[1] | 1 | # scripts.mit.edu krb5 kuserok patch |
---|
| 2 | # Copyright (C) 2006 Tim Abbott <tabbott@mit.edu> |
---|
[2066] | 3 | # 2011 Alexander Chernyakhovsky <achernya@mit.edu> |
---|
[1] | 4 | # |
---|
| 5 | # This program is free software; you can redistribute it and/or |
---|
| 6 | # modify it under the terms of the GNU General Public License |
---|
| 7 | # as published by the Free Software Foundation; either version 2 |
---|
| 8 | # of the License, or (at your option) any later version. |
---|
| 9 | # |
---|
| 10 | # This program is distributed in the hope that it will be useful, |
---|
| 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
| 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
| 13 | # GNU General Public License for more details. |
---|
| 14 | # |
---|
| 15 | # You should have received a copy of the GNU General Public License |
---|
| 16 | # along with this program; if not, write to the Free Software |
---|
| 17 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA |
---|
| 18 | # |
---|
| 19 | # See /COPYRIGHT in this repository for more information. |
---|
| 20 | # |
---|
[2066] | 21 | --- krb5-1.9/src/lib/krb5/os/kuserok.c.old 2011-04-16 19:09:58.000000000 -0400 |
---|
| 22 | +++ krb5-1.9/src/lib/krb5/os/kuserok.c 2011-04-16 19:34:23.000000000 -0400 |
---|
| 23 | @@ -32,6 +32,7 @@ |
---|
| 24 | #if !defined(_WIN32) /* Not yet for Windows */ |
---|
[1] | 25 | #include <stdio.h> |
---|
| 26 | #include <pwd.h> |
---|
| 27 | +#include <sys/wait.h> |
---|
| 28 | |
---|
| 29 | #if defined(_AIX) && defined(_IBMR2) |
---|
| 30 | #include <sys/access.h> |
---|
[2066] | 31 | @@ -51,39 +52,6 @@ |
---|
| 32 | enum result { ACCEPT, REJECT, PASS }; |
---|
| 33 | |
---|
| 34 | /* |
---|
| 35 | - * Find the k5login filename for luser, either in the user's homedir or in a |
---|
| 36 | - * configured directory under the username. |
---|
| 37 | - */ |
---|
| 38 | -static krb5_error_code |
---|
| 39 | -get_k5login_filename(krb5_context context, const char *luser, |
---|
| 40 | - const char *homedir, char **filename_out) |
---|
| 41 | -{ |
---|
| 42 | - krb5_error_code ret; |
---|
| 43 | - char *dir, *filename; |
---|
| 44 | - |
---|
| 45 | - *filename_out = NULL; |
---|
| 46 | - ret = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS, |
---|
| 47 | - KRB5_CONF_K5LOGIN_DIRECTORY, NULL, NULL, &dir); |
---|
| 48 | - if (ret != 0) |
---|
| 49 | - return ret; |
---|
| 50 | - |
---|
| 51 | - if (dir == NULL) { |
---|
| 52 | - /* Look in the user's homedir. */ |
---|
| 53 | - if (asprintf(&filename, "%s/.k5login", homedir) < 0) |
---|
| 54 | - return ENOMEM; |
---|
| 55 | - } else { |
---|
| 56 | - /* Look in the configured directory. */ |
---|
| 57 | - if (asprintf(&filename, "%s/%s", dir, luser) < 0) |
---|
| 58 | - ret = ENOMEM; |
---|
| 59 | - profile_release_string(dir); |
---|
| 60 | - if (ret) |
---|
| 61 | - return ret; |
---|
| 62 | - } |
---|
| 63 | - *filename_out = filename; |
---|
| 64 | - return 0; |
---|
| 65 | -} |
---|
| 66 | - |
---|
| 67 | -/* |
---|
| 68 | * Determine whether principal is authorized to log in as luser according to |
---|
| 69 | * the user's k5login file. Return ACCEPT if the k5login file authorizes the |
---|
| 70 | * principal, PASS if the k5login file does not exist, or REJECT if the k5login |
---|
| 71 | @@ -93,13 +61,12 @@ |
---|
| 72 | static enum result |
