authorBjorn Sandell <biorn@cvs.openbsd.org>2006-01-22 06:04:29 +0000
committerBjorn Sandell <biorn@cvs.openbsd.org>2006-01-22 06:04:29 +0000
commit27083ed6d6c3fb986af2909eb3993565b8502b84 (patch)
tree14fcc2870c1ed9685793ad4f3787eda0c6bc2868 /usr.bin/passwd/krb5_passwd.c
parentae39834e967e79a1c98550cc90226342112cebf2 (diff)
- drop privs before running krb5 code
- avoid calling krb5_get_init_creds_password(3) with principal == NULL
- try to change the kerberos password if there is a ticket file

help from millert@, ok beck@
Diffstat (limited to 'usr.bin/passwd/krb5_passwd.c')
-rw-r--r--usr.bin/passwd/krb5_passwd.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/usr.bin/passwd/krb5_passwd.c b/usr.bin/passwd/krb5_passwd.c
index af83baa73a1..2f608c28ae9 100644
--- a/usr.bin/passwd/krb5_passwd.c
+++ b/usr.bin/passwd/krb5_passwd.c
@@ -65,6 +65,12 @@ krb5_passwd(int argc, char **argv)
char pwbuf[BUFSIZ];
krb5_creds cred;
int result_code;
+ uid_t uid;
+
+ uid = getuid();
+ if (setresuid(uid, uid, uid)) {
+ errx(1, "can't drop privileges\n");
+ }
krb5_get_init_creds_opt_init (&opt);
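Review bot: The failure path of the new privilege drop, `errx(1, "can't drop privileges\n");`, discards errno and carries a trailing newline that errx(3) already supplies, so the message gives no reason for the setresuid() failure and is followed by an empty line; `err(1, "setresuid");` would report the cause. Checking the return value and exiting is the right shape for a drop that must not fail silently. The hunk resets only the user IDs; if the binary is ever installed with group privileges as well, those would need a matching setresgid() before this call, which cannot be judged from here. krb5_passwd() starts and ends outside the hunk, so what runs before the drop is not visible.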
@@ -78,10 +84,13 @@ krb5_passwd(int argc, char **argv)
if (argv[0]) {
ret = krb5_parse_name(context, argv[0], &principal);
- if (ret)
- krb5_err(context, 1, ret, "krb5_parse_name");
- } else
- principal = NULL;
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_parse_name");
+ } else {
+ ret = krb5_get_default_principal (context, &principal);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_get_default_principal");
+ }
ret = krb5_get_init_creds_password (context, &cred,
principal, NULL, krb5_prompter_posix, NULL, 0,
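Review bot: The new `else` branch has no comment saying why the default principal is looked up, and the reason is not obvious from the code: the commit message states that krb5_get_init_creds_password(3) must not be called with `principal == NULL`. A one-line comment above the call, such as `/* no name given: resolve the default principal, a NULL principal must not reach krb5_get_init_creds_password() */`, would keep a later cleanup from restoring the old branch. Since this lookup now runs after the privilege drop in the first hunk, it presumably resolves the principal with the invoking user's own rights, which is worth stating in the same comment if that is the intent. The rest of krb5_passwd(), including whether `principal` is released, lies outside the hunk.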