From b22da5088ecf6853cb901aba30a7aa5cf805a413 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Fri, 20 Apr 2007 10:41:11 +0000
Subject: [PATCH] First, it allows root to ignore the naming conventions. 
 Second, it allows root to always perform any operation on any ccache.  Note
 that root could do this anyway with FILE ccaches

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20470 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kcm/acl.c      |  5 +++--
 kcm/client.c   | 31 ++++++++++++++++++++++++++-----
 kcm/kcm_locl.h |  2 ++
 3 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/kcm/acl.c b/kcm/acl.c
index dc13e0df6..94cf111ab 100644
--- a/kcm/acl.c
+++ b/kcm/acl.c
@@ -93,12 +93,13 @@ kcm_access(krb5_context context,
 
     mask = 0;
 
-    if (client->uid == ccache->uid) {
+    /* Root may do whatever they like */
+    if (client->uid == ccache->uid || CLIENT_IS_ROOT(client)) {
 	if (read_p)
 	    mask |= S_IRUSR;
 	if (write_p)
 	    mask |= S_IWUSR;
-    } else if (client->gid == ccache->gid) {
+    } else if (client->gid == ccache->gid || CLIENT_IS_ROOT(client->uid)) {
 	if (read_p)
 	    mask |= S_IRGRP;
 	if (write_p)
diff --git a/kcm/client.c b/kcm/client.c
index 888b38e03..d0e34bf64 100644
--- a/kcm/client.c
+++ b/kcm/client.c
@@ -31,6 +31,7 @@
  */
 
 #include "kcm_locl.h"
+#include <pwd.h>
 
 RCSID("$Id$");
 
@@ -116,17 +117,18 @@ kcm_ccache_new_client(krb5_context context,
 		bad = 0;
 	}
 
-	if (bad)
+	/* Allow root to create badly-named ccaches */
+	if (bad && CLIENT_IS_ROOT(client))
 	    return KRB5_CC_BADNAME;
     }
 	
     ret = kcm_ccache_resolve(context, name, &ccache);
     if (ret == 0) {
-	if (ccache->uid != client->uid ||
-	    ccache->gid != client->gid)
+	if ((ccache->uid != client->uid ||
+	     ccache->gid != client->gid) && !CLIENT_IS_ROOT(client))
 	    return KRB5_FCC_PERM;
-    } else if (ret != KRB5_FCC_NOFILE) {
-	return ret;
+    } else if (ret != KRB5_FCC_NOFILE && !(CLIENT_IS_ROOT(client) && ret == KRB5_FCC_PERM)) {
+		return ret;
     }
 
     if (ret == KRB5_FCC_NOFILE) {
@@ -158,6 +160,25 @@ kcm_ccache_new_client(krb5_context context,
 	return ret;
     }
 
+    /* 
+     * Finally, if the user is root and the cache was created under
+     * another user's name, chown the cache to that user and their
+     * default gid.
+     */
+    if (CLIENT_IS_ROOT(client)) {
+	uid_t uid;
+	int matches = sscanf(name,"%ld:",&uid);
+	if (matches == 0)
+	    matches = sscanf(name,"%ld",&uid);
+	if (matches == 1) {
+	    struct passwd *pwd = getpwuid(uid);
+	    if (pwd != NULL) {
+		gid_t gid = pwd->pw_gid;
+		kcm_chown(context, client, ccache, uid, gid);
+	    }
+	}
+    }
+    
     *ccache_p = ccache;
     return 0;
 }
diff --git a/kcm/kcm_locl.h b/kcm/kcm_locl.h
index 32035ee9f..34e994088 100644
--- a/kcm/kcm_locl.h
+++ b/kcm/kcm_locl.h
@@ -140,6 +140,8 @@ typedef struct kcm_client {
     gid_t gid;
 } kcm_client;
 
+#define CLIENT_IS_ROOT(client) ((client)->uid == 0)
+
 /* Dispatch table */
 /* passed in OPERATION | ... ; returns STATUS | ... */
 typedef krb5_error_code (*kcm_method)(krb5_context, kcm_client *, kcm_operation, krb5_storage *, krb5_storage *);