source: trunk/server/common/patches/krb5-kuserok-scripts.patch @ 1759

Last change on this file since 1759 was 1693, checked in by ezyang, 14 years ago
Merge Fedora 13 development back to trunk.
  • krb5-1.6.3/src/lib/krb5/os/kuserok.c

    # scripts.mit.edu krb5 kuserok patch
    # Copyright (C) 2006  Tim Abbott <tabbott@mit.edu>
    #
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of the GNU General Public License
    # as published by the Free Software Foundation; either version 2
    # of the License, or (at your option) any later version.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program; if not, write to the Free Software
    # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
    #
    # See /COPYRIGHT in this repository for more information.
    #
    old new  
    3131#if !defined(_WIN32)            /* Not yet for Windows */
    3232#include <stdio.h>
    3333#include <pwd.h>
     34#include <sys/wait.h>
    3435
    3536#if defined(_AIX) && defined(_IBMR2)
    3637#include <sys/access.h>
     
    7172{
    7273    struct stat sbuf;
    7374    struct passwd *pwd;
    74     char pbuf[MAXPATHLEN];
    7575    krb5_boolean isok = FALSE;
    7676    FILE *fp;
    7777    char kuser[MAX_USERNAME];
     
    7979    char linebuf[BUFSIZ];
    8080    char *newline;
    8181    int gobble;
     82    int pid, status;
    8283
    8384    /* no account => no access */
    8485    char pwbuf[BUFSIZ];
    8586    struct passwd pwx;
    8687    if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0)
    8788        return(FALSE);
    88     (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
    89     pbuf[sizeof(pbuf) - 1] = '\0';
    90     (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));
    91 
    92     if (access(pbuf, F_OK)) {    /* not accessible */
    93         /*
    94          * if he's trying to log in as himself, and there is no .k5login file,
    95          * let him.  To find out, call
    96          * krb5_aname_to_localname to convert the principal to a name
    97          * which we can string compare.
    98          */
    99         if (!(krb5_aname_to_localname(context, principal,
    100                                       sizeof(kuser), kuser))
    101             && (strcmp(kuser, luser) == 0)) {
    102             return(TRUE);
    103         }
    104     }
    10589    if (krb5_unparse_name(context, principal, &princname))
    10690        return(FALSE);                  /* no hope of matching */
    10791
    108     /* open ~/.k5login */
    109     if ((fp = fopen(pbuf, "r")) == NULL) {
    110         free(princname);
    111         return(FALSE);
    112     }
    113     set_cloexec_file(fp);
    114     /*
    115      * For security reasons, the .k5login file must be owned either by
    116      * the user himself, or by root.  Otherwise, don't grant access.
    117      */
    118     if (fstat(fileno(fp), &sbuf)) {
    119         fclose(fp);
    120         free(princname);
    121         return(FALSE);
     92    if ((pid = fork()) == -1) {
     93       free(princname);
     94       return(FALSE);
    12295    }
    123     if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) {
    124         fclose(fp);
    125         free(princname);
    126         return(FALSE);
     96    if (pid == 0) {
     97       char *args[4];
     98#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
     99       args[0] = ADMOF_PATH;
     100       args[1] = (char *) luser;
     101       args[2] = princname;
     102       args[3] = NULL;
     103       execv(ADMOF_PATH, args);
     104       exit(1);
    127105    }
    128 
    129     /* check each line */
    130     while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) {
    131         /* null-terminate the input string */
    132         linebuf[BUFSIZ-1] = '\0';
    133         newline = NULL;
    134         /* nuke the newline if it exists */
    135         if ((newline = strchr(linebuf, '\n')))
    136             *newline = '\0';
    137         if (!strcmp(linebuf, princname)) {
    138             isok = TRUE;
    139             continue;
    140         }
    141         /* clean up the rest of the line if necessary */
    142         if (!newline)
    143             while (((gobble = getc(fp)) != EOF) && gobble != '\n');
     106    if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) {
     107       isok=TRUE;
    144108    }
     109   
    145110    free(princname);
    146     fclose(fp);
    147111    return(isok);
    148112}
    149113
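Review bot: In the child branch of the fork hunk, the fallback after a failed `execv` is `exit(1)`, which runs the parent's atexit handlers and flushes the parent's duplicated stdio buffers from inside the child; it should be `_exit(1);` so the child only terminates. The parent's `waitpid(pid, &status, 0) > 0` test also treats an EINTR-interrupted wait as a denial, which is fail-closed but spurious; a retry such as `while ((rc = waitpid(pid, &status, 0)) == -1 && errno == EINTR) ;` before the `WIFEXITED`/`WEXITSTATUS` checks avoids that while keeping the default of FALSE. `pid` is declared `int` where `pid_t` is the type `fork`/`waitpid` use, and the magic exit code `33` deserves a named constant next to `ADMOF_PATH`, e.g. `#define ADMOF_EXIT_OK 33 /* helper's "principal authorized" status */`. The helper is executed with the calling process's environment and open descriptors inherited as-is, which is presumably acceptable only because the caller (sshd-style) is trusted; a comment stating that assumption would help reviewers. The enclosing function's signature lies above this hunk, so its contract is not visible here.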