authorGreg Hudson <ghudson@mit.edu>2020-04-06 20:45:10 -0400
committerGreg Hudson <ghudson@mit.edu>2020-04-10 13:12:21 -0400
commit0ea94d49ba5861b2f78de4f27d37a53e0f4264b6 (patch)
treed7c968d676f1e82771f3a90b6602af3a396c91b3
parent9d6dfe0a3e0ad66a86ca475e6ce3d3b5e655aa08 (diff)
Make ksu honor KRB5CCNAME again
Commit d439e370b70f7af4ed2da9c692a3be7dcf7b4ac6 (ticket 8800) caused ksu to ignore KRB5CCNAME from the environment. ksu uses euid switching to access the source cache, and should honor KRB5CCNAME to find the ccache to potentially authorize the su operation. Add a helper function init_ksu_context() to create the ksu context, with explicit code to honor KRB5CCNAME using krb5_cc_set_default_name(). (cherry picked from commit 8b1fff99f59f779bf7f7261f17b835576e20d35d) ticket: 8895 version_fixed: 1.18.1
-rw-r--r--src/clients/ksu/main.c31
1 files changed, 30 insertions, 1 deletions
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 4f03dd8..57c3492 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -48,6 +48,7 @@ int quiet = 0;
static int set_env_var (char *, char *);
static void sweep_up (krb5_context, krb5_ccache);
static char * ontty (void);
+static krb5_error_code init_ksu_context(krb5_context *);
static krb5_error_code set_ccname_env(krb5_context, krb5_ccache);
static void print_status( const char *fmt, ...)
#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 7)
@@ -129,7 +130,7 @@ main (argc, argv)
unsetenv ("KRB5_CONFIG");
- retval = krb5_init_secure_context(&ksu_context);
+ retval = init_ksu_context(&ksu_context);
if (retval) {
com_err(argv[0], retval, _("while initializing krb5"));
exit(1);
@@ -794,6 +795,34 @@ main (argc, argv)
}
}
+static krb5_error_code
+init_ksu_context(krb5_context *context_out)
+{
+ krb5_error_code retval;
+ const char *env_ccname;
+ krb5_context context;
+
+ *context_out = NULL;
+
+ retval = krb5_init_secure_context(&context);
+ if (retval)
+ return retval;
+
+ /* We want to obey KRB5CCNAME in this context even though this is a setuid
+ * program. (It will only be used when operating as the real uid.) */
+ env_ccname = getenv(KRB5_ENV_CCNAME);
+ if (env_ccname != NULL) {
+ retval = krb5_cc_set_default_name(context, env_ccname);
+ if (retval) {
+ krb5_free_context(context);
+ return retval;
+ }
+ }
+
+ *context_out = context;
+ return 0;
+}
+
/* Set KRB5CCNAME in the environment to point to ccache. Print an error
* message on failure. */
static krb5_error_code