_name)){
|
|
Nalin Dahyabhai |
83fca2f |
fprintf(stderr,
|
|
Nalin Dahyabhai |
83fca2f |
_("ksu: couldn't set environment variable USER\n"));
|
|
Nalin Dahyabhai |
83fca2f |
- sweep_up(ksu_context, cc_target);
|
|
Nalin Dahyabhai |
83fca2f |
+ sweep_up(ksu_context, cc_tmp);
|
|
Nalin Dahyabhai |
83fca2f |
exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
if(set_env_var( "HOME", target_pwd->pw_dir)){
|
|
Nalin Dahyabhai |
83fca2f |
fprintf(stderr, _("ksu: couldn't set environment variable HOME\n"));
|
|
Nalin Dahyabhai |
83fca2f |
- sweep_up(ksu_context, cc_target);
|
|
Nalin Dahyabhai |
83fca2f |
+ sweep_up(ksu_context, cc_tmp);
|
|
Nalin Dahyabhai |
83fca2f |
exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
if(set_env_var( "SHELL", shell)){
|
|
Nalin Dahyabhai |
83fca2f |
fprintf(stderr, _("ksu: couldn't set environment variable SHELL\n"));
|
|
Nalin Dahyabhai |
83fca2f |
- sweep_up(ksu_context, cc_target);
|
|
Nalin Dahyabhai |
83fca2f |
- exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
- }
|
|
Nalin Dahyabhai |
83fca2f |
-
|
|
Nalin Dahyabhai |
83fca2f |
- /* set the cc env name to target */
|
|
Nalin Dahyabhai |
83fca2f |
-
|
|
Nalin Dahyabhai |
83fca2f |
- if(set_env_var( KRB5_ENV_CCNAME, cc_target_tag)){
|
|
Nalin Dahyabhai |
83fca2f |
- fprintf(stderr, _("ksu: couldn't set environment variable %s\n"),
|
|
Nalin Dahyabhai |
83fca2f |
- KRB5_ENV_CCNAME);
|
|
Nalin Dahyabhai |
83fca2f |
- sweep_up(ksu_context, cc_target);
|
|
Nalin Dahyabhai |
83fca2f |
+ sweep_up(ksu_context, cc_tmp);
|
|
Nalin Dahyabhai |
83fca2f |
exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
/* set permissions */
|
|
Nalin Dahyabhai |
83fca2f |
if (setgid(target_pwd->pw_gid) < 0) {
|
|
Nalin Dahyabhai |
83fca2f |
perror("ksu: setgid");
|
|
Nalin Dahyabhai |
83fca2f |
- sweep_up(ksu_context, cc_target);
|
|
Nalin Dahyabhai |
83fca2f |
+ sweep_up(ksu_context, cc_tmp);
|
|
Nalin Dahyabhai |
83fca2f |
exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
-
|
|
Nalin Dahyabhai |
83fca2f |
if (initgroups(target_user, target_pwd->pw_gid)) {
|
|
Nalin Dahyabhai |
83fca2f |
fprintf(stderr, _("ksu: initgroups failed.\n"));
|
|
Nalin Dahyabhai |
83fca2f |
- sweep_up(ksu_context, cc_target);
|
|
Nalin Dahyabhai |
83fca2f |
+ sweep_up(ksu_context, cc_tmp);
|
|
Nalin Dahyabhai |
83fca2f |
exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
@@ -748,22 +746,49 @@ main (argc, argv)
|
|
Nalin Dahyabhai |
83fca2f |
*/
|
|
Nalin Dahyabhai |
83fca2f |
if (setluid((uid_t) pwd->pw_uid) < 0) {
|
|
Nalin Dahyabhai |
83fca2f |
perror("setluid");
|
|
Nalin Dahyabhai |
83fca2f |
- sweep_up(ksu_context, cc_target);
|
|
Nalin Dahyabhai |
83fca2f |
+ sweep_up(ksu_context, cc_tmp);
|
|
Nalin Dahyabhai |
83fca2f |
exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
#endif /* HAVE_SETLUID */
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
