The idea is to not complain about problems in the default ticket file if we
couldn't read it, because the client would be able to tell if it's there or
not.  Still needs work, I think.
--- krb5-1.3/src/clients/ksu/ccache.c
+++ krb5-1.3/src/clients/ksu/ccache.c
@@ -77,7 +77,7 @@
     cc_def_name = krb5_cc_get_name(context, cc_def);    
     cc_other_name = krb5_cc_get_name(context, *cc_other);    
 
-    if ( ! stat(cc_def_name, &st_temp)){
+    if ( ! access(cc_def_name, R_OK) && ! stat(cc_def_name, &st_temp)){
 	if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
 		return retval;
 	}
--- krb5-1.3/src/clients/ksu/heuristic.c
+++ krb5-1.3/src/clients/ksu/heuristic.c
@@ -412,7 +412,7 @@
 
     cc_source_name = krb5_cc_get_name(context, cc);
 
-    if ( ! stat(cc_source_name, &st_temp)){
+    if ( ! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)){
 
 	retval = find_ticket(context, cc, client, end_server, &temp_found);
 	if (retval)
@@ -572,7 +572,7 @@
     cc_source_name = krb5_cc_get_name(context, cc_source);
 
 	
-    if (! stat(cc_source_name, &st_temp)) {
+    if (! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)) {
 	retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ);
 	if (retval)
 	    return retval;
--- krb5-1.3/src/clients/ksu/main.c
+++ krb5-1.3/src/clients/ksu/main.c
@@ -263,7 +263,7 @@
 		if ( strchr(cc_source_tag, ':')){
 		    cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
 		    
-		    if( stat( cc_source_tag_tmp, &st_temp)){
+		    if( access( cc_source_tag_tmp, F_OK | R_OK) || stat( cc_source_tag_tmp, &st_temp)){
 			com_err (prog_name, errno,
 				 "while looking for credentials file %s",
 				 cc_source_tag_tmp);