authorRichard Basch <probe@mit.edu>1996-05-13 11:54:07 +0000
committerRichard Basch <probe@mit.edu>1996-05-13 11:54:07 +0000
commitd8b222ffbe25b1ccd77db6f8b9f4b73726231533 (patch)
tree5277d2ba4ec67dc997c94403687c1b16a9bae006 /src/clients/ksu
parenta289c75bed54de526c176d3dad6a6356aa11ba07 (diff)
configure.in heuristic.c:
Change the euid before opening the source ccache, so we don't use someone else's ccache. authorization.c: users only in /.k5login were not permitted to use the '-e cmd' feature. The man page does not indicate that this should not be permitted... Also, lots of indentation cleanup was done... I couldn't read the code before. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@8013 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/clients/ksu')
-rw-r--r--src/clients/ksu/ChangeLog13
-rw-r--r--src/clients/ksu/authorization.c798
-rw-r--r--src/clients/ksu/configure.in3
-rw-r--r--src/clients/ksu/heuristic.c905
4 files changed, 853 insertions, 866 deletions
diff --git a/src/clients/ksu/ChangeLog b/src/clients/ksu/ChangeLog
index 84b76ddeee..e3b5d2dd33 100644
--- a/src/clients/ksu/ChangeLog
+++ b/src/clients/ksu/ChangeLog
@@ -1,3 +1,16 @@
+Mon May 13 06:50:12 1996 Richard Basch <basch@lehman.com>
+
+ * authorization.c: users in the .k5login were not permitted to use
+ the '-e command' flag; the man page does not indicate this should fail.
+ All users in .k5login, and those in .k5users (for the specified cmd)
+ are now allowed to execute commands.
+ Also, a lot of indentation cleanup was done.
+
+ * configure.in heuristic.c:
+ Before getting the best principal from the ccache, reset the euid;
+ we don't want to use someone else's ccache.
+ Also, a lot of indentation cleanup was done.
+
Wed Apr 10 20:24:49 1996 Richard Basch <basch@lehman.com>
* main.c, krb_auth_su.c: Mostly cosmetic cleanup of output
diff --git a/src/clients/ksu/authorization.c b/src/clients/ksu/authorization.c
index ec2dce8cf6..39e745995c 100644
--- a/src/clients/ksu/authorization.c
+++ b/src/clients/ksu/authorization.c
@@ -1,4 +1,4 @@
-/*
+/*
* Copyright (c) 1994 by the University of Southern California
*
* EXPORT OF THIS SOFTWARE from the United States of America may
@@ -10,7 +10,7 @@
* this software and its documentation in source and binary forms is
* hereby granted, provided that any documentation or other materials
* related to such distribution or use acknowledge that the software
- * was developed by the University of Southern California.
+ * was developed by the University of Southern California.
*
* DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED "AS IS". The
* University of Southern California MAKES NO REPRESENTATIONS OR
@@ -33,7 +33,7 @@ krb5_boolean fowner(fp, uid)
FILE *fp;
int uid;
{
-struct stat sbuf;
+ struct stat sbuf;
/*
* For security reasons, file must be owned either by
@@ -49,7 +49,7 @@ struct stat sbuf;
return(FALSE);
}
-return(TRUE);
+ return(TRUE);
}
/*
@@ -73,107 +73,102 @@ krb5_error_code krb5_authorization(context, principal, luser,
{
struct passwd *pwd;
char *princname;
- int k5login_flag =0;
- int k5users_flag =0;
- krb5_boolean retbool =FALSE;
- FILE * login_fp, * users_fp;
- krb5_error_code retval = 0;
+ int k5login_flag =0;
+ int k5users_flag =0;
+ krb5_boolean retbool =FALSE;
+ FILE * login_fp, * users_fp;
+ krb5_error_code retval = 0;
struct stat statbuf;
struct stat st_temp;
- *ok =FALSE;
+ *ok =FALSE;
/* no account => no access */
- if ((pwd = getpwnam(luser)) == NULL) {
+ if ((pwd = getpwnam(luser)) == NULL)
return 0;
- }
-
- if (retval = krb5_unparse_name(context, principal, &princname)){
- return retval;
- }
+ if (retval = krb5_unparse_name(context, principal, &princname))
+ return retval;
#ifdef DEBUG
- printf("principal to be authorized %s\n", princname);
- printf("login file: %s\n", k5login_path);
- printf("users file: %s\n", k5users_path);
+ printf("principal to be authorized %s\n", princname);
+ printf("login file: %s\n", k5login_path);
+ printf("users file: %s\n", k5users_path);
#endif
-
k5login_flag = stat(k5login_path, &st_temp);
k5users_flag = stat(k5users_path, &st_temp);
- /* k5login and k5users must be owned by target user or root */
- if (!k5login_flag){
- if ((login_fp = fopen(k5login_path, "r")) == NULL) {
- return 0;
- }
- if ( fowner(login_fp, pwd->pw_uid) == FALSE){
- return 0;
- }
- }
+ /* k5login and k5users must be owned by target user or root */
+ if (!k5login_flag){
+ if ((login_fp = fopen(k5login_path, "r")) == NULL)
+ return 0;
+ if ( fowner(login_fp, pwd->pw_uid) == FALSE)
+ return 0;
+ }
- if (!k5users_flag){
+ if (!k5users_flag){
if ((users_fp = fopen(k5users_path, "r")) == NULL) {
- return 0;
+ return 0;
}
- if ( fowner(users_fp, pwd->pw_uid) == FALSE){
- return 0;
+ if ( fowner(users_fp, pwd->pw_uid) == FALSE){
+ return 0;
}
- }
+ }
- if (auth_debug){
- fprintf(stderr,
- "In krb5_authorization: if auth files exist -> can access\n");
- }
+ if (auth_debug){
+ fprintf(stderr,
+ "In krb5_authorization: if auth files exist -> can access\n");
+ }
- if (cmd){
+#if 0
+ if (cmd){
if(k5users_flag){
- return 0; /* if kusers does not exist -> done */
+ return 0; /* if kusers does not exist -> done */
}else{
- if(retval = k5users_lookup(users_fp,princname,
- cmd,&retbool,out_fcmd)){
- auth_cleanup(k5users_flag,users_fp,
- k5login_flag,login_fp, princname);
- return retval;
- }else{
- *ok =retbool;
- return retval;
- }
- }
- }
-
- /* if either file exists,
- first see if the principal is in the login in file,
- if it's not there check the k5users file */
-
- if (!k5login_flag){
-
-
- if (auth_debug){
- fprintf(stderr,
- "In krb5_authorization: principal to be authorized %s\n",
- princname);
- }
- if (retval = k5login_lookup( login_fp, princname, &retbool)){
+ if(retval = k5users_lookup(users_fp,princname,
+ cmd,&retbool,out_fcmd)){
auth_cleanup(k5users_flag,users_fp,
- k5login_flag,login_fp, princname);
+ k5login_flag,login_fp, princname);
+ return retval;
+ }else{
+ *ok =retbool;
return retval;
+ }
}
+ }
+#endif
+ /* if either file exists,
+ first see if the principal is in the login in file,
+ if it's not there check the k5users file */
+
+ if (!k5login_flag){
+ if (auth_debug)
+ fprintf(stderr,
+ "In krb5_authorization: principal to be authorized %s\n",
+ princname);
+ if (retval = k5login_lookup( login_fp, princname, &retbool)){
+ auth_cleanup(k5users_flag,users_fp,
+ k5login_flag,login_fp, princname);
+ return retval;
+ }
+ if (retbool) {
+ if (cmd)
+ *out_fcmd = strdup(cmd);
+ }
+ }
- }
-
- if ((!k5users_flag) && (retbool == FALSE) ){
- if(retval = k5users_lookup (users_fp,princname,
- cmd, &retbool,out_fcmd)){
- auth_cleanup(k5users_flag,users_fp,
- k5login_flag,login_fp, princname);
- return retval;
+ if ((!k5users_flag) && (retbool == FALSE) ){
+ if(retval = k5users_lookup (users_fp, princname,
+ cmd, &retbool, out_fcmd)){
+ auth_cleanup(k5users_flag,users_fp,
+ k5login_flag,login_fp, princname);
+ return retval;
}
- }
+ }
- if ( k5login_flag && k5users_flag){
+ if (k5login_flag && k5users_flag){
char * kuser = (char *) calloc (strlen(princname), sizeof(char));
if (!(krb5_aname_to_localname(context, principal,
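Review bot: The rewritten early exits on fopen/fowner failure (`return 0;` after `fopen(k5login_path, "r")` and after `fowner(login_fp, pwd->pw_uid)`, and the same pair for users_fp) bypass auth_cleanup, so princname from krb5_unparse_name is leaked on every one of them and, in the .k5users branch, login_fp is left open; at minimum `free(princname);` belongs before each of those returns and `fclose(login_fp);` (when !k5login_flag) before the users_fp ones, since auth_cleanup's flag-driven close cannot be called before users_fp has been assigned. The new `*out_fcmd = strdup(cmd);` is unchecked: on allocation failure the caller receives *ok == TRUE with a NULL command, so `if (*out_fcmd == NULL) return ENOMEM;` would match how get_line reports the same condition. The `#if 0`/`#endif` block that replaces the old cmd-only path is dead code now that a .k5login entry grants command execution; deleting it rather than guarding it keeps the authorization logic readable, which the ChangeLog says was the goal. Note also that the .k5login path hands cmd back verbatim while the .k5users path resolves it through k5users_lookup/match_commands, so whether a bare command name is resolved safely now depends on the caller, which is outside this hunk.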
@@ -183,18 +178,18 @@ krb5_error_code krb5_authorization(context, principal, luser,
}
free(kuser);
- }
-
- *ok =retbool;
- auth_cleanup(k5users_flag,users_fp, k5login_flag,login_fp, princname);
- return 0;
+ }
+
+ *ok =retbool;
+ auth_cleanup(k5users_flag,users_fp, k5login_flag,login_fp, princname);
+ return 0;
}
/***********************************************************
-k5login_lookup looks for princname in file fp. Spaces
+k5login_lookup looks for princname in file fp. Spaces
before the princaname (in the file ) are not ignored
spaces after the princname are ignored. If there are
-any tokens after the principal name FALSE is returned.
+any tokens after the principal name FALSE is returned.
***********************************************************/
@@ -202,58 +197,58 @@ krb5_error_code k5login_lookup (fp, princname, found)
FILE *fp;
char *princname;
krb5_boolean *found;
-{
+{
-krb5_error_code retval;
-char * line;
-char * fprinc;
-char * lp;
-krb5_boolean loc_found = FALSE;
+ krb5_error_code retval;
+ char * line;
+ char * fprinc;
+ char * lp;
+ krb5_boolean loc_found = FALSE;
- if (retval = get_line(fp, &line )){
- return retval;
- }
+ if (retval = get_line(fp, &line )){
+ return retval;
+ }
- while (line){
- fprinc = get_first_token (line, &lp);
-
- if (fprinc && (!strcmp(princname, fprinc))){
- if( get_next_token (&lp) ){
- free (line);
- break; /* nothing should follow princname*/
- }
- else{
- loc_found = TRUE;
- free (line);
- break;
- }
- }
+ while (line){
+ fprinc = get_first_token (line, &lp);
+ if (fprinc && (!strcmp(princname, fprinc))){
+ if( get_next_token (&lp) ){
+ free (line);
+ break; /* nothing should follow princname*/
+ }
+ else{
+ loc_found = TRUE;
free (line);
- if (retval = get_line(fp, &line )){ return retval;}
+ break;
+ }
}
+ free (line);
+ if (retval = get_line(fp, &line )){ return retval;}
+ }
+
-*found = loc_found;
-return 0;
+ *found = loc_found;
+ return 0;
}
/***********************************************************
-k5users_lookup looks for princname in file fp. Spaces
+k5users_lookup looks for princname in file fp. Spaces
before the princaname (in the file ) are not ignored
-spaces after the princname are ignored.
+spaces after the princname are ignored.
-authorization alg:
+authorization alg:
-if princname is not found return false.
+if princname is not found return false.
-if princname is found{
- if cmd == NULL then the file entry after principal
- name must be nothing or *
-
- if cmd !=NULL then entry must be matched (* is ok)
+if princname is found{
+ if cmd == NULL then the file entry after principal
+ name must be nothing or *
+
+ if cmd !=NULL then entry must be matched (* is ok)
}
@@ -265,81 +260,79 @@ krb5_error_code k5users_lookup (fp, princname, cmd, found, out_fcmd)
krb5_boolean *found;
char **out_fcmd;
{
-krb5_error_code retval;
-char * line;
-char * fprinc, *fcmd;
-char * lp;
-char * loc_fcmd = NULL;
-krb5_boolean loc_found = FALSE;
-
- if (retval = get_line(fp, &line )){
- return retval;
- }
-
- while (line){
- fprinc = get_first_token (line, &lp);
-
- if (fprinc && (!strcmp(princname, fprinc))){
- fcmd = get_next_token (&lp);
+ krb5_error_code retval;
+ char * line;
+ char * fprinc, *fcmd;
+ char * lp;
+ char * loc_fcmd = NULL;
+ krb5_boolean loc_found = FALSE;
+
+ if (retval = get_line(fp, &line ))
+ return retval;
+
+ while (line){
+ fprinc = get_first_token (line, &lp);
+
+ if (fprinc && (!strcmp(princname, fprinc))){
+ fcmd = get_next_token (&lp);
+
+ if ((fcmd) && (!strcmp(fcmd, PERMIT_ALL_COMMANDS))){
+ if (get_next_token(&lp) == NULL){
+ loc_fcmd =cmd ? strdup(cmd): NULL;
+ loc_found = TRUE;
+ }
+ free (line);
+ break;
+ }
- if ((fcmd) && (!strcmp(fcmd, PERMIT_ALL_COMMANDS))){
- if (get_next_token(&lp) == NULL){
- loc_fcmd =cmd ? strdup(cmd): NULL;
- loc_found = TRUE;
- }
- free (line);
- break;
- }
-
- if (cmd == NULL){
- if (fcmd == NULL){
- loc_found = TRUE;
- }
- free (line);
- break;
-
+ if (cmd == NULL){
+ if (fcmd == NULL)
+ loc_found = TRUE;
+ free (line);
+ break;
+
+ }else{
+ if (fcmd != NULL) {
+ char * temp_rfcmd, *err;
+ krb5_boolean match;
+ do {
+ if(match_commands(fcmd,cmd,&match,
+ &temp_rfcmd, &err)){
+ if (auth_debug){
+ fprintf(stderr,"%s",err);
+ }
+ loc_fcmd = err;
+ break;
}else{
- if (fcmd != NULL) {
- char * temp_rfcmd, *err;
- krb5_boolean match;
- do {
- if(match_commands(fcmd,cmd,&match,
- &temp_rfcmd, &err)){
- if (auth_debug){
- fprintf(stderr,"%s",err);
- }
- loc_fcmd = err;
- break;
- }else{
- if (match == TRUE){
- loc_fcmd = temp_rfcmd;
- loc_found = TRUE;
- break;
- }
- }
-
- }while (fcmd = get_next_token( &lp));
- }
- free (line);
+ if (match == TRUE){
+ loc_fcmd = temp_rfcmd;
+ loc_found = TRUE;
break;
+ }
}
- }
+ }while (fcmd = get_next_token( &lp));
+ }
free (line);
- if (retval = get_line(fp, &line )){ return retval;}
+ break;
+ }
}
-*out_fcmd = loc_fcmd;
-*found = loc_found;
-return 0;
+ free (line);
+ if (retval = get_line(fp, &line )){ return retval;}
+ }
+
+ *out_fcmd = loc_fcmd;
+ *found = loc_found;
+ return 0;
}
/***********************************************
-fcmd_resolve -
-takes a command specified .k5users file and
-resolves it into a full path name.
+fcmd_resolve -
+takes a command specified .k5users file and
+resolves it into a full path name.
************************************************/
@@ -348,79 +341,79 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
char ***out_fcmd;
char **out_err;
{
-char * out_path;
-char * err;
-char ** tmp_fcmd;
-char * path_ptr, *path;
-char * lp, * tc;
-int i=0;
-
- tmp_fcmd = (char **) calloc (MAX_CMD, sizeof(char *));
-
- if (*fcmd == '/'){ /* must be full path */
- tmp_fcmd[0] = strdup(fcmd);
- tmp_fcmd[1] = NULL;
- *out_fcmd = tmp_fcmd;
- return TRUE;
- }else{
- /* must be either full path or just the cmd name */
- if (strchr(fcmd, '/')){
- err = (char *) calloc((strlen(fcmd) +200) ,sizeof(char));
- sprintf(err,"Error: bad entry - %s in %s file, must be either full path or just the cmd name\n", fcmd, KRB5_USERS_NAME);
- *out_err = err;
- return FALSE;
- }
-
-#ifndef CMD_PATH
- err = (char *) calloc(2*(strlen(fcmd) +200) ,sizeof(char));
- sprintf(err,"Error: bad entry - %s in %s file, since %s is just the cmd name, CMD_PATH must be defined \n", fcmd, KRB5_USERS_NAME, fcmd);
- *out_err = err;
- return FALSE;
+ char * out_path;
+ char * err;
+ char ** tmp_fcmd;
+ char * path_ptr, *path;
+ char * lp, * tc;
+ int i=0;
+
+ tmp_fcmd = (char **) calloc (MAX_CMD, sizeof(char *));
+
+ if (*fcmd == '/'){ /* must be full path */
+ tmp_fcmd[0] = strdup(fcmd);
+ tmp_fcmd[1] = NULL;
+ *out_fcmd = tmp_fcmd;
+ return TRUE;
+ }else{
+ /* must be either full path or just the cmd name */
+ if (strchr(fcmd, '/')){
+ err = (char *) calloc((strlen(fcmd) +200) ,sizeof(char));
+ sprintf(err,"Error: bad entry - %s in %s file, must be either full path or just the cmd name\n", fcmd, KRB5_USERS_NAME);
+ *out_err = err;
+ return FALSE;
+ }
+
+#ifndef CMD_PATH
+ err = (char *) calloc(2*(strlen(fcmd) +200) ,sizeof(char));
+ sprintf(err,"Error: bad entry - %s in %s file, since %s is just the cmd name, CMD_PATH must be defined \n", fcmd, KRB5_USERS_NAME, fcmd);
+ *out_err = err;
+ return FALSE;
#else
- path = strdup (CMD_PATH);
+ path = strdup (CMD_PATH);
path_ptr = path;
- while ((*path_ptr == ' ') || (*path_ptr == '\t')) path_ptr ++;
+ while ((*path_ptr == ' ') || (*path_ptr == '\t')) path_ptr ++;
tc = get_first_token (path_ptr, &lp);
-
- if (! tc){
- err = (char *) calloc((strlen(fcmd) +200) ,sizeof(char));
- sprintf(err,"Error: bad entry - %s in %s file, CMD_PATH contains no paths \n", fcmd, KRB5_USERS_NAME);
- *out_err = err;
- return FALSE;
- }
+
+ if (! tc){
+ err = (char *) calloc((strlen(fcmd) +200) ,sizeof(char));
+ sprintf(err,"Error: bad entry - %s in %s file, CMD_PATH contains no paths \n", fcmd, KRB5_USERS_NAME);
+ *out_err = err;
+ return FALSE;
+ }
i=0;
do{
- if (*tc != '/'){ /* must be full path */
- err = (char *) calloc((strlen(tc) +200) ,sizeof(char));
- sprintf(err,"Error: bad path %s in CMD_PATH for %s must start with '/' \n",tc, KRB5_USERS_NAME );
- *out_err = err;
- return FALSE;
- }
+ if (*tc != '/'){ /* must be full path */
+ err = (char *) calloc((strlen(tc) +200) ,sizeof(char));
+ sprintf(err,"Error: bad path %s in CMD_PATH for %s must start with '/' \n",tc, KRB5_USERS_NAME );
+ *out_err = err;
+ return FALSE;
+ }
- out_path = (char *) calloc( MAXPATHLEN, sizeof (char));
- sprintf(out_path,"%s/%s",tc, fcmd );
+ out_path = (char *) calloc( MAXPATHLEN, sizeof (char));
+ sprintf(out_path,"%s/%s",tc, fcmd );
- tmp_fcmd[i] = out_path;
+ tmp_fcmd[i] = out_path;
- i++;
+ i++;
} while(tc = get_next_token (&lp));
- tmp_fcmd[i] = NULL;
+ tmp_fcmd[i] = NULL;
*out_fcmd = tmp_fcmd;
return TRUE;
#endif /* CMD_PATH */
- }
+ }
}
/********************************************
cmd_single - checks if cmd consists of a path
- or a single token
+ or a single token
********************************************/
@@ -428,49 +421,49 @@ krb5_boolean cmd_single(cmd)
char * cmd;
{
- if ( ( strrchr( cmd, '/')) == NULL){
- return TRUE;
- }else{
- return FALSE;
- }
+ if ( ( strrchr( cmd, '/')) == NULL){
+ return TRUE;
+ }else{
+ return FALSE;
+ }
}
/********************************************
-cmd_arr_cmp_postfix - compares a command with the postfix
- of fcmd
+cmd_arr_cmp_postfix - compares a command with the postfix
+ of fcmd
********************************************/
int cmd_arr_cmp_postfix(fcmd_arr, cmd)
char **fcmd_arr;
char *cmd;
{
-char * temp_fcmd;
-char *ptr;
-int result =1;
-int i = 0;
-
- while(fcmd_arr[i]){
- if ( (ptr = strrchr( fcmd_arr[i], '/')) == NULL){
- temp_fcmd = fcmd_arr[i];
- }else {
- temp_fcmd = ptr + 1;
- }
-
- result = strcmp (temp_fcmd, cmd);
- if (result == 0){
- break;
- }
- i++;
+ char * temp_fcmd;
+ char *ptr;
+ int result =1;
+ int i = 0;
+
+ while(fcmd_arr[i]){
+ if ( (ptr = strrchr( fcmd_arr[i], '/')) == NULL){
+ temp_fcmd = fcmd_arr[i];
+ }else {
+ temp_fcmd = ptr + 1;
}
-return result;
+ result = strcmp (temp_fcmd, cmd);
+ if (result == 0){
+ break;
+ }
+ i++;
+ }
+
+ return result;
}
/**********************************************
-cmd_arr_cmp - checks if cmd matches any
- of the fcmd entries.
+cmd_arr_cmp - checks if cmd matches any
+ of the fcmd entries.
**********************************************/
@@ -478,17 +471,17 @@ int cmd_arr_cmp (fcmd_arr, cmd)
char **fcmd_arr;
char *cmd;
{
-int result =1;
-int i = 0;
+ int result =1;
+ int i = 0;
- while(fcmd_arr[i]){
- result = strcmp (fcmd_arr[i], cmd);
- if (result == 0){
- break;
- }
- i++;
+ while(fcmd_arr[i]){
+ result = strcmp (fcmd_arr[i], cmd);
+ if (result == 0){
+ break;
}
-return result;
+ i++;
+ }
+ return result;
}
@@ -497,37 +490,37 @@ krb5_boolean find_first_cmd_that_exists(fcmd_arr, cmd_out, err_out)
char **cmd_out;
char **err_out;
{
-struct stat st_temp;
-int i = 0;
-krb5_boolean retbool= FALSE;
-int j =0;
-char * err;
-int max_ln=0;
-int tln=0;
-
- while(fcmd_arr[i]){
- tln = strlen(fcmd_arr[i]);
- if ( tln > max_ln) max_ln = tln;
- if (!stat (fcmd_arr[i], &st_temp )){
- *cmd_out = strdup(fcmd_arr[i]);
- retbool = TRUE;
- break;
- }
- i++;
+ struct stat st_temp;
+ int i = 0;
+ krb5_boolean retbool= FALSE;
+ int j =0;
+ char * err;
+ int max_ln=0;
+ int tln=0;
+
+ while(fcmd_arr[i]){
+ tln = strlen(fcmd_arr[i]);
+ if ( tln > max_ln) max_ln = tln;
+ if (!stat (fcmd_arr[i], &st_temp )){
+ *cmd_out = strdup(fcmd_arr[i]);
+ retbool = TRUE;
+ break;
}
+ i++;
+ }
-if (retbool == FALSE ){
+ if (retbool == FALSE ){
err = (char *) calloc((80 +max_ln*i) ,sizeof(char));
sprintf(err,"Error: not found -> ");
- for(j= 0; j < i; j ++){
- sprintf(err,"%s %s ", err, fcmd_arr[j]);
- }
+ for(j= 0; j < i; j ++){
+ sprintf(err,"%s %s ", err, fcmd_arr[j]);
+ }
sprintf(err,"%s\n", err);
- *err_out = err;
-}
+ *err_out = err;
+ }
+
-
-return retbool;
+ return retbool;
}
/***************************************************************
@@ -542,46 +535,46 @@ int match_commands (fcmd, cmd, match, cmd_out, err_out)
char **cmd_out;
char **err_out;
{
-char ** fcmd_arr;
-char * err;
-char * cmd_temp;
+ char ** fcmd_arr;
+ char * err;
+ char * cmd_temp;
-if(fcmd_resolve(fcmd, &fcmd_arr, &err )== FALSE ){
- *err_out = err;
- return 1;
-}
+ if(fcmd_resolve(fcmd, &fcmd_arr, &err )== FALSE ){
+ *err_out = err;
+ return 1;
+ }
-if (cmd_single( cmd ) == TRUE){
+ if (cmd_single( cmd ) == TRUE){
if (!cmd_arr_cmp_postfix(fcmd_arr, cmd)){ /* found */
- if(find_first_cmd_that_exists( fcmd_arr,&cmd_temp,&err)== TRUE){
- *match = TRUE;
- *cmd_out = cmd_temp;
- return 0;
- }else{
- *err_out = err;
- return 1;
- }
- }else{
- *match = FALSE;
- return 0;
- }
-}else{
- if (!cmd_arr_cmp(fcmd_arr, cmd)){ /* found */
+ if(find_first_cmd_that_exists( fcmd_arr,&cmd_temp,&err)== TRUE){
*match = TRUE;
- *cmd_out = strdup(cmd);
+ *cmd_out = cmd_temp;
return 0;
+ }else{
+ *err_out = err;
+ return 1;
+ }
+ }else{
+ *match = FALSE;
+ return 0;
+ }
+ }else{
+ if (!cmd_arr_cmp(fcmd_arr, cmd)){ /* found */
+ *match = TRUE;
+ *cmd_out = strdup(cmd);
+ return 0;
} else{
- *match = FALSE;
- return 0;
+ *match = FALSE;
+ return 0;
}
-}
+ }
}
/*********************************************************
get_line - returns a line of any length. out_line
- is set to null if eof.
+ is set to null if eof.
*********************************************************/
krb5_error_code get_line (fp, out_line)
@@ -590,109 +583,108 @@ krb5_error_code get_line (fp, out_line)
/* OUT */
char **out_line;
{
-char * line, *r, *newline , *line_ptr;
-int chunk_count = 1;
-
- line = (char *) calloc (BUFSIZ, sizeof (char ));
- line_ptr = line;
- line[0] = '\0';
-
- while (( r = fgets(line_ptr, BUFSIZ , fp)) != NULL){
- if (newline = strchr(line_ptr, '\n')){
- *newline = '\0';
- break;
- }
- else {
- chunk_count ++;
- if(!( line = (char *) realloc( line,
- chunk_count * sizeof(char) * BUFSIZ))){
- return ENOMEM;
- }
+ char * line, *r, *newline , *line_ptr;
+ int chunk_count = 1;
- line_ptr = line + (BUFSIZ -1) *( chunk_count -1) ;
- }
- }
+ line = (char *) calloc (BUFSIZ, sizeof (char ));
+ line_ptr = line;
+ line[0] = '\0';
- if ((r == NULL) && (strlen(line) == 0)) {
- *out_line = NULL;
- }
- else{
- *out_line = line;
+ while (( r = fgets(line_ptr, BUFSIZ , fp)) != NULL){
+ if (newline = strchr(line_ptr, '\n')){
+ *newline = '\0';
+ break;
}
+ else {
+ chunk_count ++;
+ if(!( line = (char *) realloc( line,
+ chunk_count * sizeof(char) * BUFSIZ))){
+ return ENOMEM;
+ }
+
+ line_ptr = line + (BUFSIZ -1) *( chunk_count -1) ;
+ }
+ }
+
+ if ((r == NULL) && (strlen(line) == 0)) {
+ *out_line = NULL;
+ }
+ else{
+ *out_line = line;
+ }
-return 0;
+ return 0;
}
-/*******************************************************
-get_first_token -
-Expects a '\0' terminated input line .
-If there are any spaces before the first token, they
-will be returned as part of the first token.
+/*******************************************************
+get_first_token -
+Expects a '\0' terminated input line .
+If there are any spaces before the first token, they
+will be returned as part of the first token.
-Note: this routine reuses the space pointed to by line
+Note: this routine reuses the space pointed to by line
******************************************************/
char * get_first_token (line, lnext)
char *line;
char **lnext;
{
-
-char * lptr, * out_ptr;
-
- out_ptr = line;
- lptr = line;
-
- while (( *lptr == ' ') || (*lptr == '\t')) lptr ++;
-
- if (strlen(lptr) == 0) return NULL;
-
- while (( *lptr != ' ') && (*lptr != '\t') && (*lptr != '\0')) lptr ++;
-
- if (*lptr == '\0'){
- *lnext = lptr;
- } else{
- *lptr = '\0';
- *lnext = lptr + 1;
- }
-
-return out_ptr;
+ char * lptr, * out_ptr;
+
+
+ out_ptr = line;
+ lptr = line;
+
+ while (( *lptr == ' ') || (*lptr == '\t')) lptr ++;
+
+ if (strlen(lptr) == 0) return NULL;
+
+ while (( *lptr != ' ') && (*lptr != '\t') && (*lptr != '\0')) lptr ++;
+
+ if (*lptr == '\0'){
+ *lnext = lptr;
+ } else{
+ *lptr = '\0';
+ *lnext = lptr + 1;
+ }
+
+ return out_ptr;
}
/**********************************************************
-get_next_token -
-returns the next token pointed to by *lnext.
-returns NULL if there is no more tokens.
-Note: that this function modifies the stream
+get_next_token -
+returns the next token pointed to by *lnext.
+returns NULL if there is no more tokens.
+Note: that this function modifies the stream
pointed to by *lnext and does not allocate
space for the returned tocken. It also advances
- lnext to the next tocken.
+ lnext to the next tocken.
**********************************************************/
char * get_next_token (lnext)
char **lnext;
{
-
-char * lptr, * out_ptr;
+ char * lptr, * out_ptr;
-
- lptr = *lnext;
-
- while (( *lptr == ' ') || (*lptr == '\t')) lptr ++;
- if (strlen(lptr) == 0) return NULL;
+ lptr = *lnext;
- out_ptr = lptr;
+ while (( *lptr == ' ') || (*lptr == '\t')) lptr ++;
- while (( *lptr != ' ') && (*lptr != '\t') && (*lptr != '\0')) lptr ++;
+ if (strlen(lptr) == 0) return NULL;
- if (*lptr == '\0'){
- *lnext = lptr;
- } else{
- *lptr = '\0';
- *lnext = lptr + 1;
- }
+ out_ptr = lptr;
+
+ while (( *lptr != ' ') && (*lptr != '\t') && (*lptr != '\0')) lptr ++;
+
+ if (*lptr == '\0'){
+ *lnext = lptr;
+ } else{
+ *lptr = '\0';
+ *lnext = lptr + 1;
+ }
-return out_ptr;
+ return out_ptr;
}
static void auth_cleanup(k5users_flag, users_fp, k5login_flag,
@@ -704,21 +696,19 @@ static void auth_cleanup(k5users_flag, users_fp, k5login_flag,
char *princname;
{
- free (princname);
- if (!k5users_flag) fclose(users_fp);
- if (!k5login_flag) fclose(login_fp);
-
+ free (princname);
+ if (!k5users_flag) fclose(users_fp);
+ if (!k5login_flag) fclose(login_fp);
}
void init_auth_names(pw_dir)
char *pw_dir;
{
-
- if ((strlen(pw_dir) == 1) && (*pw_dir == '/')){
- sprintf(k5login_path,"%s%s", pw_dir, KRB5_LOGIN_NAME);
- sprintf(k5users_path,"%s%s", pw_dir, KRB5_USERS_NAME);
- }else{
- sprintf(k5login_path,"%s/%s", pw_dir, KRB5_LOGIN_NAME);
- sprintf(k5users_path,"%s/%s", pw_dir, KRB5_USERS_NAME);
- }
+ if ((strlen(pw_dir) == 1) && (*pw_dir == '/')){
+ sprintf(k5login_path,"%s%s", pw_dir, KRB5_LOGIN_NAME);
+ sprintf(k5users_path,"%s%s", pw_dir, KRB5_USERS_NAME);
+ }else{
+ sprintf(k5login_path,"%s/%s", pw_dir, KRB5_LOGIN_NAME);
+ sprintf(k5users_path,"%s/%s", pw_dir, KRB5_USERS_NAME);
+ }
}
diff --git a/src/clients/ksu/configure.in b/src/clients/ksu/configure.in
index 646a415515..c626f488f7 100644
--- a/src/clients/ksu/configure.in
+++ b/src/clients/ksu/configure.in
@@ -4,7 +4,8 @@ AC_PROG_INSTALL
AC_CHECK_LIB(ndbm,main)
AC_CHECK_LIB(dbm,main)
AC_HEADER_STDARG
-AC_CHECK_FUNCS(getusershell)
+AC_CHECK_FUNCS(getusershell seteuid setreuid setresuid)
+AC_CHECK_HEADERS(unistd.h)
KRB5_LIBRARIES
V5_USE_SHARED_LIB
V5_AC_OUTPUT_MAKEFILE
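Review bot: `AC_CHECK_FUNCS(getusershell seteuid setreuid setresuid)` only defines HAVE_SETEUID/HAVE_SETREUID/HAVE_SETRESUID; nothing here fails configure when none of the three is available, and the euid switch that is the security point of this commit (the heuristic.c code consuming these defines is outside this chunk) would then be compiled out silently, leaving the ccache opened with the original euid. Consider ending the check with an `AC_MSG_ERROR` when no usable primitive was found, or a `#error` at the use site, so a build that cannot drop the euid before opening the source ccache is refused rather than quietly degraded.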
diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c
index 47306ba864..d1a0b4473d 100644
--- a/src/clients/ksu/heuristic.c
+++ b/src/clients/ksu/heuristic.c
@@ -1,4 +1,4 @@
-/*
+/*
* Copyright (c) 1994 by the University of Southern California
*
* EXPORT OF THIS SOFTWARE from the United States of America may
@@ -10,7 +10,7 @@
* this software and its documentation in source and binary forms is
* hereby granted, provided that any documentation or other materials
* related to such distribution or use acknowledge that the software
- * was developed by the University of Southern California.
+ * was developed by the University of Southern California.
*
* DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED "AS IS". The
* University of Southern California MAKES NO REPRESENTATIONS OR
@@ -25,11 +25,16 @@
* KSU was writen by: Ari Medvinsky, ari@isi.edu
*/
-#include "ksu.h"
+#include "ksu.h"
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
/*******************************************************************
get_all_princ_from_file - retrieves all principal names
- from file pointed to by fp.
+ from file pointed to by fp.
*******************************************************************/
static void close_time PROTOTYPE((int, FILE *, int, FILE *));
@@ -40,52 +45,47 @@ krb5_error_code get_all_princ_from_file (fp, plist)
char ***plist;
{
- krb5_error_code retval;
- char * line, * fprinc, * lp, ** temp_list = NULL;
- int count = 0, chunk_count = 1;
-
- if (!(temp_list = (char **) malloc( CHUNK * sizeof(char *)))){
- return errno;
- }
+ krb5_error_code retval;
+ char * line, * fprinc, * lp, ** temp_list = NULL;
+ int count = 0, chunk_count = 1;
- if (retval = get_line(fp, &line )){
- return retval;
- }
+ if (!(temp_list = (char **) malloc( CHUNK * sizeof(char *))))
+ return errno;
+ if (retval = get_line(fp, &line ))
+ return retval;
- while (line){
- fprinc = get_first_token (line, &lp);
-
+ while (line){
+ fprinc = get_first_token (line, &lp);
- if (fprinc ){
- temp_list[count] = strdup(fprinc);
- count ++;
- }
-
- if(count == (chunk_count * CHUNK -1)){
- chunk_count ++;
- if (!(temp_list = (char **) realloc(temp_list,
- chunk_count * CHUNK * sizeof(char *)))){
- return errno;
- }
- }
-
+ if (fprinc ){
+ temp_list[count] = strdup(fprinc);
+ count ++;
+ }
- free (line);
- if (retval = get_line(fp, &line )){ return retval;}
+ if(count == (chunk_count * CHUNK -1)){
+ chunk_count ++;
+ if (!(temp_list = (char **) realloc(temp_list,
+ chunk_count * CHUNK * sizeof(char *)))){
+ return errno;
+ }
}
- temp_list[count] = NULL;
+ free (line);
+ if (retval = get_line(fp, &line )){ return retval;}
+ }
- *plist = temp_list;
- return 0;
+ temp_list[count] = NULL;
+
+ *plist = temp_list;
+ return 0;
}
/*************************************************************
-list_union - combines list1 and list2 into combined_list.
- the space for list1 and list2 is either freed
- or used by combined_list.
+list_union - combines list1 and list2 into combined_list.
+ the space for list1 and list2 is either freed
+ or used by combined_list.
**************************************************************/
krb5_error_code list_union(list1, list2, combined_list)
@@ -94,51 +94,49 @@ krb5_error_code list_union(list1, list2, combined_list)
char ***combined_list;
{
-int c1 =0, c2 = 0, i=0, j=0;
-char ** tlist;
+ int c1 =0, c2 = 0, i=0, j=0;
+ char ** tlist;
- if (! list1){
- *combined_list = list2;
- return 0;
- }
+ if (! list1){
+ *combined_list = list2;
+ return 0;
+ }
- if (! list2){
- *combined_list = list1;
- return 0;
- }
+ if (! list2){
+ *combined_list = list1;
+ return 0;
+ }
- while (list1[c1]) c1++;
- while (list2[c2]) c2++;
+ while (list1[c1]) c1++;
+ while (list2[c2]) c2++;
- if (!(tlist = (char **) calloc( c1 + c2 + 1, sizeof ( char *)))){
- return errno;
- }
+ if (!(tlist = (char **) calloc( c1 + c2 + 1, sizeof ( char *))))
+ return errno;
- i = 0;
- while(list1[i]){
- tlist[i] = list1[i];
- i++;
- }
- j = 0;
- while(list2[j]){
- if(find_str_in_list(list1, list2[j])==FALSE){
- tlist[i] = list2[j];
- i++;
- }
- j++;
+ i = 0;
+ while(list1[i]) {
+ tlist[i] = list1[i];
+ i++;
+ }
+ j = 0;
+ while(list2[j]){
+ if(find_str_in_list(list1, list2[j])==FALSE){
+ tlist[i] = list2[j];
+ i++;
}
+ j++;
+ }
- free (list1);
- free (list2);
+ free (list1);
+ free (list2);
- tlist[i]= NULL;
-
+ tlist[i]= NULL;
- *combined_list = tlist;
- return 0;
+ *combined_list = tlist;
+ return 0;
}
-krb5_error_code
+krb5_error_code
filter(fp, cmd, k5users_list, k5users_filt_list)
FILE *fp;
char *cmd;
@@ -146,53 +144,49 @@ filter(fp, cmd, k5users_list, k5users_filt_list)
char ***k5users_filt_list;
{
-krb5_error_code retval =0;
-krb5_boolean found = FALSE;
-char * out_cmd = NULL;
-int i=0, j=0, found_count = 0, k=0;
-char ** temp_filt_list;
+ krb5_error_code retval =0;
+ krb5_boolean found = FALSE;
+ char * out_cmd = NULL;
+ int i=0, j=0, found_count = 0, k=0;
+ char ** temp_filt_list;
- *k5users_filt_list = NULL;
+ *k5users_filt_list = NULL;
- if (! k5users_list){
- return 0;
- }
+ if (! k5users_list){
+ return 0;
+ }
- while(k5users_list[i]){
+ while(k5users_list[i]){
- if (retval= k5users_lookup(fp, k5users_list[i],
- cmd, &found, &out_cmd)){
- return retval;
- }
+ if (retval= k5users_lookup(fp, k5users_list[i], cmd, &found, &out_cmd))
+ return retval;
- if (found == FALSE){
- free (k5users_list[i]);
- k5users_list[i] = NULL;
- if (out_cmd) gb_err = out_cmd;
- }else{
- found_count ++;
- }
- i++;
- }
+ if (found == FALSE){
+ free (k5users_list[i]);
+ k5users_list[i] = NULL;
+ if (out_cmd) gb_err = out_cmd;
+ } else
+ found_count ++;
- if (! (temp_filt_list = (char **) calloc ( found_count +1,
- sizeof (char*)))){
- return errno;
- }
+ i++;
+ }
- for(j= 0, k=0; j < i; j ++ ){
- if (k5users_list[j]){
- temp_filt_list[k] = k5users_list[j];
- k++;
- }
+ if (! (temp_filt_list = (char **) calloc(found_count +1, sizeof (char*))))
+ return errno;
+
+ for(j= 0, k=0; j < i; j++ ) {
+ if (k5users_list[j]){
+ temp_filt_list[k] = k5users_list[j];
+ k++;
}
+ }
- temp_filt_list[k] = NULL;
+ temp_filt_list[k] = NULL;
- free (k5users_list);
+ free (k5users_list);
- *k5users_filt_list = temp_filt_list;
- return 0;
+ *k5users_filt_list = temp_filt_list;
+ return 0;
}
krb5_error_code
@@ -207,7 +201,7 @@ get_authorized_princ_names(luser, cmd, princ_list)
int k5users_flag =0;
FILE * login_fp, * users_fp;
char ** k5login_list = NULL, ** k5users_list = NULL;
- char ** k5users_filt_list = NULL;
+ char ** k5users_filt_list = NULL;
char ** combined_list = NULL;
struct stat tb;
krb5_error_code retval;
@@ -216,66 +210,63 @@ get_authorized_princ_names(luser, cmd, princ_list)
/* no account => no access */
- if ((pwd = getpwnam(luser)) == NULL) {
+ if ((pwd = getpwnam(luser)) == NULL)
return 0;
- }
k5login_flag = stat(k5login_path, &tb);
k5users_flag = stat(k5users_path, &tb);
- if (!k5login_flag){
- if ((login_fp = fopen(k5login_path, "r")) == NULL) {
- return 0;
- }
+ if (!k5login_flag){
+ if ((login_fp = fopen(k5login_path, "r")) == NULL)
+ return 0;
if ( fowner(login_fp, pwd->pw_uid) == FALSE){
- close_time(k5users_flag,users_fp, k5login_flag,login_fp);
- return 0;
+ close_time(k5users_flag,users_fp, k5login_flag,login_fp);
+ return 0;
}
}
if (!k5users_flag){
- if ((users_fp = fopen(k5users_path, "r")) == NULL) {
- return 0;
- }
+ if ((users_fp = fopen(k5users_path, "r")) == NULL)
+ return 0;
+
if ( fowner(users_fp, pwd->pw_uid) == FALSE){
- close_time(k5users_flag,users_fp, k5login_flag,login_fp);
- return 0;
+ close_time(k5users_flag,users_fp, k5login_flag,login_fp);
+ return 0;
}
- if(retval = get_all_princ_from_file (users_fp, &k5users_list)){
- close_time(k5users_flag,users_fp, k5login_flag,login_fp);
- return retval;
+ if(retval = get_all_princ_from_file (users_fp, &k5users_list)){
+ close_time(k5users_flag,users_fp, k5login_flag,login_fp);
+ return retval;
}
rewind(users_fp);
if(retval = filter(users_fp,cmd, k5users_list, &k5users_filt_list)){
- close_time(k5users_flag,users_fp, k5login_flag, login_fp);
- return retval;
+ close_time(k5users_flag,users_fp, k5login_flag, login_fp);
+ return retval;
}
-
}
- if (cmd){
- *princ_list = k5users_filt_list;
- close_time(k5users_flag,users_fp, k5login_flag, login_fp);
- return 0;
- }
-
- if (!k5login_flag){
- if(retval = get_all_princ_from_file (login_fp, &k5login_list)){
- close_time(k5users_flag,users_fp, k5login_flag,login_fp);
- return retval;
+ if (!k5login_flag){
+ if(retval = get_all_princ_from_file (login_fp, &k5login_list)){
+ close_time(k5users_flag,users_fp, k5login_flag,login_fp);
+ return retval;
}
}
-
- if(retval = list_union(k5login_list, k5users_filt_list, & combined_list)){
- close_time(k5users_flag,users_fp, k5login_flag,login_fp);
- return retval;
+
+ if(retval = list_union(k5login_list, k5users_filt_list, &combined_list)){
+ close_time(k5users_flag,users_fp, k5login_flag,login_fp);
+ return retval;
}
- *princ_list = combined_list ;
- close_time(k5users_flag,users_fp, k5login_flag,login_fp);
- return 0;
+ close_time(k5users_flag,users_fp, k5login_flag, login_fp);
+
+ if (cmd) {
+ *princ_list = combined_list;
+ return 0;
+ } else {
+ *princ_list = k5login_list;
+ return 0;
+ }
}
static void close_time(k5users_flag, users_fp, k5login_flag, login_fp)
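Review bot: The new `else` branch at the end of get_authorized_princ_names, `*princ_list = k5login_list;`, hands the caller a pointer that list_union appears to have already released: the tail of what looks like list_union at the top of this diff does `free (list1); free (list2);` before returning `tlist`, so when both .k5login and .k5users exist and `cmd` is NULL the caller receives a freed array and `combined_list` leaks. The old code returned `combined_list` unconditionally; the simplest fix is to drop the branch and write `*princ_list = combined_list;` for both cases. If excluding .k5users entries from the shell case was intentional it should be done by not calling list_union at all, rather than by reading past its free, and the ChangeLog should say so. Note also that when `fopen` of .k5users fails after .k5login was opened, `return 0` leaves login_fp open, a leak carried over from the old code.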
@@ -285,8 +276,8 @@ static void close_time(k5users_flag, users_fp, k5login_flag, login_fp)
FILE *login_fp;
{
- if (!k5users_flag) fclose(users_fp);
- if (!k5login_flag) fclose(login_fp);
+ if (!k5users_flag) fclose(users_fp);
+ if (!k5login_flag) fclose(login_fp);
}
@@ -295,28 +286,27 @@ static krb5_boolean find_str_in_list(list , elm)
char *elm;
{
-int i=0;
-krb5_boolean found = FALSE;
+ int i=0;
+ krb5_boolean found = FALSE;
-if (!list) return found;
+ if (!list) return found;
-while (list[i] ){
+ while (list[i] ){
if (!strcmp(list[i], elm)){
- found = TRUE;
- break;
+ found = TRUE;
+ break;
}
i++;
-}
-
-return found;
+ }
+ return found;
}
/**********************************************************************
-returns the principal that is closes to client (can be the the client
+returns the principal that is closes to client (can be the the client
himself). plist contains
-a principal list obtained from .k5login and .k5users file.
-A principal is picked that has the best chance of getting in.
+a principal list obtained from .k5login and .k5users file.
+A principal is picked that has the best chance of getting in.
**********************************************************************/
@@ -327,77 +317,73 @@ krb5_error_code get_closest_principal(context, plist, client, found)
krb5_principal *client;
krb5_boolean *found;
{
-krb5_error_code retval =0;
-krb5_principal temp_client, best_client = NULL;
-int i = 0, j=0, cnelem, pnelem;
-krb5_boolean got_one;
+ krb5_error_code retval =0;
+ krb5_principal temp_client, best_client = NULL;
+ int i = 0, j=0, cnelem, pnelem;
+ krb5_boolean got_one;
- *found = FALSE;
+ *found = FALSE;
- if (! plist ) return 0;
+ if (! plist ) return 0;
- cnelem = krb5_princ_size(context, *client);
+ cnelem = krb5_princ_size(context, *client);
+ while(plist[i]){
- while(plist[i]){
+ if (retval = krb5_parse_name(context, plist[i], &temp_client))
+ return retval;
- if (retval = krb5_parse_name(context, plist[i], &temp_client)){
- return retval;
- }
+ pnelem = krb5_princ_size(context, temp_client);
- pnelem = krb5_princ_size(context, temp_client);
+ if ( cnelem > pnelem){
+ i++;
+ continue;
+ }
- if ( cnelem > pnelem){
- i++;
- continue;
+ if (krb5_princ_realm(context, *client)->length ==
+ krb5_princ_realm(context, temp_client)->length
+ && (!memcmp (krb5_princ_realm(context, *client)->data,
+ krb5_princ_realm(context, temp_client)->data,
+ krb5_princ_realm(context, temp_client)->length))){
+
+ got_one = TRUE;
+ for(j =0; j < cnelem; j ++){
+ krb5_data *p1 =
+ krb5_princ_component(context, *client, j);
+ krb5_data *p2 =
+ krb5_princ_component(context, temp_client, j);
+
+ if ((p1->length != p2->length) ||
+ memcmp(p1->data,p2->data,p1->length)){
+ got_one = FALSE;
+ break;
}
+ }
+ if (got_one == TRUE){
+ if(best_client){
+ if(krb5_princ_size(context, best_client) >
+ krb5_princ_size(context, temp_client)){
+ best_client = temp_client;
+ }
+ }else
+ best_client = temp_client;
+ }
+ }
+ i++;
+ }
- if (krb5_princ_realm(context, *client)->length ==
- krb5_princ_realm(context, temp_client)->length
- && (!memcmp (krb5_princ_realm(context, *client)->data,
- krb5_princ_realm(context, temp_client)->data,
- krb5_princ_realm(context, temp_client)->length))){
-
- got_one = TRUE;
- for(j =0; j < cnelem; j ++){
-
- krb5_data *p1 =
- krb5_princ_component(context, *client, j);
- krb5_data *p2 =
- krb5_princ_component(context, temp_client, j);
-
- if ((p1->length != p2->length) ||
- memcmp(p1->data,p2->data,p1->length)){
- got_one = FALSE;
- break;
- }
- }
- if (got_one == TRUE){
- if(best_client){
- if(krb5_princ_size(context, best_client) >
- krb5_princ_size(context, temp_client)){
- best_client = temp_client;
- }
- }else{
- best_client = temp_client;
- }
- }
- }
- i++;
- }
-
- if (best_client) {
- *found = TRUE;
- *client = best_client;
- }
-
- return 0;
+ if (best_client) {
+ *found = TRUE;
+ *client = best_client;
+ }
+
+ return 0;
}
-/****************************************************************
+/****************************************************************
find_either_ticket checks to see whether there is a ticket for the
end server or tgt, if neither is there the return FALSE,
-*****************************************************************/
+*****************************************************************/
krb5_error_code find_either_ticket (context, cc, client, end_server, found)
krb5_context context;
@@ -407,43 +393,37 @@ krb5_error_code find_either_ticket (context, cc, client, end_server, found)
krb5_boolean *found;
{
-krb5_principal kdc_server;
-krb5_error_code retval;
-krb5_boolean temp_found = FALSE;
-char * cc_source_name;
-struct stat st_temp;
+ krb5_principal kdc_server;
+ krb5_error_code retval;
+ krb5_boolean temp_found = FALSE;
+ char * cc_source_name;
+ struct stat st_temp;
-cc_source_name = krb5_cc_get_name(context, cc);
+ cc_source_name = krb5_cc_get_name(context, cc);
-if ( ! stat(cc_source_name, &st_temp)){
+ if ( ! stat(cc_source_name, &st_temp)){
- if (retval = find_ticket (context, cc, client, end_server, &temp_found)) {
- return retval;
- }
+ if (retval = find_ticket(context, cc, client, end_server, &temp_found))
+ return retval;
if (temp_found == FALSE){
-
- if (retval = krb5_tgtname(context,
- krb5_princ_realm(context, client),
- krb5_princ_realm(context, client),
- &kdc_server)){
- return retval ;
- }
-
- if(retval = find_ticket (context, cc,client, kdc_server, &temp_found)) {
- return retval;
- }
- }
- else {
- if (auth_debug)
- printf("find_either_ticket: found end server ticket\n");
+ if (retval = krb5_tgtname(context,
+ krb5_princ_realm(context, client),
+ krb5_princ_realm(context, client),
+ &kdc_server)){
+ return retval ;
+ }
+
+ if(retval = find_ticket(context, cc,client, kdc_server, &temp_found))
+ return retval;
}
+ else if (auth_debug)
+ printf("find_either_ticket: found end server ticket\n");
+ }
-}
-
- *found = temp_found;
+ *found = temp_found;
- return 0;
+ return 0;
}
@@ -455,41 +435,39 @@ krb5_error_code find_ticket (context, cc, client, server, found)
krb5_boolean *found;
{
-krb5_creds tgt, tgtq;
-krb5_error_code retval;
+ krb5_creds tgt, tgtq;
+ krb5_error_code retval;
- *found = FALSE;
+ *found = FALSE;
- memset((char *) &tgtq, 0, sizeof(tgtq));
- memset((char *) &tgt, 0, sizeof(tgt));
+ memset((char *) &tgtq, 0, sizeof(tgtq));
+ memset((char *) &tgt, 0, sizeof(tgt));
- if (retval= krb5_copy_principal(context, client, &tgtq.client)){
- return retval;
- }
+ if (retval= krb5_copy_principal(context, client, &tgtq.client))
+ return retval;
- if (retval= krb5_copy_principal(context, server, &tgtq.server)){
- return retval ;
- }
+ if (retval= krb5_copy_principal(context, server, &tgtq.server))
+ return retval ;
- retval = krb5_cc_retrieve_cred(context, cc, KRB5_TC_MATCH_SRV_NAMEONLY,
- &tgtq, &tgt);
+ retval = krb5_cc_retrieve_cred(context, cc, KRB5_TC_MATCH_SRV_NAMEONLY,
+ &tgtq, &tgt);
- if (! retval) retval = krb5_check_exp(context, tgt.times);
+ if (! retval) retval = krb5_check_exp(context, tgt.times);
- if (retval){
- if ((retval != KRB5_CC_NOTFOUND) &&
- (retval != KRB5KRB_AP_ERR_TKT_EXPIRED)){
- return retval ;
- }
- } else{
- *found = TRUE;
- return 0;
- }
+ if (retval){
+ if ((retval != KRB5_CC_NOTFOUND) &&
+ (retval != KRB5KRB_AP_ERR_TKT_EXPIRED)){
+ return retval ;
+ }
+ } else{
+ *found = TRUE;
+ return 0;
+ }
- free(tgtq.server);
- free(tgtq.client);
+ free(tgtq.server);
+ free(tgtq.client);
- return 0;
+ return 0;
}
@@ -501,40 +479,39 @@ krb5_error_code find_princ_in_list (context, princ, plist, found)
krb5_boolean *found;
{
-int i=0;
-char * princname;
-krb5_error_code retval;
+ int i=0;
+ char * princname;
+ krb5_error_code retval;
-*found = FALSE;
+ *found = FALSE;
-if (!plist) return 0;
+ if (!plist) return 0;
-if (retval = krb5_unparse_name(context, princ, &princname)){
+ if (retval = krb5_unparse_name(context, princ, &princname))
return retval;
-}
-while (plist[i] ){
+ while (plist[i] ){
if (!strcmp(plist[i], princname)){
- *found = TRUE;
- break;
+ *found = TRUE;
+ break;
}
i++;
-}
-
-return 0;
+ }
+
+ return 0;
}
typedef struct princ_info {
- krb5_principal p;
- krb5_boolean found;
+ krb5_principal p;
+ krb5_boolean found;
}princ_info;
/**********************************************************************
get_best_princ_for_target -
-sets the client name, path_out gets set, if authorization is not possible
-path_out gets set to ...
+sets the client name, path_out gets set, if authorization is not possible
+path_out gets set to ...
***********************************************************************/
@@ -555,239 +532,245 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
int *path_out;
{
-princ_info princ_trials[10];
-char * cc_source_name;
-krb5_principal cc_def_princ = NULL;
-krb5_principal temp_client;
-krb5_principal target_client;
-krb5_principal source_client;
-krb5_principal end_server;
-krb5_error_code retval;
-char ** aplist =NULL;
-krb5_boolean found = FALSE;
-struct stat tb;
-int count =0;
-int i;
-struct stat st_temp;
-
-*path_out = 0;
-
-/* -n option was specified client is set we are done */
-if (options->princ){
- return 0;
-}
-
-cc_source_name = krb5_cc_get_name(context, cc_source);
-
-if ( ! stat(cc_source_name, &st_temp)){
- if (retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ)){
- return retval;
- }
-}
+ princ_info princ_trials[10];
+ char * cc_source_name;
+ krb5_principal cc_def_princ = NULL;
+ krb5_principal temp_client;
+ krb5_principal target_client;
+ krb5_principal source_client;
+ krb5_principal end_server;
+ krb5_error_code retval;
+ char ** aplist =NULL;
+ krb5_boolean found = FALSE;
+ struct stat tb;
+ int count =0;
+ int i;
+ struct stat st_temp;
-if (retval=krb5_parse_name(context, target_user, &target_client)){
- return retval;
-}
+ *path_out = 0;
-if (retval=krb5_parse_name(context, source_user, &source_client)){
- return retval;
-}
+ /* -n option was specified client is set we are done */
+ if (options->princ)
+ return 0;
+ cc_source_name = krb5_cc_get_name(context, cc_source);
+ /* Reset the euid while we open the source ccache */
+#if defined(_POSIX_SAVED_IDS) && defined(HAVE_SETEUID)
+ if (seteuid(source_uid)) {
+ com_err(prog_name, errno, "while setting the effective uid");
+ exit(1);
+ }
+#else
+# if defined(HAVE_SETRESUID)
+ if (setresuid(-1, source_uid, -1)) {
+ com_err(prog_name, errno, "while setting the effective uid");
+ exit(1);
+ }
+# else
+# if defined(HAVE_SETREUID)
+ if (setreuid(0, source_uid)) {
+ com_err(prog_name, errno, "while setting the real/effective uid");
+ exit(1);
+ }
+# endif /* HAVE_SETREUID */
+# endif /* HAVE_SETRESUID */
+#endif /* _POSIX_SAVED_IDS */
+
+ if (! stat(cc_source_name, &st_temp))
+ if (retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ))
+ return retval;
+
+#if defined(_POSIX_SAVED_IDS) && defined(HAVE_SETEUID)
+ if (seteuid(0)) {
+ com_err(prog_name, errno, "while setting the effective uid");
+ exit(1);
+ }
+#else
+# if defined(HAVE_SETRESUID)
+ if (setresuid(-1, 0, -1)) {
+ com_err(prog_name, errno, "while setting the effective uid");
+ exit(1);
+ }
+# else
+# if defined(HAVE_SETREUID)
+ if (setreuid(source_uid, 0)) {
+ com_err(prog_name, errno, "while setting the real/effective uid");
+ exit(1);
+ }
+# endif /* HAVE_SETREUID */
+# endif /* HAVE_SETRESUID */
+#endif /* _POSIX_SAVED_IDS */
+
+ if (retval=krb5_parse_name(context, target_user, &target_client))
+ return retval;
+ if (retval=krb5_parse_name(context, source_user, &source_client))
+ return retval;
-if (source_uid == 0){
- if (target_uid != 0){
- *client = target_client; /* this will be used to restrict
- the cache copty */
- }else{
- if(cc_def_princ){
- *client = cc_def_princ;
- }else{
- *client = target_client;
- }
+ if (source_uid == 0){
+ if (target_uid != 0)
+ *client = target_client; /* this will be used to restrict
+ the cache copty */
+ else {
+ if(cc_def_princ)
+ *client = cc_def_princ;
+ else
+ *client = target_client;
}
- if (auth_debug){
- printf(" GET_best_princ_for_target: via source_uid == 0\n");
- }
+ if (auth_debug)
+ printf(" GET_best_princ_for_target: via source_uid == 0\n");
return 0;
-}
+ }
-/* from here on, the code is for source_uid != 0 */
+ /* from here on, the code is for source_uid != 0 */
-if (source_uid && (source_uid == target_uid)){
- if(cc_def_princ){
- *client = cc_def_princ;
- }else{
- *client = target_client;
- }
- if (auth_debug){
+ if (source_uid && (source_uid == target_uid)){
+ if(cc_def_princ)
+ *client = cc_def_princ;
+ else
+ *client = target_client;
+ if (auth_debug)
printf("GET_best_princ_for_target: via source_uid == target_uid\n");
- }
-
return 0;
-}
+ }
- /* if .k5users and .k5login do not exist */
-if ( stat(k5login_path, &tb) && stat(k5users_path, &tb) ){
+ /* if .k5users and .k5login do not exist */
+ if (stat(k5login_path, &tb) && stat(k5users_path, &tb) ){
*client = target_client;
- if ( cmd){
- *path_out = NOT_AUTHORIZED;
- }
+ if (cmd)
+ *path_out = NOT_AUTHORIZED;
- if (auth_debug){
- printf(" GET_best_princ_for_target: via no auth files path\n");
- }
+ if (auth_debug)
+ printf(" GET_best_princ_for_target: via no auth files path\n");
return 0;
-}else{
- if (retval = get_authorized_princ_names(target_user, cmd, & aplist)){
- return retval;
+ }else{
+ if (retval = get_authorized_princ_names(target_user, cmd, &aplist))
+ return retval;
+
+ /* .k5users or .k5login exist, but no authorization */
+ if ((!aplist) || (!aplist[0])) {
+ *path_out = NOT_AUTHORIZED;
+ if (auth_debug)
+ printf("GET_best_princ_for_target: via empty auth files path\n");
+ return 0;
}
+ }
- /* .k5users or .k5login exist, but no authorization */
- if ((!aplist) || (!aplist[0])){
- *path_out = NOT_AUTHORIZED;
- if (auth_debug){
- printf(
- "GET_best_princ_for_target: via empty auth files path\n");
- }
- return 0;
- }
-}
-
-if (retval = krb5_sname_to_principal(context, hostname, NULL,
- KRB5_NT_SRV_HST, &end_server)){
+ if (retval = krb5_sname_to_principal(context, hostname, NULL,
+ KRB5_NT_SRV_HST, &end_server))
return retval;
-}
-/* first see if default principal of the source cache
- can get us in, then the target_user@realm, then the
- source_user@realm. If all of them fail, try any
- other ticket in the cache.
-*/
+ /* first see if default principal of the source cache
+ * can get us in, then the target_user@realm, then the
+ * source_user@realm. If all of them fail, try any
+ * other ticket in the cache. */
-if (cc_def_princ){
+ if (cc_def_princ)
princ_trials[count ++].p = cc_def_princ;
-}else{
+ else
princ_trials[count ++].p = NULL;
-}
-princ_trials[count ++].p = target_client;
-princ_trials[count ++].p = source_client;
-for (i= 0; i < count; i ++){
- princ_trials[i].found = FALSE;
-}
+ princ_trials[count ++].p = target_client;
+ princ_trials[count ++].p = source_client;
+
+ for (i= 0; i < count; i ++)
+ princ_trials[i].found = FALSE;
-for (i= 0; i < count; i ++){
- if(princ_trials[i].p){
- if (retval= find_princ_in_list(context, princ_trials[i].p, aplist, &found)){
+ for (i= 0; i < count; i ++){
+ if(princ_trials[i].p) {
+ if (retval= find_princ_in_list(context, princ_trials[i].p, aplist, &found))
return retval;
- }
- if ( found == TRUE){
- princ_trials[i].found = TRUE;
+ if (found == TRUE){
+ princ_trials[i].found = TRUE;
- if (retval = find_either_ticket (context, cc_source, princ_trials[i].p,
- end_server, &found)){
- return retval;
- }
+ if (retval = find_either_ticket (context, cc_source,
+ princ_trials[i].p,
+ end_server, &found))
+ return retval;
if (found == TRUE){
- *client = princ_trials[i].p;
- if (auth_debug){
- printf("GET_best_princ_for_target: via ticket file, choice #%d\n", i);
- }
- return 0;
+ *client = princ_trials[i].p;
+ if (auth_debug)
+ printf("GET_best_princ_for_target: via ticket file, choice #%d\n", i);
+ return 0;
}
- }
- }
-}
+ }
+ }
+ }
-/* out of preferred principals, see if there is any ticket that will
- get us in */
+ /* out of preferred principals, see if there is any ticket that will
+ get us in */
-i=0;
-while (aplist[i]){
+ i=0;
+ while (aplist[i]){
- if (retval = krb5_parse_name(context, aplist[i], &temp_client)){
- return retval;
- }
+ if (retval = krb5_parse_name(context, aplist[i], &temp_client))
+ return retval;
if (retval = find_either_ticket (context, cc_source, temp_client,
- end_server, &found)){
- return retval;
- }
+ end_server, &found))
+ return retval;
+
if (found == TRUE){
- if (auth_debug){
- printf("GET_best_princ_for_target: via ticket file, choice: any ok ticket \n" );
- }
- *client = temp_client;
- return 0;
+ if (auth_debug)
+ printf("GET_best_princ_for_target: via ticket file, choice: any ok ticket \n" );
+ *client = temp_client;
+ return 0;
}
krb5_free_principal(context, temp_client);
i++;
-}
+ }
-/* no tickets qualified, select a principal, that may be used
- for password promting */
+ /* no tickets qualified, select a principal, that may be used
+ for password promting */
-for (i=0; i < count; i ++){
- if (princ_trials[i].found == TRUE){
- *client = princ_trials[i].p;
+ for (i=0; i < count; i ++){
+ if (princ_trials[i].found == TRUE){
+ *client = princ_trials[i].p;
- if (auth_debug){
- printf(
- "GET_best_princ_for_target: via prompt passwd list choice #%d \n",i);
- }
- return 0;
+ if (auth_debug)
+ printf("GET_best_princ_for_target: via prompt passwd list choice #%d \n",i);
+ return 0;
}
-}
+ }
#ifdef PRINC_LOOK_AHEAD
-
-
-for (i=0; i < count; i ++){
+ for (i=0; i < count; i ++){
if (princ_trials[i].p){
- if(retval=krb5_copy_principal(context, princ_trials[i].p,
- &temp_client)){
- return retval;
- }
+ if(retval=krb5_copy_principal(context, princ_trials[i].p,
+ &temp_client))
+ return retval;
- /* get the client name that is the closest
- to the three princ in trials */
+ /* get the client name that is the closest
+ to the three princ in trials */
- if(retval=get_closest_principal(context, aplist, &temp_client, & found)){
- return retval;
- }
+ if(retval=get_closest_principal(context, aplist, &temp_client, & found))
+ return retval;
- if (found == TRUE){
- *client = temp_client;
- if (auth_debug){
- printf(
- "GET_best_princ_for_target: via prompt passwd list choice: approximation of princ in trials # %d \n",i);
- }
- return 0;
- }
- krb5_free_principal(context, temp_client);
+ if (found == TRUE){
+ *client = temp_client;
+ if (auth_debug)
+ printf("GET_best_princ_for_target: via prompt passwd list choice: approximation of princ in trials # %d \n",i);
+ return 0;
+ }
+ krb5_free_principal(context, temp_client);
}
-}
-
-
-#endif /* PRINC_LOOK_AHEAD */
+ }
+#endif /* PRINC_LOOK_AHEAD */
-if(auth_debug){
+ if(auth_debug)
printf( "GET_best_princ_for_target: out of luck, can't get appropriate default principal\n");
-}
-
-*path_out = NOT_AUTHORIZED;
-return 0;
+ *path_out = NOT_AUTHORIZED;
+ return 0;
}
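Review bot: The preprocessor ladder around `krb5_cc_get_principal` has no innermost `#else`: on a build where none of `_POSIX_SAVED_IDS`/HAVE_SETEUID, HAVE_SETRESUID or HAVE_SETREUID is defined, the source ccache is still opened with effective uid 0 and nothing reports it, silently defeating the protection this commit introduces. Adding `#  error "no supported way to change the effective uid"` (or at minimum a comment stating the fallback) after the HAVE_SETREUID branch would make that degradation visible at build time, and the restore ladder that follows needs the same treatment. Separately, the `return retval;` on `krb5_cc_get_principal` failure sits between the drop and the restore, so that error path returns to the caller with the effective uid still set to `source_uid`; the restore should run on that path too, for example by saving the error and falling through to the restore block, or by moving the drop/restore ladder into a small static helper called at both sites, so the function leaves the process in the same uid state on every exit.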