Lines 66-71
|
66 |
|
66 |
|
67 |
#include "conv.h" |
67 |
#include "conv.h" |
68 |
#include "log.h" |
68 |
#include "log.h" |
|
|
69 |
#include "perms.h" |
69 |
#include "prompter.h" |
70 |
#include "prompter.h" |
70 |
#include "stash.h" |
71 |
#include "stash.h" |
71 |
#include "userinfo.h" |
72 |
#include "userinfo.h" |
Lines 833-838
v5_get_creds(krb5_context ctx,
|
833 |
const char *realm; |
834 |
const char *realm; |
834 |
struct pam_message message; |
835 |
struct pam_message message; |
835 |
struct _pam_krb5_prompter_data prompter_data; |
836 |
struct _pam_krb5_prompter_data prompter_data; |
|
|
837 |
struct _pam_krb5_perms *saved_perms; |
836 |
krb5_principal service_principal; |
838 |
krb5_principal service_principal; |
837 |
krb5_creds tmpcreds; |
839 |
krb5_creds tmpcreds; |
838 |
krb5_ccache ccache; |
840 |
krb5_ccache ccache; |
Lines 884-903
v5_get_creds(krb5_context ctx,
|
884 |
"from %s", krb5_cc_default_name(ctx)); |
886 |
"from %s", krb5_cc_default_name(ctx)); |
885 |
} |
887 |
} |
886 |
memset(&ccache, 0, sizeof(ccache)); |
888 |
memset(&ccache, 0, sizeof(ccache)); |
887 |
if (krb5_cc_default(ctx, &ccache) == 0) { |
889 |
/* In case we're setuid/setgid, switch to the caller's |
|
|
890 |
* permissions. */ |
891 |
saved_perms = _pam_krb5_switch_perms(); |
892 |
if ((saved_perms != NULL) && |
893 |
(krb5_cc_default(ctx, &ccache) == 0)) { |
888 |
tmpcreds.client = userinfo->principal_name; |
894 |
tmpcreds.client = userinfo->principal_name; |
889 |
tmpcreds.server = service_principal; |
895 |
tmpcreds.server = service_principal; |
890 |
i = krb5_cc_retrieve_cred(ctx, ccache, 0, |
896 |
i = krb5_cc_retrieve_cred(ctx, ccache, 0, |
891 |
&tmpcreds, creds); |
897 |
&tmpcreds, creds); |
892 |
/* FIXME: check if the creds are expired? |
898 |
/* FIXME: check if the creds are expired? |
893 |
* What's the right error code if we check, and |
899 |
* What's the right error code if we check, and |
894 |
* they are? */ |
900 |
* they are? */ |
895 |
memset(&tmpcreds, 0, sizeof(tmpcreds)); |
901 |
memset(&tmpcreds, 0, sizeof(tmpcreds)); |
896 |
krb5_cc_close(ctx, ccache); |
902 |
krb5_cc_close(ctx, ccache); |
|
|
903 |
/* In case we're setuid/setgid, restore the |
904 |
* previous permissions. */ |
905 |
if (saved_perms != NULL) { |
906 |
if (_pam_krb5_restore_perms(saved_perms) != 0) { |
907 |
krb5_free_cred_contents(ctx, creds); |
908 |
memset(creds, 0, sizeof(*creds)); |
909 |
krb5_free_principal(ctx, service_principal); |
910 |
return PAM_SYSTEM_ERR; |
911 |
} |
912 |
saved_perms = NULL; |
913 |
} |
897 |
} else { |
914 |
} else { |
898 |
warn("error opening default ccache"); |
915 |
warn("error opening default ccache"); |
899 |
i = KRB5_CC_NOTFOUND; |
916 |
i = KRB5_CC_NOTFOUND; |
900 |
} |
917 |
} |
|
|
918 |
/* In case we're setuid/setgid, switch back to the |
919 |
* previous permissions if we didn't already. */ |
920 |
if (saved_perms != NULL) { |
921 |
if (_pam_krb5_restore_perms(saved_perms) != 0) { |
922 |
krb5_free_cred_contents(ctx, creds); |
923 |
memset(creds, 0, sizeof(*creds)); |
924 |
krb5_free_principal(ctx, service_principal); |
925 |
return PAM_SYSTEM_ERR; |
926 |
} |
927 |
saved_perms = NULL; |
928 |
} |
901 |
krb5_free_principal(ctx, service_principal); |
929 |
krb5_free_principal(ctx, service_principal); |
902 |
} else { |
930 |
} else { |
903 |
warn("error parsing TGT principal name (%s) " |
931 |
warn("error parsing TGT principal name (%s) " |
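Review bot: The restore-permissions block added at new lines 903–913, right after `krb5_cc_close`, is a verbatim copy of the one at 918–928, which runs immediately afterwards on the same path and already covers it; the inner copy can be dropped, or both can be replaced by one small static helper that calls `_pam_krb5_restore_perms`, and on failure frees `creds` and `service_principal` and returns PAM_SYSTEM_ERR, so the four-line cleanup is written once. Separately, the `else` branch at 914–917 is now also reached when `_pam_krb5_switch_perms()` returns NULL, so `warn("error opening default ccache")` is logged for a failure that never tried to open the cache; consider splitting the condition, e.g. `} else if (saved_perms == NULL) {` / `warn("error switching to the caller's permissions");` / `i = KRB5_CC_NOTFOUND;` before the existing `else`. Returning PAM_SYSTEM_ERR when the original permissions cannot be restored is the right choice, since continuing under the caller's identity would leave the rest of the module running with the wrong privileges. v5_get_creds begins and ends outside this hunk.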