source:
trunk/server/common/patches/krb5-kuserok-scripts.patch
@
1824
Last change on this file since 1824 was 1693, checked in by ezyang, 14 years ago | |
---|---|
File size: 3.8 KB |
-
krb5-1.6.3/src/lib/krb5/os/kuserok.c
# scripts.mit.edu krb5 kuserok patch # Copyright (C) 2006 Tim Abbott <tabbott@mit.edu> # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA # # See /COPYRIGHT in this repository for more information. #
old new 31 31 #if !defined(_WIN32) /* Not yet for Windows */ 32 32 #include <stdio.h> 33 33 #include <pwd.h> 34 #include <sys/wait.h> 34 35 35 36 #if defined(_AIX) && defined(_IBMR2) 36 37 #include <sys/access.h> … … 71 72 { 72 73 struct stat sbuf; 73 74 struct passwd *pwd; 74 char pbuf[MAXPATHLEN];75 75 krb5_boolean isok = FALSE; 76 76 FILE *fp; 77 77 char kuser[MAX_USERNAME]; … … 79 79 char linebuf[BUFSIZ]; 80 80 char *newline; 81 81 int gobble; 82 int pid, status; 82 83 83 84 /* no account => no access */ 84 85 char pwbuf[BUFSIZ]; 85 86 struct passwd pwx; 86 87 if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0) 87 88 return(FALSE); 88 (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);89 pbuf[sizeof(pbuf) - 1] = '\0';90 (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));91 92 if (access(pbuf, F_OK)) { /* not accessible */93 /*94 * if he's trying to log in as himself, and there is no .k5login file,95 * let him. To find out, call96 * krb5_aname_to_localname to convert the principal to a name97 * which we can string compare.98 */99 if (!(krb5_aname_to_localname(context, principal,100 sizeof(kuser), kuser))101 && (strcmp(kuser, luser) == 0)) {102 return(TRUE);103 }104 }105 89 if (krb5_unparse_name(context, principal, &princname)) 106 90 return(FALSE); /* no hope of matching */ 107 91 108 /* open ~/.k5login */ 109 if ((fp = fopen(pbuf, "r")) == NULL) { 110 free(princname); 111 return(FALSE); 112 } 113 set_cloexec_file(fp); 114 /* 115 * For security reasons, the .k5login file must be owned either by 116 * the user himself, or by root. Otherwise, don't grant access. 117 */ 118 if (fstat(fileno(fp), &sbuf)) { 119 fclose(fp); 120 free(princname); 121 return(FALSE); 92 if ((pid = fork()) == -1) { 93 free(princname); 94 return(FALSE); 122 95 } 123 if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) { 124 fclose(fp); 125 free(princname); 126 return(FALSE); 96 if (pid == 0) { 97 char *args[4]; 98 #define ADMOF_PATH "/usr/local/sbin/ssh-admof" 99 args[0] = ADMOF_PATH; 100 args[1] = (char *) luser; 101 args[2] = princname; 102 args[3] = NULL; 103 execv(ADMOF_PATH, args); 104 exit(1); 127 105 } 128 129 /* check each line */ 130 while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) { 131 /* null-terminate the input string */ 132 linebuf[BUFSIZ-1] = '\0'; 133 newline = NULL; 134 /* nuke the newline if it exists */ 135 if ((newline = strchr(linebuf, '\n'))) 136 *newline = '\0'; 137 if (!strcmp(linebuf, princname)) { 138 isok = TRUE; 139 continue; 140 } 141 /* clean up the rest of the line if necessary */ 142 if (!newline) 143 while (((gobble = getc(fp)) != EOF) && gobble != '\n'); 106 if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) { 107 isok=TRUE; 144 108 } 109 145 110 free(princname); 146 fclose(fp);147 111 return(isok); 148 112 } 149 113
Note: See TracBrowser
for help on using the repository browser.