source: branches/fc15-dev/server/common/patches/krb5-kuserok-scripts.patch @ 1989

Last change on this file since 1989 was 1820, checked in by achernya, 13 years ago
(Hopefully) final version of the Scripts krb5 patch, that removes the function into which the .k5login filename generating code was refactored into
File size: 5.0 KB
RevLine 
[1]1# scripts.mit.edu krb5 kuserok patch
2# Copyright (C) 2006  Tim Abbott <tabbott@mit.edu>
[1807]3#               2011  Alexander Chernyakhovsky <achernya@mit.edu>
[1]4#
5# This program is free software; you can redistribute it and/or
6# modify it under the terms of the GNU General Public License
7# as published by the Free Software Foundation; either version 2
8# of the License, or (at your option) any later version.
9#
10# This program is distributed in the hope that it will be useful,
11# but WITHOUT ANY WARRANTY; without even the implied warranty of
12# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13# GNU General Public License for more details.
14#
15# You should have received a copy of the GNU General Public License
16# along with this program; if not, write to the Free Software
17# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
18#
19# See /COPYRIGHT in this repository for more information.
20#
[1807]21--- krb5-1.9/src/lib/krb5/os/kuserok.c.old      2011-04-16 19:09:58.000000000 -0400
22+++ krb5-1.9/src/lib/krb5/os/kuserok.c  2011-04-16 19:34:23.000000000 -0400
23@@ -32,6 +32,7 @@
24 #if !defined(_WIN32)            /* Not yet for Windows */
[1]25 #include <stdio.h>
26 #include <pwd.h>
27+#include <sys/wait.h>
28 
29 #if defined(_AIX) && defined(_IBMR2)
30 #include <sys/access.h>
[1820]31@@ -51,39 +52,6 @@
32 enum result { ACCEPT, REJECT, PASS };
33 
34 /*
35- * Find the k5login filename for luser, either in the user's homedir or in a
36- * configured directory under the username.
37- */
38-static krb5_error_code
39-get_k5login_filename(krb5_context context, const char *luser,
40-                     const char *homedir, char **filename_out)
41-{
42-    krb5_error_code ret;
43-    char *dir, *filename;
44-
45-    *filename_out = NULL;
46-    ret = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
47-                             KRB5_CONF_K5LOGIN_DIRECTORY, NULL, NULL, &dir);
48-    if (ret != 0)
49-        return ret;
50-
51-    if (dir == NULL) {
52-        /* Look in the user's homedir. */
53-        if (asprintf(&filename, "%s/.k5login", homedir) < 0)
54-            return ENOMEM;
55-    } else {
56-        /* Look in the configured directory. */
57-        if (asprintf(&filename, "%s/%s", dir, luser) < 0)
58-            ret = ENOMEM;
59-        profile_release_string(dir);
60-        if (ret)
61-            return ret;
62-    }
63-    *filename_out = filename;
64-    return 0;
65-}
66-
67-/*
68  * Determine whether principal is authorized to log in as luser according to
69  * the user's k5login file.  Return ACCEPT if the k5login file authorizes the
70  * principal, PASS if the k5login file does not exist, or REJECT if the k5login
71@@ -93,13 +61,12 @@
[1810]72 static enum result
73 k5login_ok(krb5_context context, krb5_principal principal, const char *luser)
74 {
75-    int authoritative = TRUE, gobble;
76+    int authoritative = TRUE;
77     enum result result = REJECT;
[1820]78-    char *filename = NULL, *princname = NULL;
[1810]79-    char *newline, linebuf[BUFSIZ], pwbuf[BUFSIZ];
80-    struct stat sbuf;
[1820]81+    char *princname = NULL;
[1810]82+    char pwbuf[BUFSIZ];
[1807]83     struct passwd pwx, *pwd;
[1810]84-    FILE *fp = NULL;
[1]85+    int pid, status;
86 
[1807]87     if (profile_get_boolean(context->profile, KRB5_CONF_LIBDEFAULTS,
88                             KRB5_CONF_K5LOGIN_AUTHORITATIVE, NULL, TRUE,
[1820]89@@ -110,46 +77,29 @@
[1]90     if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0)
[1807]91         goto cleanup;
92 
93-    if (get_k5login_filename(context, luser, pwd->pw_dir, &filename) != 0)
94-        goto cleanup;
[1]95-
[1807]96-    if (access(filename, F_OK) != 0) {
97-        result = PASS;
98-        goto cleanup;
[1]99-    }
[1807]100-
101     if (krb5_unparse_name(context, principal, &princname) != 0)
102         goto cleanup;
[1]103 
[1807]104-    fp = fopen(filename, "r");
105-    if (fp == NULL)
106+    if ((pid = fork()) == -1)
107         goto cleanup;
[1693]108-    set_cloexec_file(fp);
[1807]109-
110-    /* For security reasons, the .k5login file must be owned either by
111-     * the user or by root. */
112-    if (fstat(fileno(fp), &sbuf))
113-        goto cleanup;
114-    if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid))
115-        goto cleanup;
116-
117-    /* Check each line. */
118-    while (result != ACCEPT && (fgets(linebuf, sizeof(linebuf), fp) != NULL)) {
119-        newline = strrchr(linebuf, '\n');
120-        if (newline != NULL)
121-            *newline = '\0';
122-        if (strcmp(linebuf, princname) == 0)
123-            result = ACCEPT;
124-        /* Clean up the rest of the line if necessary. */
125-        if (newline == NULL)
126-            while (((gobble = getc(fp)) != EOF) && gobble != '\n');
127+   
[1069]128+    if (pid == 0) {
[1807]129+        char *args[4];
[1069]130+#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
[1807]131+        args[0] = ADMOF_PATH;
132+        args[1] = (char *) luser;
133+        args[2] = princname;
134+        args[3] = NULL;
135+        execv(ADMOF_PATH, args);
136+        exit(1);
[1069]137     }
[1807]138 
[1]139+    if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) {
[1807]140+        result = ACCEPT;
141+    }
[1]142+   
[1807]143 cleanup:
[1]144     free(princname);
[1820]145-    free(filename);
[1810]146-    if (fp != NULL)
147-        fclose(fp);
148     /* If k5login files are non-authoritative, never reject. */
149     return (!authoritative && result == REJECT) ? PASS : result;
150 }
Note: See TracBrowser for help on using the repository browser.