From 325e12ccd9b27a3fa227b2c8dd331a168f7dfdbb Mon Sep 17 00:00:00 2001
From: Iain Patterson
Date: Fri, 30 Apr 2010 14:08:45 +0100
Subject: [PATCH] KRB5CCNAME fixes.

Always pass KRB5CCNAME to became. Though many vendors' sudo configurations will retain it in the environment there is no guarantee that will happen. Canonicalise KRB5CCNAME which may sometimes be set to a file path without the FILE: prefix, eg by krenew.
---
 .profile.d/krb5.bashrc | 5 +++++
 opt/bin/become | 1 +
 2 files changed, 6 insertions(+)
diff --git a/.profile.d/krb5.bashrc b/.profile.d/krb5.bashrc
index 4c5f71d..9c56dda 100644
--- a/.profile.d/krb5.bashrc
+++ b/.profile.d/krb5.bashrc
@@ -4,6 +4,11 @@ alias pssh='ssh -o preferredauthentications=password,keyboard-interactive'
 unalias kinit 2>/dev/null
 if [ 1 = 0 -a -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then
 if [ -t 0 ]; then
+ # Canonicalise the cache name.
+ if [ -n "$KRB5CCNAME" -a "${KRB5CCNAME##*:}" = "$KRB5CCNAME" ]; then
+ export KRB5CCNAME="FILE:$KRB5CCNAME"
+ fi
+
 if [ ! "$SUDO_UID" ]; then
 if klist -s 2>/dev/null; then
 # We already have a ticket cache. Renew it.
diff --git a/opt/bin/become b/opt/bin/become
index e874ae5..f39fc49 100755
--- a/opt/bin/become
+++ b/opt/bin/become
@@ -53,6 +53,7 @@ if exec 3>"$file" && exec <"$file" && rm "$file"; then
 if [ $kerberos = 1 ]; then
 ccname=$(klist 2>/dev/null | sed -n 's/^Ticket cache: FILE://p')
 if [ -f "$ccname" ]; then
+ echo >&3 "export KRB5CCNAME='$KRB5CCNAME'"
 openssl=$(find_working openssl)
 if [ -n "$openssl" ]; then
 echo >&3 "KRB5OPENSSL='$openssl'"
-- 
2.20.1
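Review bot: The canonicalisation block is added inside `if [ 1 = 0 -a -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]`, whose first operand is always false, so as far as this hunk shows the new code never runs and KRB5CCNAME keeps its bare file path. It also sits under `if [ -t 0 ]`, so shells without a terminal on stdin would skip it even if the outer guard were enabled. If the fix is meant to take effect, it belongs above the outer `if`. The test is also more robust as two commands than with the ambiguous `-a`: `if [ -n "$KRB5CCNAME" ] && [ "${KRB5CCNAME##*:}" = "$KRB5CCNAME" ]; then`. Both enclosing `if` blocks close outside the hunk, so I cannot see whether an `else` branch changes this.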
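Review bot: The added `echo >&3 "export KRB5CCNAME='$KRB5CCNAME'"` exports the caller's raw environment value, not the cache path that the preceding `[ -f "$ccname" ]` test verified. When KRB5CCNAME is unset and klist falls back to the default cache, this writes `export KRB5CCNAME=''`, and a value lacking the FILE: prefix is passed on uncanonicalised. The value is also placed between single quotes without escaping, so a `'` in it would end the quoting in whatever later reads this file, presumably the target user's shell, which is outside the hunk. Writing the verified path avoids the first two problems: `echo >&3 "export KRB5CCNAME='FILE:$ccname'"`, after rejecting or escaping any single quote in `$ccname`.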