From djm@web.us.uu.net Fri Apr 14 12:12:19 2000 Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id MAA03129 for ; Fri, 14 Apr 2000 12:12:18 -0400 (EDT) Received: from jenkins.web.us.uu.net by MIT.EDU with SMTP id AA02891; Fri, 14 Apr 00 12:14:09 EDT Received: from dagger.web.us.uu.net by jenkins.web.us.uu.net with ESMTP (peer crosschecked as: dagger.web.us.uu.net [208.211.134.28]) id MAA11529; Fri, 14 Apr 2000 12:12:15 -0400 (EDT) Received: by dagger.web.us.uu.net id MAA28324; Fri, 14 Apr 2000 12:11:52 -0400 Message-Id: Date: Fri, 14 Apr 2000 12:11:52 -0400 From: djm@web.us.uu.net (David J. MacKenzie) Reply-To: djm@web.us.uu.net To: krb5-bugs@MIT.EDU Cc: djm@web.us.uu.net Subject: addition of ksu -m option X-Send-Pr-Version: 3.99 >Number: 837 >Category: krb5-clients >Synopsis: krb5 ksu lacks the "as me" option >Confidential: no >Severity: non-critical >Priority: medium >Responsible: krb5-unassigned >State: open >Class: change-request >Submitter-Id: unknown >Arrival-Date: Fri Apr 14 12:13:00 EDT 2000 >Last-Modified: Fri Apr 14 13:10:00 EDT 2000 >Originator: David MacKenzie >Organization: UUNET Technologies >Release: krb5-1.1.1 >Environment: System: Linux dagger.web.us.uu.net 2.2.14-15mdk #2 Sat Mar 11 19:32:26 EST 2000 i686 unknown Architecture: i686 >Description: The BSD and GNU/Linux su programs have a helpful feature that is missing from the krb5 ksu: the -m option, which allows the use of the person's own login shell, dot files and environment. >How-To-Repeat: ksu -m >Fix: --- /homes/elves/djm/src/krb5-1.1.1/src/clients/ksu/ksu.M Fri Dec 17 15:44:39 1999 +++ src/clients/ksu/ksu.M Tue Mar 28 02:02:06 2000 @@ -42,6 +42,8 @@ ] [ .B \-k ] [ +.B \-m +] [ .B \-D ] [ .B \-r @@ -159,7 +161,11 @@ .SH EXECUTION OF THE TARGET SHELL Upon successful authentication and authorization, ksu proceeds in a similar fashion to su. The environment -is unmodified with the exception of USER, HOME and SHELL variables. +is unmodified with the exception +(unless ksu is invoked with the +.B \-m +option) +of the USER, HOME and SHELL variables. If the target user is not root, USER gets set to the target user name. Otherwise USER remains unchanged. Both HOME and SHELL are set to the target login's default values. --- /homes/elves/djm/src/krb5-1.1.1/src/clients/ksu/main.c Fri Dec 17 15:44:39 1999 +++ src/clients/ksu/main.c Tue Mar 28 02:05:48 2000 @@ -56,7 +56,7 @@ ill specified arguments to commands */ void usage (){ - fprintf(stderr, "Usage: %s [target user] [-n principal] [-c source cachename] [-C target cachename] [-k] [-D] [-r time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a [args... ] ]\n", prog_name); + fprintf(stderr, "Usage: %s [target user] [-n principal] [-c source cachename] [-C target cachename] [-k] [-m] [-D] [-r time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a [args... ] ]\n", prog_name); } @@ -83,6 +83,7 @@ int option=0; int statusp=0; int use_source_cache = 0; +int asme = 0; krb5_error_code retval = 0; krb5_principal client = NULL; krb5_ccache cc_target = NULL; @@ -173,7 +174,7 @@ } - while(!done && ((option = getopt(pargc, pargv,"n:c:r:a:zZDfpkql:e:")) != -1)){ + while(!done && ((option = getopt(pargc, pargv,"n:c:r:a:zZDfpkql:e:m")) != -1)){ switch (option) { case 'r': options.opt |= KDC_OPT_RENEWABLE; @@ -219,6 +220,11 @@ errflg++; } break; +#ifdef HAVE_GETUSERSHELL + case 'm': + asme = 1; + break; +#endif case 'n': if ((retval = krb5_parse_name(ksu_context, optarg, &client))){ com_err(prog_name, retval, "when parsing name %s", optarg); @@ -329,6 +335,15 @@ source_uid = pwd->pw_uid; source_gid = pwd->pw_gid; +#ifdef HAVE_GETUSERSHELL + if (asme) { + if (pwd->pw_shell) + shell = strdup(pwd->pw_shell); + else { + shell = _DEF_CSH; /* default is cshell */ + } + } +#endif if (!strcmp(SOURCE_USER_LOGIN, target_user)){ target_user = xstrdup (source_user); @@ -371,6 +386,19 @@ exit(1); } } + + if (options.princ == 0 && target_uid == 0 && source_uid != 0) { + char *source_princ = xmalloc(strlen(source_user) + 6); + sprintf(source_princ, "%s/root", source_user); + + if ((retval = krb5_parse_name(ksu_context, source_princ, &client))){ + com_err(prog_name, retval, "when parsing name %s", source_princ); + errflg++; + } + free(source_princ); + options.princ = 1; + } + if ((retval = get_best_princ_for_target(ksu_context, source_uid, target_uid, source_user, target_user, cc_source, &options, cmd, localhostname, &client, &hp))){ @@ -699,11 +729,13 @@ /* get the shell of the user, this will be the shell used by su */ target_pwd = getpwnam(target_user); + if (!asme) { if (target_pwd->pw_shell) shell = xstrdup(target_pwd->pw_shell); else { shell = _DEF_CSH; /* default is cshell */ } + } #ifdef HAVE_GETUSERSHELL @@ -716,6 +748,7 @@ } #endif /* HAVE_GETUSERSHELL */ + if (!asme) { if (target_pwd->pw_uid){ if(set_env_var("USER", target_pwd->pw_name)){ @@ -736,6 +769,7 @@ sweep_up(ksu_context, use_source_cache, cc_target); exit(1); } + } /* set the cc env name to target */ >Audit-Trail: From: "David J. MacKenzie" To: krb5-bugs@MIT.EDU, krb5-unassigned@rt-11.mit.edu Cc: Subject: Re: krb5-clients/837: addition of ksu -m option Date: Fri, 14 Apr 2000 13:09:09 -0400 Errata: I accidentally included an unrelated hunk in the diff. The part that deals with the principal name should have only been included in bug report krb5-clients/839, so please disregard it in this report. >Unformatted: