In ksu, merge krb5_ccache_copy() and _restricted()

Other than whether or not they limit the creds it stores to the new
ccache based on the principal name of the client for whom the creds were
issued, there's no meaningful difference between what these two
functions do.  Merge them.

diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
index 9916c75f305aafb00e4b5716011b8b126499dcff..118fc5356933c319a7036e25907a15ef972accf2 100644 (file)
--- a/src/clients/ksu/ccache.c
+++ b/src/clients/ksu/ccache.c
@@ -47,12 +47,14 @@ void show_credential();
 */
 
 krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
-                                  primary_principal, cc_out, stored, target_uid)
+                                  primary_principal, restrict_creds, cc_out,
+                                  stored, target_uid)
 /* IN */
     krb5_context context;
     krb5_ccache cc_def;
     char *cc_other_tag;
     krb5_principal primary_principal;
+    krb5_boolean restrict_creds;
     uid_t target_uid;
     /* OUT */
     krb5_ccache *cc_out;
@@ -83,9 +85,6 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
         }
     }
 
-    *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr,
-                                           primary_principal);
-
     if (!lstat( cc_other_name, &st_temp))
         return EINVAL;
 
@@ -98,8 +97,16 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
         return retval;
     }
 
-    retval = krb5_store_all_creds(context, * cc_other, cc_def_creds_arr,
-                                  cc_other_creds_arr);
+    if (restrict_creds) {
+        retval = krb5_store_some_creds(context, *cc_other, cc_def_creds_arr,
+                                       cc_other_creds_arr, primary_principal,
+                                       stored);
+    } else {
+        *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr,
+                                               primary_principal);
+        retval = krb5_store_all_creds(context, *cc_other, cc_def_creds_arr,
+                                      cc_other_creds_arr);
+    }
 
     if (cc_def_creds_arr){
         while (cc_def_creds_arr[i]){
@@ -623,93 +630,6 @@ krb5_error_code krb5_store_some_creds(context, cc, creds_def, creds_other, prst,
     *stored = temp_stored;
     return 0;
 }
-/******************************************************************
-krb5_cache_copy_restricted
-
-gets rid of any expired tickets in the secondary cache,
-copies the default cache into the secondary cache,
-only credentials that are for prst are copied.
-
-the algorithm may look a bit funny,
-but I had to do it this way, since cc_remove function did not come
-with k5 beta 3 release.
-************************************************************************/
-
-krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag,
-                                             prst, cc_out, stored, target_uid)
-    krb5_context context;
-    krb5_ccache cc_def;
-    char *cc_other_tag;
-    krb5_principal prst;
-    uid_t target_uid;
-    /* OUT */
-    krb5_ccache *cc_out;
-    krb5_boolean *stored;
-{
-
-    int i=0;
-    krb5_ccache  * cc_other;
-    const char * cc_def_name;
-    const char * cc_other_name;
-    krb5_error_code retval=0;
-    krb5_creds ** cc_def_creds_arr = NULL;
-    krb5_creds ** cc_other_creds_arr = NULL;
-    struct stat st_temp;
-
-    cc_other = (krb5_ccache *)  xcalloc(1, sizeof (krb5_ccache));
-
-    if ((retval = krb5_cc_resolve(context, cc_other_tag, cc_other))){
-        com_err(prog_name, retval, _("resolving ccache %s"), cc_other_tag);
-        return retval;
-    }
-
-    cc_def_name = krb5_cc_get_name(context, cc_def);
-    cc_other_name = krb5_cc_get_name(context, *cc_other);
-
-    if ( ! stat(cc_def_name, &st_temp)){
-        if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
-            return retval;
-        }
-
-    }
-
-    if (!lstat( cc_other_name, &st_temp)) {
-        return EINVAL;
-    }
-
-    if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
-        return errno;
-    }
-
-
-    if ((retval = krb5_cc_initialize(context, *cc_other, prst))){
-        return retval;
-    }
-
-    retval = krb5_store_some_creds(context, * cc_other,
-                                   cc_def_creds_arr, cc_other_creds_arr, prst, stored);
-
-
-
-    if (cc_def_creds_arr){
-        while (cc_def_creds_arr[i]){
-            krb5_free_creds(context, cc_def_creds_arr[i]);
-            i++;
-        }
-    }
-
-    i=0;
-
-    if(cc_other_creds_arr){
-        while (cc_other_creds_arr[i]){
-            krb5_free_creds(context, cc_other_creds_arr[i]);
-            i++;
-        }
-    }
-
-    *cc_out = *cc_other;
-    return retval;
-}
 
 krb5_error_code krb5_ccache_filter (context, cc, prst)
     krb5_context context;

diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
index f2c0811fc47172de0ce6777eddf3b8b8eb144a62..9e0c6130342e05a76c0fd38567cc61682293b25d 100644 (file)
--- a/src/clients/ksu/ksu.h
+++ b/src/clients/ksu/ksu.h
@@ -107,7 +107,7 @@ extern krb5_error_code get_best_principal
 /* ccache.c */
 extern krb5_error_code krb5_ccache_copy
 (krb5_context, krb5_ccache, char *, krb5_principal,
- krb5_ccache *, krb5_boolean *, uid_t);
+ krb5_boolean, krb5_ccache *, krb5_boolean *, uid_t);
 
 extern krb5_error_code krb5_store_all_creds
 (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **);
@@ -141,10 +141,6 @@ extern krb5_error_code krb5_store_some_creds
 (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **,
  krb5_principal, krb5_boolean *);
 
-extern krb5_error_code krb5_ccache_copy_restricted
-(krb5_context, krb5_ccache, char *, krb5_principal,
- krb5_ccache *, krb5_boolean *, uid_t);
-
 extern krb5_error_code krb5_ccache_refresh
 (krb5_context, krb5_ccache);
 

diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 233eb52ef3c1869990ea6c82857146c5d14fce7b..62f3bc05638e53225fa72560a16751cca8806840 100644 (file)
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -117,6 +117,7 @@ main (argc, argv)
     krb5_principal  kdc_server;
     krb5_boolean zero_password;
     char * dir_of_cc_target;
+    krb5_boolean restrict_creds;
 
     options.opt = KRB5_DEFAULT_OPTIONS;
     options.lifetime = KRB5_DEFAULT_TKT_LIFE;
@@ -464,25 +465,13 @@ main (argc, argv)
        then only the credentials for that particular user
        should be copied */
 
-    if ((source_uid == 0) && (target_uid != 0)) {
-
-        if ((retval = krb5_ccache_copy_restricted(ksu_context,  cc_source,
-                                                  cc_target_tag, client,
-                                                  &cc_target, &stored,
-                                                  target_uid))){
-            com_err(prog_name, retval, _("while copying cache %s to %s"),
-                    krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
-            exit(1);
-        }
-
-    } else {
-        if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag,
-                                       client,&cc_target, &stored, target_uid))) {
-            com_err(prog_name, retval, _("while copying cache %s to %s"),
-                    krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
-            exit(1);
-        }
-
+    restrict_creds = (source_uid == 0) && (target_uid != 0);
+    retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag, client,
+                              restrict_creds, &cc_target, &stored, target_uid);
+    if (retval) {
+        com_err(prog_name, retval, _("while copying cache %s to %s"),
+                krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
+        exit(1);
     }
 
     /* Become root for authentication*/