Diffstat (limited to 'src/clients')
-rw-r--r--src/clients/ChangeLog10
-rw-r--r--src/clients/configure.in7
-rw-r--r--src/clients/klist/ChangeLog12
-rw-r--r--src/clients/klist/Makefile.in2
-rw-r--r--src/clients/klist/klist.c28
-rw-r--r--src/clients/ksu/ChangeLog41
-rw-r--r--src/clients/ksu/Makefile.in3
-rw-r--r--src/clients/ksu/authorization.c7
-rw-r--r--src/clients/ksu/ccache.c6
-rw-r--r--src/clients/ksu/ksu.M30
-rw-r--r--src/clients/ksu/main.c227
-rw-r--r--src/clients/ksu/setenv.c9
12 files changed, 200 insertions, 182 deletions
diff --git a/src/clients/ChangeLog b/src/clients/ChangeLog
index 2ab67bd..de83ed9 100644
--- a/src/clients/ChangeLog
+++ b/src/clients/ChangeLog
@@ -1,3 +1,13 @@
+2001-02-21 Tom Yu <tlyu@mit.edu>
+
+ * configure.in: Add checks for unsetenv and getenv. Compile
+ setenv.o if any of setenv, unsetenv, or getenv are missing.
+
+2000-03-24 Ken Raeburn <raeburn@mit.edu>
+
+ * configure.in: Check for alpha*-dec-osf* instead of
+ alpha-dec-osf*.
+
2000-02-24 Ezra Peisach <epeisach@mit.edu>
* configure.in: Test for <arpa/inet.h> include file for inet_ntop
diff --git a/src/clients/configure.in b/src/clients/configure.in
index bd2046d..5617168 100644
--- a/src/clients/configure.in
+++ b/src/clients/configure.in
@@ -3,8 +3,9 @@ CONFIG_RULES
AC_PROG_INSTALL
KRB5_BUILD_PROGRAM
AC_HEADER_STDARG
-AC_CHECK_FUNCS(getusershell lstat setenv inet_ntop getipnodebyaddr)
-if test $ac_cv_func_setenv = no ; then
+AC_CHECK_FUNCS(getusershell lstat setenv unsetenv getenv inet_ntop getipnodebyaddr)
+if test $ac_cv_func_setenv = no || test $ac_cv_func_unsetenv = no \
+ || test $ac_cv_func_getenv = no; then
SETENVOBJ=setenv.o
else
SETENVOBJ=
@@ -12,7 +13,7 @@ fi
AC_SUBST(SETENVOBJ)
AC_CHECK_HEADERS(unistd.h pwd.h arpa/inet.h)
case $krb5_cv_host in
-alpha-dec-osf*)
+alpha*-dec-osf*)
AC_CHECK_LIB(security,setluid,
AC_DEFINE(HAVE_SETLUID)
KSU_LIBS="$KSU_LIBS -lsecurity"
diff --git a/src/clients/klist/ChangeLog b/src/clients/klist/ChangeLog
index 86686bb..1016287 100644
--- a/src/clients/klist/ChangeLog
+++ b/src/clients/klist/ChangeLog
@@ -1,3 +1,15 @@
+2001-09-25 Ken Raeburn <raeburn@mit.edu>
+
+ * klist.c (flags_string): Display transit-policy-checked,
+ ok-as-delegate, and anonymous ticket flags.
+
+2000-04-19 Danilo Almeida <dalmeida@mit.edu>
+
+ * Makefile.in: Link in getopt library on Windows.
+
+ * klist.c: Use getopt so that we can parse combined options (e.g.,
+ -an or -45).
+
2000-03-07 Danilo Almeida <dalmeida@mit.edu>
* klist.M: Get man page up-to-date.
diff --git a/src/clients/klist/Makefile.in b/src/clients/klist/Makefile.in
index c33a4d0..4e067ea 100644
--- a/src/clients/klist/Makefile.in
+++ b/src/clients/klist/Makefile.in
@@ -14,7 +14,7 @@ all-mac::
klist: klist.o $(KRB4COMPAT_DEPLIBS)
$(CC_LINK) -o $@ klist.o $(KRB4COMPAT_LIBS)
-$(OUTPRE)klist.exe: $(OUTPRE)klist.obj $(KLIB) $(CLIB)
+$(OUTPRE)klist.exe: $(OUTPRE)klist.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.lib $(KLIB) $(CLIB)
link $(EXE_LINKOPTS) -out:$@ $** wsock32.lib
clean-unix::
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index de435c4..2d77f7f 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -1,7 +1,7 @@
/*
* clients/klist/klist.c
*
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2001 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -53,6 +53,8 @@
#include <netdb.h>
#endif
+extern int optind;
+
int show_flags = 0, show_time = 0, status_only = 0, show_keys = 0;
int show_etype = 0, show_addresses = 0, no_resolve = 0;
char *defname;
@@ -130,6 +132,7 @@ main(argc, argv)
int argc;
char **argv;
{
+ int c;
char *name;
int mode;
int use_k5 = 0, use_k4 = 0;
@@ -141,14 +144,10 @@ main(argc, argv)
progname = GET_PROGNAME(argv[0]);
- argv++;
name = NULL;
mode = DEFAULT;
- while (*argv) {
- if ((*argv)[0] != '-') {
- if (name) usage();
- name = *argv;
- } else switch ((*argv)[1]) {
+ while ((c = getopt(argc, argv, "fetKsnack45")) != -1) {
+ switch (c) {
case 'f':
show_flags = 1;
break;
@@ -202,7 +201,6 @@ main(argc, argv)
usage();
break;
}
- argv++;
}
if (no_resolve && !show_addresses) {
@@ -217,6 +215,14 @@ main(argc, argv)
usage();
}
+ if (argc - optind > 1) {
+ fprintf(stderr, "Extra arguments (starting with \"%s\").\n",
+ argv[optind+1]);
+ usage();
+ }
+
+ name = (optind == argc-1) ? argv[optind] : 0;
+
if (!use_k5 && !use_k4)
{
use_k5 = default_k5;
@@ -514,6 +520,12 @@ flags_string(cred)
buf[i++] = 'H';
if (cred->ticket_flags & TKT_FLG_PRE_AUTH)
buf[i++] = 'A';
+ if (cred->ticket_flags & TKT_FLG_TRANSIT_POLICY_CHECKED)
+ buf[i++] = 'T';
+ if (cred->ticket_flags & TKT_FLG_OK_AS_DELEGATE)
+ buf[i++] = 'O'; /* D/d are taken. Use short strings? */
+ if (cred->ticket_flags & TKT_FLG_ANONYMOUS)
+ buf[i++] = 'a';
buf[i] = '\0';
return(buf);
}
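Review bot: The three added `buf[i++]` stores in flags_string lengthen the longest possible flag string by three characters, and nothing in this hunk shows that `buf` was sized for them. The declaration of `buf` is outside the hunk, so confirm it still holds one byte per flag tested plus the terminating NUL, and record that at the declaration with a comment such as `/* one byte per TKT_FLG_* test in flags_string, plus NUL */`. The open question in `/* D/d are taken. Use short strings? */` should be settled or moved to a tracked note, since the letters `T`, `O` and `a` become user-visible output as soon as this is merged.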
diff --git a/src/clients/ksu/ChangeLog b/src/clients/ksu/ChangeLog
index f486004..0b964bb 100644
--- a/src/clients/ksu/ChangeLog
+++ b/src/clients/ksu/ChangeLog
@@ -1,3 +1,44 @@
+2001-10-18 Ken Raeburn <raeburn@mit.edu>
+
+ Don't crash if .k[5]login file ownership is wrong. Patch from
+ Emily Ratliff, ratliff@austin.ibm.com.
+ * authorization.c (fowner): Don't close the file even on error.
+ (krb5_authorization): Close the file if fowner returns FALSE.
+
+2001-02-21 Tom Yu <tlyu@mit.edu>
+
+ * setenv.c: Add conditionals for compilation of setenv, unsetenv,
+ and getenv such that they only get compiled if they don't already
+ exist.
+
+2000-05-22 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (OBJS): Put @SETENVOBJ@ on same line as xmalloc.o to
+ avoid trailing backslash on the end of the variable.
+
+2000-05-15 Ken Raeburn <raeburn@mit.edu>
+
+ * ccache.c (krb5_ccache_copy): Modify conditionalized code block
+ slightly to make automatic indentation work better.
+
+ * main.c (main): Complain and quit if prog_name is longer than 50
+ characters.
+
+2000-04-26 Ken Raeburn <raeburn@mit.edu>
+ Nalin Dahyabhai <nalin@redhat.com>
+
+ * main.c (DEBUG): Don't define.
+ (usage): Remove -C option from description.
+ (sweep_up): Deleted second argument; all callers changed.
+ (main): Support -D option only if DEBUG is defined. Initialize
+ ruid on entry. Set effective uid to ruid before processing
+ argument list. Removed -C option from -z/-Z conflict messages.
+ Report errors trying to stat source ccache using com_err. Verify
+ that getpwuid's returned data for source user has correct uid.
+ Eliminate use_source_cache variable.
+
+ * ksu.M: Updates for removal of -C option.
+
2000-01-27 Ken Raeburn <raeburn@mit.edu>
* main.c (print_status): Now static. Add format attribute if
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
index c96de37..915d4b2 100644
--- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in
@@ -23,8 +23,7 @@ OBJS = \
authorization.o \
main.o \
heuristic.o \
- xmalloc.o \
- @SETENVOBJ@
+ xmalloc.o @SETENVOBJ@
all:: ksu
diff --git a/src/clients/ksu/authorization.c b/src/clients/ksu/authorization.c
index a2e5409..d184993 100644
--- a/src/clients/ksu/authorization.c
+++ b/src/clients/ksu/authorization.c
@@ -40,12 +40,10 @@ krb5_boolean fowner(fp, uid)
* the user himself, or by root. Otherwise, don't grant access.
*/
if (fstat(fileno(fp), &sbuf)) {
- fclose(fp);
return(FALSE);
}
if ((sbuf.st_uid != uid) && sbuf.st_uid) {
- fclose(fp);
return(FALSE);
}
@@ -102,8 +100,10 @@ krb5_error_code krb5_authorization(context, principal, luser,
if (!k5login_flag){
if ((login_fp = fopen(k5login_path, "r")) == NULL)
return 0;
- if ( fowner(login_fp, pwd->pw_uid) == FALSE)
+ if ( fowner(login_fp, pwd->pw_uid) == FALSE) {
+ fclose(login_fp);
return 0;
+ }
}
if (!k5users_flag){
@@ -111,6 +111,7 @@ krb5_error_code krb5_authorization(context, principal, luser,
return 0;
}
if ( fowner(users_fp, pwd->pw_uid) == FALSE){
+ fclose(users_fp);
return 0;
}
}
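Review bot: Now that `fowner` leaves its stream open, the early returns in the `!k5users_flag` branch of krb5_authorization close only `users_fp` and leave `login_fp` open whenever the preceding branch opened it. The `return 0` just above the `fowner(users_fp, ...)` test, which appears to be the fopen-failure path, closes nothing at all. Adding `if (!k5login_flag) fclose(login_fp);` before both returns applies the new caller-closes rule uniformly. The comment above `fowner` should also state that the stream is left open on every return path, since that contract changed in this commit. Both function bodies extend beyond the hunks shown.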
diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
index be77456..97a2084 100644
--- a/src/clients/ksu/ccache.c
+++ b/src/clients/ksu/ccache.c
@@ -75,7 +75,6 @@ struct stat st_temp;
cc_def_name = krb5_cc_get_name(context, cc_def);
cc_other_name = krb5_cc_get_name(context, *cc_other);
-
if ( ! stat(cc_def_name, &st_temp)){
if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
return retval;
@@ -86,12 +85,11 @@ struct stat st_temp;
primary_principal);
#ifdef HAVE_LSTAT
- if (!lstat( cc_other_name, &st_temp)) {
+ if (!lstat( cc_other_name, &st_temp))
#else /*HAVE_LSTAT*/
- if (!stat( cc_other_name, &st_temp)) {
+ if (!stat( cc_other_name, &st_temp))
#endif
return EINVAL;
- }
if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
return errno;
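Review bot: Dropping the braces leaves `return EINVAL;` as the unbraced body of an `if` whose condition line is selected by `#ifdef HAVE_LSTAT`, which is easy to break when a second statement is added to the body later. The indentation problem that motivated the change can be solved while keeping the body braced: write the opening brace once, on its own line after `#endif`, then `return EINVAL;` and the closing brace. The enclosing function starts and ends outside this hunk.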
diff --git a/src/clients/ksu/ksu.M b/src/clients/ksu/ksu.M
index 2eea2a0..325d2e8 100644
--- a/src/clients/ksu/ksu.M
+++ b/src/clients/ksu/ksu.M
@@ -37,9 +37,6 @@ ksu \- Kerberized super-user
.B \-c
.I source_cache_name
] [
-.B \-C
-.I target_cache_name
-] [
.B \-k
] [
.B \-D
@@ -169,10 +166,8 @@ The real and effective user ID are changed to that of the
target user. The target user's shell is then invoked
(the shell name is specified in the password file).
Upon termination of the shell, ksu deletes the target cache (unless
-ksu is invoked with
-.B \-k
- or '
-.B \-C .' options).
+ksu is invoked with the
+.B \-k option).
This is implemented by first doing a fork and then an exec, instead
of just exec, as done by su.
.br
@@ -287,19 +282,7 @@ option is not used then the
name is obtained from KRB5CCNAME environment variable.
If KRB5CCNAME is not defined the source cache name
is set to krb5cc_<source uid>.
-.TP 10
-\fB\-C \fItarget_cache_name
-Specify the target cache name (e.g.
-.B \-C
-FILE:/tmp/target_cache).
-If '.' is specified (e.g. ksu
-\-C .) ksu uses the source
-cache and does not create a new target cache. Note:
-this case requires both source and target user
-to have read and write permissions for the source cache.
-If
-.B \-C
-option is not used, the default target cache name is
+The target cache name is automatically
set to krb5cc_<target uid>.(gen_sym()),
where gen_sym generates a new number such that
the resulting cache does not already exist.
@@ -313,8 +296,7 @@ target shell or a command (
command).
Without
.B \-k,
-ksu deletes the target cache
-(unless ksu was invoked with '-C .' option).
+ksu deletes the target cache.
.TP 10
\fB\-D
turn on debug mode.
@@ -359,7 +341,7 @@ if you want the tickets for other then the default
principal. Note that the
.B \-z
option is mutually
-exclusive with '-C .' and -Z options.
+exclusive with the -Z option.
.TP 10
\fB\-Z
Don't copy any tickets from the source cache to the
@@ -368,7 +350,7 @@ where the default principal name of the cache is
initialized to the target principal name. Note that
.B \-Z
option is mutually
-exclusive with '-C .' and -z options.
+exclusive with the -z option.
.TP 10
\fB\-q
suppress the printing of status messages.
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 77a4996..58d3031 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -42,7 +42,7 @@ int quiet = 0;
#define _DEF_CSH "/bin/csh"
static int set_env_var PROTOTYPE((char *, char *));
-static void sweep_up PROTOTYPE((krb5_context, int, krb5_ccache));
+static void sweep_up PROTOTYPE((krb5_context, krb5_ccache));
static char * ontty PROTOTYPE((void));
#ifdef HAVE_STDARG_H
static void print_status( const char *fmt, ...)
@@ -61,7 +61,6 @@ char * get_dir_of_file();
void usage (){
fprintf(stderr, "Usage: %s [target user] [-n principal] [-c source cachename] [-C target cachename] [-k] [-D] [-r time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a [args... ] ]\n", prog_name);
-
}
/* for Ultrix and friends ... */
@@ -69,8 +68,6 @@ void usage (){
#define MAXHOSTNAMELEN 64
#endif
-#define DEBUG
-
/* These are file static so sweep_up can get to them*/
static uid_t source_uid, target_uid;
@@ -86,7 +83,6 @@ char *localhostname = NULL;
opt_info options;
int option=0;
int statusp=0;
-int use_source_cache = 0;
krb5_error_code retval = 0;
krb5_principal client = NULL;
krb5_ccache cc_target = NULL;
@@ -106,7 +102,7 @@ krb5_boolean auth_val;
krb5_boolean authorization_val = FALSE;
int path_passwd = 0;
int done =0,i,j;
-uid_t ruid;
+uid_t ruid = getuid ();
struct passwd *pwd=NULL, *target_pwd ;
char * shell;
char ** params;
@@ -142,6 +138,11 @@ char * dir_of_cc_source;
if (strrchr(argv[0], '/'))
argv[0] = strrchr(argv[0], '/')+1;
prog_name = argv[0];
+ if (strlen (prog_name) > 50) {
+ /* this many chars *after* last / ?? */
+ com_err(prog_name, 0, "program name too long - quitting to avoid triggering system logging bugs");
+ exit (1);
+ }
#ifndef LOG_NDELAY
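Review bot: The bound in `strlen (prog_name) > 50` is an unexplained magic number, and the comment beside it (`this many chars *after* last / ??`) records a doubt rather than a reason. `prog_name` is taken from `argv[0]`, which the invoking user controls, so this is an input check on untrusted data and deserves a named constant with its rationale, for example `#define KSU_MAX_PROG_NAME 50 /* longest argv[0] basename accepted; guards logging code that mishandles long names */`. The `strrchr(argv[0], '/')` calls above the check also assume `argv[0]` is non-NULL; whether main guarantees that earlier is not visible in this hunk.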
@@ -176,7 +177,10 @@ char * dir_of_cc_source;
}
}
-
+ if (krb5_seteuid (ruid)) {
+ com_err (prog_name, errno, "while setting euid to source user");
+ exit (1);
+ }
while(!done && ((option = getopt(pargc, pargv,"n:c:r:a:zZDfpkql:e:")) != -1)){
switch (option) {
case 'r':
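Review bot: The added `krb5_seteuid (ruid)` call has no comment saying why privilege is dropped at exactly this point, and that reason matters to anyone who later reorders main. The option loop that follows runs `stat` on the `-c` path supplied by the user, and a later hunk removes the old `krb5_seteuid(source_uid)` call, so this is now the only place the effective uid is lowered before the source cache is handled. Suggested comment: `/* Drop to the real uid before parsing options so user-supplied paths are examined with the caller's privileges; root is reclaimed later for authentication. */`. The body of main continues outside the hunk.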
@@ -232,22 +236,24 @@ char * dir_of_cc_source;
options.princ = 1;
break;
+#ifdef DEBUG
case 'D':
auth_debug = 1;
- break;
+ break;
+#endif
case 'z':
some_rest_copy = 1;
- if(all_rest_copy || use_source_cache){
+ if(all_rest_copy) {
fprintf(stderr,
- "-z option is mutually exclusive with -Z and -C .\n");
+ "-z option is mutually exclusive with -Z.\n");
errflg++;
}
break;
case 'Z':
all_rest_copy = 1;
- if(some_rest_copy || use_source_cache){
+ if(some_rest_copy) {
fprintf(stderr,
- "-Z option is mutually exclusive with -z and -C .\n");
+ "-Z option is mutually exclusive with -z.\n");
errflg++;
}
break;
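Review bot: `usage()` still prints `[-C target cachename]` and an unconditional `[-D]` (visible as context in the earlier usage hunk), although `-C` is no longer in the getopt string and `case 'D'` is now compiled only under `#ifdef DEBUG`. The ksu ChangeLog entry in this commit says the `-C` text was removed from usage, so the string appears to have been missed. The letter `D` also remains in the option string `"n:c:r:a:zZDfpkql:e:"`, so a non-DEBUG build accepts `-D` in getopt and leaves it to whatever the switch's default case does; putting the letter under the same `#ifdef` would make the rejection explicit.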
@@ -258,10 +264,10 @@ char * dir_of_cc_source;
cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
if( stat( cc_source_tag_tmp, &st_temp)){
- fprintf(stderr,"File %s does not exist\n",
- cc_source_tag_tmp);
- errflg++;
-
+ com_err (prog_name, errno,
+ "while looking for credentials file %s",
+ cc_source_tag_tmp);
+ exit (1);
}
}
else {
@@ -313,10 +319,9 @@ char * dir_of_cc_source;
}
/***********************************/
- ruid = getuid();
source_user = getlogin(); /*checks for the the login name in /etc/utmp*/
- /* verify that that the user exists and get his passwd structure */
+ /* verify that that the user exists and get his passwd structure */
if (source_user == NULL ||(pwd = getpwnam(source_user)) == NULL ||
pwd->pw_uid != ruid){
@@ -327,6 +332,12 @@ char * dir_of_cc_source;
fprintf(stderr, "ksu: who are you?\n");
exit(1);
}
+ if (pwd->pw_uid != ruid) {
+ fprintf (stderr, "Your uid doesn't match your passwd entry?!\n");
+ exit (1);
+ }
+ /* Okay, now we have *some* passwd entry that matches the
+ current real uid. */
/* allocate space and copy the usernamane there */
source_user = xstrdup(pwd->pw_name);
@@ -357,23 +368,17 @@ char * dir_of_cc_source;
else
cc_source_tag_tmp++;
}
- if (krb5_seteuid(source_uid)) {
- com_err ( prog_name, errno, "while setting euid to source user");
- exit(1);
- }
-
+
/* get a handle for the cache */
if ((retval = krb5_cc_resolve(ksu_context, cc_source_tag, &cc_source))){
com_err(prog_name, retval,"while getting source cache");
exit(1);
}
- if(!use_source_cache) {
- if (((retval = krb5_cc_set_flags(ksu_context, cc_source, 0x0)) != 0)
- && (retval != KRB5_FCC_NOFILE)) {
+ if (((retval = krb5_cc_set_flags(ksu_context, cc_source, 0x0)) != 0)
+ && (retval != KRB5_FCC_NOFILE)) {
com_err(prog_name, retval, "while opening ccache");
exit(1);
- }
}
if ((retval = get_best_princ_for_target(ksu_context, source_uid,
target_uid, source_user, target_user, cc_source,
@@ -409,29 +414,6 @@ char * dir_of_cc_source;
exit(1);
}
- if (stat(cc_source_tag_tmp, &st_temp)){
- if (use_source_cache){
-
- dir_of_cc_source = get_dir_of_file(cc_source_tag_tmp);
-
-
- if (access(dir_of_cc_source, R_OK | W_OK )){
- fprintf(stderr,
- "%s does not have correct permissions for %s\n",
- source_user, cc_source_tag);
- exit(1);
- }
-
- if ((retval = krb5_cc_initialize(ksu_context, cc_source,
- client))){
- com_err(prog_name, retval,
- "while initializing source cache");
- exit(1);
- }
- }
- }
-
-
if (cc_target_tag == NULL) {
cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE ,sizeof(char));
@@ -450,8 +432,7 @@ char * dir_of_cc_source;
}
- dir_of_cc_target = get_dir_of_file( use_source_cache ?
- cc_source_tag_tmp: cc_target_tag_tmp);
+ dir_of_cc_target = get_dir_of_file(cc_target_tag_tmp);
if (access(dir_of_cc_target, R_OK | W_OK )){
fprintf(stderr,
@@ -475,48 +456,33 @@ char * dir_of_cc_source;
The cache is owned by the target user.*/
- if (! use_source_cache){
-
- /* if root ksu's to a regular user, then
- then only the credentials for that particular user
- should be copied */
+ /* if root ksu's to a regular user, then
+ then only the credentials for that particular user
+ should be copied */
- if ((source_uid == 0) && (target_uid != 0)) {
+ if ((source_uid == 0) && (target_uid != 0)) {
- if ((retval = krb5_ccache_copy_restricted(ksu_context, cc_source,
- cc_target_tag, client, &cc_target, &stored, target_uid))){
- com_err (prog_name, retval,
- "while copying cache %s to %s",
- krb5_cc_get_name(ksu_context, cc_source),cc_target_tag);
- exit(1);
- }
-
- } else{
- if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag,
- client,&cc_target, &stored, target_uid))){
- com_err (prog_name, retval,
- "while copying cache %s to %s",
- krb5_cc_get_name(ksu_context, cc_source),
- cc_target_tag);
- exit(1);
- }
-
- }
-
- }
- else{
- cc_target = cc_source;
- cc_target_tag = (char *) cc_source_tag;
- cc_target_tag_tmp = (char *) cc_source_tag_tmp;
-
- if ((retval=krb5_find_princ_in_cache(ksu_context, cc_target,client, &stored))){
- com_err (prog_name, retval,
- "while searching for client in source ccache");
- exit(1);
- }
+ if ((retval = krb5_ccache_copy_restricted(ksu_context, cc_source,
+ cc_target_tag, client, &cc_target, &stored, target_uid))){
+ com_err (prog_name, retval,
+ "while copying cache %s to %s",
+ krb5_cc_get_name(ksu_context, cc_source),cc_target_tag);
+ exit(1);
+ }
+ } else {
+ if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag,
+ client,&cc_target, &stored, target_uid))) {
+ com_err (prog_name, retval,
+ "while copying cache %s to %s",
+ krb5_cc_get_name(ksu_context, cc_source),
+ cc_target_tag);
+ exit(1);
+ }
+
}
- /* Become root for authentication*/
+
+ /* Become root for authentication*/
if (krb5_seteuid(0)) {
com_err(prog_name, errno, "while reclaiming root uid");
@@ -532,7 +498,7 @@ char * dir_of_cc_source;
&kdc_server))){
com_err(prog_name, retval,
"while creating tgt for local realm");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -544,8 +510,7 @@ char * dir_of_cc_source;
if (zero_password == FALSE){
fprintf(stderr,"Goodbye\n");
- sweep_up(ksu_context, use_source_cache,
- cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -574,7 +539,7 @@ char * dir_of_cc_source;
syslog(LOG_WARNING,
"'%s %s' authentication failed for %s%s",
prog_name,target_user,source_user,ontty());
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -585,7 +550,7 @@ char * dir_of_cc_source;
to properly handle races in chown if this code is ever re-enabled.
*/
/* cache the tickets if possible in the source cache */
- if (!path_passwd && !use_source_cache){
+ if (!path_passwd){
if ((retval = krb5_ccache_overwrite(ksu_context, cc_target, cc_source,
client))){
@@ -593,7 +558,7 @@ char * dir_of_cc_source;
"while copying cache %s to %s",
krb5_cc_get_name(ksu_context, cc_target),
krb5_cc_get_name(ksu_context, cc_source));
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
if (chown(cc_source_tag_tmp, source_uid, source_gid)){
@@ -607,7 +572,7 @@ char * dir_of_cc_source;
if ((retval = krb5_unparse_name(ksu_context, client, &client_name))) {
com_err (prog_name, retval, "When unparsing name");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -619,7 +584,7 @@ char * dir_of_cc_source;
/* Run authorization as target.*/
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, "while switching to target for authorization check");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -627,13 +592,13 @@ char * dir_of_cc_source;
cmd, &authorization_val, &exec_cmd))){
com_err(prog_name,retval,"while checking authorization");
krb5_seteuid(0); /*So we have some chance of sweeping up*/
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
if (krb5_seteuid(0)) {
com_err(prog_name, errno, "while switching back from target after authorization check");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
if (authorization_val == TRUE){
@@ -678,7 +643,7 @@ krb5_seteuid(0); /*So we have some chance of sweeping up*/
}
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
}
@@ -686,7 +651,7 @@ krb5_seteuid(0); /*So we have some chance of sweeping up*/
if( some_rest_copy){
if ((retval = krb5_ccache_filter(ksu_context, cc_target, client))){
com_err(prog_name,retval,"while calling cc_filter");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
}
@@ -715,7 +680,7 @@ krb5_seteuid(0); /*So we have some chance of sweeping up*/
if (!standard_shell(target_pwd->pw_shell) && source_uid) {
fprintf(stderr, "ksu: permission denied (shell).\n");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
#endif /* HAVE_GETUSERSHELL */
@@ -724,20 +689,20 @@ krb5_seteuid(0); /*So we have some chance of sweeping up*/
if(set_env_var("USER", target_pwd->pw_name)){
fprintf(stderr,"ksu: couldn't set environment variable USER\n");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
}
if(set_env_var( "HOME", target_pwd->pw_dir)){
fprintf(stderr,"ksu: couldn't set environment variable USER\n");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
if(set_env_var( "SHELL", shell)){
fprintf(stderr,"ksu: couldn't set environment variable USER\n");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
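Review bot: The failure messages for `HOME` and `SHELL` both still read `ksu: couldn't set environment variable USER`, so a failure in either call is reported against the wrong variable. While these lines are being edited, change them to `"ksu: couldn't set environment variable HOME\n"` and `"ksu: couldn't set environment variable SHELL\n"`. The enclosing function continues outside this hunk.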
@@ -746,26 +711,21 @@ krb5_seteuid(0); /*So we have some chance of sweeping up*/
if(set_env_var( KRB5_ENV_CCNAME, cc_target_tag)){
fprintf(stderr,"ksu: couldn't set environment variable %s\n",
KRB5_ENV_CCNAME);
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
-
- if (!use_source_cache){
-
- }
-
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
if (initgroups(target_user, target_pwd->pw_gid)) {
fprintf(stderr, "ksu: initgroups failed.\n");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -785,14 +745,14 @@ krb5_seteuid(0); /*So we have some chance of sweeping up*/
*/
if (setluid((uid_t) pwd->pw_uid) < 0) {
perror("setluid");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
#endif /* HAVE_SETLUID */
if (setuid(target_pwd->pw_uid) < 0) {
perror("ksu: setuid");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -827,11 +787,11 @@ krb5_seteuid(0); /*So we have some chance of sweeping up*/
fprintf(stderr, "program to be execed %s\n",params[0]);
}
- if( keep_target_cache || use_source_cache ) {
+ if( keep_target_cache ) {
execv(params[0], params);
com_err(prog_name, errno, "while trying to execv %s",
params[0]);
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}else{
statusp = 1;
@@ -858,11 +818,11 @@ krb5_seteuid(0); /*So we have some chance of sweeping up*/
if (ret_pid == -1) {
com_err(prog_name, errno, "while calling waitpid");
}
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit (statusp);
case -1:
com_err(prog_name, errno, "while trying to fork.");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit (1);
case 0:
execv(params[0], params);
@@ -920,27 +880,24 @@ char * env_var_buf;
}
-static void sweep_up(context, use_source_cache, cc)
+static void sweep_up(context, cc)
krb5_context context;
- int use_source_cache;
krb5_ccache cc;
{
-krb5_error_code retval;
-char * cc_name;
-struct stat st_temp;
+ krb5_error_code retval;
+ char * cc_name;
+ struct stat st_temp;
-krb5_seteuid(0);
-krb5_seteuid(target_uid);
+ krb5_seteuid(0);
+ krb5_seteuid(target_uid);
-if (! use_source_cache){
- cc_name = krb5_cc_get_name(context, cc);
- if ( ! stat(cc_name, &st_temp)){
- if ((retval = krb5_cc_destroy(context, cc))){
- com_err(prog_name, retval,
- "while destroying cache");
- }
- }
+ cc_name = krb5_cc_get_name(context, cc);
+ if ( ! stat(cc_name, &st_temp)){
+ if ((retval = krb5_cc_destroy(context, cc))){
+ com_err(prog_name, retval,
+ "while destroying cache");
}
+ }
}
/*****************************************************************
get_params is to be called for the -a option or -e option to
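Review bot: sweep_up discards the results of both `krb5_seteuid(0)` and `krb5_seteuid(target_uid)`, so if the second call fails, the `stat` and `krb5_cc_destroy` that follow run under whatever effective uid is in force, possibly root, against the cache path. The ccache.c context in this same commit already checks the pair with `if (krb5_seteuid(0)||krb5_seteuid(target_uid))`. Doing the same here, and reporting the failure with `com_err(prog_name, errno, "while switching to target uid to destroy cache");`, would make it an explicit decision whether the destroy should still run. The `stat` before `krb5_cc_destroy` is advisory only, since the file can change between the two calls. A short header comment saying which uid cleanup is meant to run as would also help.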
diff --git a/src/clients/ksu/setenv.c b/src/clients/ksu/setenv.c
index 96d4a1e..2633a9d 100644
--- a/src/clients/ksu/setenv.c
+++ b/src/clients/ksu/setenv.c
@@ -25,6 +25,7 @@
* Set the value of the environmental variable "name" to be
* "value". If rewrite is set, replace any current value.
*/
+#ifndef HAVE_SETENV
setenv(name, value, rewrite)
register char *name, *value;
int rewrite;
@@ -77,11 +78,13 @@ setenv(name, value, rewrite)
for (*C++ = '='; *C++ = *value++;);
return(0);
}
+#endif
/*
* unsetenv(name) --
* Delete environmental variable "name".
*/
+#ifndef HAVE_UNSETENV
void
unsetenv(name)
char *name;
@@ -96,6 +99,7 @@ unsetenv(name)
if (!(*P = *(P + 1)))
break;
}
+#endif
/*
* Copyright (c) 1987 Regents of the University of California.
* All rights reserved.
@@ -119,6 +123,7 @@ unsetenv(name)
* getenv --
* Returns ptr to value associated with name, if any, else NULL.
*/
+#ifndef HAVE_GETENV
char *
getenv(name)
char *name;
@@ -128,6 +133,7 @@ getenv(name)
return(_findenv(name, &offset));
}
+#endif
/*
* _findenv --
@@ -136,9 +142,8 @@ getenv(name)
* environmental array, for use by setenv(3) and unsetenv(3).
* Explicitly removes '=' in argument name.
*
- * This routine *should* be a static; don't use it.
*/
-char *
+static char *
_findenv(name, offset)
register char *name;
int *offset;
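Review bot: `_findenv` is now defined `static` at the bottom of the file, but it is called earlier, for example `return(_findenv(name, &offset));` in getenv, and no hunk in this file adds a file-scope `static` declaration ahead of those callers. If the callers rely on an implicit declaration or a block-scope `char *_findenv();`, that declaration has external linkage and conflicts with the later static definition. A `static char *_findenv();` near the top of the file would make the linkage consistent. The rest of the definition lies outside this hunk.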