Make ksu honor KRB5CCNAME again

Commit d439e370b70f7af4ed2da9c692a3be7dcf7b4ac6 (ticket 8800) caused
ksu to ignore KRB5CCNAME from the environment.  ksu uses euid
switching to access the source cache, and should honor KRB5CCNAME to
find the ccache to potentially authorize the su operation.

Add a helper function init_ksu_context() to create the ksu context,
with explicit code to honor KRB5CCNAME using
krb5_cc_set_default_name().

ticket: 8895
tags: pullup
target_version: 1.18-next

diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index dc417e6ecc5d92fd108649c36bd9c374535f5cf5..af128617294b422168bfbdec79980cda4a1c38a8 100644 (file)
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -48,6 +48,7 @@ int quiet = 0;
 static int set_env_var (char *, char *);
 static void sweep_up (krb5_context, krb5_ccache);
 static char * ontty (void);
+static krb5_error_code init_ksu_context(krb5_context *);
 static krb5_error_code set_ccname_env(krb5_context, krb5_ccache);
 static void print_status( const char *fmt, ...)
 #if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 7)
@@ -129,7 +130,7 @@ main (argc, argv)
 
     unsetenv ("KRB5_CONFIG");
 
-    retval = krb5_init_secure_context(&ksu_context);
+    retval = init_ksu_context(&ksu_context);
     if (retval) {
         com_err(argv[0], retval, _("while initializing krb5"));
         exit(1);
@@ -794,6 +795,34 @@ main (argc, argv)
     }
 }
 
+static krb5_error_code
+init_ksu_context(krb5_context *context_out)
+{
+    krb5_error_code retval;
+    const char *env_ccname;
+    krb5_context context;
+
+    *context_out = NULL;
+
+    retval = krb5_init_secure_context(&context);
+    if (retval)
+        return retval;
+
+    /* We want to obey KRB5CCNAME in this context even though this is a setuid
+     * program.  (It will only be used when operating as the real uid.) */
+    env_ccname = getenv(KRB5_ENV_CCNAME);
+    if (env_ccname != NULL) {
+        retval = krb5_cc_set_default_name(context, env_ccname);
+        if (retval) {
+            krb5_free_context(context);
+            return retval;
+        }
+    }
+
+    *context_out = context;
+    return 0;
+}
+
 /* Set KRB5CCNAME in the environment to point to ccache.  Print an error
  * message on failure. */
 static krb5_error_code