source: trunk/server/common/patches/krb5-kuserok-scripts.patch @ 1759

Last change on this file since 1759 was 1693, checked in by ezyang, 14 years ago
Merge Fedora 13 development back to trunk.
File size: 3.8 KB
[1]1# scripts.mit.edu krb5 kuserok patch
2# Copyright (C) 2006  Tim Abbott <tabbott@mit.edu>
3#
4# This program is free software; you can redistribute it and/or
5# modify it under the terms of the GNU General Public License
6# as published by the Free Software Foundation; either version 2
7# of the License, or (at your option) any later version.
8#
9# This program is distributed in the hope that it will be useful,
10# but WITHOUT ANY WARRANTY; without even the implied warranty of
11# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12# GNU General Public License for more details.
13#
14# You should have received a copy of the GNU General Public License
15# along with this program; if not, write to the Free Software
16# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
17#
18# See /COPYRIGHT in this repository for more information.
19#
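--- krb5-1.6.3/src/lib/krb5/os/kuserok.c.old    2009-04-08 06:17:06.000000000 -0400
+++ krb5-1.6.3/src/lib/krb5/os/kuserok.c        2009-04-08 06:17:18.000000000 -0400
@@ -31,6 +31,7 @@
 #if !defined(_WIN32)           /* Not yet for Windows */
 #include <stdio.h>
 #include <pwd.h>
+#include <sys/wait.h>
 
 #if defined(_AIX) && defined(_IBMR2)
 #include <sys/access.h>
@@ -71,7 +72,6 @@
 {
     struct stat sbuf;
     struct passwd *pwd;
-    char pbuf[MAXPATHLEN];
     krb5_boolean isok = FALSE;
     FILE *fp;
     char kuser[MAX_USERNAME];
@@ -79,71 +79,35 @@
     char linebuf[BUFSIZ];
     char *newline;
     int gobble;
+    int pid, status;
 
     /* no account => no access */
     char pwbuf[BUFSIZ];
     struct passwd pwx;
     if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0)
        return(FALSE);
-    (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
-    pbuf[sizeof(pbuf) - 1] = '\0';
-    (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));
-
-    if (access(pbuf, F_OK)) {   /* not accessible */
-       /*
-        * if he's trying to log in as himself, and there is no .k5login file,
-        * let him.  To find out, call
-        * krb5_aname_to_localname to convert the principal to a name
-        * which we can string compare.
-        */
-       if (!(krb5_aname_to_localname(context, principal,
-                                     sizeof(kuser), kuser))
-           && (strcmp(kuser, luser) == 0)) {
-           return(TRUE);
-       }
-    }
     if (krb5_unparse_name(context, principal, &princname))
        return(FALSE);                  /* no hope of matching */
 
-    /* open ~/.k5login */
-    if ((fp = fopen(pbuf, "r")) == NULL) {
-       free(princname);
-       return(FALSE);
-    }
-    set_cloexec_file(fp);
-    /*
-     * For security reasons, the .k5login file must be owned either by
-     * the user himself, or by root.  Otherwise, don't grant access.
-     */
-    if (fstat(fileno(fp), &sbuf)) {
-       fclose(fp);
-       free(princname);
-       return(FALSE);
+    if ((pid = fork()) == -1) {
+       free(princname);
+       return(FALSE);
     }
-    if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) {
-       fclose(fp);
-       free(princname);
-       return(FALSE);
+    if (pid == 0) {
+       char *args[4];
+#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
+       args[0] = ADMOF_PATH;
+       args[1] = (char *) luser;
+       args[2] = princname;
+       args[3] = NULL;
+       execv(ADMOF_PATH, args);
+       exit(1);
     }
-
-    /* check each line */
-    while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) {
-       /* null-terminate the input string */
-       linebuf[BUFSIZ-1] = '\0';
-       newline = NULL;
-       /* nuke the newline if it exists */
-       if ((newline = strchr(linebuf, '\n')))
-           *newline = '\0';
-       if (!strcmp(linebuf, princname)) {
-           isok = TRUE;
-           continue;
-       }
-       /* clean up the rest of the line if necessary */
-       if (!newline)
-           while (((gobble = getc(fp)) != EOF) && gobble != '\n');
+    if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) {
+       isok=TRUE;
     }
+   
     free(princname);
-    fclose(fp);
     return(isok);
 }
 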
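Review bot: The child branch ends in `exit(1);` after a failed `execv()`, which runs the parent's atexit handlers and flushes stdio buffers inherited across `fork()` — in a library routine called from a privileged daemon that can duplicate buffered output or trigger cleanup the parent never intended; the forked child should leave with `_exit(1);`. The `waitpid()` test that follows fails closed on any error, which is the right default, but a `-1`/`EINTR` return both denies a login the helper would have granted and leaves the child as a zombie; retry the wait while `errno == EINTR` before evaluating `WIFEXITED()` (this assumes `<errno.h>` is already in scope, which the hunk does not show). The exit code 33 that grants access is an interface contract with ssh-admof, so give it a name next to `ADMOF_PATH`, e.g. `#define ADMOF_EXIT_ALLOWED 33 /* exit status ssh-admof returns when access is granted */` (constructed name), and compare `WEXITSTATUS(status)` against that. `pid` should be declared `pid_t pid;` rather than `int`, and `sbuf`, `fp`, `kuser`, `linebuf`, `newline` and `gobble` appear to have no remaining uses once the `.k5login` code is removed, so they will draw unused-variable warnings; the function's signature and one declaration line sit above the hunk, so confirm there. The helper also inherits the caller's full environment and every non-close-on-exec descriptor, which is worth a comment here if it is intended or an `execve()` with a minimal envp if it is not.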