X-Git-Url: https://git.gag.com/?a=blobdiff_plain;f=plugins%2Fsudoers%2Fauth%2Fkerb5.c;h=3ba7b8c5b81e4f20d4547bf1e2348b14d0c67207;hb=ca5f7615983706c51b50ac5a8bfc4e123263df0e;hp=f94865dd4e9ed8ef9851553f2fa4d94b725d33c1;hpb=0b21e55969badb5a284e97d31432c3f9139bed27;p=debian%2Fsudo
diff --git a/plugins/sudoers/auth/kerb5.c b/plugins/sudoers/auth/kerb5.c
index f94865d..3ba7b8c 100644
--- a/plugins/sudoers/auth/kerb5.c
+++ b/plugins/sudoers/auth/kerb5.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999-2005, 2007-2008, 2010-2011
+ * Copyright (c) 1999-2005, 2007-2008, 2010-2012
 * Todd C. Miller
 *
 * Permission to use, copy, modify, and distribute this software for any
@@ -70,6 +70,12 @@ static struct _sudo_krb5_data {
 } sudo_krb5_data = { NULL, NULL, NULL };
 typedef struct _sudo_krb5_data *sudo_krb5_datap;
+#ifdef SUDO_KRB5_INSTANCE
+static const char *sudo_krb5_instance = SUDO_KRB5_INSTANCE;
+#else
+static const char *sudo_krb5_instance = NULL;
+#endif
+
 #ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
 static krb5_error_code
 krb5_get_init_creds_opt_alloc(krb5_context context,
@@ -88,9 +94,10 @@ krb5_get_init_creds_opt_free(krb5_get_init_creds_opt *opts)
 #endif
 int
-kerb5_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
+sudo_krb5_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
 {
 static char *krb5_prompt;
+ debug_decl(sudo_krb5_init, SUDO_DEBUG_AUTH)
 if (krb5_prompt == NULL) {
 krb5_context sudo_context;
@@ -109,7 +116,7 @@ kerb5_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
 log_error(NO_EXIT|NO_MAIL, _("%s: unable to unparse princ ('%s'): %s"), auth->name, pw->pw_name, error_message(error));
- return AUTH_FAILURE;
+ debug_return_int(AUTH_FAILURE);
 }
 /* Only rewrite prompt if user didn't specify their own. */
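Review bot: The new `sudo_krb5_instance` definition carries no comment, and the name alone does not tell a reader that this string becomes the instance component of the user's Kerberos principal. I would add above the `#ifdef SUDO_KRB5_INSTANCE` block: `/* Optional instance appended to pw_name as "user/instance" when the principal is built in sudo_krb5_init; fixed at build time via SUDO_KRB5_INSTANCE, NULL when unset. */`. The leading-slash test in sudo_krb5_init suggests the define may be given with or without a '/', which is worth saying in that comment too.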
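Review bot: The `debug_decl` added to sudo_krb5_setup names the wrong function: `debug_decl(sudo_krb5_init, SUDO_DEBUG_AUTH)` will, as far as sudo's debug macros go, attribute this function's enter/exit trace and its `debug_return_int` calls to sudo_krb5_init, which makes the AUTH debug log misleading since both functions run during one authentication. It should read `debug_decl(sudo_krb5_setup, SUDO_DEBUG_AUTH)`. The body of sudo_krb5_setup continues past the end of this hunk.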
@@ -120,37 +127,40 @@ kerb5_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
 }
 *promptp = krb5_prompt;
- return AUTH_SUCCESS;
+ debug_return_int(AUTH_SUCCESS);
 }
 int
-kerb5_init(struct passwd *pw, sudo_auth *auth)
+sudo_krb5_init(struct passwd *pw, sudo_auth *auth)
 {
 krb5_context sudo_context;
- krb5_ccache ccache;
- krb5_principal princ;
 krb5_error_code error;
- char cache_name[64];
+ char cache_name[64], *pname = pw->pw_name;
+ debug_decl(sudo_krb5_init, SUDO_DEBUG_AUTH)
 auth->data = (void *) &sudo_krb5_data; /* Stash all our data here */
+ if (sudo_krb5_instance != NULL) {
+ easprintf(&pname, "%s%s%s", pw->pw_name, sudo_krb5_instance[0] != '/' ? "/" : "", sudo_krb5_instance);
+ }
+
 #ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
 error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context));
 #else
 error = krb5_init_context(&(sudo_krb5_data.sudo_context));
 #endif
 if (error)
- return AUTH_FAILURE;
+ goto done;
 sudo_context = sudo_krb5_data.sudo_context;
- if ((error = krb5_parse_name(sudo_context, pw->pw_name,
- &(sudo_krb5_data.princ)))) {
+ error = krb5_parse_name(sudo_context, pname, &(sudo_krb5_data.princ));
+ if (error) {
 log_error(NO_EXIT|NO_MAIL,
- _("%s: unable to parse '%s': %s"), auth->name, pw->pw_name,
+ _("%s: unable to parse '%s': %s"), auth->name, pname,
 error_message(error));
- return AUTH_FAILURE;
+ goto done;
 }
- princ = sudo_krb5_data.princ;
 (void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld", (long) getpid());
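Review bot: The `pname` allocation at the top of sudo_krb5_init and its release at `done:` in the next hunk are tied together only by both testing `sudo_krb5_instance != NULL`, so a later edit to either condition silently turns the other into a leak or a free of `pw->pw_name`. Keying the release off the pointer itself, `if (pname != pw->pw_name) efree(pname);`, keeps the free matched to the allocation whatever the guard says. That also makes it safe to tighten the guard to `if (sudo_krb5_instance != NULL && *sudo_krb5_instance != '\0') {`, since an empty SUDO_KRB5_INSTANCE currently yields a principal of the form `user/` with an empty instance instead of the plain user principal. sudo_krb5_init's body continues in the next hunk.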
@@ -159,32 +169,35 @@ kerb5_init(struct passwd *pw, sudo_auth *auth)
 log_error(NO_EXIT|NO_MAIL, _("%s: unable to resolve ccache: %s"), auth->name, error_message(error));
- return AUTH_FAILURE;
+ goto done;
 }
- ccache = sudo_krb5_data.ccache;
- return AUTH_SUCCESS;
+done:
+ if (sudo_krb5_instance != NULL)
+ efree(pname);
+ debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
 }
 #ifdef HAVE_KRB5_VERIFY_USER
 int
-kerb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
+sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
 {
 krb5_context sudo_context;
 krb5_principal princ;
 krb5_ccache ccache;
 krb5_error_code error;
+ debug_decl(sudo_krb5_verify, SUDO_DEBUG_AUTH)
 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
 princ = ((sudo_krb5_datap) auth->data)->princ;
 ccache = ((sudo_krb5_datap) auth->data)->ccache;
 error = krb5_verify_user(sudo_context, princ, ccache, pass, 1, NULL);
- return error ? AUTH_FAILURE : AUTH_SUCCESS;
+ debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
 }
 #else
 int
-kerb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
+sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
 {
 krb5_context sudo_context;
 krb5_principal princ;
@@ -192,6 +205,7 @@ kerb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
 krb5_ccache ccache;
 krb5_error_code error;
 krb5_get_init_creds_opt *opts = NULL;
+ debug_decl(sudo_krb5_verify, SUDO_DEBUG_AUTH)
 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
 princ = ((sudo_krb5_datap) auth->data)->princ;
@@ -248,16 +262,17 @@ done:
 }
 if (creds)
 krb5_free_cred_contents(sudo_context, creds);
- return error ? AUTH_FAILURE : AUTH_SUCCESS;
+ debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
 }
 #endif
 int
-kerb5_cleanup(struct passwd *pw, sudo_auth *auth)
+sudo_krb5_cleanup(struct passwd *pw, sudo_auth *auth)
 {
 krb5_context sudo_context;
 krb5_principal princ;
 krb5_ccache ccache;
+ debug_decl(sudo_krb5_cleanup, SUDO_DEBUG_AUTH)
 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
 princ = ((sudo_krb5_datap) auth->data)->princ;
@@ -271,7 +286,7 @@ kerb5_cleanup(struct passwd *pw, sudo_auth *auth)
 krb5_free_context(sudo_context);
 }
- return AUTH_SUCCESS;
+ debug_return_int(AUTH_SUCCESS);
 }
 #ifndef HAVE_KRB5_VERIFY_USER
@@ -289,6 +304,7 @@ verify_krb_v5_tgt(krb5_context sudo_context, krb5_creds *cred, char *auth_name)
 krb5_error_code error;
 krb5_principal server;
 krb5_verify_init_creds_opt vopt;
+ debug_decl(verify_krb_v5_tgt, SUDO_DEBUG_AUTH)
 /*
 * Get the server principal for the local host.
@@ -299,7 +315,7 @@ verify_krb_v5_tgt(krb5_context sudo_context, krb5_creds *cred, char *auth_name)
 log_error(NO_EXIT|NO_MAIL, _("%s: unable to get host principal: %s"), auth_name, error_message(error));
- return -1;
+ debug_return_int(-1);
 }
 /* Initialize verify opts and set secure mode */
@@ -314,6 +330,6 @@ verify_krb_v5_tgt(krb5_context sudo_context, krb5_creds *cred, char *auth_name)
 log_error(NO_EXIT|NO_MAIL, _("%s: Cannot verify TGT! Possible attack!: %s"), auth_name, error_message(error));
- return error;
+ debug_return_int(error);
 }
 #endif