Context Navigation

krb5-kuserok-scripts.patch @ 1989

Last change on this file since 1989 was 1820, checked in by achernya, 13 years ago
(Hopefully) final version of the Scripts krb5 patch, that removes the function into which the .k5login filename generating code was refactored into
File size: 5.0 KB

krb5-1.9/src/lib/krb5/os/kuserok.c

# scripts.mit.edu krb5 kuserok patch
# Copyright (C) 2006  Tim Abbott <tabbott@mit.edu>
#               2011  Alexander Chernyakhovsky <achernya@mit.edu>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
#
# See /COPYRIGHT in this repository for more information.
#

-                      old
+                      new
 #if !defined(_WIN32)            /* Not yet for Windows */
 #include <stdio.h>
 #include <pwd.h>
+#include <sys/wait.h>
 #if defined(_AIX) && defined(_IBMR2)
 #include <sys/access.h>
 …
 enum result { ACCEPT, REJECT, PASS };
 /*
- * Find the k5login filename for luser, either in the user's homedir or in a
- * configured directory under the username.
- */
-static krb5_error_code
-get_k5login_filename(krb5_context context, const char *luser,
-                     const char *homedir, char **filename_out)
+{
-    krb5_error_code ret;
-    char *dir, *filename;
-    *filename_out = NULL;
-    ret = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
-                             KRB5_CONF_K5LOGIN_DIRECTORY, NULL, NULL, &dir);
-    if (ret != 0)
-        return ret;
-    if (dir == NULL) {
-        /* Look in the user's homedir. */
-        if (asprintf(&filename, "%s/.k5login", homedir) < 0)
-            return ENOMEM;
-    } else {
-        /* Look in the configured directory. */
-        if (asprintf(&filename, "%s/%s", dir, luser) < 0)
-            ret = ENOMEM;
-        profile_release_string(dir);
-        if (ret)
-            return ret;
+    }
-    *filename_out = filename;
-    return 0;
+}
-/*
  * Determine whether principal is authorized to log in as luser according to
  * the user's k5login file.  Return ACCEPT if the k5login file authorizes the
  * principal, PASS if the k5login file does not exist, or REJECT if the k5login
 …
 static enum result
 k5login_ok(krb5_context context, krb5_principal principal, const char *luser)
+{
     int authoritative = TRUE, gobble;
+    int authoritative = TRUE;
     enum result result = REJECT;
+    char *filename = NULL, *princname = NULL;
+    char *newline, linebuf[BUFSIZ], pwbuf[BUFSIZ];
+    struct stat sbuf;
+    char *princname = NULL;
+    char pwbuf[BUFSIZ];
     struct passwd pwx, *pwd;
     FILE *fp = NULL;
+    int pid, status;
     if (profile_get_boolean(context->profile, KRB5_CONF_LIBDEFAULTS,
                             KRB5_CONF_K5LOGIN_AUTHORITATIVE, NULL, TRUE,
 …
     if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0)
         goto cleanup;
-    if (get_k5login_filename(context, luser, pwd->pw_dir, &filename) != 0)
-        goto cleanup;
-    if (access(filename, F_OK) != 0) {
-        result = PASS;
-        goto cleanup;
+    }
     if (krb5_unparse_name(context, principal, &princname) != 0)
         goto cleanup;
+    fp = fopen(filename, "r");
+    if (fp == NULL)
+    if ((pid = fork()) == -1)
         goto cleanup;
+    set_cloexec_file(fp);
+    /* For security reasons, the .k5login file must be owned either by
+     * the user or by root. */
+    if (fstat(fileno(fp), &sbuf))
+        goto cleanup;
+    if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid))
+        goto cleanup;
+    /* Check each line. */
+    while (result != ACCEPT && (fgets(linebuf, sizeof(linebuf), fp) != NULL)) {
+        newline = strrchr(linebuf, '\n');
+        if (newline != NULL)
+            *newline = '\0';
+        if (strcmp(linebuf, princname) == 0)
+            result = ACCEPT;
+        /* Clean up the rest of the line if necessary. */
+        if (newline == NULL)
+            while (((gobble = getc(fp)) != EOF) && gobble != '\n');
+    if (pid == 0) {
+        char *args[4];
+#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
+        args[0] = ADMOF_PATH;
+        args[1] = (char *) luser;
+        args[2] = princname;
+        args[3] = NULL;
+        execv(ADMOF_PATH, args);
+        exit(1);
+    }
+    if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) {
+        result = ACCEPT;
+    }
 cleanup:
     free(princname);
-    free(filename);
-    if (fp != NULL)
-        fclose(fp);
     /* If k5login files are non-authoritative, never reject. */
     return (!authoritative && result == REJECT) ? PASS : result;
+}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: branches/fc15-dev/server/common/patches/krb5-kuserok-scripts.patch @ 1989

krb5-1.9/src/lib/krb5/os/kuserok.c

Download in other formats: