authorSimo Sorce <simo@redhat.com>2013-04-01 13:55:01 -0400
committerSimo Sorce <simo@redhat.com>2013-04-10 10:06:56 -0400
commit2fa0fdc2c184d70bb45dad89f42e427d7813ca09 (patch)
tree7e808dfcd64316d78b0009cfabd802d93c66ea1a
parent219cd176565419338b9cbcd24f3b8e31961fbc16 (diff)
Add generic function to get creds defaults
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
-rw-r--r--proxy/Makefile.am9
-rw-r--r--proxy/contrib/gssproxy.spec.in3
-rw-r--r--proxy/src/gp_creds.c79
3 files changed, 66 insertions, 25 deletions
diff --git a/proxy/Makefile.am b/proxy/Makefile.am
index ea16bed..05f64af 100644
--- a/proxy/Makefile.am
+++ b/proxy/Makefile.am
@@ -20,15 +20,16 @@ gsspconfdir = $(sysconfdir)/gssproxy
gssconfdir = $(sysconfdir)/gss
localedir = @localedir@
-pidpath = @pidpath@
ccpath = @ccpath@
-pipepath = @pipepath@
initdir = @initdir@
systemdunitdir = @systemdunitdir@
logpath = @logpath@
pubconfpath = @pubconfpath@
pkgconfigdir = $(libdir)/pkgconfig
+gpstatedir = $(localstatedir)/lib/gssproxy
+gpclidir = $(gpstatedir)/clients
+
AM_CFLAGS =
if WANT_AUX_INFO
AM_CFLAGS += -aux-info $@.X
@@ -232,9 +233,9 @@ installgsspdirs::
$(DESTDIR)$(mandir) \
$(DESTDIR)$(gsspconfdir) \
$(DESTDIR)$(gssconfdir) \
- $(DESTDIR)$(pidpath) \
- $(DESTDIR)$(pipepath) \
$(DESTDIR)$(logpath) \
+ $(DESTDIR)$(gpstatedir) \
+ $(DESTDIR)$(gpclidir) \
$(DESTDIR)$(pubconfpath)
if HAVE_DOXYGEN
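Review bot: The new `$(DESTDIR)$(gpclidir)` is the directory that the per-uid client keytabs are later read from, but this rule only lists it as a directory to create and the spec file is what pins both new directories to `0700 root`; a plain `make install` outside the RPM will therefore create them with whatever mode the rule's (unseen) mkdir command and the caller's umask produce. The command line of `installgsspdirs::` starts before this hunk, so I cannot see whether it already passes a mode; if it does not, creating the two state directories separately with an explicit mode, e.g. `$(MKDIR_P) -m 700 $(DESTDIR)$(gpstatedir) $(DESTDIR)$(gpclidir)`, keeps the Makefile and the spec in agreement about who may read the keytabs.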
diff --git a/proxy/contrib/gssproxy.spec.in b/proxy/contrib/gssproxy.spec.in
index b5cba7c..7ba0f14 100644
--- a/proxy/contrib/gssproxy.spec.in
+++ b/proxy/contrib/gssproxy.spec.in
@@ -11,6 +11,7 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
%global servicename gssproxy
%global pubconfpath %{_sysconfdir}/gssproxy
+%global gpstatedir %{_localstatedir}/lib/gssproxy
### Patches ###
@@ -79,6 +80,8 @@ rm -rf %{buildroot}
%{_unitdir}/gssproxy.service
%{_sbindir}/gssproxy
%attr(755,root,root) %dir %{pubconfpath}
+%attr(700,root,root) %dir %{gpstatedir}
+%attr(700,root,root) %dir %{gpstatedir}/clients
%attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/gssproxy.conf
%{_libdir}/gssproxy/proxymech.so
%{_mandir}/man5/gssproxy.conf.5*
diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
index 7e0f492..43ab169 100644
--- a/proxy/src/gp_creds.c
+++ b/proxy/src/gp_creds.c
@@ -176,17 +176,24 @@ done:
return str;
}
-static char *gp_get_ccache_name(struct gp_service *svc,
- gssx_name *desired_name,
- gss_name_t *requested_name)
+#define DEFAULT_CCACHE ""CCACHE_PATH"/krb5cc_%u"
+#define DEFAULT_CLIENT_KEYTAB ""VARDIR"lib/gssproxy/clients/%u.keytab"
+
+static int gp_get_cred_environment(struct gp_service *svc,
+ gssx_name *desired_name,
+ gss_name_t *requested_name, char **_ccache,
+ char **_client_keytab, char **_keytab)
{
gss_name_t name = GSS_C_NO_NAME;
gss_OID_desc name_type;
uint32_t ret_maj = 0;
uint32_t ret_min = 0;
uid_t target_uid;
+ const char *fmtstr;
char *ccache = NULL;
- int ret;
+ char *client_keytab = NULL;
+ char *keytab = NULL;
+ int ret = 0;
target_uid = svc->euid;
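Review bot: `DEFAULT_CLIENT_KEYTAB` concatenates `VARDIR` directly onto `"lib/gssproxy/clients/%u.keytab"` with no separator, while `DEFAULT_CCACHE` right above it inserts a `/` after `CCACHE_PATH`; unless `VARDIR` is defined with a trailing slash (its definition is not in this hunk) the default expands to something like `/varlib/gssproxy/clients/…` and every client keytab lookup silently misses. The Makefile in this same commit builds the directory as `$(localstatedir)/lib/gssproxy/clients`, so the safer spelling is `#define DEFAULT_CLIENT_KEYTAB VARDIR"/lib/gssproxy/clients/%u.keytab"` with a comment noting it must match `gpclidir` in Makefile.am; if `VARDIR` really does carry the slash, a comment saying so next to the macro would stop the next reader from "fixing" it. The leading empty `""` in both macros is harmless but does nothing and can be dropped.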
@@ -207,19 +214,45 @@ static char *gp_get_ccache_name(struct gp_service *svc,
}
if (svc->krb5.ccache == NULL) {
- ret = asprintf(&ccache, "%s/krb5cc_%u", CCACHE_PATH, target_uid);
- if (ret == -1) {
- ccache = NULL;
- }
+ fmtstr = DEFAULT_CCACHE;
} else {
- ccache = get_formatted_string(svc->krb5.ccache, target_uid);
+ fmtstr = svc->krb5.ccache;
}
-
-done:
+ ccache = get_formatted_string(fmtstr, target_uid);
if (!ccache) {
GPDEBUG("Failed to construct ccache string.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (svc->krb5.client_keytab == NULL) {
+ fmtstr = DEFAULT_CLIENT_KEYTAB;
+ } else {
+ fmtstr = svc->krb5.client_keytab;
+ }
+ client_keytab = get_formatted_string(fmtstr, target_uid);
+ if (!client_keytab) {
+ GPDEBUG("Failed to construct client_keytab string.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (svc->krb5.keytab != NULL) {
+ fmtstr = svc->krb5.keytab;
+ keytab = get_formatted_string(svc->krb5.ccache, target_uid);
+ }
+
+ *_ccache = ccache;
+ *_client_keytab = client_keytab;
+ *_keytab = keytab;
+
+done:
+ if (ret) {
+ free(ccache);
+ free(client_keytab);
+ free(keytab);
}
- return ccache;
+ return ret;
}
uint32_t gp_add_krb5_creds(uint32_t *min,
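Review bot: The keytab branch formats the wrong template: `fmtstr` is set to `svc->krb5.keytab` but the next line calls `get_formatted_string(svc->krb5.ccache, target_uid)`, so when a keytab is configured the acceptor keytab name handed to `krb5_kt_resolve` is actually the expanded ccache path (or NULL if no ccache is configured). The result is also the only one of the three strings whose NULL return is not checked; because the caller later treats a NULL `keytab_name` as "no keytab configured", an allocation failure here silently turns an explicitly configured keytab into no keytab instead of an error, which is the opposite of what the `ENOMEM` handling for `ccache` and `client_keytab` does. Use `fmtstr` like the other two branches and fail the same way on NULL.
```c
    if (svc->krb5.keytab != NULL) {
        fmtstr = svc->krb5.keytab;
        keytab = get_formatted_string(fmtstr, target_uid);
        if (!keytab) {
            GPDEBUG("Failed to construct keytab string.\n");
            ret = ENOMEM;
            goto done;
        }
    }
    /* … unchanged: output assignment and done: cleanup … */
```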
@@ -234,7 +267,9 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
uint32_t *initiator_time_rec,
uint32_t *acceptor_time_rec)
{
- char *ccache_name;
+ char *ccache_name = NULL;
+ char *client_keytab = NULL;
+ char *keytab_name = NULL;
krb5_context kctx;
krb5_principal principal = NULL;
krb5_keytab keytab = NULL;
@@ -274,13 +309,15 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
goto done;
}
- if (cred_usage == GSS_C_BOTH || cred_usage == GSS_C_INITIATE) {
- ccache_name = gp_get_ccache_name(svc, desired_name, &req_name);
- if (!ccache_name) {
- ret_maj = GSS_S_CRED_UNAVAIL;
- goto done;
- }
+ ret_min = gp_get_cred_environment(svc, desired_name, &req_name,
+ &ccache_name, &client_keytab,
+ &keytab_name);
+ if (ret_min) {
+ ret_maj = GSS_S_CRED_UNAVAIL;
+ goto done;
+ }
+ if (cred_usage == GSS_C_BOTH || cred_usage == GSS_C_INITIATE) {
kerr = krb5_cc_resolve(kctx, ccache_name, &ccache);
if (kerr) {
ret_maj = GSS_S_FAILURE;
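Review bot: `gp_get_cred_environment()` is now called unconditionally and hands back three heap strings, whereas before only `ccache_name` existed and only on the `GSS_C_INITIATE`/`GSS_C_BOTH` path; the `done:` label that must free `ccache_name`, `client_keytab` and `keytab_name` is outside this hunk, so please confirm it frees all three, otherwise the two new strings leak on every call. The comment at the top of this block should say who owns them, e.g. `/* ccache_name, client_keytab and keytab_name are malloc'd here and released at done: */`. Note also that `client_keytab` is populated but not consumed anywhere in the visible hunks (the `FIXME: initiate ?` below still stands), which is presumably deferred to a follow-up commit.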
@@ -291,8 +328,8 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
/* FIXME: initiate ? */
}
- if (svc->krb5.keytab) {
- kerr = krb5_kt_resolve(kctx, svc->krb5.keytab, &keytab);
+ if (keytab_name) {
+ kerr = krb5_kt_resolve(kctx, keytab_name, &keytab);
if (kerr != 0) {
ret_maj = GSS_S_FAILURE;
ret_min = kerr;