source:
trunk/server/common/patches/krb5-kuserok-scripts.patch
@
2458
Last change on this file since 2458 was 2066, checked in by achernya, 13 years ago | |
---|---|
File size: 5.0 KB |
-
krb5-1.9/src/lib/krb5/os/kuserok.c
# scripts.mit.edu krb5 kuserok patch # Copyright (C) 2006 Tim Abbott <tabbott@mit.edu> # 2011 Alexander Chernyakhovsky <achernya@mit.edu> # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA # # See /COPYRIGHT in this repository for more information. #
old new 32 32 #if !defined(_WIN32) /* Not yet for Windows */ 33 33 #include <stdio.h> 34 34 #include <pwd.h> 35 #include <sys/wait.h> 35 36 36 37 #if defined(_AIX) && defined(_IBMR2) 37 38 #include <sys/access.h> … … 51 52 enum result { ACCEPT, REJECT, PASS }; 52 53 53 54 /* 54 * Find the k5login filename for luser, either in the user's homedir or in a55 * configured directory under the username.56 */57 static krb5_error_code58 get_k5login_filename(krb5_context context, const char *luser,59 const char *homedir, char **filename_out)60 {61 krb5_error_code ret;62 char *dir, *filename;63 64 *filename_out = NULL;65 ret = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,66 KRB5_CONF_K5LOGIN_DIRECTORY, NULL, NULL, &dir);67 if (ret != 0)68 return ret;69 70 if (dir == NULL) {71 /* Look in the user's homedir. */72 if (asprintf(&filename, "%s/.k5login", homedir) < 0)73 return ENOMEM;74 } else {75 /* Look in the configured directory. */76 if (asprintf(&filename, "%s/%s", dir, luser) < 0)77 ret = ENOMEM;78 profile_release_string(dir);79 if (ret)80 return ret;81 }82 *filename_out = filename;83 return 0;84 }85 86 /*87 55 * Determine whether principal is authorized to log in as luser according to 88 56 * the user's k5login file. Return ACCEPT if the k5login file authorizes the 89 57 * principal, PASS if the k5login file does not exist, or REJECT if the k5login … … 93 61 static enum result 94 62 k5login_ok(krb5_context context, krb5_principal principal, const char *luser) 95 63 { 96 int authoritative = TRUE , gobble;64 int authoritative = TRUE; 97 65 enum result result = REJECT; 98 char *filename = NULL, *princname = NULL; 99 char *newline, linebuf[BUFSIZ], pwbuf[BUFSIZ]; 100 struct stat sbuf; 66 char *princname = NULL; 67 char pwbuf[BUFSIZ]; 101 68 struct passwd pwx, *pwd; 102 FILE *fp = NULL;69 int pid, status; 103 70 104 71 if (profile_get_boolean(context->profile, KRB5_CONF_LIBDEFAULTS, 105 72 KRB5_CONF_K5LOGIN_AUTHORITATIVE, NULL, TRUE, … … 110 77 if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0) 111 78 goto cleanup; 112 79 113 if (get_k5login_filename(context, luser, pwd->pw_dir, &filename) != 0)114 goto cleanup;115 116 if (access(filename, F_OK) != 0) {117 result = PASS;118 goto cleanup;119 }120 121 80 if (krb5_unparse_name(context, principal, &princname) != 0) 122 81 goto cleanup; 123 82 124 fp = fopen(filename, "r"); 125 if (fp == NULL) 83 if ((pid = fork()) == -1) 126 84 goto cleanup; 127 set_cloexec_file(fp); 128 129 /* For security reasons, the .k5login file must be owned either by 130 * the user or by root. */ 131 if (fstat(fileno(fp), &sbuf)) 132 goto cleanup; 133 if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) 134 goto cleanup; 135 136 /* Check each line. */ 137 while (result != ACCEPT && (fgets(linebuf, sizeof(linebuf), fp) != NULL)) { 138 newline = strrchr(linebuf, '\n'); 139 if (newline != NULL) 140 *newline = '\0'; 141 if (strcmp(linebuf, princname) == 0) 142 result = ACCEPT; 143 /* Clean up the rest of the line if necessary. */ 144 if (newline == NULL) 145 while (((gobble = getc(fp)) != EOF) && gobble != '\n'); 85 86 if (pid == 0) { 87 char *args[4]; 88 #define ADMOF_PATH "/usr/local/sbin/ssh-admof" 89 args[0] = ADMOF_PATH; 90 args[1] = (char *) luser; 91 args[2] = princname; 92 args[3] = NULL; 93 execv(ADMOF_PATH, args); 94 exit(1); 146 95 } 147 96 97 if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) { 98 result = ACCEPT; 99 } 100 148 101 cleanup: 149 102 free(princname); 150 free(filename);151 if (fp != NULL)152 fclose(fp);153 103 /* If k5login files are non-authoritative, never reject. */ 154 104 return (!authoritative && result == REJECT) ? PASS : result; 155 105 }
Note: See TracBrowser
for help on using the repository browser.