Changeset 1807 for branches/fc15-dev/server/common/patches
- Timestamp:
- Apr 16, 2011, 7:59:42 PM (14 years ago)
- File:
-
- 1 edited
branches/fc15-dev/server/common/patches/krb5-kuserok-scripts.patch
r1693 r1807 1 1 # scripts.mit.edu krb5 kuserok patch 2 2 # Copyright (C) 2006 Tim Abbott <tabbott@mit.edu> 3 # 2011 Alexander Chernyakhovsky <achernya@mit.edu> 3 4 # 4 5 # This program is free software; you can redistribute it and/or … … 18 19 # See /COPYRIGHT in this repository for more information. 19 20 # 20 --- krb5-1. 6.3/src/lib/krb5/os/kuserok.c.old 2009-04-08 06:17:06.000000000 -040021 +++ krb5-1. 6.3/src/lib/krb5/os/kuserok.c 2009-04-08 06:17:18.000000000 -040022 @@ -3 1,6 +31,7 @@23 #if !defined(_WIN32) 21 --- krb5-1.9/src/lib/krb5/os/kuserok.c.old 2011-04-16 19:09:58.000000000 -0400 22 +++ krb5-1.9/src/lib/krb5/os/kuserok.c 2011-04-16 19:34:23.000000000 -0400 23 @@ -32,6 +32,7 @@ 24 #if !defined(_WIN32) /* Not yet for Windows */ 24 25 #include <stdio.h> 25 26 #include <pwd.h> … … 28 29 #if defined(_AIX) && defined(_IBMR2) 29 30 #include <sys/access.h> 30 @@ -71,7 +72,6 @@ 31 { 31 @@ -100,6 +101,7 @@ 32 32 struct stat sbuf; 33 struct passwd *pwd; 34 - char pbuf[MAXPATHLEN]; 35 krb5_boolean isok = FALSE; 36 FILE *fp; 37 char kuser[MAX_USERNAME]; 38 @@ -79,71 +79,35 @@ 39 char linebuf[BUFSIZ]; 40 char *newline; 41 int gobble; 33 struct passwd pwx, *pwd; 34 FILE *fp = NULL; 42 35 + int pid, status; 43 36 44 /* no account => no access */45 char pwbuf[BUFSIZ];46 struct passwd pwx; 37 if (profile_get_boolean(context->profile, KRB5_CONF_LIBDEFAULTS, 38 KRB5_CONF_K5LOGIN_AUTHORITATIVE, NULL, TRUE, 39 
@@ -110,41 +112,27 @@ 47 40 if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0) 48 return(FALSE);49 - (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1); 50 - pbuf[sizeof(pbuf) - 1] = '\0';51 - (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));41 goto cleanup; 42 43 - if (get_k5login_filename(context, luser, pwd->pw_dir, &filename) != 0) 44 - goto cleanup; 52 45 - 53 - if (access(pbuf, F_OK)) { /* not accessible */ 54 - /* 55 - * if he's trying to log in as himself, and there is no .k5login file, 56 - * let him. To find out, call 57 - * krb5_aname_to_localname to convert the principal to a name 58 - * which we can string compare. 59 - */ 60 - if (!(krb5_aname_to_localname(context, principal, 61 - sizeof(kuser), kuser)) 62 - && (strcmp(kuser, luser) == 0)) { 63 - return(TRUE); 64 - } 46 - if (access(filename, F_OK) != 0) { 47 - result = PASS; 48 - goto cleanup; 65 49 - } 66 if (krb5_unparse_name(context, principal, &princname)) 67 return(FALSE); /* no hope of matching */ 50 - 51 if (krb5_unparse_name(context, principal, &princname) != 0) 52 goto cleanup; 68 53 69 - /* open ~/.k5login */ 70 - if ((fp = fopen(pbuf, "r")) == NULL) { 71 - free(princname); 72 - return(FALSE); 73 - } 54 - fp = fopen(filename, "r"); 55 - if (fp == NULL) 56 + if ((pid = fork()) == -1) 57 goto cleanup; 74 58 - set_cloexec_file(fp); 75 - /* 76 - * For security reasons, the .k5login file must be owned either by 77 - * the user himself, or by root. Otherwise, don't grant access. 78 - */ 79 - if (fstat(fileno(fp), &sbuf)) { 80 - fclose(fp); 81 - free(princname); 82 - return(FALSE); 83 + if ((pid = fork()) == -1) { 84 + free(princname); 85 + return(FALSE); 59 - 60 - /* For security reasons, the .k5login file must be owned either by 61 - * the user or by root. */ 62 - if (fstat(fileno(fp), &sbuf)) 63 - goto cleanup; 64 - if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) 65 - goto cleanup; 66 - 67 - /* Check each line. 
*/ 68 - while (result != ACCEPT && (fgets(linebuf, sizeof(linebuf), fp) != NULL)) { 69 - newline = strrchr(linebuf, '\n'); 70 - if (newline != NULL) 71 - *newline = '\0'; 72 - if (strcmp(linebuf, princname) == 0) 73 - result = ACCEPT; 74 - /* Clean up the rest of the line if necessary. */ 75 - if (newline == NULL) 76 - while (((gobble = getc(fp)) != EOF) && gobble != '\n'); 77 + 78 + if (pid == 0) { 79 + char *args[4]; 80 +#define ADMOF_PATH "/usr/local/sbin/ssh-admof" 81 + args[0] = ADMOF_PATH; 82 + args[1] = (char *) luser; 83 + args[2] = princname; 84 + args[3] = NULL; 85 + execv(ADMOF_PATH, args); 86 + exit(1); 86 87 } 87 - if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) { 88 - fclose(fp); 89 - free(princname); 90 - return(FALSE); 91 + if (pid == 0) { 92 + char *args[4]; 93 +#define ADMOF_PATH "/usr/local/sbin/ssh-admof" 94 + args[0] = ADMOF_PATH; 95 + args[1] = (char *) luser; 96 + args[2] = princname; 97 + args[3] = NULL; 98 + execv(ADMOF_PATH, args); 99 + exit(1); 100 } 101 - 102 - /* check each line */ 103 - while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) { 104 - /* null-terminate the input string */ 105 - linebuf[BUFSIZ-1] = '\0'; 106 - newline = NULL; 107 - /* nuke the newline if it exists */ 108 - if ((newline = strchr(linebuf, '\n'))) 109 - *newline = '\0'; 110 - if (!strcmp(linebuf, princname)) { 111 - isok = TRUE; 112 - continue; 113 - } 114 - /* clean up the rest of the line if necessary */ 115 - if (!newline) 116 - while (((gobble = getc(fp)) != EOF) && gobble != '\n'); 88 117 89 + if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) { 118 + isok=TRUE;119 90 + result = ACCEPT; 91 + } 120 92 + 93 cleanup: 121 94 free(princname); 122 - fclose(fp); 123 return(isok); 124 } 125 95 free(filename);
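Review bot: In the child branch, the fallback after `execv(ADMOF_PATH, args)` fails is `exit(1)`, which runs the parent's atexit handlers and flushes stdio buffers duplicated by fork() inside the child; use `_exit(1);` there instead. `int pid, status;` should declare `pid_t pid;` to match the fork()/waitpid() return type, and the `waitpid(pid, &status, 0) > 0` test turns an EINTR interruption into a rejection — fail-closed, which is fine, but either retry on EINTR or add a comment stating that intent. Since the only assignment to `filename` was removed with the `get_k5login_filename` call, `free(filename)` at `cleanup:` is safe only if its declaration (outside the hunk) initializes it to NULL — confirm. The helper also inherits every descriptor the calling process holds open without FD_CLOEXEC; in a library routine called from a privileged daemon it is worth closing or marking those before the execv(), or documenting that ssh-admof is expected to tolerate them. krb5_kuserok's declarations and its final return lie outside this hunk.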