From: Todd C. Miller Date: Sun, 15 Jul 2007 19:44:46 +0000 (+0000) Subject: Add support for krb5_ccname in ldap.conf. If specified, it will X-Git-Tag: SUDO_1_7_0~485 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=af18ed5e9d1039eaf8d158e28df18239a54741e6;p=sudo Add support for krb5_ccname in ldap.conf. If specified, it will override the default value of KRB5CCNAME in the environment for the duration of the call to ldap_sasl_interactive_bind_s(). --- diff --git a/ldap.c b/ldap.c index f965d925c..57bdb3ef4 100644 --- a/ldap.c +++ b/ldap.c @@ -114,6 +114,7 @@ struct ldap_config { char *tls_keyfile; char *sasl_authid; char *rootsasl_authid; + char *krb5_ccname; } ldap_conf; /* @@ -570,6 +571,7 @@ sudo_ldap_read_config() MATCH_S("sudoers_base", ldap_conf.base) else MATCH_I("sudoers_debug", ldap_conf.debug) +#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S else MATCH_B("use_sasl", ldap_conf.use_sasl) else @@ -578,6 +580,9 @@ sudo_ldap_read_config() MATCH_B("rootuse_sasl", ldap_conf.rootuse_sasl) else MATCH_S("rootsasl_authid", ldap_conf.rootsasl_authid) + else + MATCH_S("krb5_ccname", ldap_conf.krb5_ccname) +#endif else { /* @@ -655,6 +660,26 @@ sudo_ldap_read_config() fclose(f); } } +#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S + /* + * Make sure we can open the file specified by krb5_ccname. + */ + if (ldap_conf.krb5_ccname != NULL) { + if (strncasecmp(ldap_conf.krb5_ccname, "FILE:", 5) == 0 || + strncasecmp(ldap_conf.krb5_ccname, "WRFILE:", 7) == 0) { + value = ldap_conf.krb5_ccname + + (ldap_conf.krb5_ccname[4] == ':' ? 5 : 7); + if ((f = fopen(value, "r")) != NULL) { + fclose(f); + } else { + /* Can't open it, just ignore the entry. */ + efree(ldap_conf.krb5_ccname); + ldap_conf.krb5_ccname = NULL; + } + } + } +#endif + return(TRUE); } 
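Review bot: When the configured FILE:/WRFILE: cache cannot be opened, the new check in sudo_ldap_read_config silently drops `ldap_conf.krb5_ccname`, so the SASL bind in sudo_ldap_open falls back to whatever KRB5CCNAME the invoking user supplied, with nothing explaining why the ldap.conf setting was not used. Under the existing `/* Can't open it, just ignore the entry. */` I would at least report it when debugging is on, e.g. `if (ldap_conf.debug) fprintf(stderr, "unable to open krb5_ccname %s, ignoring\n", value);` (same fprintf(stderr) style as the bind error in sudo_ldap_open; use the file's debug helper instead if it has one). The block comment should also say that only FILE:/WRFILE: names are verified and every other cache type, or a bare path with no type prefix, is passed through unchecked, since `Make sure we can open the file specified by krb5_ccname` reads as if every value were validated. The fopen only shows the path exists and is readable to sudo, not that it is a usable cache; that is acceptable for a root-owned config value but the comment should not overstate it. sudo_ldap_read_config starts outside the hunk.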
@@ -873,7 +898,7 @@ sudo_ldap_sasl_interact(ld, flags, v_authid, v_interact) for (;interact->id != SASL_CB_LIST_END; interact++) { if (interact->id != SASL_CB_USER) - return (LDAP_PARAM_ERROR); + return(LDAP_PARAM_ERROR); if (authid != NULL) interact->result = authid; @@ -883,7 +908,7 @@ sudo_ldap_sasl_interact(ld, flags, v_authid, v_interact) interact->result = ""; interact->len = strlen(interact->result); } - return (LDAP_SUCCESS); + return(LDAP_SUCCESS); } #endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */ @@ -995,14 +1020,18 @@ sudo_ldap_open() #endif /* HAVE_LDAP_START_TLS_S */ #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S - /* XXX - should use krb5_ccname from ldap.conf too! */ if (ldap_conf.rootuse_sasl == TRUE || (ldap_conf.rootuse_sasl != FALSE && ldap_conf.use_sasl == TRUE)) { void *authid = ldap_conf.rootsasl_authid ? ldap_conf.rootsasl_authid : ldap_conf.sasl_authid; + if (ldap_conf.krb5_ccname != NULL) + sudo_setenv("KRB5CCNAME", ldap_conf.krb5_ccname, TRUE); rc = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn, "GSSAPI", NULL, NULL, LDAP_SASL_QUIET, sudo_ldap_sasl_interact, authid); + /* XXX - should unset if no user_ccname */ + if (user_ccname != NULL) + sudo_setenv("KRB5CCNAME", user_ccname, TRUE); if (rc != LDAP_SUCCESS) { fprintf(stderr, "ldap_sasl_interactive_bind_s(): %d : %s\n", rc, ldap_err2string(rc)); diff --git a/sudo.c b/sudo.c index e0d30a59b..c79b3b841 100644 --- a/sudo.c +++ b/sudo.c @@ -565,6 +565,10 @@ init_vars(sudo_mode, envp) for (ep = envp; *ep; ep++) { switch (**ep) { + case 'K': + if (strncmp("KRB5CCNAME=", *ep, 11) == 0) + user_ccname = *ep + 11; + break; case 'P': if (strncmp("PATH=", *ep, 5) == 0) user_path = *ep + 5; diff --git a/sudo.h b/sudo.h index c1438076b..e9eb05e5b 100644 --- a/sudo.h +++ b/sudo.h @@ -50,6 +50,7 @@ struct sudo_user { char *cmnd_base; char *cmnd_safe; char *class_name; + char *krb5_ccname; int ngroups; gid_t *groups; struct list_member *env_vars; 
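Review bot: The KRB5CCNAME override in sudo_ldap_open is only undone when the invoker had one (`if (user_ccname != NULL)`), as the added `XXX` admits, so for a user with no KRB5CCNAME the ldap.conf cache name stays in sudo's environment after the bind and, unless the environment is rebuilt before the command is executed (not visible here), the command would run with KRB5CCNAME pointing at the cache sudo uses for its own LDAP credential. The restore wants an else branch that removes the variable, `else UNSET_ENV_HELPER("KRB5CCNAME"); /* placeholder: the env module's unset counterpart of sudo_setenv */`, after which the `XXX` comment can go. It is also worth a comment that the restore is deliberately placed before the `rc` check so the environment is left as found on both the success and failure paths. The enclosing function starts and ends outside the hunk.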
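Review bot: `user_ccname` in the new `case 'K'` of init_vars aliases the caller's `envp` storage, like `user_path` beside it, and holds the invoking user's unvalidated value; a one-line comment such as `/* invoker's KRB5CCNAME, untrusted; kept only to restore the env after the LDAP bind */` would stop a later reader from freeing it or treating it as trusted. The `11` is the length of `"KRB5CCNAME="`; `sizeof("KRB5CCNAME=") - 1` would document that, though the existing `PATH=` case uses the same bare-number style so either is defensible. init_vars starts and ends outside the hunk.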
@@ -138,6 +139,7 @@ struct sudo_user { #define user_prompt (sudo_user.prompt) #define user_host (sudo_user.host) #define user_shost (sudo_user.shost) +#define user_ccname (sudo_user.krb5_ccname) #define safe_cmnd (sudo_user.cmnd_safe) #define login_class (sudo_user.class_name) #define runas_pw (sudo_user._runas_pw)