From: Greg Hudson Date: Thu, 29 Nov 2018 16:59:25 +0000 (-0500) Subject: Add ksu option for non-forwardable tickets X-Git-Tag: krb5-1.18-beta1~206 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F872%2Fhead;p=thirdparty%2Fkrb5.git Add ksu option for non-forwardable tickets Add ksu -F and -P options to explicitly not request forwardable and proxiable tickets. ticket: 8761
---
diff --git a/doc/user/user_commands/ksu.rst b/doc/user/user_commands/ksu.rst
index 29487a8388..8d6c7ef793 100644
--- a/doc/user/user_commands/ksu.rst
+++ b/doc/user/user_commands/ksu.rst
@@ -12,7 +12,8 @@ SYNOPSIS
 [ **-c** *source_cache_name* ]
 [ **-k** ]
 [ **-r** time ]
-[ **-pf** ]
+[ **-p** | **-P**]
+[ **-f** | **-F**]
 [ **-l** *lifetime* ]
 [ **-z | Z** ]
 [ **-q** ]
@@ -247,7 +248,7 @@ OPTIONS
 Ticket granting ticket options:
-**-l** *lifetime* **-r** *time* **-pf**
+**-l** *lifetime* **-r** *time* **-p** **-P** **-f** **-F**
 The ticket granting ticket options only apply to the case where there are no appropriate tickets in the cache to authenticate the source user. In this case if ksu is configured to prompt users
@@ -269,10 +270,20 @@ Ticket granting ticket options:
 specifies that the **proxiable** option should be requested for the ticket.
+**-P**
+ specifies that the **proxiable** option should not be requested
+ for the ticket, even if the default configuration is to ask for
+ proxiable tickets.
+
 **-f** option specifies that the **forwardable** option should be requested for the ticket.
+**-F**
+ option specifies that the **forwardable** option should not be
+ requested for the ticket, even if the default configuration is to
+ ask for forwardable tickets.
+
 **-e** *command* [*args* ...] ksu proceeds exactly the same as if it was invoked without the **-e** option, except instead of executing the target shell, ksu
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index d9596d9487..4f03dd8edf 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -66,7 +66,7 @@ static krb5_error_code resolve_target_cache(krb5_context ksu_context,
 void usage (){
 fprintf(stderr,
 _("Usage: %s [target user] [-n principal] [-c source cachename] "
- "[-k] [-r time] [-pf] [-l lifetime] [-zZ] [-q] "
+ "[-k] [-r time] [-p|-P] [-f|-F] [-l lifetime] [-zZ] [-q] "
 "[-e command [args... ] ] [-a [args... ] ]\n"), prog_name);
 }
@@ -189,7 +189,8 @@ main (argc, argv)
 com_err (prog_name, errno, _("while setting euid to source user"));
 exit (1);
 }
- while(!done && ((option = getopt(pargc, pargv,"n:c:r:a:zZDfpkql:e:")) != -1)){
+ while (!done &&
+ (option = getopt(pargc, pargv,"n:c:r:a:zZDfFpPkql:e:")) != -1) {
 switch (option) {
 case 'r':
 if (strlen (optarg) >= 14)
@@ -217,9 +218,15 @@ main (argc, argv)
 case 'p':
 krb5_get_init_creds_opt_set_proxiable(options, 1);
 break;
+ case 'P':
+ krb5_get_init_creds_opt_set_proxiable(options, 0);
+ break;
 case 'f':
 krb5_get_init_creds_opt_set_forwardable(options, 1);
 break;
+ case 'F':
+ krb5_get_init_creds_opt_set_forwardable(options, 0);
+ break;
 case 'k':
 keep_target_cache =1;
 break;
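Review bot: With `F` and `P` added to the getopt string in the rewritten `while` condition, contradictory pairs such as `-f -F` or `-P -p` are accepted without any diagnostic. Each case simply calls its setter again, so the option that appears last on the command line appears to decide the outcome. For flags whose purpose is to restrict what is requested, that ordering rule should be stated in ksu.rst, or the loop could remember that both forms were seen and exit through `usage()`. The loop body and the rest of main lie outside this hunk.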
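Review bot: The new `case 'P'` and `case 'F'` branches have no comment explaining why an explicit 0 is passed rather than leaving the option unset. I would add `/* Pass 0 explicitly so a configured default of proxiable/forwardable tickets is overridden. */` above each setter call. The ksu.rst text touched by this same patch says the ticket granting ticket options only apply when no appropriate tickets are in the cache. So -F presumably does not change the flags of tickets already held in the source cache; that should be stated next to the option for anyone relying on it to keep forwardable tickets out of the target session. The switch statement starts and ends outside the hunk.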