In ksu, don't stat() not-on-disk ccache residuals

Don't assume that ccache residual names are filenames which we can stat() usefully. Instead, use helper functions to call the library routines to try to read the default principal name from caches, and use whether or not that succeeds as an indication of whether or not there's a ccache in a given location. ticket: 7728
greghudson · Aug 8, 2014 · 9ebae7c · 9ebae7c
1 parent 74e775a
commit 9ebae7c
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 100 deletions.
diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
@@ -62,12 +62,9 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
 {
     int i=0;
     krb5_ccache  * cc_other;
-    const char * cc_def_name;
-    const char * cc_other_name;
     krb5_error_code retval=0;
     krb5_creds ** cc_def_creds_arr = NULL;
     krb5_creds ** cc_other_creds_arr = NULL;
-    struct stat st_temp;
 
     cc_other = (krb5_ccache *)  xcalloc(1, sizeof (krb5_ccache));
 
@@ -76,16 +73,13 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
         return retval;
     }
 
-    cc_def_name = krb5_cc_get_name(context, cc_def);
-    cc_other_name = krb5_cc_get_name(context, *cc_other);
-
-    if ( ! stat(cc_def_name, &st_temp)){
+    if (ks_ccache_is_initialized(context, cc_def)) {
         if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
             return retval;
         }
     }
 
-    if (!lstat( cc_other_name, &st_temp))
+    if (ks_ccache_name_is_initialized(context, cc_other_tag))
         return EINVAL;
 
     if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
@@ -540,24 +534,18 @@ krb5_error_code krb5_ccache_overwrite(context, ccs, cct, primary_principal)
     krb5_ccache cct;
     krb5_principal primary_principal;
 {
-    const char * cct_name;
-    const char * ccs_name;
     krb5_error_code retval=0;
     krb5_principal temp_principal;
     krb5_creds ** ccs_creds_arr = NULL;
     int i=0;
-    struct stat st_temp;
 
-    ccs_name = krb5_cc_get_name(context, ccs);
-    cct_name = krb5_cc_get_name(context, cct);
-
-    if ( ! stat(ccs_name, &st_temp)){
+    if (ks_ccache_is_initialized(context, ccs)) {
         if ((retval = krb5_get_nonexp_tkts(context,  ccs, &ccs_creds_arr))){
             return retval;
         }
     }
 
-    if ( ! stat(cct_name, &st_temp)){
+    if (ks_ccache_is_initialized(context, cct)) {
         if ((retval = krb5_cc_get_principal(context, cct, &temp_principal))){
             return retval;
         }
@@ -643,12 +631,10 @@ krb5_error_code krb5_ccache_filter (context, cc, prst)
     krb5_creds ** cc_creds_arr = NULL;
     const char * cc_name;
     krb5_boolean stored;
-    struct stat st_temp;
 
     cc_name = krb5_cc_get_name(context, cc);
 
-    if ( ! stat(cc_name, &st_temp)){
-
+    if (ks_ccache_is_initialized(context, cc)) {
         if (auth_debug) {
             fprintf(stderr,"putting cache %s through a filter for -z option\n",                     cc_name);
         }
@@ -713,12 +699,8 @@ krb5_error_code  krb5_find_princ_in_cache (context, cc, princ, found)
 {
     krb5_error_code retval;
     krb5_creds ** creds_list = NULL;
-    const char * cc_name;
-    struct stat st_temp;
-
-    cc_name = krb5_cc_get_name(context, cc);
 
