source: trunk/server/common/patches/krb5-kuserok-scripts.patch @ 2220

Last change on this file since 2220 was 2066, checked in by achernya, 14 years ago
Merge branches/fc15-dev to trunk
File size: 5.0 KB
RevLine 
[1]1# scripts.mit.edu krb5 kuserok patch
2# Copyright (C) 2006  Tim Abbott <tabbott@mit.edu>
[2066]3#               2011  Alexander Chernyakhovsky <achernya@mit.edu>
[1]4#
5# This program is free software; you can redistribute it and/or
6# modify it under the terms of the GNU General Public License
7# as published by the Free Software Foundation; either version 2
8# of the License, or (at your option) any later version.
9#
10# This program is distributed in the hope that it will be useful,
11# but WITHOUT ANY WARRANTY; without even the implied warranty of
12# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13# GNU General Public License for more details.
14#
15# You should have received a copy of the GNU General Public License
16# along with this program; if not, write to the Free Software
17# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
18#
19# See /COPYRIGHT in this repository for more information.
20#
[2066]21--- krb5-1.9/src/lib/krb5/os/kuserok.c.old      2011-04-16 19:09:58.000000000 -0400
22+++ krb5-1.9/src/lib/krb5/os/kuserok.c  2011-04-16 19:34:23.000000000 -0400
23@@ -32,6 +32,7 @@
24 #if !defined(_WIN32)            /* Not yet for Windows */
[1]25 #include <stdio.h>
26 #include <pwd.h>
27+#include <sys/wait.h>
28 
29 #if defined(_AIX) && defined(_IBMR2)
30 #include <sys/access.h>
[2066]31@@ -51,39 +52,6 @@
32 enum result { ACCEPT, REJECT, PASS };
33 
34 /*
35- * Find the k5login filename for luser, either in the user's homedir or in a
36- * configured directory under the username.
37- */
38-static krb5_error_code
39-get_k5login_filename(krb5_context context, const char *luser,
40-                     const char *homedir, char **filename_out)
41-{
42-    krb5_error_code ret;
43-    char *dir, *filename;
44-
45-    *filename_out = NULL;
46-    ret = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
47-                             KRB5_CONF_K5LOGIN_DIRECTORY, NULL, NULL, &dir);
48-    if (ret != 0)
49-        return ret;
50-
51-    if (dir == NULL) {
52-        /* Look in the user's homedir. */
53-        if (asprintf(&filename, "%s/.k5login", homedir) < 0)
54-            return ENOMEM;
55-    } else {
56-        /* Look in the configured directory. */
57-        if (asprintf(&filename, "%s/%s", dir, luser) < 0)
58-            ret = ENOMEM;
59-        profile_release_string(dir);
60-        if (ret)
61-            return ret;
62-    }
63-    *filename_out = filename;
64-    return 0;
65-}
66-
67-/*
68  * Determine whether principal is authorized to log in as luser according to
69  * the user's k5login file.  Return ACCEPT if the k5login file authorizes the
70  * principal, PASS if the k5login file does not exist, or REJECT if the k5login
71@@ -93,13 +61,12 @@
72 static enum result
73 k5login_ok(krb5_context context, krb5_principal principal, const char *luser)
[1]74 {
[2066]75-    int authoritative = TRUE, gobble;
76+    int authoritative = TRUE;
77     enum result result = REJECT;
78-    char *filename = NULL, *princname = NULL;
79-    char *newline, linebuf[BUFSIZ], pwbuf[BUFSIZ];
80-    struct stat sbuf;
81+    char *princname = NULL;
82+    char pwbuf[BUFSIZ];
83     struct passwd pwx, *pwd;
84-    FILE *fp = NULL;
[1]85+    int pid, status;
86 
[2066]87     if (profile_get_boolean(context->profile, KRB5_CONF_LIBDEFAULTS,
88                             KRB5_CONF_K5LOGIN_AUTHORITATIVE, NULL, TRUE,
89@@ -110,46 +77,29 @@
[1]90     if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0)
[2066]91         goto cleanup;
92 
93-    if (get_k5login_filename(context, luser, pwd->pw_dir, &filename) != 0)
94-        goto cleanup;
[1]95-
[2066]96-    if (access(filename, F_OK) != 0) {
97-        result = PASS;
98-        goto cleanup;
[1]99-    }
[2066]100-
101     if (krb5_unparse_name(context, principal, &princname) != 0)
102         goto cleanup;
[1]103 
[2066]104-    fp = fopen(filename, "r");
105-    if (fp == NULL)
106+    if ((pid = fork()) == -1)
107         goto cleanup;
[1693]108-    set_cloexec_file(fp);
[2066]109-
110-    /* For security reasons, the .k5login file must be owned either by
111-     * the user or by root. */
112-    if (fstat(fileno(fp), &sbuf))
113-        goto cleanup;
114-    if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid))
115-        goto cleanup;
116-
117-    /* Check each line. */
118-    while (result != ACCEPT && (fgets(linebuf, sizeof(linebuf), fp) != NULL)) {
119-        newline = strrchr(linebuf, '\n');
120-        if (newline != NULL)
121-            *newline = '\0';
122-        if (strcmp(linebuf, princname) == 0)
123-            result = ACCEPT;
124-        /* Clean up the rest of the line if necessary. */
125-        if (newline == NULL)
126-            while (((gobble = getc(fp)) != EOF) && gobble != '\n');
127+   
[1069]128+    if (pid == 0) {
[2066]129+        char *args[4];
[1069]130+#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
[2066]131+        args[0] = ADMOF_PATH;
132+        args[1] = (char *) luser;
133+        args[2] = princname;
134+        args[3] = NULL;
135+        execv(ADMOF_PATH, args);
136+        exit(1);
[1069]137     }
[2066]138 
[1]139+    if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) {
[2066]140+        result = ACCEPT;
141+    }
[1]142+   
[2066]143 cleanup:
[1]144     free(princname);
[2066]145-    free(filename);
146-    if (fp != NULL)
147-        fclose(fp);
148     /* If k5login files are non-authoritative, never reject. */
149     return (!authoritative && result == REJECT) ? PASS : result;
[1]150 }
Note: See TracBrowser for help on using the repository browser.