---|
| 73 | k5login_ok(krb5_context context, krb5_principal principal, const char *luser) |
---|
[1] | 74 | { |
---|
[2066] | 75 | - int authoritative = TRUE, gobble; |
---|
| 76 | + int authoritative = TRUE; |
---|
| 77 | enum result result = REJECT; |
---|
| 78 | - char *filename = NULL, *princname = NULL; |
---|
| 79 | - char *newline, linebuf[BUFSIZ], pwbuf[BUFSIZ]; |
---|
| 80 | - struct stat sbuf; |
---|
| 81 | + char *princname = NULL; |
---|
| 82 | + char pwbuf[BUFSIZ]; |
---|
| 83 | struct passwd pwx, *pwd; |
---|
| 84 | - FILE *fp = NULL; |
---|
[1] | 85 | + int pid, status; |
---|
| 86 | |
---|
[2066] | 87 | if (profile_get_boolean(context->profile, KRB5_CONF_LIBDEFAULTS, |
---|
| 88 | KRB5_CONF_K5LOGIN_AUTHORITATIVE, NULL, TRUE, |
---|
| 89 | @@ -110,46 +77,29 @@ |
---|
[1] | 90 | if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0) |
---|
[2066] | 91 | goto cleanup; |
---|
| 92 | |
---|
| 93 | - if (get_k5login_filename(context, luser, pwd->pw_dir, &filename) != 0) |
---|
| 94 | - goto cleanup; |
---|
[1] | 95 | - |
---|
[2066] | 96 | - if (access(filename, F_OK) != 0) { |
---|
| 97 | - result = PASS; |
---|
| 98 | - goto cleanup; |
---|
[1] | 99 | - } |
---|
[2066] | 100 | - |
---|
| 101 | if (krb5_unparse_name(context, principal, &princname) != 0) |
---|
| 102 | goto cleanup; |
---|
[1] | 103 | |
---|
[2066] | 104 | - fp = fopen(filename, "r"); |
---|
| 105 | - if (fp == NULL) |
---|
| 106 | + if ((pid = fork()) == -1) |
---|
| 107 | goto cleanup; |
---|
[1693] | 108 | - set_cloexec_file(fp); |
---|
[2066] | 109 | - |
---|
| 110 | - /* For security reasons, the .k5login file must be owned either by |
---|
| 111 | - * the user or by root. */ |
---|
| 112 | - if (fstat(fileno(fp), &sbuf)) |
---|
| 113 | - goto cleanup; |
---|
| 114 | - if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) |
---|
| 115 | - goto cleanup; |
---|
| 116 | - |
---|
| 117 | - /* Check each line. */ |
---|
| 118 | - while (result != ACCEPT && (fgets(linebuf, sizeof(linebuf), fp) != NULL)) { |
---|
| 119 | - newline = strrchr(linebuf, '\n'); |
---|
| 120 | - if (newline != NULL) |
---|
| 121 | - *newline = '\0'; |
---|
| 122 | - if (strcmp(linebuf, princname) == 0) |
---|
| 123 | - result = ACCEPT; |
---|
| 124 | - /* Clean up the rest of the line if necessary. */ |
---|
| 125 | - if (newline == NULL) |
---|
| 126 | - while (((gobble = getc(fp)) != EOF) && gobble != '\n'); |
---|
| 127 | + |
---|
[1069] | 128 | + if (pid == 0) { |
---|
[2066] | 129 | + char *args[4]; |
---|
[1069] | 130 | +#define ADMOF_PATH "/usr/local/sbin/ssh-admof" |
---|
[2066] | 131 | + args[0] = ADMOF_PATH; |
---|
| 132 | + args[1] = (char *) luser; |
---|
| 133 | + args[2] = princname; |
---|
| 134 | + args[3] = NULL; |
---|
| 135 | + execv(ADMOF_PATH, args); |
---|
| 136 | + exit(1); |
---|
[1069] | 137 | } |
---|
[2066] | 138 | |
---|
[1] | 139 | + if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) { |
---|
[2066] | 140 | + result = ACCEPT; |
---|
| 141 | + } |
---|
[1] | 142 | + |
---|
[2066] | 143 | cleanup: |
---|
[1] | 144 | free(princname); |
---|
[2066] | 145 | - free(filename); |
---|
| 146 | - if (fp != NULL) |
---|
| 147 | - fclose(fp); |
---|
| 148 | /* If k5login files are non-authoritative, never reject. */ |
---|
| 149 | return (!authoritative && result == REJECT) ? PASS : result; |
---|
[1] | 150 | } |
---|