From: Iain Patterson Date: Fri, 5 Mar 2010 12:14:01 +0000 (+0000) Subject: Allow passing Kerberos credentials when becoming. X-Git-Url: http://git.iain.cx/?a=commitdiff_plain;h=b3d373ad52b5671234fbe6361e509fef08ac2111;p=profile.git Allow passing Kerberos credentials when becoming. Use the -k flag to become to pass Kerberos credentials to the target user even if this is not root. --- diff --git a/.profile.d/krb5.bashrc b/.profile.d/krb5.bashrc index 979bd71..9a1f2e9 100644 --- a/.profile.d/krb5.bashrc +++ b/.profile.d/krb5.bashrc @@ -61,15 +61,23 @@ if [ -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then if [ ! "$cache" = "$KRB5CCNAME" ]; then ccname="${cache/_$SUDO_UID/_${UID}_sudo_$SUDO_UID}_$$" export KRB5CCNAME="FILE:$ccname" - if cat "$cache" > "$ccname" 2>/dev/null; then - klist -s 2>/dev/null && kinit -R 2>/dev/null || kinit $PRINCIPAL - else - # XXX: Don't kinit every time if we aren't root. - # TODO: Split the "set my cache" and "get my credentials" parts so - # that becoming a user other than root will work without - # extraneous kinits. - rm "$ccname" 2>/dev/null - fi + ( + umask 077 + if cat "$cache" > "$ccname" 2>/dev/null; then + klist -s 2>/dev/null && kinit -R 2>/dev/null || kinit $PRINCIPAL + elif [ -n "$KRB5BASE64" ]; then + if [ -n "$KRB5OPENSSL" ]; then + builtin echo "$KRB5BASE64" | $KRB5OPENSSL enc -a -d -out "$ccname" + fi + unset KRB5BASE64 KRB5OPENSSL + else + # XXX: Don't kinit every time if we aren't root. + # TODO: Split the "set my cache" and "get my credentials" parts so + # that becoming a user other than root will work without + # extraneous kinits. + rm "$ccname" 2>/dev/null + fi + ) trap "kdestroy 2>/dev/null" EXIT fi fi diff --git a/opt/bin/become b/opt/bin/become index f7f037e..9be0b9b 100755 --- a/opt/bin/become +++ b/opt/bin/become @@ -1,8 +1,17 @@ #!/bin/bash +kerberos=0 +while getopts ":k" opt; do + case $opt in + k) kerberos=1 + esac +done +shift $((OPTIND-1)) + user="$1"; shift if [ -z "$user" ]; then - echo >&2 "Usage: become " + echo >&2 "Usage: become [-k] " + echo >&2 "Options: -k Delegate Kerberos credentials even if target user is not root." exit 1 fi @@ -22,7 +31,19 @@ if [ -n "$file" ]; then echo >&3 "cd" echo >&3 "PROFILE_HOME='$HOME'" - [ -n "$PRINCIPAL" ] && echo >&3 "PRINCIPAL='$PRINCIPAL'" + if [ -n "$PRINCIPAL" ]; then + echo >&3 "PRINCIPAL='$PRINCIPAL'" + if [ $kerberos = 1 ]; then + ccname=$(klist 2>/dev/null | sed -n 's/^Ticket cache: FILE://p') + if [ -f "$ccname" ]; then + openssl=$(find_working openssl) + if [ -n "$openssl" ]; then + echo >&3 "KRB5OPENSSL='$openssl'" + echo >&3 "KRB5BASE64='$($openssl enc -a -in $ccname)'" + fi + fi + fi + fi if [ -n "$DISPLAY" -a -n "$COOKIE" ]; then echo >&3 "xauth add $COOKIE" else