source: branches/fc15-dev/server/common/patches/krb5-kuserok-scripts.patch @ 1810

Last change on this file since 1810 was 1810, checked in by achernya, 11 years ago
Updated krb5 patch to get rid of now-unused variables.
File size: 3.7 KB
RevLine 
[1]1# scripts.mit.edu krb5 kuserok patch
2# Copyright (C) 2006  Tim Abbott <tabbott@mit.edu>
[1807]3#               2011  Alexander Chernyakhovsky <achernya@mit.edu>
[1]4#
5# This program is free software; you can redistribute it and/or
6# modify it under the terms of the GNU General Public License
7# as published by the Free Software Foundation; either version 2
8# of the License, or (at your option) any later version.
9#
10# This program is distributed in the hope that it will be useful,
11# but WITHOUT ANY WARRANTY; without even the implied warranty of
12# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13# GNU General Public License for more details.
14#
15# You should have received a copy of the GNU General Public License
16# along with this program; if not, write to the Free Software
17# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
18#
19# See /COPYRIGHT in this repository for more information.
20#
[1807]21--- krb5-1.9/src/lib/krb5/os/kuserok.c.old      2011-04-16 19:09:58.000000000 -0400
22+++ krb5-1.9/src/lib/krb5/os/kuserok.c  2011-04-16 19:34:23.000000000 -0400
23@@ -32,6 +32,7 @@
24 #if !defined(_WIN32)            /* Not yet for Windows */
[1]25 #include <stdio.h>
26 #include <pwd.h>
27+#include <sys/wait.h>
28 
29 #if defined(_AIX) && defined(_IBMR2)
30 #include <sys/access.h>
[1810]31@@ -93,13 +94,12 @@
32 static enum result
33 k5login_ok(krb5_context context, krb5_principal principal, const char *luser)
34 {
35-    int authoritative = TRUE, gobble;
36+    int authoritative = TRUE;
37     enum result result = REJECT;
38     char *filename = NULL, *princname = NULL;
39-    char *newline, linebuf[BUFSIZ], pwbuf[BUFSIZ];
40-    struct stat sbuf;
41+    char pwbuf[BUFSIZ];
[1807]42     struct passwd pwx, *pwd;
[1810]43-    FILE *fp = NULL;
[1]44+    int pid, status;
45 
[1807]46     if (profile_get_boolean(context->profile, KRB5_CONF_LIBDEFAULTS,
47                             KRB5_CONF_K5LOGIN_AUTHORITATIVE, NULL, TRUE,
[1810]48@@ -110,46 +110,30 @@
[1]49     if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0)
[1807]50         goto cleanup;
51 
52-    if (get_k5login_filename(context, luser, pwd->pw_dir, &filename) != 0)
53-        goto cleanup;
[1]54-
[1807]55-    if (access(filename, F_OK) != 0) {
56-        result = PASS;
57-        goto cleanup;
[1]58-    }
[1807]59-
60     if (krb5_unparse_name(context, principal, &princname) != 0)
61         goto cleanup;
[1]62 
[1807]63-    fp = fopen(filename, "r");
64-    if (fp == NULL)
65+    if ((pid = fork()) == -1)
66         goto cleanup;
[1693]67-    set_cloexec_file(fp);
[1807]68-
69-    /* For security reasons, the .k5login file must be owned either by
70-     * the user or by root. */
71-    if (fstat(fileno(fp), &sbuf))
72-        goto cleanup;
73-    if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid))
74-        goto cleanup;
75-
76-    /* Check each line. */
77-    while (result != ACCEPT && (fgets(linebuf, sizeof(linebuf), fp) != NULL)) {
78-        newline = strrchr(linebuf, '\n');
79-        if (newline != NULL)
80-            *newline = '\0';
81-        if (strcmp(linebuf, princname) == 0)
82-            result = ACCEPT;
83-        /* Clean up the rest of the line if necessary. */
84-        if (newline == NULL)
85-            while (((gobble = getc(fp)) != EOF) && gobble != '\n');
86+   
[1069]87+    if (pid == 0) {
[1807]88+        char *args[4];
[1069]89+#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
[1807]90+        args[0] = ADMOF_PATH;
91+        args[1] = (char *) luser;
92+        args[2] = princname;
93+        args[3] = NULL;
94+        execv(ADMOF_PATH, args);
95+        exit(1);
[1069]96     }
[1807]97 
[1]98+    if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) {
[1807]99+        result = ACCEPT;
100+    }
[1]101+   
[1807]102 cleanup:
[1]103     free(princname);
[1807]104     free(filename);
[1810]105-    if (fp != NULL)
106-        fclose(fp);
107     /* If k5login files are non-authoritative, never reject. */
108     return (!authoritative && result == REJECT) ? PASS : result;
109 }
Note: See TracBrowser for help on using the repository browser.