source: branches/fc15-dev/server/common/patches/krb5-kuserok-scripts.patch @ 1810

Last change on this file since 1810 was 1810, checked in by achernya, 11 years ago
Updated krb5 patch to get rid of now-unused variables.
File size: 3.7 KB
  • krb5-1.9/src/lib/krb5/os/kuserok.c

    # scripts.mit.edu krb5 kuserok patch
    # Copyright (C) 2006  Tim Abbott <tabbott@mit.edu>
    #               2011  Alexander Chernyakhovsky <achernya@mit.edu>
    #
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of the GNU General Public License
    # as published by the Free Software Foundation; either version 2
    # of the License, or (at your option) any later version.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program; if not, write to the Free Software
    # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
    #
    # See /COPYRIGHT in this repository for more information.
    #
    old new  
    3232#if !defined(_WIN32)            /* Not yet for Windows */
    3333#include <stdio.h>
    3434#include <pwd.h>
     35#include <sys/wait.h>
    3536
    3637#if defined(_AIX) && defined(_IBMR2)
    3738#include <sys/access.h>
     
    9394static enum result
    9495k5login_ok(krb5_context context, krb5_principal principal, const char *luser)
    9596{
    96     int authoritative = TRUE, gobble;
     97    int authoritative = TRUE;
    9798    enum result result = REJECT;
    9899    char *filename = NULL, *princname = NULL;
    99     char *newline, linebuf[BUFSIZ], pwbuf[BUFSIZ];
    100     struct stat sbuf;
     100    char pwbuf[BUFSIZ];
    101101    struct passwd pwx, *pwd;
    102     FILE *fp = NULL;
     102    int pid, status;
    103103
    104104    if (profile_get_boolean(context->profile, KRB5_CONF_LIBDEFAULTS,
    105105                            KRB5_CONF_K5LOGIN_AUTHORITATIVE, NULL, TRUE,
     
    110110    if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0)
    111111        goto cleanup;
    112112
    113     if (get_k5login_filename(context, luser, pwd->pw_dir, &filename) != 0)
    114         goto cleanup;
    115 
    116     if (access(filename, F_OK) != 0) {
    117         result = PASS;
    118         goto cleanup;
    119     }
    120 
    121113    if (krb5_unparse_name(context, principal, &princname) != 0)
    122114        goto cleanup;
    123115
    124     fp = fopen(filename, "r");
    125     if (fp == NULL)
     116    if ((pid = fork()) == -1)
    126117        goto cleanup;
    127     set_cloexec_file(fp);
    128 
    129     /* For security reasons, the .k5login file must be owned either by
    130      * the user or by root. */
    131     if (fstat(fileno(fp), &sbuf))
    132         goto cleanup;
    133     if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid))
    134         goto cleanup;
    135 
    136     /* Check each line. */
    137     while (result != ACCEPT && (fgets(linebuf, sizeof(linebuf), fp) != NULL)) {
    138         newline = strrchr(linebuf, '\n');
    139         if (newline != NULL)
    140             *newline = '\0';
    141         if (strcmp(linebuf, princname) == 0)
    142             result = ACCEPT;
    143         /* Clean up the rest of the line if necessary. */
    144         if (newline == NULL)
    145             while (((gobble = getc(fp)) != EOF) && gobble != '\n');
     118   
     119    if (pid == 0) {
     120        char *args[4];
     121#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
     122        args[0] = ADMOF_PATH;
     123        args[1] = (char *) luser;
     124        args[2] = princname;
     125        args[3] = NULL;
     126        execv(ADMOF_PATH, args);
     127        exit(1);
    146128    }
    147129
     130    if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) {
     131        result = ACCEPT;
     132    }
     133   
    148134cleanup:
    149135    free(princname);
    150136    free(filename);
    151     if (fp != NULL)
    152         fclose(fp);
    153137    /* If k5login files are non-authoritative, never reject. */
    154138    return (!authoritative && result == REJECT) ? PASS : result;
    155139}
Note: See TracBrowser for help on using the repository browser.