source: branches/fc15-dev/server/common/patches/krb5-kuserok-scripts.patch @ 1819

# scripts.mit.edu krb5 kuserok patch
# Copyright (C) 2006  Tim Abbott <tabbott@mit.edu>
#               2011  Alexander Chernyakhovsky <achernya@mit.edu>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
#
# See /COPYRIGHT in this repository for more information.
#
--- krb5-1.9/src/lib/krb5/os/kuserok.c.old      2011-04-16 19:09:58.000000000 -0400
+++ krb5-1.9/src/lib/krb5/os/kuserok.c  2011-04-16 19:34:23.000000000 -0400
@@ -32,6 +32,7 @@
 #if !defined(_WIN32)            /* Not yet for Windows */
 #include <stdio.h>
 #include <pwd.h>
+#include <sys/wait.h>
 
 #if defined(_AIX) && defined(_IBMR2)
 #include <sys/access.h>
@@ -93,13 +94,12 @@
 static enum result
 k5login_ok(krb5_context context, krb5_principal principal, const char *luser)
 {
-    int authoritative = TRUE, gobble;
+    int authoritative = TRUE;
     enum result result = REJECT;
     char *filename = NULL, *princname = NULL;
-    char *newline, linebuf[BUFSIZ], pwbuf[BUFSIZ];
-    struct stat sbuf;
+    char pwbuf[BUFSIZ];
     struct passwd pwx, *pwd;
-    FILE *fp = NULL;
+    int pid, status;
 
     if (profile_get_boolean(context->profile, KRB5_CONF_LIBDEFAULTS,
                             KRB5_CONF_K5LOGIN_AUTHORITATIVE, NULL, TRUE,
@@ -110,46 +110,30 @@
     if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0)
         goto cleanup;
 
-    if (get_k5login_filename(context, luser, pwd->pw_dir, &filename) != 0)
-        goto cleanup;
-
-    if (access(filename, F_OK) != 0) {
-        result = PASS;
-        goto cleanup;
-    }
-
     if (krb5_unparse_name(context, principal, &princname) != 0)
         goto cleanup;
 
-    fp = fopen(filename, "r");
-    if (fp == NULL)
+    if ((pid = fork()) == -1)
         goto cleanup;
-    set_cloexec_file(fp);
-
-    /* For security reasons, the .k5login file must be owned either by
-     * the user or by root. */
-    if (fstat(fileno(fp), &sbuf))
-        goto cleanup;
-    if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid))
-        goto cleanup;
-
-    /* Check each line. */
-    while (result != ACCEPT && (fgets(linebuf, sizeof(linebuf), fp) != NULL)) {
-        newline = strrchr(linebuf, '\n');
-        if (newline != NULL)
-            *newline = '\0';
-        if (strcmp(linebuf, princname) == 0)
-            result = ACCEPT;
-        /* Clean up the rest of the line if necessary. */
-        if (newline == NULL)
-            while (((gobble = getc(fp)) != EOF) && gobble != '\n');
+    
+    if (pid == 0) {
+        char *args[4];
+#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
+        args[0] = ADMOF_PATH;
+        args[1] = (char *) luser;
+        args[2] = princname;
+        args[3] = NULL;
+        execv(ADMOF_PATH, args);
+        exit(1);
     }
 
+    if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) {
+        result = ACCEPT;
+    }
+    
 cleanup:
     free(princname);
     free(filename);
-    if (fp != NULL)
-        fclose(fp);
     /* If k5login files are non-authoritative, never reject. */
     return (!authoritative && result == REJECT) ? PASS : result;
 }