if [ ! "$cache" = "$KRB5CCNAME" ]; then
ccname="${cache/_$SUDO_UID/_${UID}_sudo_$SUDO_UID}_$$"
export KRB5CCNAME="FILE:$ccname"
- if cat "$cache" > "$ccname" 2>/dev/null; then
- klist -s 2>/dev/null && kinit -R 2>/dev/null || kinit $PRINCIPAL
- else
- # XXX: Don't kinit every time if we aren't root.
- # TODO: Split the "set my cache" and "get my credentials" parts so
- # that becoming a user other than root will work without
- # extraneous kinits.
- rm "$ccname" 2>/dev/null
- fi
+ (
+ umask 077
+ if cat "$cache" > "$ccname" 2>/dev/null; then
+ klist -s 2>/dev/null && kinit -R 2>/dev/null || kinit $PRINCIPAL
+ elif [ -n "$KRB5BASE64" ]; then
+ if [ -n "$KRB5OPENSSL" ]; then
+ builtin echo "$KRB5BASE64" | $KRB5OPENSSL enc -a -d -out "$ccname"
+ fi
+ unset KRB5BASE64 KRB5OPENSSL
+ else
+ # XXX: Don't kinit every time if we aren't root.
+ # TODO: Split the "set my cache" and "get my credentials" parts so
+ # that becoming a user other than root will work without
+ # extraneous kinits.
+ rm "$ccname" 2>/dev/null
+ fi
+ )
trap "kdestroy 2>/dev/null" EXIT
fi
fi
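Review bot: The `unset KRB5BASE64 KRB5OPENSSL` in the new `elif` branch runs inside the `( … )` subshell that was opened for `umask 077`, so it clears only the subshell's copies and the base64-encoded ticket cache stays set in the calling shell. Moving that line to just after the closing `)` would clear it in the calling shell. If whatever sets the variable also exports it (not visible in this hunk), it would otherwise be inherited by every child process of the session. In the same branch, when `$KRB5OPENSSL` is empty or the decode fails, the empty file that the failed `cat "$cache" > "$ccname"` redirect may have created is not removed the way the `else` branch does, so `KRB5CCNAME` can end up pointing at an empty cache; running `rm -f "$ccname"` on those two paths would cover it. `$KRB5OPENSSL` is also executed unquoted, so a path containing whitespace would be word-split.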
#!/bin/bash
+kerberos=0
+while getopts ":k" opt; do
+ case $opt in
+ k) kerberos=1
+ esac
+done
+shift $((OPTIND-1))
+
user="$1"; shift
if [ -z "$user" ]; then
- echo >&2 "Usage: become <user>"
+ echo >&2 "Usage: become [-k] <user>"
+ echo >&2 "Options: -k Delegate Kerberos credentials even if target user is not root."
exit 1
fi
echo >&3 "cd"
echo >&3 "PROFILE_HOME='$HOME'"
- [ -n "$PRINCIPAL" ] && echo >&3 "PRINCIPAL='$PRINCIPAL'"
+ if [ -n "$PRINCIPAL" ]; then
+ echo >&3 "PRINCIPAL='$PRINCIPAL'"
+ if [ $kerberos = 1 ]; then
+ ccname=$(klist 2>/dev/null | sed -n 's/^Ticket cache: FILE://p')
+ if [ -f "$ccname" ]; then
+ openssl=$(find_working openssl)
+ if [ -n "$openssl" ]; then
+ echo >&3 "KRB5OPENSSL='$openssl'"
+ echo >&3 "KRB5BASE64='$($openssl enc -a -in $ccname)'"
+ fi
+ fi
+ fi
+ fi
if [ -n "$DISPLAY" -a -n "$COOKIE" ]; then
echo >&3 "xauth add $COOKIE"
else
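Review bot: In the `-k` branch, `$($openssl enc -a -in $ccname)` expands both `$openssl` and `$ccname` unquoted, so a cache or openssl path containing whitespace or glob characters is split before openssl sees it; `"$openssl" enc -a -in "$ccname"` avoids that. The branch also does nothing and prints nothing when `klist` reports a cache that is not `FILE:` or when `find_working openssl` returns empty, so a user who asked for delegation gets a session without tickets and no hint why; a line on stderr in those cases would help. What is written to fd 3 is the whole credential cache, TGT included, so anything that can read that stream or the resulting shell variable holds the caller's tickets until they expire; the consumer of fd 3 is outside this hunk, so its handling should be checked separately. Finally, the `getopts ":k"` loop has no `\?)` arm, so unknown options are dropped silently instead of reaching the usage message.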