From 2e1304b9d55d24a3846f4dc9c794d0c197af4438 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Mon, 24 Dec 2018 03:37:08 +0000
Subject: [PATCH] kinit: don't leave dangling temporary ccaches

kinit does not destroy ccaches created with krb5_cc_new_unique() if ticket acquisition fails. This was leaving dangling keyring entries with the keyring ccache.
---
 kuser/kinit.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/kuser/kinit.c b/kuser/kinit.c
index e0229dde7..0fbc899ad 100644
--- a/kuser/kinit.c
+++ b/kuser/kinit.c
@@ -383,7 +383,7 @@ renew_validate(krb5_context context,
 out:
 if (tempccache)
- krb5_cc_close(context, tempccache);
+ krb5_cc_destroy(context, tempccache);
 if (out)
 krb5_free_creds(context, out);
 krb5_free_cred_contents(context, &in);
@@ -780,7 +780,7 @@ out:
 if (ctx)
 krb5_init_creds_free(context, ctx);
 if (tempccache)
- krb5_cc_close(context, tempccache);
+ krb5_cc_destroy(context, tempccache);
 if (enctype)
 free(enctype);
@@ -1223,6 +1223,7 @@ main(int argc, char **argv)
 #ifdef HAVE_SIGACTION
 struct sigaction sa;
 #endif
+ krb5_boolean unique_ccache = FALSE;
 setprogname(argv[0]);
@@ -1312,6 +1313,7 @@ main(int argc, char **argv)
 krb5_cc_get_type(context, ccache), krb5_cc_get_name(context, ccache));
 setenv("KRB5CCNAME", s, 1);
+ unique_ccache = TRUE;
 } else {
 ret = krb5_cc_cache_match(context, principal, &ccache);
 if (ret) {
@@ -1331,6 +1333,8 @@ main(int argc, char **argv)
 krb5_cc_close(context, ccache);
 ret = get_switched_ccache(context, type, principal, &ccache);
+ if (ret == 0)
+ unique_ccache = TRUE;
 }
 }
 }
@@ -1379,12 +1383,17 @@ main(int argc, char **argv)
 krb5_afslog(context, ccache, NULL, NULL);
 #endif
+ if (unique_ccache)
+ krb5_cc_destroy(context, ccache);
 exit(ret != 0);
 }
 ret = get_new_tickets(context, principal, ccache, ticket_life, 1);
- if (ret)
+ if (ret) {
+ if (unique_ccache)
+ krb5_cc_destroy(context, ccache);
 exit(1);
+ }
 #ifndef NO_AFS
 if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
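Review bot: In the `@@ -383,7 +383,7 @@` hunk (renew_validate) the `out:` label now calls `krb5_cc_destroy(context, tempccache)`, and a shared cleanup label is normally reached on success as well as on failure, so this is only safe if the success path hands the temporary cache over and clears the pointer before falling through. The function body above `out:` is outside the hunk, so that cannot be checked here; a comment at the label such as `/* tempccache is NULL here on success; anything left is a failed attempt and is destroyed */` would record the invariant. The same applies to the `@@ -780,7 +780,7 @@` hunk. The return value of krb5_cc_destroy() is dropped in both places, which seems acceptable for best-effort cleanup but means a failed removal of a keyring entry goes unreported.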
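Review bot: In the `@@ -1331,6 +1333,8 @@` hunk, `unique_ccache = TRUE` is set whenever get_switched_ccache() returns 0, and that flag later licenses `krb5_cc_destroy(context, ccache)` on failure; this is correct only if get_switched_ccache() always creates a fresh cache and never returns one that already holds the user's tickets. Its definition is not in the diff, so this should be confirmed, and a comment on the assignment would help: `/* cache was created by us just now, so it is ours to destroy on failure */`. main()'s body continues outside the hunk.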
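Review bot: In the `@@ -1379,12 +1383,17 @@` hunk the first added `if (unique_ccache) krb5_cc_destroy(context, ccache);` runs before `exit(ret != 0)` regardless of `ret`, whereas the second one runs only inside `if (ret) {`. If the call that sets `ret` in that earlier branch (outside the hunk) can succeed with a newly created cache, the credentials it just stored would be deleted on success; `if (ret && unique_ccache)` would match the failure-only intent in the commit message. Other exits between cache creation and these two points, if any, are not covered by the flag and would still leave the entry behind.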