-    if ( ! stat(cc_name, &st_temp)){
+    if (ks_ccache_is_initialized(context, cc)) {
         if ((retval = krb5_get_nonexp_tkts(context, cc, &creds_list))){
             return retval;
         }
@@ -727,3 +709,33 @@ krb5_error_code  krb5_find_princ_in_cache (context, cc, princ, found)
     *found = krb5_find_princ_in_cred_list(context, creds_list, princ);
     return 0;
 }
+
+krb5_boolean
+ks_ccache_name_is_initialized(krb5_context context, const char *cctag)
+{
+    krb5_boolean result;
+    krb5_ccache cc;
+
+    if (krb5_cc_resolve(context, cctag, &cc) != 0)
+        return FALSE;
+    result = ks_ccache_is_initialized(context, cc);
+    krb5_cc_close(context, cc);
+
+    return result;
+}
+
+krb5_boolean
+ks_ccache_is_initialized(krb5_context context, krb5_ccache cc)
+{
+    krb5_principal princ;
+    krb5_error_code retval;
+
+    if (cc == NULL)
+        return FALSE;
+
+    retval = krb5_cc_get_principal(context, cc, &princ);
+    if (retval == 0)
+        krb5_free_principal(context, princ);
+
+    return retval == 0;
+}
diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c
@@ -397,12 +397,8 @@ krb5_error_code find_either_ticket (context, cc, client, end_server, found)
     krb5_principal kdc_server;
     krb5_error_code retval;
     krb5_boolean temp_found = FALSE;
-    const char * cc_source_name;
-    struct stat st_temp;
 
-    cc_source_name = krb5_cc_get_name(context, cc);
-
-    if ( ! stat(cc_source_name, &st_temp)){
+    if (ks_ccache_is_initialized(context, cc)) {
 
         retval = find_ticket(context, cc, client, end_server, &temp_found);
         if (retval)
@@ -539,7 +535,6 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
 {
 
     princ_info princ_trials[10];
-    const char * cc_source_name;
     krb5_principal cc_def_princ = NULL;
     krb5_principal temp_client;
     krb5_principal target_client;
@@ -551,18 +546,14 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
     struct stat tb;
     int count =0;
     int i;
-    struct stat st_temp;
 
     *path_out = 0;
 
     /* -n option was specified client is set we are done */
     if (options->princ)
         return 0;
 
-    cc_source_name = krb5_cc_get_name(context, cc_source);
-
-
-    if (! stat(cc_source_name, &st_temp)) {
+    if (ks_ccache_is_initialized(context, cc_source)) {
         retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ);
         if (retval)
             return retval;

diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
@@ -141,6 +141,12 @@ extern krb5_error_code krb5_store_some_creds
 (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **,
  krb5_principal, krb5_boolean *);
 
+extern krb5_boolean ks_ccache_name_is_initialized
+(krb5_context, const char *);
+
+extern krb5_boolean ks_ccache_is_initialized
+(krb5_context, krb5_ccache);
+
 extern krb5_error_code krb5_ccache_refresh
 (krb5_context, krb5_ccache);
 
@@ -198,8 +204,6 @@ extern int standard_shell (char *);
 
 extern krb5_error_code get_params (int *, int, char **, char ***);
 
-extern char *get_dir_of_file (const char *);
-
 /* heuristic.c */
 extern krb5_error_code get_all_princ_from_file (FILE *, char ***);
 

diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
@@ -51,7 +51,6 @@ static void print_status( const char *fmt, ...)
     __attribute__ ((__format__ (__printf__, 1, 2)))
 #endif
     ;
-char * get_dir_of_file();
 
 /* Note -e and -a options are mutually exclusive */
 /* insure the proper specification of target user as well as catching
@@ -96,7 +95,6 @@ main (argc, argv)
     const char * cc_source_tag = NULL;
     uid_t source_gid;
     const char * cc_source_tag_tmp = NULL;
-    char * cc_target_tag_tmp=NULL;
     char * cmd = NULL, * exec_cmd = NULL;
     int errflg = 0;
     krb5_boolean auth_val;
@@ -112,11 +110,9 @@ main (argc, argv)
     extern char * getpass(), *crypt();
     int pargc;
     char ** pargv;
-    struct stat  st_temp;
     krb5_boolean stored = FALSE;
     krb5_principal  kdc_server;
     krb5_boolean zero_password;
-    char * dir_of_cc_target;
     krb5_boolean restrict_creds;
 
     options.opt = KRB5_DEFAULT_OPTIONS;
@@ -266,9 +262,10 @@ main (argc, argv)
                 if ( strchr(cc_source_tag, ':')){
                     cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
 
