source: server/common/patches/krb5-kuserok-scripts.patch @ 406

Last change on this file since 406 was 125, checked in by jbarnold, 16 years ago
created two admofs for different selinux labels
File size: 3.8 KB
RevLine 
[1]1# scripts.mit.edu krb5 kuserok patch
2# Copyright (C) 2006  Tim Abbott <tabbott@mit.edu>
3#
4# This program is free software; you can redistribute it and/or
5# modify it under the terms of the GNU General Public License
6# as published by the Free Software Foundation; either version 2
7# of the License, or (at your option) any later version.
8#
9# This program is distributed in the hope that it will be useful,
10# but WITHOUT ANY WARRANTY; without even the implied warranty of
11# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12# GNU General Public License for more details.
13#
14# You should have received a copy of the GNU General Public License
15# along with this program; if not, write to the Free Software
16# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
17#
18# See /COPYRIGHT in this repository for more information.
19#
20--- krb5-1.4.3/src/lib/krb5/os/kuserok.c.old    2006-09-09 19:03:33.000000000 -0400
21+++ krb5-1.4.3/src/lib/krb5/os/kuserok.c        2006-09-09 19:50:48.000000000 -0400
22@@ -31,6 +31,7 @@
23 #if !defined(_WIN32)           /* Not yet for Windows */
24 #include <stdio.h>
25 #include <pwd.h>
26+#include <sys/wait.h>
27 
28 #if defined(_AIX) && defined(_IBMR2)
29 #include <sys/access.h>
30@@ -64,7 +65,6 @@
31 {
32     struct stat sbuf;
33     struct passwd *pwd;
34-    char pbuf[MAXPATHLEN];
35     krb5_boolean isok = FALSE;
36     FILE *fp;
37     char kuser[MAX_USERNAME];
38@@ -72,70 +72,35 @@
39     char linebuf[BUFSIZ];
40     char *newline;
41     int gobble;
42+    int pid, status;
43 
44     /* no account => no access */
45     char pwbuf[BUFSIZ];
46     struct passwd pwx;
47     if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0)
48        return(FALSE);
49-    (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
50-    pbuf[sizeof(pbuf) - 1] = '\0';
51-    (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));
52-
53-    if (access(pbuf, F_OK)) {   /* not accessible */
54-       /*
55-        * if he's trying to log in as himself, and there is no .k5login file,
56-        * let him.  To find out, call
57-        * krb5_aname_to_localname to convert the principal to a name
58-        * which we can string compare.
59-        */
60-       if (!(krb5_aname_to_localname(context, principal,
61-                                     sizeof(kuser), kuser))
62-           && (strcmp(kuser, luser) == 0)) {
63-           return(TRUE);
64-       }
65-    }
66     if (krb5_unparse_name(context, principal, &princname))
67        return(FALSE);                  /* no hope of matching */
68 
69-    /* open ~/.k5login */
70-    if ((fp = fopen(pbuf, "r")) == NULL) {
71-       free(princname);
72-       return(FALSE);
73-    }
74-    /*
75-     * For security reasons, the .k5login file must be owned either by
76-     * the user himself, or by root.  Otherwise, don't grant access.
77-     */
78-    if (fstat(fileno(fp), &sbuf)) {
79-       fclose(fp);
80-       free(princname);
81-       return(FALSE);
82-    }
[35]83-    if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) {
[1]84-       fclose(fp);
85-       free(princname);
86-       return(FALSE);
87-    }
88-
89-    /* check each line */
90-    while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) {
91-       /* null-terminate the input string */
92-       linebuf[BUFSIZ-1] = '\0';
93-       newline = NULL;
94-       /* nuke the newline if it exists */
95-       if ((newline = strchr(linebuf, '\n')))
96-           *newline = '\0';
97-       if (!strcmp(linebuf, princname)) {
98-           isok = TRUE;
99-           continue;
100-       }
101-       /* clean up the rest of the line if necessary */
102-       if (!newline)
103-           while (((gobble = getc(fp)) != EOF) && gobble != '\n');
104-    }
105+    if ((pid = fork()) == -1) {
106+       free(princname);
107+       return(FALSE);
108+    }
109+    if (pid == 0) {
110+       char *args[4];
[125]111+#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
[1]112+       args[0] = ADMOF_PATH;
113+       args[1] = (char *) luser;
114+       args[2] = princname;
115+       args[3] = NULL;
116+       execv(ADMOF_PATH, args);
117+       exit(1);
118+    }
119+    if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) {
120+       isok=TRUE;
121+    }
122+   
123     free(princname);
124-    fclose(fp);
125     return(isok);
126 }
127 
Note: See TracBrowser for help on using the repository browser.