Kerberos as a site-wide authentication mechanism has its benefits, but the software that's typically used to drive it is getting a little long in the tooth. ksu, the kerberized equivalent to su, is only a partial implementation of what su does; there's no argument to ksu that says "this is a login shell, please set up the necessary environment". Even su has a couple of failings; in particular, if you're an X user, you're probably familiar with how su - doesn't bring your X authentication data along for the ride.
So, I fixed both of those a while back, with a really ugly shell script. Just in case anyone else might find it handy, here it is:
#!/bin/sh
# Replacement for raw "ksu" in kerberized environments;
# behaves more like "su -", and retains xauth data.

if [ $# -lt 1 ]
then
    echo "Usage: $(basename "$0") <target user> [ <command> [ <arg> ] ... ]" >&2
    exit 2
fi

TARGET_USER="$1"
shift

# Be a basic login shell if no command is specified.
# Note: the command is wrapped in single quotes, so a single quote
# inside it ends the quoting early.
if [ -z "$*" ]
then
    TARGET_CMD='-l'
else
    TARGET_CMD="-c '$*'"
fi

# FD 4 becomes a copy of stdin, saved for use inside the pipeline.
exec 4<&0

# Turn each "xauth list" entry into an "add" command for the target's xauth.
xauth list | sed -e 's/^/add /' | {
    # FD 3 becomes xauth output (the pipe from sed)
    # FD 0 becomes stdin again
    # FD 4 is closed
    exec 3<&0 0<&4 4<&-

    # PATH and LD_LIBRARY_PATH are removed from ksu's environment.
    # ${DISPLAY} and ${TARGET_CMD} are expanded here; "$SHELL" is left
    # for the inner bash (running as the target user) to expand.
    exec /usr/bin/env -u PATH -u LD_LIBRARY_PATH \
        /usr/krb5/bin/ksu "${TARGET_USER}" -e /bin/bash -l -c "
            xauth -q <&3
            cd
            exec /usr/bin/env DISPLAY='${DISPLAY}' "'"$SHELL"'" ${TARGET_CMD} 3>&-"
}
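
The `-c '$*'` quoting in the script ends early when the command itself contains a single quote, so the inner `bash -l -c` sees different words than the ones typed. The following is an added example, not part of the original script, that compares that form with a quoted one; the helper names (`sq_quote`, `naive_target_cmd`, `safe_target_cmd`, `inner_words`) and the sample command are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original script. Helper names are
# hypothetical; the sample command is constructed.

# sq_quote STRING: print STRING as one shell word in single quotes,
# rewriting each embedded ' as '\'' so it cannot end the word.
sq_quote() (
    q="'"; rest=$1; out=
    while :; do
        case $rest in
            *"$q"*)
                head=${rest%%"$q"*}   # text before the first quote
                rest=${rest#*"$q"}    # text after it
                out="$out$head'\\''"
                ;;
            *)  out="$out$rest"; break ;;
        esac
    done
    printf "'%s'" "$out"
)

# naive_target_cmd ARG...: the quoting used in the script above.
naive_target_cmd() {
    if [ -z "$*" ]; then printf '%s' '-l'; else printf '%s' "-c '$*'"; fi
}

# safe_target_cmd ARG...: same joined command, quoted with sq_quote.
safe_target_cmd() {
    if [ -z "$*" ]; then printf '%s' '-l'
    else printf '%s' "-c $(sq_quote "$*")"; fi
}

# inner_words STRING: split STRING the way the inner "bash -l -c" will
# and print one resulting word per line (use on harmless input only).
inner_words() (
    eval "set -- $1"
    for w in "$@"; do printf '[%s]\n' "$w"; done
)

# Constructed sample: a command that itself contains single quotes.
sample="grep 'foo bar' notes.txt"
echo "naive:"; inner_words "$(naive_target_cmd "$sample")"
echo "safe:";  inner_words "$(safe_target_cmd "$sample")"
```

To use it in the script, set `TARGET_CMD` from `safe_target_cmd "$@"`; the `${DISPLAY}` value embedded in the same string can be passed through `sq_quote` as well.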