- if (setuid(target_pwd->pw_uid) < 0) {
|
|
Nalin Dahyabhai |
83fca2f |
+ if (seteuid(0) < 0 || seteuid(target_pwd->pw_uid) < 0) {
|
|
Nalin Dahyabhai |
83fca2f |
+ perror("ksu: seteuid");
|
|
Nalin Dahyabhai |
83fca2f |
+ sweep_up(ksu_context, cc_tmp);
|
|
Nalin Dahyabhai |
83fca2f |
+ exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
+ }
|
|
Nalin Dahyabhai |
83fca2f |
+
|
|
Nalin Dahyabhai |
83fca2f |
+ retval = krb5_ccache_copy(ksu_context, cc_tmp, cc_target_tag,
|
|
Nalin Dahyabhai |
83fca2f |
+ client, &cc_target, &stored,
|
|
Nalin Dahyabhai |
83fca2f |
+ target_pwd->pw_uid);
|
|
Nalin Dahyabhai |
83fca2f |
+ if (retval) {
|
|
Nalin Dahyabhai |
83fca2f |
+ com_err(prog_name, retval, _("while copying cache %s to %s"),
|
|
Nalin Dahyabhai |
83fca2f |
+ krb5_cc_get_name(ksu_context, cc_tmp), cc_target_tag);
|
|
Nalin Dahyabhai |
83fca2f |
+ exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
+ }
|
|
Nalin Dahyabhai |
83fca2f |
+
|
|
Nalin Dahyabhai |
83fca2f |
+ if (setuid(0) < 0 || setuid(target_pwd->pw_uid) < 0) {
|
|
Nalin Dahyabhai |
83fca2f |
perror("ksu: setuid");
|
|
Nalin Dahyabhai |
83fca2f |
sweep_up(ksu_context, cc_target);
|
|
Nalin Dahyabhai |
83fca2f |
exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
- if (access( cc_target_tag_tmp, R_OK | W_OK )){
|
|
Nalin Dahyabhai |
83fca2f |
- com_err(prog_name, errno,
|
|
Nalin Dahyabhai |
83fca2f |
- _("%s does not have correct permissions for %s, %s aborted"),
|
|
Nalin Dahyabhai |
83fca2f |
- target_user, cc_target_tag_tmp, prog_name);
|
|
Nalin Dahyabhai |
83fca2f |
- exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
+ /* set the cc env name to target */
|
|
Nalin Dahyabhai |
83fca2f |
+ if (stored) {
|
|
Nalin Dahyabhai |
83fca2f |
+ if (krb5_cc_get_full_name(ksu_context, cc_target,
|
|
Nalin Dahyabhai |
83fca2f |
+ &cc_target_tag) == 0) {
|
|
Nalin Dahyabhai |
83fca2f |
+ if (set_env_var(KRB5_ENV_CCNAME, cc_target_tag)){
|
|
Nalin Dahyabhai |
83fca2f |
+ fprintf(stderr,
|
|
Nalin Dahyabhai |
83fca2f |
+ _("ksu: couldn't set environment variable %s\n"),
|
|
Nalin Dahyabhai |
83fca2f |
+ KRB5_ENV_CCNAME);
|
|
Nalin Dahyabhai |
83fca2f |
+ sweep_up(ksu_context, cc_target);
|
|
Nalin Dahyabhai |
83fca2f |
+ exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
+ }
|
|
Nalin Dahyabhai |
83fca2f |
+ krb5_free_string(ksu_context, cc_target_tag);
|
|
Nalin Dahyabhai |
83fca2f |
+ } else {
|
|
Nalin Dahyabhai |
83fca2f |
+ com_err(prog_name, retval, _("while reading cache name from %s"),
|
|
Nalin Dahyabhai |
83fca2f |
+ cc_target_tag);
|
|
Nalin Dahyabhai |
83fca2f |
+ exit(1);
|
|
Nalin Dahyabhai |
83fca2f |
+ }
|
|
Nalin Dahyabhai |
83fca2f |
}
|
|
Nalin Dahyabhai |
83fca2f |
|
|
Nalin Dahyabhai |
83fca2f |
if ( cc_source)
|
|
Nalin Dahyabhai |
83fca2f |
--
|
|
Nalin Dahyabhai |
83fca2f |
1.8.5.3
|
|
Nalin Dahyabhai |
83fca2f |
|