-                    if( stat( cc_source_tag_tmp, &st_temp)){
+                    if (!ks_ccache_name_is_initialized(ksu_context,
+                                                       cc_source_tag)) {
                         com_err(prog_name, errno,
-                                _("while looking for credentials file %s"),
+                                _("while looking for credentials cache %s"),
                                 cc_source_tag_tmp);
                         exit (1);
                     }
@@ -419,32 +416,18 @@ main (argc, argv)
         exit(1);
     }
 
-    if (cc_target_tag == NULL) {
-
-        cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE ,sizeof(char));
-        /* make sure that the new ticket file does not already exist
-           This is run as source_uid because it is reasonable to
-           require the source user to have write to where the target
-           cache will be created.*/
-
-        do {
-            snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d",
-                     KRB5_SECONDARY_CACHE,
-                     (long) target_uid, gen_sym());
-            cc_target_tag_tmp = strchr(cc_target_tag, ':') + 1;
-
-        }while ( !stat ( cc_target_tag_tmp, &st_temp));
-    }
-
-
-    dir_of_cc_target = get_dir_of_file(cc_target_tag_tmp);
-
-    if (access(dir_of_cc_target, R_OK | W_OK )){
-        fprintf(stderr,
-                _("%s does not have correct permissions for %s\n"),
-                source_user, cc_target_tag);
-        exit(1);
-    }
+    /*
+     * Make sure that the new ticket file does not already exist.
+     * This is run as source_uid because it is reasonable to
+     * require the source user to have write to where the target
+     * cache will be created.
+     */
+    cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE, sizeof(char));
+    do {
+        snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d",
+                 KRB5_SECONDARY_CACHE,
+                 (long)target_uid, gen_sym());
+    } while (ks_ccache_name_is_initialized(ksu_context, cc_target_tag));
 
     if (auth_debug){
         fprintf(stderr, " source cache =  %s\n", cc_source_tag);
@@ -747,13 +730,6 @@ main (argc, argv)
         exit(1);
     }
 
-    if (access( cc_target_tag_tmp, R_OK | W_OK )){
-        com_err(prog_name, errno,
-                _("%s does not have correct permissions for %s, %s aborted"),
-                target_user, cc_target_tag_tmp, prog_name);
-        exit(1);
-    }
-
     if ( cc_source)
         krb5_cc_close(ksu_context, cc_source);
 
@@ -873,8 +849,6 @@ static void sweep_up(context, cc)
     krb5_ccache cc;
 {
     krb5_error_code retval;
-    const char * cc_name;
-    struct stat  st_temp;
 
     krb5_seteuid(0);
     if (krb5_seteuid(target_uid) < 0) {
@@ -883,8 +857,7 @@ static void sweep_up(context, cc)
         exit(1);
     }
 
-    cc_name = krb5_cc_get_name(context, cc);
-    if ( ! stat(cc_name, &st_temp)){
+    if (ks_ccache_is_initialized(context, cc)) {
         if ((retval = krb5_cc_destroy(context, cc)))
             com_err(prog_name, retval, _("while destroying cache"));
     }
@@ -937,26 +910,6 @@ void print_status(const char *fmt, ...)
     }
 }
 
-
-char *get_dir_of_file(path)
-    const char *path;
-{
-    char * temp_path;
-    char * ptr;
-
-    temp_path =  xstrdup(path);
-
-    if ((ptr = strrchr( temp_path, '/'))) {
-        *ptr = '\0';
-    } else {
-        free (temp_path);
-        temp_path = xmalloc(MAXPATHLEN);
-        if (temp_path)
-            getcwd(temp_path, MAXPATHLEN);
-    }
-    return temp_path;
-}
-
 krb5_error_code
 ksu_tgtname(context, server, client, tgtprinc)
     krb5_context context;