source: server/common/patches/krb5-kuserok-scripts.patch @ 483

Last change on this file since 483 was 125, checked in by jbarnold, 18 years ago
created two admofs for different selinux labels
File size: 3.8 KB
  • krb5-1.4.3/src/lib/krb5/os/kuserok.c

    # scripts.mit.edu krb5 kuserok patch
    # Copyright (C) 2006  Tim Abbott <tabbott@mit.edu>
    #
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of the GNU General Public License
    # as published by the Free Software Foundation; either version 2
    # of the License, or (at your option) any later version.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program; if not, write to the Free Software
    # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
    #
    # See /COPYRIGHT in this repository for more information.
    #
    old new  
    3131#if !defined(_WIN32)            /* Not yet for Windows */
    3232#include <stdio.h>
    3333#include <pwd.h>
     34#include <sys/wait.h>
    3435
    3536#if defined(_AIX) && defined(_IBMR2)
    3637#include <sys/access.h>
     
    6465{
    6566    struct stat sbuf;
    6667    struct passwd *pwd;
    67     char pbuf[MAXPATHLEN];
    6868    krb5_boolean isok = FALSE;
    6969    FILE *fp;
    7070    char kuser[MAX_USERNAME];
     
    7272    char linebuf[BUFSIZ];
    7373    char *newline;
    7474    int gobble;
     75    int pid, status;
    7576
    7677    /* no account => no access */
    7778    char pwbuf[BUFSIZ];
    7879    struct passwd pwx;
    7980    if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0)
    8081        return(FALSE);
    81     (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
    82     pbuf[sizeof(pbuf) - 1] = '\0';
    83     (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));
    84 
    85     if (access(pbuf, F_OK)) {    /* not accessible */
    86         /*
    87          * if he's trying to log in as himself, and there is no .k5login file,
    88          * let him.  To find out, call
    89          * krb5_aname_to_localname to convert the principal to a name
    90          * which we can string compare.
    91          */
    92         if (!(krb5_aname_to_localname(context, principal,
    93                                       sizeof(kuser), kuser))
    94             && (strcmp(kuser, luser) == 0)) {
    95             return(TRUE);
    96         }
    97     }
    9882    if (krb5_unparse_name(context, principal, &princname))
    9983        return(FALSE);                  /* no hope of matching */
    10084
    101     /* open ~/.k5login */
    102     if ((fp = fopen(pbuf, "r")) == NULL) {
    103         free(princname);
    104         return(FALSE);
    105     }
    106     /*
    107      * For security reasons, the .k5login file must be owned either by
    108      * the user himself, or by root.  Otherwise, don't grant access.
    109      */
    110     if (fstat(fileno(fp), &sbuf)) {
    111         fclose(fp);
    112         free(princname);
    113         return(FALSE);
    114     }
    115     if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) {
    116         fclose(fp);
    117         free(princname);
    118         return(FALSE);
    119     }
    120 
    121     /* check each line */
    122     while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) {
    123         /* null-terminate the input string */
    124         linebuf[BUFSIZ-1] = '\0';
    125         newline = NULL;
    126         /* nuke the newline if it exists */
    127         if ((newline = strchr(linebuf, '\n')))
    128             *newline = '\0';
    129         if (!strcmp(linebuf, princname)) {
    130             isok = TRUE;
    131             continue;
    132         }
    133         /* clean up the rest of the line if necessary */
    134         if (!newline)
    135             while (((gobble = getc(fp)) != EOF) && gobble != '\n');
    136     }
     85    if ((pid = fork()) == -1) {
     86       free(princname);
     87       return(FALSE);
     88    }
     89    if (pid == 0) {
     90       char *args[4];
     91#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
     92       args[0] = ADMOF_PATH;
     93       args[1] = (char *) luser;
     94       args[2] = princname;
     95       args[3] = NULL;
     96       execv(ADMOF_PATH, args);
     97       exit(1);
     98    }
     99    if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) {
     100       isok=TRUE;
     101    }
     102   
    137103    free(princname);
    138     fclose(fp);
    139104    return(isok);
    140105}
    141106
Note: See TracBrowser for help on using the repository browser.