1
0
mirror of https://git.FreeBSD.org/ports.git synced 2024-12-16 03:24:07 +00:00
freebsd-ports/security/krb5/files/patch-as
2003-08-08 01:20:18 +00:00

196 lines
5.5 KiB
Plaintext

--- clients/ksu/main.c.orig Wed Aug 14 12:14:49 2002
+++ clients/ksu/main.c Tue Jul 29 18:46:00 2003
@@ -32,6 +32,10 @@
#include <signal.h>
#include <grp.h>
+#ifdef LOGIN_CAP
+#include <login_cap.h>
+#endif
+
/* globals */
char * prog_name;
int auth_debug =0;
@@ -61,7 +65,7 @@
ill specified arguments to commands */
void usage (){
- fprintf(stderr, "Usage: %s [target user] [-n principal] [-c source cachename] [-k] [-D] [-r time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a [args... ] ]\n", prog_name);
+ fprintf(stderr, "Usage: %s [target user] [-m] [-n principal] [-c source cachename] [-C target cachename] [-k] [-D] [-r time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a [args... ] ]\n", prog_name);
}
/* for Ultrix and friends ... */
@@ -77,6 +81,7 @@
int argc;
char ** argv;
{
+ int asme = 0;
int hp =0;
int some_rest_copy = 0;
int all_rest_copy = 0;
@@ -91,6 +96,7 @@
char * cc_target_tag = NULL;
char * target_user = NULL;
char * source_user;
+ char * source_shell;
krb5_ccache cc_source = NULL;
const char * cc_source_tag = NULL;
@@ -117,6 +123,11 @@
krb5_principal kdc_server;
krb5_boolean zero_password;
char * dir_of_cc_target;
+
+#ifdef LOGIN_CAP
+ login_cap_t *lc;
+ int setwhat;
+#endif
options.opt = KRB5_DEFAULT_OPTIONS;
options.lifetime = KRB5_DEFAULT_TKT_LIFE;
@@ -181,7 +192,7 @@
com_err (prog_name, errno, "while setting euid to source user");
exit (1);
}
- while(!done && ((option = getopt(pargc, pargv,"n:c:r:a:zZDfpkql:e:")) != -1)){
+ while(!done && ((option = getopt(pargc, pargv,"n:c:r:a:zZDfpkmql:e:")) != -1)){
switch (option) {
case 'r':
options.opt |= KDC_OPT_RENEWABLE;
@@ -227,6 +238,9 @@
errflg++;
}
break;
+ case 'm':
+ asme = 1;
+ break;
case 'n':
if ((retval = krb5_parse_name(ksu_context, optarg, &client))){
com_err(prog_name, retval, "when parsing name %s", optarg);
@@ -341,6 +355,7 @@
/* allocate space and copy the usernamane there */
source_user = xstrdup(pwd->pw_name);
+ source_shell = xstrdup(pwd->pw_shell);
source_uid = pwd->pw_uid;
source_gid = pwd->pw_gid;
@@ -672,43 +687,64 @@
/* get the shell of the user, this will be the shell used by su */
target_pwd = getpwnam(target_user);
- if (target_pwd->pw_shell)
- shell = xstrdup(target_pwd->pw_shell);
- else {
- shell = _DEF_CSH; /* default is cshell */
+ if (asme) {
+ if (source_shell && *source_shell) {
+ shell = strdup(source_shell);
+ } else {
+ shell = _DEF_CSH;
+ }
+ } else {
+ if (target_pwd->pw_shell)
+ shell = strdup(target_pwd->pw_shell);
+ else {
+ shell = _DEF_CSH; /* default is cshell */
+ }
}
#ifdef HAVE_GETUSERSHELL
/* insist that the target login uses a standard shell (root is omited) */
- if (!standard_shell(target_pwd->pw_shell) && source_uid) {
- fprintf(stderr, "ksu: permission denied (shell).\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
+ if (asme) {
+ if (!standard_shell(pwd->pw_shell) && source_uid) {
+ fprintf(stderr, "ksu: permission denied (shell).\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ } else {
+ if (!standard_shell(target_pwd->pw_shell) && source_uid) {
+ fprintf(stderr, "ksu: permission denied (shell).\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
}
#endif /* HAVE_GETUSERSHELL */
- if (target_pwd->pw_uid){
-
- if(set_env_var("USER", target_pwd->pw_name)){
+ if (!asme) {
+ if (target_pwd->pw_uid){
+ if (set_env_var("USER", target_pwd->pw_name)){
+ fprintf(stderr,"ksu: couldn't set environment variable USER\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ }
+
+ if (set_env_var( "HOME", target_pwd->pw_dir)){
fprintf(stderr,"ksu: couldn't set environment variable USER\n");
sweep_up(ksu_context, cc_target);
exit(1);
- }
- }
-
- if(set_env_var( "HOME", target_pwd->pw_dir)){
- fprintf(stderr,"ksu: couldn't set environment variable USER\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
+ }
- if(set_env_var( "SHELL", shell)){
- fprintf(stderr,"ksu: couldn't set environment variable USER\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
+ if (set_env_var( "SHELL", shell)){
+ fprintf(stderr,"ksu: couldn't set environment variable USER\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ }
+
+#ifdef LOGIN_CAP
+ lc = login_getpwclass(pwd);
+#endif
/* set the cc env name to target */
@@ -718,7 +754,19 @@
sweep_up(ksu_context, cc_target);
exit(1);
}
-
+
+#ifdef LOGIN_CAP
+ setwhat = LOGIN_SETUSER|LOGIN_SETGROUP|LOGIN_SETRESOURCES|LOGIN_SETPRIORITY;
+ setwhat |= LOGIN_SETPATH|LOGIN_SETUMASK|LOGIN_SETENV;
+ /*
+ * Don't touch resource/priority settings if -m has been
+ * used or -l and -c hasn't, and we're not su'ing to root.
+ */
+ if (target_pwd->pw_uid)
+ setwhat &= ~(LOGIN_SETPRIORITY|LOGIN_SETRESOURCES);
+ if (setusercontext(lc, target_pwd, target_pwd->pw_uid, setwhat) < 0)
+ err(1, "setusercontext");
+#else
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
@@ -759,6 +807,7 @@
sweep_up(ksu_context, cc_target);
exit(1);
}
+#endif
if (access( cc_target_tag_tmp, R_OK | W_OK )){
com_err(prog_name, errno,