1 | 0000 # scripts.mit.edu krb5 kuserok patch |
---|
2 | 0001 # Copyright (C) 2006 Tim Abbott <tabbott@mit.edu> |
---|
3 | 0002 # |
---|
4 | 0003 # This program is free software; you can redistribute it and/or |
---|
5 | 0004 # modify it under the terms of the GNU General Public License |
---|
6 | 0005 # as published by the Free Software Foundation; either version 2 |
---|
7 | 0006 # of the License, or (at your option) any later version. |
---|
8 | 0007 # |
---|
9 | 0008 # This program is distributed in the hope that it will be useful, |
---|
10 | 0009 # but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
11 | 0010 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
12 | 0011 # GNU General Public License for more details. |
---|
13 | 0012 # |
---|
14 | 0013 # You should have received a copy of the GNU General Public License |
---|
15 | 0014 # along with this program; if not, write to the Free Software |
---|
16 | 0015 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA |
---|
17 | 0016 # |
---|
18 | 0017 # See /COPYRIGHT in this repository for more information. |
---|
19 | 0018 # |
---|
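--- krb5-1.4.3/src/lib/krb5/os/kuserok.c.old 2006-09-09 19:03:33.000000000 -0400
+++ krb5-1.4.3/src/lib/krb5/os/kuserok.c 2006-09-09 19:50:48.000000000 -0400
@@ -31,6 +31,7 @@
 #if !defined(_WIN32) /* Not yet for Windows */
 #include <stdio.h>
 #include <pwd.h>
+#include <sys/wait.h>
 
 #if defined(_AIX) && defined(_IBMR2)
 #include <sys/access.h>
@@ -64,7 +65,6 @@
 {
 struct stat sbuf;
 struct passwd *pwd;
- char pbuf[MAXPATHLEN];
 krb5_boolean isok = FALSE;
 FILE *fp;
 char kuser[MAX_USERNAME];
@@ -72,70 +72,35 @@
 char linebuf[BUFSIZ];
 char *newline;
 int gobble;
+ int pid, status;
 
 /* no account => no access */
 char pwbuf[BUFSIZ];
 struct passwd pwx;
 if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0)
 return(FALSE);
- (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
- pbuf[sizeof(pbuf) - 1] = '\0';
- (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));
-
- if (access(pbuf, F_OK)) { /* not accessible */
- /*
- * if he's trying to log in as himself, and there is no .k5login file,
- * let him. To find out, call
- * krb5_aname_to_localname to convert the principal to a name
- * which we can string compare.
- */
- if (!(krb5_aname_to_localname(context, principal,
- sizeof(kuser), kuser))
- && (strcmp(kuser, luser) == 0)) {
- return(TRUE);
- }
- }
 if (krb5_unparse_name(context, principal, &princname))
 return(FALSE); /* no hope of matching */
 
- /* open ~/.k5login */
- if ((fp = fopen(pbuf, "r")) == NULL) {
- free(princname);
- return(FALSE);
- }
- /*
- * For security reasons, the .k5login file must be owned either by
- * the user himself, or by root. Otherwise, don't grant access.
- */
- if (fstat(fileno(fp), &sbuf)) {
- fclose(fp);
- free(princname);
- return(FALSE);
- }
- if ((sbuf.st_uid != pwd->pw_uid) && sbuf.st_uid) {
- fclose(fp);
- free(princname);
- return(FALSE);
- }
-
- /* check each line */
- while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) {
- /* null-terminate the input string */
- linebuf[BUFSIZ-1] = '\0';
- newline = NULL;
- /* nuke the newline if it exists */
- if ((newline = strchr(linebuf, '\n')))
- *newline = '\0';
- if (!strcmp(linebuf, princname)) {
- isok = TRUE;
- continue;
- }
- /* clean up the rest of the line if necessary */
- if (!newline)
- while (((gobble = getc(fp)) != EOF) && gobble != '\n');
- }
+ if ((pid = fork()) == -1) {
+ free(princname);
+ return(FALSE);
+ }
+ if (pid == 0) {
+ char *args[4];
+#define ADMOF_PATH "/usr/local/sbin/admof"
+ args[0] = ADMOF_PATH;
+ args[1] = (char *) luser;
+ args[2] = princname;
+ args[3] = NULL;
+ execv(ADMOF_PATH, args);
+ exit(1);
+ }
+ if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) {
+ isok=TRUE;
+ }
+
 free(princname);
- fclose(fp);
 return(isok);
 }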
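Review bot: In the child branch of the third hunk, a failed `execv` falls through to `exit(1)`, which runs the calling process's atexit handlers and flushes its inherited stdio buffers inside the forked copy; `_exit(1);` is the safe form there. The decision fails closed, since only an exit status of 33 sets `isok`, but `waitpid` is not retried on `EINTR`, so a signal during the check denies the login and leaves the child unreaped; `while ((rc = waitpid(pid, &status, 0)) == -1 && errno == EINTR) ;` with `pid` declared as `pid_t` would cover that. The helper also inherits the caller's environment and open descriptors, and `luser` and `princname` reach it as plain argv entries, so `admof` (not shown here) has to treat all of these as untrusted. The literal `33` deserves a named constant with a comment such as `/* must match the success exit code of admof */`. The function's signature lies outside the hunks, but `sbuf`, `fp`, `kuser`, `linebuf`, `newline` and `gobble` appear to be left unused by the removal.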