From: Iain Patterson
Date: Fri, 15 Jan 2010 14:06:57 +0000 (+0000)
Subject: Handle Kerberos credentials when becoming users other than root.
X-Git-Url: http://git.iain.cx/?a=commitdiff_plain;h=be06f9cecd3d053c651c03cd4bec7b51f9494a90;p=profile.git
Handle Kerberos credentials when becoming users other than root.
---
diff --git a/.become/all b/.become/all
index 6fa142d..239dca0 100644
--- a/.become/all
+++ b/.become/all
@@ -1,6 +1,7 @@
 cd
 export TERMINFO=$BECOME_HOME/.terminfo
 . $BECOME_HOME/.profile.d/ps1.bashrc
+. $BECOME_HOME/.profile.d/krb5.bashrc
 __ps1
 vim=$($BECOME_HOME/opt/bin/find_working vim 2>/dev/null)
 if [ -n "$vim" ]; then
diff --git a/.profile.d/krb5.bashrc b/.profile.d/krb5.bashrc
index b5e50fb..973101f 100644
--- a/.profile.d/krb5.bashrc
+++ b/.profile.d/krb5.bashrc
@@ -3,7 +3,7 @@ alias pssh='ssh -o preferredauthentications=password,keyboard-interactive'
 if [ -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then
 if tty -s; then
- if [ $UID -gt 0 ]; then
+ if [ ! "$SUDO_UID" ]; then
 if klist -s 2>/dev/null; then
 # We already have a ticket cache. Renew it.
 kinit -R &>/dev/null
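Review bot: `if [ ! "$SUDO_UID" ]; then` swaps a UID test for a test on a variable that only sudo sets, so a root login that did not arrive through sudo (or a shell reached via su) now takes the acquire-my-own-cache branch that the old `$UID -gt 0` check excluded; if that is intended, a comment such as `# Not under sudo: manage our own cache, root included.` would record it. The neighbouring tests on these lines use `-z`, so `if [ -z "$SUDO_UID" ]; then` reads consistently and avoids the unusual `! "string"` form. The enclosing `if tty -s` block continues past the end of the hunk.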
@@ -55,14 +55,21 @@ if [ -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then
 # By now we should have found a cache if there's one to find.
 klist -s 2>/dev/null || kinit
 fi
- elif [ -n "$KRB5CCNAME" ]; then
+ elif [ ! -z "$KRB5CCNAME" ]; then
 # Don't break permissions of inherited cache under sudo.
 cache="${KRB5CCNAME##FILE:}"
 if [ ! "$cache" = "$KRB5CCNAME" ]; then
 ccname="${cache/_$SUDO_UID/_sudo_$SUDO_UID}_$$"
- cat "$cache" > "$ccname"
 export KRB5CCNAME="FILE:$ccname"
- klist -s 2>/dev/null && kinit -R 2>/dev/null || kinit
+ if cat "$cache" > "$ccname" 2>/dev/null; then
+ klist -s 2>/dev/null && kinit -R 2>/dev/null || kinit $PRINCIPAL
+ else
+ # XXX: Don't kinit every time if we aren't root.
+ # TODO: Split the "set my cache" and "get my credentials" parts so
+ # that becoming a user other than root will work without
+ # extraneous kinits.
+ rm "$ccname" 2>/dev/null
+ fi
 trap "kdestroy 2>/dev/null" EXIT
 fi
 fi
diff --git a/opt/bin/become b/opt/bin/become
index abe1b85..add9600 100755
--- a/opt/bin/become
+++ b/opt/bin/become
@@ -6,8 +6,9 @@ if [ -z "$user" ]; then
 exit 1
 fi
+PRINCIPAL=$(klist 2>/dev/null | sed -n 's/^Default principal: //p')
 BECOME="$HOME/.become"
 profile="$BECOME/$user"
 [ -f "$profile" ] || profile="$BECOME/all"
-exec sudo -H -u "$user" env BECOME_HOME="$HOME" /bin/bash --rcfile "$profile"
+exec sudo -H -u "$user" env BECOME_HOME="$HOME" PRINCIPAL=$PRINCIPAL /bin/bash --rcfile "$profile"
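Review bot: `if cat "$cache" > "$ccname" 2>/dev/null; then` copies a ticket cache to a predictable path (`..._sudo_$SUDO_UID_$$`) through a plain redirection, so the copy is created with whatever umask the session has and `>` happily writes into a file or symlink that already exists at that name; running the copy under a restrictive umask with noclobber turns a pre-existing entry into a failure that lands in the existing else branch: `if (umask 077 && set -C && cat "$cache" > "$ccname") 2>/dev/null; then`. On that failure path `export KRB5CCNAME="FILE:$ccname"` has already run, so the shell is left pointing at a cache that `rm "$ccname"` just removed; the XXX/TODO comment covers the missing kinit but should also mention that KRB5CCNAME now names a non-existent file. `kinit $PRINCIPAL` is presumably left unquoted so an empty PRINCIPAL falls back to a bare `kinit`; `kinit ${PRINCIPAL:+"$PRINCIPAL"}` keeps that fallback without word-splitting a non-empty value. The `elif` change from `-n` to `! -z` is equivalent and could be dropped from the commit.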
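Review bot: `PRINCIPAL=$PRINCIPAL` on the exec line is unquoted while `BECOME_HOME="$HOME"` beside it is quoted; `PRINCIPAL="$PRINCIPAL"` keeps the argument intact if klist ever prints a principal containing whitespace or a glob character. The value is scraped from klist's text output, so any unexpected output silently yields an empty PRINCIPAL and the rcfile falls back to a bare `kinit`; a comment such as `# Invoking user's principal, handed to the target shell so krb5.bashrc can kinit as us when the inherited cache is unreadable` would record that intent. Worth stating in the commit message or a comment as well: when `$user` is not root, the TGT that the target shell obtains for this principal is written to a cache owned by `$user`, so the invoker's credentials are usable by anything running as that account for the rest of the session.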