From 660f496b9c001ed24521f65b1eebe69a499ab10b Mon Sep 17 00:00:00 2001 From: Iain Patterson Date: Mon, 4 Jan 2010 15:22:46 +0000 Subject: [PATCH] Handle credentials cache when sudoing. If we become root and a credentials cache is already available then take a copy of it and use the copy. Don't look for existing caches if we don't already have one. That gets complicated. --- .profile.d/krb5.bashrc | 101 +++++++++++++++++++++++++++---------------------- 1 file changed, 56 insertions(+), 45 deletions(-) diff --git a/.profile.d/krb5.bashrc b/.profile.d/krb5.bashrc index 08dfb53..3bf40eb 100644 --- a/.profile.d/krb5.bashrc +++ b/.profile.d/krb5.bashrc @@ -1,59 +1,70 @@ alias kssh='ssh -o preferredauthentications=gssapi-with-mic' alias pssh='ssh -o preferredauthentications=password,keyboard-interactive' -if [ $UID -gt 0 -a -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then +if [ -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then if tty -s; then - if klist -s 2>/dev/null; then - # We already have a ticket cache. Renew it. - kinit -R &>/dev/null - else - # Try to find an existing cache but only if we are using FILE: caches. - default=$((unset KRB5CCNAME; klist 2>&1) | sed -n 's/.*FILE:\([^)]*\).*/\1/p') - if [ ! -z "$default" ]; then - # Check for Exceed onDemand stupidity. - if [ "$KRB5CCNAME" = "FILE:" ]; then - unset KRB5CCNAME - fi + if [ $UID -gt 0 ]; then + if klist -s 2>/dev/null; then + # We already have a ticket cache. Renew it. + kinit -R &>/dev/null + else + # Try to find an existing cache but only if we are using FILE: caches. + default=$((unset KRB5CCNAME; klist 2>&1) | sed -n 's/.*FILE:\([^)]*\).*/\1/p') + if [ ! -z "$default" ]; then + # Check for Exceed onDemand stupidity. + if [ "$KRB5CCNAME" = "FILE:" ]; then + unset KRB5CCNAME + fi - # Check for bogus FILE: KRB5CCNAME. - if [ ! -z "$KRB5CCNAME" -a "${KRB5CCNAME##*:}" = "$KRB5CCNAME" ]; then - export KRB5CCNAME="FILE:$KRB5CCNAME" - fi + # Check for bogus FILE: KRB5CCNAME. + if [ ! -z "$KRB5CCNAME" -a "${KRB5CCNAME##*:}" = "$KRB5CCNAME" ]; then + export KRB5CCNAME="FILE:$KRB5CCNAME" + fi - # Find the file. - ccname="${KRB5CCNAME##FILE:}" - if [ "$ccname" = "$KRB5CCNAME" ]; then - # Our cache isn't a file cache. Throw it away. - ccname="$default" - unset KRB5CCNAME - fi + # Find the file. + ccname="${KRB5CCNAME##FILE:}" + if [ "$ccname" = "$KRB5CCNAME" ]; then + # Our cache isn't a file cache. Throw it away. + ccname="$default" + unset KRB5CCNAME + fi - # Remember if nullglob was on. - shopt -q nullglob - ng=$? - # Turn it on so we can look for caches safely. - shopt -s nullglob - - for cache in $default*; do - if klist -s -c "$cache"; then - if [ ! "$cache" = "$ccname" ]; then - # It may not be safe to simply point the environment to this - # cache as it may belong to a session which is about to end. - # Therefore we copy it. - cp -p "$cache" "$ccname" || continue + # Remember if nullglob was on. + shopt -q nullglob + ng=$? + # Turn it on so we can look for caches safely. + shopt -s nullglob + + for cache in $default*; do + if klist -s -c "$cache"; then + if [ ! "$cache" = "$ccname" ]; then + # It may not be safe to simply point the environment to this + # cache as it may belong to a session which is about to end. + # Therefore we copy it. + cp -p "$cache" "$ccname" || continue + fi + kinit -R &>/dev/null + break fi - kinit -R &>/dev/null - break - fi - done + done + + # Maybe turn nocaseglob back off. + [ $ng = 0 ] || shopt -u nullglob + fi - # Maybe turn nocaseglob back off. - [ $ng = 0 ] || shopt -u nullglob + # By now we should have found a cache if there's one to find. + klist -s 2>/dev/null || kinit + fi + elif [ -n "$KRB5CCNAME" ]; then + # Don't break permissions of inherited cache under sudo. + cache="${KRB5CCNAME##FILE:}" + if [ ! "$cache" = "$KRB5CCNAME" ]; then + ccname="${cache/_$SUDO_UID/_sudo_$SUDO_UID}_$$" + cat "$cache" > "$ccname" + export KRB5CCNAME="FILE:$ccname" + klist -s 2>/dev/null && kinit -R 2>/dev/null || kinit fi fi - - # By now we should have found a cache if there's one to find. - klist -s 2>/dev/null || kinit fi fi -- 2.7.4