Date: Fri, 12 Sep 2025 14:33:09 GMT
Message-Id: <202509121433.58CEX9TA009463@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Cy Schubert
Subject: git: b0e7b55a0e90 - main - krb5: Enable PRINC_LOOK_AHEAD in ksu
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=b0e7b55a0e90d737cf469b78e9785b492b3c0d0f

commit b0e7b55a0e90d737cf469b78e9785b492b3c0d0f
Author:     Cy Schubert
AuthorDate: 2025-09-10 20:13:08 +0000
Commit:     Cy Schubert
CommitDate: 2025-09-12 14:32:48 +0000

    krb5: Enable PRINC_LOOK_AHEAD in ksu

    PRINC_LOOK_AHEAD is the upstream default. Normally ksu determines
    the target principal by (quoted from the man page)

    a. default principal of the source cache
    b. target_user@local_realm
    c. source_user@local_realm

    With PRINC_LOOK_AHEAD enabled, for each candidate in the above list,
    select an authorized principal that has the same realm name and
    first part of the principal name equal to the prefix of the
    candidate. For example if candidate a) is jqpublic@ISI.EDU and
    jqpublic/secure@ISI.EDU is authorized to access the target account
    then the default principal is set to jqpublic/secure@ISI.EDU.

    Case 2: source user is root. If the target user is non-root then
    the default principal name is target_user@local_realm. Else, if the
    source cache exists the default principal name is set to the default
    principal of the source cache. If the source cache does not exist,
    default principal name is set to root\@local_realm.

    This commit restores the same behaviour as Heimdal ksu.
    Reported by:    Dan Mahoney
    Requested by:   Dan Mahoney
    MFC after:      3 days
    MFC to:         15/stable
    Differential revision:  https://reviews.freebsd.org/D52478
--- krb5/usr.bin/ksu/Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/krb5/usr.bin/ksu/Makefile b/krb5/usr.bin/ksu/Makefile index aaec461ce0b0..93860e38ce5c 100644 --- a/krb5/usr.bin/ksu/Makefile +++ b/krb5/usr.bin/ksu/Makefile @@ -24,7 +24,8 @@ SRCS= authorization.c \ CFLAGS+=-I${KRB5_DIR}/include \ -I${KRB5_SRCTOP}/include \ - -DGET_TGT_VIA_PASSWD + -DGET_TGT_VIA_PASSWD \ + -DPRINC_LOOK_AHEAD MAN= ksu.1
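
Review bot: The added -DPRINC_LOOK_AHEAD line in the CFLAGS block changes which principal ksu selects by default, but the diffstat shows only the Makefile changing, so nothing in the tree records that behaviour change for users who receive it through the MFC to 15/stable. Consider a short comment above the new flag stating that it is the upstream default and matches Heimdal ksu, so a later cleanup does not drop it, and an accompanying release note saying that an authorized principal such as jqpublic/secure@ISI.EDU can now be chosen in place of the candidate jqpublic@ISI.EDU.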
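
The look-ahead selection described in the commit message, as an added C illustration (not code from FreeBSD or from MIT krb5's ksu). The names `extends_candidate` and `select_principal` and most of the sample principals are hypothetical, and preferring an exact match over a look-ahead match is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data; only the first candidate and the last authorized
 * principal come from the commit message's example. */
static const char *const CANDS[] = { "jqpublic@ISI.EDU", "guest@ISI.EDU" };
static const char *const AUTHZ[] = { "jqpublicx/secure@ISI.EDU",
    "jqpublic/secure@MIT.EDU", "jqpublic/secure@ISI.EDU" };

/* 1 if `auth` has cand's realm and cand's name as a whole-component prefix. */
static int extends_candidate(const char *cand, const char *auth)
{
    const char *c_at = strrchr(cand, '@'), *a_at = strrchr(auth, '@');
    size_t c_len, a_len;

    if (c_at == NULL || a_at == NULL || strcmp(c_at, a_at) != 0)
        return 0;                       /* malformed or different realm */
    c_len = (size_t)(c_at - cand);
    a_len = (size_t)(a_at - auth);
    if (c_len == 0 || a_len < c_len || strncmp(cand, auth, c_len) != 0)
        return 0;
    /* Component boundary: "jqpublic" must not match "jqpublicx/secure". */
    return a_len == c_len || auth[c_len] == '/';
}

/* Try candidates in priority order; NULL if no authorized principal fits. */
static const char *select_principal(const char *const cands[], size_t nc,
                                    const char *const authz[], size_t na)
{
    for (size_t i = 0; i < nc; i++) {
        const char *best = NULL;
        for (size_t j = 0; j < na; j++) {
            if (strcmp(cands[i], authz[j]) == 0)
                return authz[j];        /* exact match wins (assumption) */
            if (best == NULL && extends_candidate(cands[i], authz[j]))
                best = authz[j];        /* first look-ahead match */
        }
        if (best != NULL)
            return best;
    }
    return NULL;
}

int main(void)
{
    const char *p = select_principal(CANDS, 2, AUTHZ, 3);
    printf("selected: %s\n", p ? p : "(none)");
    return 0;
}
```

The realm and component-boundary checks are what keep a similarly named principal, or one from another realm, from being selected for the candidate.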