From: Nalin Dahyabhai <nalin@redhat.com>
Date: Thu, 24 Jul 2014 19:39:53 +0000 (-0400)
Subject: In ksu, merge krb5_ccache_copy() and _restricted()
X-Git-Tag: krb5-1.13-alpha1~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=74e775ac6d937c9d22be4fc1d429e5e62705fb7d;p=thirdparty%2Fkrb5.git

In ksu, merge krb5_ccache_copy() and _restricted()

Other than whether or not they limit the creds it stores to the new
ccache based on the principal name of the client for whom the creds were
issued, there's no meaningful difference between what these two
functions do.  Merge them.
---

diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
index 9916c75f30..118fc53569 100644
--- a/src/clients/ksu/ccache.c
+++ b/src/clients/ksu/ccache.c
@@ -47,12 +47,14 @@ void show_credential();
 */
 
 krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
-                                  primary_principal, cc_out, stored, target_uid)
+                                  primary_principal, restrict_creds, cc_out,
+                                  stored, target_uid)
 /* IN */
     krb5_context context;
     krb5_ccache cc_def;
     char *cc_other_tag;
     krb5_principal primary_principal;
+    krb5_boolean restrict_creds;
     uid_t target_uid;
     /* OUT */
     krb5_ccache *cc_out;
@@ -83,9 +85,6 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
         }
     }
 
-    *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr,
-                                           primary_principal);
-
     if (!lstat( cc_other_name, &st_temp))
         return EINVAL;
 
@@ -98,8 +97,16 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
         return retval;
     }
 
-    retval = krb5_store_all_creds(context, * cc_other, cc_def_creds_arr,
-                                  cc_other_creds_arr);
+    if (restrict_creds) {
+        retval = krb5_store_some_creds(context, *cc_other, cc_def_creds_arr,
+                                       cc_other_creds_arr, primary_principal,
+                                       stored);
+    } else {
+        *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr,
+                                               primary_principal);
+        retval = krb5_store_all_creds(context, *cc_other, cc_def_creds_arr,
+                                      cc_other_creds_arr);
+    }
 
     if (cc_def_creds_arr){
         while (cc_def_creds_arr[i]){
@@ -623,93 +630,6 @@ krb5_error_code krb5_store_some_creds(context, cc, creds_def, creds_other, prst,
     *stored = temp_stored;
     return 0;
 }
-/******************************************************************
-krb5_cache_copy_restricted
-
-gets rid of any expired tickets in the secondary cache,
-copies the default cache into the secondary cache,
-only credentials that are for prst are copied.
-
-the algorithm may look a bit funny,
-but I had to do it this way, since cc_remove function did not come
-with k5 beta 3 release.
-************************************************************************/
-
-krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag,
-                                             prst, cc_out, stored, target_uid)
-    krb5_context context;
-    krb5_ccache cc_def;
-    char *cc_other_tag;
-    krb5_principal prst;
-    uid_t target_uid;
-    /* OUT */
-    krb5_ccache *cc_out;
-    krb5_boolean *stored;
-{
-
-    int i=0;
-    krb5_ccache  * cc_other;
-    const char * cc_def_name;
-    const char * cc_other_name;
-    krb5_error_code retval=0;
-    krb5_creds ** cc_def_creds_arr = NULL;
-    krb5_creds ** cc_other_creds_arr = NULL;
-    struct stat st_temp;
-
-    cc_other = (krb5_ccache *)  xcalloc(1, sizeof (krb5_ccache));
-
-    if ((retval = krb5_cc_resolve(context, cc_other_tag, cc_other))){
-        com_err(prog_name, retval, _("resolving ccache %s"), cc_other_tag);
-        return retval;
-    }
-
-    cc_def_name = krb5_cc_get_name(context, cc_def);
-    cc_other_name = krb5_cc_get_name(context, *cc_other);
-
-    if ( ! stat(cc_def_name, &st_temp)){
-        if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
-            return retval;
-        }
-
-    }
-
-    if (!lstat( cc_other_name, &st_temp)) {
-        return EINVAL;
-    }
-
-    if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
-        return errno;
-    }
-
-
-    if ((retval = krb5_cc_initialize(context, *cc_other, prst))){
-        return retval;
-    }
-
-    retval = krb5_store_some_creds(context, * cc_other,
-                                   cc_def_creds_arr, cc_other_creds_arr, prst, stored);
-
-
-
-    if (cc_def_creds_arr){
-        while (cc_def_creds_arr[i]){
-            krb5_free_creds(context, cc_def_creds_arr[i]);
-            i++;
-        }
-    }
-
-    i=0;
-
-    if(cc_other_creds_arr){
-        while (cc_other_creds_arr[i]){
-            krb5_free_creds(context, cc_other_creds_arr[i]);
-            i++;
-        }
-    }
-
-    *cc_out = *cc_other;
-    return retval;
-}
 
 krb5_error_code krb5_ccache_filter (context, cc, prst)
     krb5_context context;
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
index f2c0811fc4..9e0c613034 100644
--- a/src/clients/ksu/ksu.h
+++ b/src/clients/ksu/ksu.h
@@ -107,7 +107,7 @@ extern krb5_error_code get_best_principal
 /* ccache.c */
 extern krb5_error_code krb5_ccache_copy
 (krb5_context, krb5_ccache, char *, krb5_principal,
- krb5_ccache *, krb5_boolean *, uid_t);
+ krb5_boolean, krb5_ccache *, krb5_boolean *, uid_t);
 
 extern krb5_error_code krb5_store_all_creds
 (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **);
@@ -141,10 +141,6 @@ extern krb5_error_code krb5_store_some_creds
 (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **,
  krb5_principal, krb5_boolean *);
 
-extern krb5_error_code krb5_ccache_copy_restricted
-(krb5_context, krb5_ccache, char *, krb5_principal,
- krb5_ccache *, krb5_boolean *, uid_t);
-
 extern krb5_error_code krb5_ccache_refresh
 (krb5_context, krb5_ccache);
 
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 233eb52ef3..62f3bc0563 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -117,6 +117,7 @@ main (argc, argv)
     krb5_principal  kdc_server;
     krb5_boolean zero_password;
     char * dir_of_cc_target;
+    krb5_boolean restrict_creds;
 
     options.opt = KRB5_DEFAULT_OPTIONS;
     options.lifetime = KRB5_DEFAULT_TKT_LIFE;
@@ -464,25 +465,13 @@ main (argc, argv)
        then only the credentials for that particular user
        should be copied */
 
-    if ((source_uid == 0) && (target_uid != 0)) {
-
-        if ((retval = krb5_ccache_copy_restricted(ksu_context,  cc_source,
-                                                  cc_target_tag, client,
-                                                  &cc_target, &stored,
-                                                  target_uid))){
-            com_err(prog_name, retval, _("while copying cache %s to %s"),
-                    krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
-            exit(1);
-        }
-
-    } else {
-        if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag,
-                                       client,&cc_target, &stored, target_uid))) {
-            com_err(prog_name, retval, _("while copying cache %s to %s"),
-                    krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
-            exit(1);
-        }
-
+    restrict_creds = (source_uid == 0) && (target_uid != 0);
+    retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag, client,
+                              restrict_creds, &cc_target, &stored, target_uid);
+    if (retval) {
+        com_err(prog_name, retval, _("while copying cache %s to %s"),
+                krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
+        exit(1);
     }
 
     /* Become root for authentication*/