(doit): move creation of users ticket file to later to avoid
seteuid/setuid dance. this breaks DCE, so remove support for it completely. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16414 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
@@ -74,13 +74,6 @@ static int do_keepalive = 1;
|
||||
static int do_version;
|
||||
static int do_help = 0;
|
||||
|
||||
#if defined(KRB5) && defined(DCE)
|
||||
int dfsk5ok = 0;
|
||||
int dfspag = 0;
|
||||
int dfsfwd = 0;
|
||||
krb5_ticket *user_ticket;
|
||||
#endif
|
||||
|
||||
static void
|
||||
syslog_and_die (const char *m, ...)
|
||||
__attribute__ ((format (printf, 1, 2)));
|
||||
@@ -454,10 +447,6 @@ recv_krb5_auth (int s, u_char *buf,
|
||||
}
|
||||
}
|
||||
|
||||
#if defined(DCE)
|
||||
user_ticket = ticket;
|
||||
#endif
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif /* KRB5 */
|
||||
@@ -645,15 +634,9 @@ setup_environment (char ***env, const struct passwd *pwd)
|
||||
syslog_and_die ("asprintf: out of memory");
|
||||
}
|
||||
asprintf (&e[i++], "SSH_CLIENT=only_to_make_bash_happy");
|
||||
#if defined(DCE)
|
||||
if (getenv("KRB5CCNAME"))
|
||||
if (asprintf (&e[i++], "KRB5CCNAME=%s", getenv("KRB5CCNAME")) == -1)
|
||||
syslog_and_die ("asprintf: out of memory");
|
||||
#else
|
||||
if (do_unique_tkfile)
|
||||
if (asprintf (&e[i++], "KRB5CCNAME=%s", tkfile) == -1)
|
||||
syslog_and_die ("asprintf: out of memory");
|
||||
#endif
|
||||
e[i++] = NULL;
|
||||
*env = e;
|
||||
}
|
||||
@@ -782,10 +765,6 @@ doit (void)
|
||||
if (client_user == NULL || server_user == NULL || cmd == NULL)
|
||||
syslog_and_die("mising client/server/cmd");
|
||||
|
||||
#if defined(DCE) && defined(_AIX)
|
||||
esetenv("AUTHSTATE", "DCE", 1);
|
||||
#endif
|
||||
|
||||
pwd = getpwnam (server_user);
|
||||
if (pwd == NULL)
|
||||
fatal (s, NULL, "Login incorrect.");
|
||||
@@ -825,34 +804,6 @@ doit (void)
|
||||
#endif
|
||||
|
||||
|
||||
#ifdef KRB5
|
||||
{
|
||||
int fd;
|
||||
|
||||
if (!do_unique_tkfile)
|
||||
snprintf(tkfile,sizeof(tkfile),"FILE:/tmp/krb5cc_%lu",
|
||||
(unsigned long)pwd->pw_uid);
|
||||
else if (*tkfile=='\0') {
|
||||
snprintf(tkfile,sizeof(tkfile),"FILE:/tmp/krb5cc_XXXXXX");
|
||||
fd = mkstemp(tkfile+5);
|
||||
close(fd);
|
||||
unlink(tkfile+5);
|
||||
}
|
||||
|
||||
if (kerberos_status)
|
||||
krb5_start_session();
|
||||
}
|
||||
chown(tkfile + 5, pwd->pw_uid, -1);
|
||||
|
||||
#if defined(DCE)
|
||||
if (kerberos_status) {
|
||||
esetenv("KRB5CCNAME", tkfile, 1);
|
||||
dfspag = krb5_dfs_pag(context, kerberos_status, user_ticket->client, server_user);
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_SETLOGIN
|
||||
if (setlogin(pwd->pw_name) < 0)
|
||||
syslog(LOG_ERR, "setlogin() failed: %m");
|
||||
@@ -884,6 +835,25 @@ doit (void)
|
||||
fatal (s, "dup2", "Cannot dup stderr.");
|
||||
}
|
||||
|
||||
#ifdef KRB5
|
||||
{
|
||||
int fd;
|
||||
|
||||
if (!do_unique_tkfile)
|
||||
snprintf(tkfile,sizeof(tkfile),"FILE:/tmp/krb5cc_%lu",
|
||||
(unsigned long)pwd->pw_uid);
|
||||
else if (*tkfile=='\0') {
|
||||
snprintf(tkfile,sizeof(tkfile),"FILE:/tmp/krb5cc_XXXXXX");
|
||||
fd = mkstemp(tkfile+5);
|
||||
close(fd);
|
||||
unlink(tkfile+5);
|
||||
}
|
||||
|
||||
if (kerberos_status)
|
||||
krb5_start_session();
|
||||
}
|
||||
#endif
|
||||
|
||||
setup_environment (&env, pwd);
|
||||
|
||||
if (do_encrypt) {
|
||||
|
||||
Reference in New Issue
Block a user