Imported Upstream version 1.8.4p4

[debian/sudo] / plugins / sudoers / auth / kerb5.c

diff --git a/plugins/sudoers/auth/kerb5.c b/plugins/sudoers/auth/kerb5.c
index f94865dd4e9ed8ef9851553f2fa4d94b725d33c1..3ba7b8c5b81e4f20d4547bf1e2348b14d0c67207 100644 (file)
--- a/plugins/sudoers/auth/kerb5.c
+++ b/plugins/sudoers/auth/kerb5.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999-2005, 2007-2008, 2010-2011
+ * Copyright (c) 1999-2005, 2007-2008, 2010-2012
  *     Todd C. Miller <Todd.Miller@courtesan.com>
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -70,6 +70,12 @@ static struct _sudo_krb5_data {
 } sudo_krb5_data = { NULL, NULL, NULL };
 typedef struct _sudo_krb5_data *sudo_krb5_datap;
 
+#ifdef SUDO_KRB5_INSTANCE
+static const char *sudo_krb5_instance = SUDO_KRB5_INSTANCE;
+#else
+static const char *sudo_krb5_instance = NULL;
+#endif
+
 #ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
 static krb5_error_code
 krb5_get_init_creds_opt_alloc(krb5_context context,
@@ -88,9 +94,10 @@ krb5_get_init_creds_opt_free(krb5_get_init_creds_opt *opts)
 #endif
 
 int
-kerb5_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
+sudo_krb5_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
 {
     static char        *krb5_prompt;
+    debug_decl(sudo_krb5_init, SUDO_DEBUG_AUTH)
 
     if (krb5_prompt == NULL) {
        krb5_context    sudo_context;
@@ -109,7 +116,7 @@ kerb5_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
            log_error(NO_EXIT|NO_MAIL,
                      _("%s: unable to unparse princ ('%s'): %s"), auth->name,
                      pw->pw_name, error_message(error));
-           return AUTH_FAILURE;
+           debug_return_int(AUTH_FAILURE);
        }
 
        /* Only rewrite prompt if user didn't specify their own. */
@@ -120,37 +127,40 @@ kerb5_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
     }
     *promptp = krb5_prompt;
 
-    return AUTH_SUCCESS;
+    debug_return_int(AUTH_SUCCESS);
 }
 
 int
-kerb5_init(struct passwd *pw, sudo_auth *auth)
+sudo_krb5_init(struct passwd *pw, sudo_auth *auth)
 {
     krb5_context       sudo_context;
-    krb5_ccache                ccache;
-    krb5_principal     princ;
     krb5_error_code    error;
-    char               cache_name[64];
+    char               cache_name[64], *pname = pw->pw_name;
+    debug_decl(sudo_krb5_init, SUDO_DEBUG_AUTH)
 
     auth->data = (void *) &sudo_krb5_data; /* Stash all our data here */
 
+    if (sudo_krb5_instance != NULL) {
+       easprintf(&pname, "%s%s%s", pw->pw_name,
+           sudo_krb5_instance[0] != '/' ? "/" : "", sudo_krb5_instance);
+    }
+
 #ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
     error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context));
 #else
     error = krb5_init_context(&(sudo_krb5_data.sudo_context));
 #endif
     if (error)
-       return AUTH_FAILURE;
+       goto done;
     sudo_context = sudo_krb5_data.sudo_context;
 
-    if ((error = krb5_parse_name(sudo_context, pw->pw_name,
-       &(sudo_krb5_data.princ)))) {
+    error = krb5_parse_name(sudo_context, pname, &(sudo_krb5_data.princ));
+    if (error) {
        log_error(NO_EXIT|NO_MAIL,
-                 _("%s: unable to parse '%s': %s"), auth->name, pw->pw_name,
+                 _("%s: unable to parse '%s': %s"), auth->name, pname,
                  error_message(error));
-       return AUTH_FAILURE;
+       goto done;
     }
-    princ = sudo_krb5_data.princ;
 
