From 241b1db8730fccf3d3adfd935daf290a3948452a Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 5 Jan 2012 15:39:05 -0500
Subject: [PATCH] Add --enable-kerb5-instance configure option to allow people using Kerberos V authentication to use a custom instance. Adapted from a diff by Michael E Burr.
---
INSTALL | 7 +++++++
config.h.in | 4 ++++
configure | 27 +++++++++++++++++++++++++++
configure.in | 13 +++++++++++++
plugins/sudoers/auth/kerb5.c | 36 +++++++++++++++++++++++-------------
5 files changed, 74 insertions(+), 13 deletions(-)
diff --git a/INSTALL b/INSTALL
index 7c9d32a68..c6fb02d1f 100644
--- a/INSTALL
+++ b/INSTALL
@@ -180,6 +180,13 @@ Special features/options:
 does not use the Kerberos cookie scheme. Will not work for Kerberos V older than version 1.1.
+ --enable-kerb5-instance=string
+ By default, the user name is used as the principal name
+ when authenticating via Kerberos V. If this option is
+ enabled, the specified instance string will be appended to
+ the user name (separated by a slash) when creating the
+ principal name.
+
 --with-ldap[=DIR]
 Enable LDAP support. If specified, DIR is the base directory containing the LDAP include and lib directories. Please see
diff --git a/config.h.in b/config.h.in
index 823b6d954..461ac1621 100644
--- a/config.h.in
+++ b/config.h.in
@@ -767,6 +767,10 @@
 /* The name of the sudoers plugin, including extension. */
 #undef SUDOERS_PLUGIN
 
+/* An instance string to append to the username (separated by a slash) for
+ Kerberos V authentication */
+#undef SUDO_KRB5_INSTANCE
+
 /* The umask that the sudo-run prog should use. */
 #undef SUDO_UMASK
 
diff --git a/configure b/configure
index 718013fdf..5b99394e0 100755
--- a/configure
+++ b/configure
@@ -891,6 +891,7 @@ enable_sia enable_largefile with_pam_login enable_pam_session +enable_kerb5_instance ' ac_precious_vars='build_alias host_alias
@@ -1547,6 +1548,8 @@ Optional Features: --disable-sia Disable SIA on Digital UNIX --disable-largefile omit support for large files --disable-pam-session Disable PAM session support + --enable-kerb5-instance instance string to append to the username (separated + by a slash) Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
@@ -18399,6 +18402,29 @@ done fi LIBS="$_LIBS" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use an instance name for Kerberos V" >&5 +$as_echo_n "checking whether to use an instance name for Kerberos V... " >&6; } + # Check whether --enable-kerb5-instance was given. +if test "${enable_kerb5_instance+set}" = set; then : + enableval=$enable_kerb5_instance; case "$enableval" in + yes) as_fn_error $? "\"must give --enable-kerb5-instance an argument.\"" "$LINENO" 5 + ;; + no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + ;; + *) cat >>confdefs.h <&5 +$as_echo "$enableval" >&6; } + ;; + esac +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + fi if test ${with_AFS-'no'} = "yes"; then
@@ -22126,5 +22152,6 @@ fi +
diff --git a/configure.in b/configure.in
index 86512b3d0..9a9d21ad9 100644
--- a/configure.in
+++ b/configure.in
@@ -2584,6 +2584,18 @@ if test ${with_kerb5-'no'} != "no"; then
 AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS)
 fi
 LIBS="$_LIBS"
+ AC_MSG_CHECKING(whether to use an instance name for Kerberos V)
+ AC_ARG_ENABLE(kerb5-instance,
+ [AS_HELP_STRING([--enable-kerb5-instance], [instance string to append to the username (separated by a slash)])],
+ [ case "$enableval" in
+ yes) AC_MSG_ERROR(["must give --enable-kerb5-instance an argument."])
+ ;;
+ no) AC_MSG_RESULT(no)
+ ;;
+ *) SUDO_DEFINE_UNQUOTED(SUDO_KRB5_INSTANCE, "$enableval")
+ AC_MSG_RESULT([$enableval])
+ ;;
+ esac], AC_MSG_RESULT(no))
 fi
 
 dnl
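Review bot: The `case "$enableval"` in the new AC_ARG_ENABLE block only rejects `yes`, so `--enable-kerb5-instance=` with an empty value falls into the `*)` arm and defines `SUDO_KRB5_INSTANCE` as `""`; the kerb5.c hunk later in this patch then builds the principal as `user/` with an empty instance component instead of failing at configure time. Widening the error arm covers it: `yes|"") AC_MSG_ERROR(["must give --enable-kerb5-instance an argument."])`. Since kerb5.c hands the concatenated string to `krb5_parse_name()`, which treats `@` as the realm separator, a similar `*@*)` error arm would also stop a build-time option from silently changing the realm of the principal being authenticated. The enclosing `if test ${with_kerb5-'no'} != "no"` block starts before this hunk.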
@@ -3166,6 +3178,7 @@ AH_TEMPLATE(socklen_t, [Define to `unsigned int' if doesn't defin
 AH_TEMPLATE(HAVE_STRUCT_UTMP_UT_EXIT, [Define to 1 if `ut_exit' is a member of `struct utmp'.])
 AH_TEMPLATE(HAVE_STRUCT_UTMPX_UT_EXIT, [Define to 1 if `ut_exit' is a member of `struct utmpx'.])
 AH_TEMPLATE(HAVE___FUNC__, [Define to 1 if the compiler supports the C99 __func__ variable.])
+AH_TEMPLATE(SUDO_KRB5_INSTANCE, [An instance string to append to the username (separated by a slash) for Kerberos V authentication])
 
 dnl
 dnl Bits to copy verbatim into config.h.in
diff --git a/plugins/sudoers/auth/kerb5.c b/plugins/sudoers/auth/kerb5.c
index daf5743c7..3ba7b8c5b 100644
--- a/plugins/sudoers/auth/kerb5.c
+++ b/plugins/sudoers/auth/kerb5.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999-2005, 2007-2008, 2010-2011
+ * Copyright (c) 1999-2005, 2007-2008, 2010-2012
 * Todd C. Miller
 *
 * Permission to use, copy, modify, and distribute this software for any
@@ -70,6 +70,12 @@
 } sudo_krb5_data = { NULL, NULL, NULL };
 typedef struct _sudo_krb5_data *sudo_krb5_datap;
 
+#ifdef SUDO_KRB5_INSTANCE
+static const char *sudo_krb5_instance = SUDO_KRB5_INSTANCE;
+#else
+static const char *sudo_krb5_instance = NULL;
+#endif
+
 #ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
 static krb5_error_code
 krb5_get_init_creds_opt_alloc(krb5_context context,
@@ -128,31 +134,33 @@ int
 sudo_krb5_init(struct passwd *pw, sudo_auth *auth)
 {
 krb5_context sudo_context;
- krb5_ccache ccache;
- krb5_principal princ;
 krb5_error_code error;
- char cache_name[64];
+ char cache_name[64], *pname = pw->pw_name;
 debug_decl(sudo_krb5_init, SUDO_DEBUG_AUTH)
 
 auth->data = (void *) &sudo_krb5_data; /* Stash all our data here */
 
+ if (sudo_krb5_instance != NULL) {
+ easprintf(&pname, "%s%s%s", pw->pw_name,
+ sudo_krb5_instance[0] != '/' ? "/" : "", sudo_krb5_instance);
+ }
+
 #ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
 error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context));
 #else
 error = krb5_init_context(&(sudo_krb5_data.sudo_context));
 #endif
 if (error)
- debug_return_int(AUTH_FAILURE);
+ goto done;
 sudo_context = sudo_krb5_data.sudo_context;
 
- if ((error = krb5_parse_name(sudo_context, pw->pw_name,
- &(sudo_krb5_data.princ)))) {
+ error = krb5_parse_name(sudo_context, pname, &(sudo_krb5_data.princ));
+ if (error) {
 log_error(NO_EXIT|NO_MAIL,
- _("%s: unable to parse '%s': %s"), auth->name, pw->pw_name,
+ _("%s: unable to parse '%s': %s"), auth->name, pname,
 error_message(error));
- debug_return_int(AUTH_FAILURE);
+ goto done;
 }
- princ = sudo_krb5_data.princ;
 
 (void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
 (long) getpid());
@@ -161,11 +169,13 @@ sudo_krb5_init(struct passwd *pw, sudo_auth *auth)
 log_error(NO_EXIT|NO_MAIL,
 _("%s: unable to resolve ccache: %s"), auth->name,
 error_message(error));
- debug_return_int(AUTH_FAILURE);
+ goto done;
 }
- ccache = sudo_krb5_data.ccache;
 
- debug_return_int(AUTH_SUCCESS);
+done:
+ if (sudo_krb5_instance != NULL)
+ efree(pname);
+ debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
 }
 
 #ifdef HAVE_KRB5_VERIFY_USER
-- 
2.40.0
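Review bot: The principal string assembled by the new `easprintf()` call is plain concatenation of `pw->pw_name` and `sudo_krb5_instance`, and `krb5_parse_name()` then re-parses it, interpreting `@`, `/` and `\` in both parts; a user name containing `@` (whether the NSS backend permits that is not visible here) would push the configured instance into the realm component, or fail to parse, depending on the library, rather than yielding `user/instance`. The old code had the same exposure for the bare user name, but appending text after it makes the placement matter, so the assumption should at least be recorded above the call, e.g. `/* Build "user/instance"; pw_name is assumed to contain no principal metacharacters (@, /, \). */`. Building the principal from explicit components with `krb5_build_principal()` instead of re-parsing a string would remove the ambiguity, at the cost of looking up the default realm. The function continues in the next hunk.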
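Review bot: At `done:` the decision to free `pname` is taken from `sudo_krb5_instance != NULL` rather than from whether `easprintf()` actually replaced the `pw->pw_name` alias; the two coincide today because the instance pointer is initialised from a build-time macro in the earlier hunk, but tying the free to the allocation reads more clearly and survives the option ever becoming runtime-configurable: `if (pname != pw->pw_name) efree(pname);`. The label also relies on `error` being set on every path, which holds only because the first `goto done` comes after the context-init assignment in the previous hunk; a one-line comment there would save the next reader the check: `/* error is always assigned before the first goto done */`. The function's signature and the allocation are in the previous hunk.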