source: server/doc/cluedump/krb5-kuserok-scripts.patch.num @ 37

Last change on this file since 37 was 37, checked in by jbarnold, 16 years ago
Touched up documentation; moved cluedump info to its own dir
File size: 4.4 KB
Line 
10000 # scripts.mit.edu krb5 kuserok patch
20001 # Copyright (C) 2006  Tim Abbott <tabbott@mit.edu>
30002 #
40003 # This program is free software; you can redistribute it and/or
50004 # modify it under the terms of the GNU General Public License
60005 # as published by the Free Software Foundation; either version 2
70006 # of the License, or (at your option) any later version.
80007 #
90008 # This program is distributed in the hope that it will be useful,
100009 # but WITHOUT ANY WARRANTY; without even the implied warranty of
110010 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
120011 # GNU General Public License for more details.
130012 #
140013 # You should have received a copy of the GNU General Public License
150014 # along with this program; if not, write to the Free Software
160015 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
170016 #
180017 # See /COPYRIGHT in this repository for more information.
190018 #
200019 --- krb5-1.4.3/src/lib/krb5/os/kuserok.c.old    2006-09-09 19:03:33.000000000 -0400
210020 +++ krb5-1.4.3/src/lib/krb5/os/kuserok.c        2006-09-09 19:50:48.000000000 -0400
220021 @@ -31,6 +31,7 @@
230022  #if !defined(_WIN32)              /* Not yet for Windows */
240023  #include <stdio.h>
250024  #include <pwd.h>
260025 +#include <sys/wait.h>
270026
280027  #if defined(_AIX) && defined(_IBMR2)
290028  #include <sys/access.h>
300029 @@ -64,7 +65,6 @@
310030  {
320031      struct stat sbuf;
330032      struct passwd *pwd;
340033 -    char pbuf[MAXPATHLEN];
350034      krb5_boolean isok = FALSE;
360035      FILE *fp;
370036      char kuser[MAX_USERNAME];
380037 @@ -72,70 +72,35 @@
390038      char linebuf[BUFSIZ];
400039      char *newline;
410040      int gobble;
420041 +    int pid, status;
430042
440043      /* no account => no access */
450044      char pwbuf[BUFSIZ];
460045      struct passwd pwx;
470046      if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0)
480047    return(FALSE);
490048 -    (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
500049 -    pbuf[sizeof(pbuf) - 1] = '\0';
510050 -    (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));
520051 -
530052 -    if (access(pbuf, F_OK)) {      /* not accessible */
540053 -  /*
550054 -   * if he's trying to log in as himself, and there is no .k5login file,
560055 -   * let him.  To find out, call
570056 -   * krb5_aname_to_localname to convert the principal to a name
580057 -   * which we can string compare.
590058 -   */
600059 -  if (!(krb5_aname_to_localname(context, principal,
610060 -                                sizeof(kuser), kuser))
620061 -      && (strcmp(kuser, luser) == 0)) {
630062 -      return(TRUE);
640063 -  }
650064 -    }
660065      if (krb5_unparse_name(context, principal, &princname))
670066    return(FALSE);                  /* no hope of matching */
680067
690068 -    /* open ~/.k5login */
700069 -    if ((fp = fopen(pbuf, "r")) == NULL) {
710070 -  free(princname);
720071 -  return(FALSE);
730072 -    }
740073 -    /*
750074 -     * For security reasons, the .k5login file must be owned either by
760075 -     * the user himself, or by root.  Otherwise, don't grant access.
770076 -     */
780077 -    if (fstat(fileno(fp), &sbuf)) {
790078 -  fclose(fp);
800079 -  free(princname);
810080 -  return(FALSE);
820081 -    }
830082 -    if ((sbuf.st_uid != pwd->pw_uid) && sbuf.st_uid) {
840083 -  fclose(fp);
850084 -  free(princname);
860085 -  return(FALSE);
870086 -    }
880087 -
890088 -    /* check each line */
900089 -    while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) {
910090 -  /* null-terminate the input string */
920091 -  linebuf[BUFSIZ-1] = '\0';
930092 -  newline = NULL;
940093 -  /* nuke the newline if it exists */
950094 -  if ((newline = strchr(linebuf, '\n')))
960095 -      *newline = '\0';
970096 -  if (!strcmp(linebuf, princname)) {
980097 -      isok = TRUE;
990098 -      continue;
1000099 -  }
1010100 -  /* clean up the rest of the line if necessary */
1020101 -  if (!newline)
1030102 -      while (((gobble = getc(fp)) != EOF) && gobble != '\n');
1040103 -    }
1050104 +    if ((pid = fork()) == -1) {
1060105 +       free(princname);
1070106 +       return(FALSE);
1080107 +    }
1090108 +    if (pid == 0) {
1100109 +       char *args[4];
1110110 +#define ADMOF_PATH "/usr/local/sbin/admof"
1120111 +       args[0] = ADMOF_PATH;
1130112 +       args[1] = (char *) luser;
1140113 +       args[2] = princname;
1150114 +       args[3] = NULL;
1160115 +       execv(ADMOF_PATH, args);
1170116 +       exit(1);
1180117 +    }
1190118 +    if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) {
1200119 +       isok=TRUE;
1210120 +    }
1220121 +
1230122      free(princname);
1240123 -    fclose(fp);
1250124      return(isok);
1260125  }
Note: See TracBrowser for help on using the repository browser.