[28509] in CVS-changelog-for-Kerberos-V5

krb5 commit: In ksu, without the -e flag, also check .k5users

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Aug 6 12:12:04 2014

Date: Wed, 6 Aug 2014 12:09:42 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201408061609.s76G9g0e029278@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/3a32e1e6e644c6092f48cf6b6f2d0b8635b3dd52
commit 3a32e1e6e644c6092f48cf6b6f2d0b8635b3dd52
Author: Nalin Dahyabhai <nalin@redhat.com>
Date:   Wed Jul 30 17:12:31 2014 -0400

    In ksu, without the -e flag, also check .k5users
    
    When ksu was explicitly told to spawn a shell, a line in .k5users which
    listed "*" as the allowed command would cause the principal named on the
    line to be considered as a candidate for authentication.
    
    When ksu was not passed a command to run, which implicitly meant that
    the invoking user wanted to run the target user's login shell, knowledge
    that the principal was a valid candidate was ignored, which could cause
    a less optimal choice of the default target principal.
    
    This doesn't impact the authorization checks which we perform later.
    
    ticket: 7983 (new)

 src/clients/ksu/heuristic.c |   19 ++++++-------------
 1 files changed, 6 insertions(+), 13 deletions(-)

diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c
index c7e691c..99b54e5 100644
--- a/src/clients/ksu/heuristic.c
+++ b/src/clients/ksu/heuristic.c
@@ -264,20 +264,13 @@ get_authorized_princ_names(luser, cmd, princ_list)
 
     close_time(k5users_flag,users_fp, k5login_flag, login_fp);
 
-    if (cmd) {
-        retval = list_union(k5login_list, k5users_filt_list, &combined_list);
-        if (retval){
-            close_time(k5users_flag,users_fp, k5login_flag,login_fp);
-            return retval;
-        }
-        *princ_list = combined_list;
-        return 0;
-    } else {
-        if (k5users_filt_list != NULL)
-            free(k5users_filt_list);
-        *princ_list = k5login_list;
-        return 0;
+    retval = list_union(k5login_list, k5users_filt_list, &combined_list);
+    if (retval){
+        close_time(k5users_flag,users_fp, k5login_flag,login_fp);
+        return retval;
     }
+    *princ_list = combined_list;
+    return 0;
 }
 
 static void close_time(k5users_flag, users_fp, k5login_flag, login_fp)
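
Review bot: The error path after list_union() calls close_time() a second time, although the unchanged line just above the hunk has already called close_time(k5users_flag,users_fp, k5login_flag, login_fp) with the same arguments. The patch carries this over from the removed "if (cmd)" branch, and it now runs on every call rather than only when a command is given. If close_time() closes the two file pointers, a list_union() failure closes them twice, so I would drop the call inside "if (retval){" and return retval directly. Two smaller points in the same region: the removed else branch freed k5users_filt_list itself and guarded that with a NULL check, so it is worth confirming that list_union() accepts a NULL second list and takes ownership of both inputs, and that the failure return does not leak k5login_list and k5users_filt_list. A short comment above the list_union() call saying that this list only selects candidate principals, and that authorization is checked later (as the commit message states), would help the next reader.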