     (void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
                    (long) getpid());
@@ -159,32 +169,35 @@ kerb5_init(struct passwd *pw, sudo_auth *auth)
        log_error(NO_EXIT|NO_MAIL,
                  _("%s: unable to resolve ccache: %s"), auth->name,
                  error_message(error));
-       return AUTH_FAILURE;
+       goto done;
     }
-    ccache = sudo_krb5_data.ccache;
 
-    return AUTH_SUCCESS;
+done:
+    if (sudo_krb5_instance != NULL)
+       efree(pname);
+    debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
 }
 
 #ifdef HAVE_KRB5_VERIFY_USER
 int
-kerb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
+sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
 {
     krb5_context       sudo_context;
     krb5_principal     princ;
     krb5_ccache                ccache;
     krb5_error_code    error;
+    debug_decl(sudo_krb5_verify, SUDO_DEBUG_AUTH)
 
     sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
     princ = ((sudo_krb5_datap) auth->data)->princ;
     ccache = ((sudo_krb5_datap) auth->data)->ccache;
 
     error = krb5_verify_user(sudo_context, princ, ccache, pass, 1, NULL);
-    return error ? AUTH_FAILURE : AUTH_SUCCESS;
+    debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
 }
 #else
 int
-kerb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
+sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
 {
     krb5_context       sudo_context;
     krb5_principal     princ;
@@ -192,6 +205,7 @@ kerb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
     krb5_ccache                ccache;
     krb5_error_code    error;
     krb5_get_init_creds_opt *opts = NULL;
+    debug_decl(sudo_krb5_verify, SUDO_DEBUG_AUTH)
 
     sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
     princ = ((sudo_krb5_datap) auth->data)->princ;
@@ -248,16 +262,17 @@ done:
     }
     if (creds)
        krb5_free_cred_contents(sudo_context, creds);
-    return error ? AUTH_FAILURE : AUTH_SUCCESS;
+    debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
 }
 #endif
 
 int
-kerb5_cleanup(struct passwd *pw, sudo_auth *auth)
+sudo_krb5_cleanup(struct passwd *pw, sudo_auth *auth)
 {
     krb5_context       sudo_context;
     krb5_principal     princ;
     krb5_ccache                ccache;
+    debug_decl(sudo_krb5_cleanup, SUDO_DEBUG_AUTH)
 
     sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
     princ = ((sudo_krb5_datap) auth->data)->princ;
@@ -271,7 +286,7 @@ kerb5_cleanup(struct passwd *pw, sudo_auth *auth)
        krb5_free_context(sudo_context);
     }
 
-    return AUTH_SUCCESS;
+    debug_return_int(AUTH_SUCCESS);
 }
 
 #ifndef HAVE_KRB5_VERIFY_USER
@@ -289,6 +304,7 @@ verify_krb_v5_tgt(krb5_context sudo_context, krb5_creds *cred, char *auth_name)
     krb5_error_code    error;
     krb5_principal     server;
     krb5_verify_init_creds_opt vopt;
+    debug_decl(verify_krb_v5_tgt, SUDO_DEBUG_AUTH)
 
     /*
      * Get the server principal for the local host.
@@ -299,7 +315,7 @@ verify_krb_v5_tgt(krb5_context sudo_context, krb5_creds *cred, char *auth_name)
        log_error(NO_EXIT|NO_MAIL,
                  _("%s: unable to get host principal: %s"), auth_name,
                  error_message(error));
-       return -1;
+       debug_return_int(-1);
     }
 
     /* Initialize verify opts and set secure mode */
@@ -314,6 +330,6 @@ verify_krb_v5_tgt(krb5_context sudo_context, krb5_creds *cred, char *auth_name)
        log_error(NO_EXIT|NO_MAIL,
                  _("%s: Cannot verify TGT! Possible attack!: %s"),
                  auth_name, error_message(error));
-    return error;
+    debug_return_int(error);
 }
 #endif