authorKen Raeburn <raeburn@mit.edu>2007-10-22 19:18:53 +0000
committerKen Raeburn <raeburn@mit.edu>2007-10-22 19:18:53 +0000
commit3d8fa6bb4012296a53fe04e486a9157a2963b644 (patch)
tree7c0f5dcc658ebd75d758024a21097af95d616e05 /src/lib/krb4
parent70e8d7a6c50bbdb547150eba0abdef46d93d5b71 (diff)
Set close-on-exec flag in most places where file descriptors are
opened in our libraries (in case another application thread spawns a new process) and in the KDC programs (in case a plugin library spawns a new process). Checked calls to: open fopen THREEPARAMOPEN mkstemp socket accept dup dup2 pipe. In: util lib plugins kdc kadmin/server krb524. The various programs are less critical than the libraries, as any well-written plugin that spawns a new process should close all file descriptors it doesn't need to communicate with the new process. This approach also isn't bulletproof, as the call to set the close-on-exec flag is necessarily a separate call from creating the file descriptor, and the fork call could happen in between them. So plugins should be careful regardless of this patch; it will only reduce the window of potential lossage should a plugin be poorly written. (AFAIK there are currently no plugins that spawn processes where this would be a problem.) Update dependencies. ticket: 5561 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20143 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb4')
-rw-r--r--src/lib/krb4/Makefile.in13
-rw-r--r--src/lib/krb4/dest_tkt.c4
-rw-r--r--src/lib/krb4/g_cnffile.c9
-rw-r--r--src/lib/krb4/in_tkt.c7
-rw-r--r--src/lib/krb4/kadm_net.c3
-rw-r--r--src/lib/krb4/klog.c4
-rw-r--r--src/lib/krb4/kuserok.c4
-rw-r--r--src/lib/krb4/log.c5
-rw-r--r--src/lib/krb4/put_svc_key.c2
-rw-r--r--src/lib/krb4/rd_svc_key.c3
-rw-r--r--src/lib/krb4/tf_shm.c6
-rw-r--r--src/lib/krb4/tf_util.c8
-rw-r--r--src/lib/krb4/win_store.c4
13 files changed, 56 insertions, 16 deletions
diff --git a/src/lib/krb4/Makefile.in b/src/lib/krb4/Makefile.in
index 8085a1db2b..5faefaef73 100644
--- a/src/lib/krb4/Makefile.in
+++ b/src/lib/krb4/Makefile.in
@@ -515,10 +515,12 @@ tf_util.so tf_util.po $(OUTPRE)tf_util.$(OBJEXT): $(BUILDTOP)/include/autoconf.h
krb4int.h tf_util.c
dest_tkt.so dest_tkt.po $(OUTPRE)dest_tkt.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-util.h $(SRCTOP)/include/kerberosIV/des.h \
+ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
+ $(SRCTOP)/include/k5-util.h $(SRCTOP)/include/kerberosIV/des.h \
$(SRCTOP)/include/kerberosIV/krb.h dest_tkt.c
in_tkt.so in_tkt.po $(OUTPRE)in_tkt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \
+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
$(SRCTOP)/include/k5-util.h $(SRCTOP)/include/kerberosIV/des.h \
$(SRCTOP)/include/kerberosIV/krb.h in_tkt.c
tkt_string.so tkt_string.po $(OUTPRE)tkt_string.$(OBJEXT): \
@@ -550,15 +552,18 @@ unix_glue.so unix_glue.po $(OUTPRE)unix_glue.$(OBJEXT): \
krb4int.h unix_glue.c
klog.so klog.po $(OUTPRE)klog.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \
+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
$(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/klog.h \
$(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \
klog.c krb4int.h
kuserok.so kuserok.po $(OUTPRE)kuserok.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \
+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
$(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \
kuserok.c
log.so log.po $(OUTPRE)log.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \
+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
$(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/klog.h \
$(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \
krb4int.h log.c
@@ -617,9 +622,9 @@ cr_death_pkt.so cr_death_pkt.po $(OUTPRE)cr_death_pkt.$(OBJEXT): \
$(SRCTOP)/include/kerberosIV/prot.h cr_death_pkt.c
put_svc_key.so put_svc_key.po $(OUTPRE)put_svc_key.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \
- krb4int.h put_svc_key.c
+ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
+ $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \
+ $(SRCTOP)/include/port-sockets.h krb4int.h put_svc_key.c
sendauth.so sendauth.po $(OUTPRE)sendauth.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \
diff --git a/src/lib/krb4/dest_tkt.c b/src/lib/krb4/dest_tkt.c
index 4f7c1e377a..69198ba6cd 100644
--- a/src/lib/krb4/dest_tkt.c
+++ b/src/lib/krb4/dest_tkt.c
@@ -1,7 +1,7 @@
/*
* lib/krb4/dest_tkt.c
*
- * Copyright 1985, 1986, 1987, 1988, 2000, 2001 by the Massachusetts
+ * Copyright 1985, 1986, 1987, 1988, 2000, 2001, 2007 by the Massachusetts
* Institute of Technology. All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -32,6 +32,7 @@
#include "k5-util.h"
#define do_seteuid krb5_seteuid
+#include "k5-platform.h"
#ifdef TKT_SHMEM
#include <sys/param.h>
@@ -102,6 +103,7 @@ dest_tkt()
ret = (errno == ENOENT) ? RET_TKFIL : KFAILURE;
goto out;
}
+ set_cloexec_fd(fd);
/*
* Do some additional paranoid things. The worst-case situation
* is that a user may be fooled into opening a non-regular file
diff --git a/src/lib/krb4/g_cnffile.c b/src/lib/krb4/g_cnffile.c
index dd5ed5c60d..8ef38feefb 100644
--- a/src/lib/krb4/g_cnffile.c
+++ b/src/lib/krb4/g_cnffile.c
@@ -41,6 +41,8 @@ krb__v5_get_file(s)
&full_name);
if (retval == 0 && full_name && full_name[0]) {
cnffile = fopen(full_name[0],"r");
+ if (cnffile)
+ set_cloexec_file(cnffile);
for (cpp = full_name; *cpp; cpp++)
krb5_xfree(*cpp);
krb5_xfree(full_name);
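Review bot: No hunk for g_cnffile.c adds `#include "k5-platform.h"`, although dest_tkt.c, in_tkt.c, klog.c, kuserok.c, log.c and put_svc_key.c each gain one alongside their new `set_cloexec_fd`/`set_cloexec_file` calls. The same holds for kadm_net.c, rd_svc_key.c, tf_shm.c, tf_util.c and win_store.c, so those calls rely on the helpers already being visible through an existing include that this page does not show. This is worth confirming with a build that covers the conditionally compiled files (tf_shm.c and win_store.c, presumably built only with TKT_SHMEM or on Windows), or by adding the explicit `#include "k5-platform.h"` there too. The body of krb__v5_get_file starts and ends outside this hunk.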
@@ -97,6 +99,8 @@ krb__get_cnffile()
#ifdef ATHENA_CONF_FALLBACK
if (!cnffile) cnffile = fopen(KRB_FB_CONF,"r");
#endif
+ if (cnffile)
+ set_cloexec_file(cnffile);
return cnffile;
}
@@ -117,7 +121,8 @@ krb__get_realmsfile()
if (!realmsfile) realmsfile = fopen(KRB_FB_RLM_TRANS, "r");
#endif
+ if (realmsfile)
+ set_cloexec_file(realmsfile);
+
return realmsfile;
}
-
-
diff --git a/src/lib/krb4/in_tkt.c b/src/lib/krb4/in_tkt.c
index 26336e2269..e2d071aece 100644
--- a/src/lib/krb4/in_tkt.c
+++ b/src/lib/krb4/in_tkt.c
@@ -1,7 +1,7 @@
/*
* lib/krb4/in_tkt.c
*
- * Copyright 1985, 1986, 1987, 1988, 2000, 2001 by the Massachusetts
+ * Copyright 1985, 1986, 1987, 1988, 2000, 2001, 2007 by the Massachusetts
* Institute of Technology. All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -49,6 +49,7 @@ extern int krb_debug;
#include "k5-util.h"
#define do_seteuid krb5_seteuid
+#include "k5-platform.h"
#ifndef O_SYNC
#define O_SYNC 0
@@ -94,6 +95,8 @@ in_tkt(pname,pinst)
return KFAILURE;
/* file already exists, and permissions appear ok, so nuke it */
fd = open(file, O_RDWR|O_SYNC, 0);
+ if (fd >= 0)
+ set_cloexec_fd(fd);
(void)unlink(file);
if (me != metoo && do_seteuid(metoo) < 0)
return KFAILURE;
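Review bot: The ticket-file descriptor is still inheritable between `open()` and `set_cloexec_fd(fd)`, so a fork and exec from another thread in that window hands it to the child; the commit message acknowledges this gap. Where the platform defines `O_CLOEXEC`, passing it in the open flags sets the flag atomically. This file already uses the matching fallback idiom (`#ifndef O_SYNC` / `#define O_SYNC 0`), so add `#ifndef O_CLOEXEC` / `#define O_CLOEXEC 0` and call `open(file, O_RDWR|O_SYNC|O_CLOEXEC, 0)`, keeping `set_cloexec_fd` for platforms without the flag. The same applies to the second `open()` in in_tkt, the two `open()` calls in tf_init (tf_util.c), and the service-key opens in put_svc_key.c and rd_svc_key.c. The body of in_tkt extends beyond this hunk.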
@@ -153,6 +156,8 @@ in_tkt(pname,pinst)
ticket file. */
mask = umask(077);
tktfile = open(file, O_RDWR|O_SYNC|O_CREAT|O_EXCL, 0600);
+ if (tktfile >= 0)
+ set_cloexec_fd(tktfile);
umask(mask);
if (me != metoo) {
if (do_seteuid(metoo) < 0) {
diff --git a/src/lib/krb4/kadm_net.c b/src/lib/krb4/kadm_net.c
index a94aab846c..89c87cc27e 100644
--- a/src/lib/krb4/kadm_net.c
+++ b/src/lib/krb4/kadm_net.c
@@ -1,7 +1,7 @@
/*
* lib/krb4/kadm_net.c
*
- * Copyright 1988, 2002 by the Massachusetts Institute of Technology.
+ * Copyright 1988, 2002, 2007 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -267,6 +267,7 @@ int kadm_cli_conn(Kadm_Client *client_parm)
if ((client_parm->admin_fd =
socket(client_parm->admin_addr.sin_family, SOCK_STREAM,0)) < 0)
return KADM_NO_SOCK; /* couldnt create the socket */
+ set_cloexec_fd(client_parm->admin_fd);
if (SOCKET_CONNECT(client_parm->admin_fd,
(struct sockaddr *) & client_parm->admin_addr,
sizeof(client_parm->admin_addr))) {
diff --git a/src/lib/krb4/klog.c b/src/lib/krb4/klog.c
index 4e9661a891..b1cfa93b40 100644
--- a/src/lib/krb4/klog.c
+++ b/src/lib/krb4/klog.c
@@ -1,7 +1,7 @@
/*
* lib/krb4/klog.c
*
- * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute of
+ * Copyright 1985, 1986, 1987, 1988, 2007 by the Massachusetts Institute of
* Technology. All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -36,6 +36,7 @@
#include "krb4int.h"
#include <klog.h>
+#include "k5-platform.h"
static char *log_name = KRBLOG;
static char logtxt[1000];
@@ -98,6 +99,7 @@ char * klog(type,format,a1,a2,a3,a4,a5,a6,a7,a8,a9,a0)
if ((logfile = fopen(log_name,"a")) == NULL)
return(logtxt);
+ set_cloexec_file(logfile);
(void) time(&now);
tm = localtime(&now);
diff --git a/src/lib/krb4/kuserok.c b/src/lib/krb4/kuserok.c
index 4078ec3c24..84a8ebde8f 100644
--- a/src/lib/krb4/kuserok.c
+++ b/src/lib/krb4/kuserok.c
@@ -1,7 +1,7 @@
/*
* lib/krb4/kuserok.c
*
- * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
+ * Copyright 1987, 1988, 2007 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -45,6 +45,7 @@
/* just for F_OK for sco */
#include <sys/unistd.h>
#endif
+#include "k5-platform.h"
#ifndef HAVE_SETEUID
#ifdef HAVE_SETRESUID
@@ -135,6 +136,7 @@ kuserok(kdata, luser)
return(NOTOK);
}
}
+ set_cloexec_file(fp);
/*
* security: if the user does not own his own .klogin file,
* do not grant access
diff --git a/src/lib/krb4/log.c b/src/lib/krb4/log.c
index ada6fdfe0b..5be69eaf5a 100644
--- a/src/lib/krb4/log.c
+++ b/src/lib/krb4/log.c
@@ -1,7 +1,7 @@
/*
* lib/krb4/log.c
*
- * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute of
+ * Copyright 1985, 1986, 1987, 1988, 2007 by the Massachusetts Institute of
* Technology. All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -43,6 +43,7 @@
#include "krb4int.h"
#include <klog.h>
+#include "k5-platform.h"
static char *log_name = KRBLOG;
#if 0
@@ -80,6 +81,7 @@ void krb_log(const char *format,...)
va_start(args, format);
if ((logfile = fopen(log_name,"a")) != NULL) {
+ set_cloexec_file(logfile);
(void) time(&now);
tm = localtime(&now);
@@ -128,6 +130,7 @@ krb_new_log(t,string)
if (!is_open) {
if ((logfile = fopen(log_name,"a")) == NULL) return(1);
+ set_cloexec_file(logfile);
is_open = 1;
}
diff --git a/src/lib/krb4/put_svc_key.c b/src/lib/krb4/put_svc_key.c
index dda60163db..53e53c71a3 100644
--- a/src/lib/krb4/put_svc_key.c
+++ b/src/lib/krb4/put_svc_key.c
@@ -32,6 +32,7 @@
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
+#include "k5-platform.h"
#define KEYSZ sizeof(C_Block)
/* strict put_svc_key.
@@ -58,6 +59,7 @@ put_svc_key(sfile,name,inst,realm,newvno,key)
if ((fd = open(sfile, O_RDWR)) < 0)
return KFAILURE;
+ set_cloexec_fd(fd);
while(getst(fd,fname,SNAME_SZ) > 0) {
getst(fd,finst,INST_SZ);
diff --git a/src/lib/krb4/rd_svc_key.c b/src/lib/krb4/rd_svc_key.c
index 2728f4a1c6..8aeb0999b0 100644
--- a/src/lib/krb4/rd_svc_key.c
+++ b/src/lib/krb4/rd_svc_key.c
@@ -1,7 +1,7 @@
/*
* rd_svc_key.c
*
- * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
+ * Copyright 1985, 1986, 1987, 1988, 2007 by the Massachusetts Institute
* of Technology.
*
* For copying and distribution information, please see the file
@@ -283,6 +283,7 @@ get_service_key(service,instance,realm,kvno,file,key)
if ((stab = open(file, 0, 0)) < 0)
return(KFAILURE);
+ set_cloexec_fd(stab);
wcard = (instance[0] == '*') && (instance[1] == '\0');
/* get current realm if not passed in */
diff --git a/src/lib/krb4/tf_shm.c b/src/lib/krb4/tf_shm.c
index bd08f7f722..2b040713c1 100644
--- a/src/lib/krb4/tf_shm.c
+++ b/src/lib/krb4/tf_shm.c
@@ -1,7 +1,7 @@
/*
* tf_shm.c
*
- * Copyright 1988 by the Massachusetts Institute of Technology.
+ * Copyright 1988, 2007 by the Massachusetts Institute of Technology.
*
* For copying and distribution information, please see the file
* <mit-copyright.h>.
@@ -86,7 +86,8 @@ char *file_name;
perror("krb_shm_create file");
(void) shmctl(shmid, IPC_RMID, 0);
return(KFAILURE); /* XXX */
- }
+ }
+ set_cloexec_file(sfile);
if (fchmod(fileno(sfile),0600) < 0) {
if (krb_debug)
perror("krb_shm_create fchmod");
@@ -147,6 +148,7 @@ char *file;
perror("cannot open shared memory file");
return(KFAILURE); /* XXX */
}
+ set_cloexec_file(sfile);
if (fscanf(sfile,"%d",&shmid) == 1) {
if (shmctl(shmid,IPC_RMID,0) != 0) {
if (krb_debug)
diff --git a/src/lib/krb4/tf_util.c b/src/lib/krb4/tf_util.c
index b083c73b87..0bc05d75d8 100644
--- a/src/lib/krb4/tf_util.c
+++ b/src/lib/krb4/tf_util.c
@@ -1,7 +1,7 @@
/*
* lib/krb4/tf_util.c
*
- * Copyright 1985, 1986, 1987, 1988, 2000, 2001 by the Massachusetts
+ * Copyright 1985, 1986, 1987, 1988, 2000, 2001, 2007 by the Massachusetts
* Institute of Technology. All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -419,6 +419,8 @@ int KRB5_CALLCONV tf_init(tf_name, rw)
return KFAILURE;
sfp = fopen(shmidname, "r"); /* only need read/write on the
actual tickets */
+ if (sfp != 0)
+ set_cloexec_file(sfp);
if (me != metoo && do_seteuid(metoo) < 0)
return KFAILURE;
if (sfp == 0) {
@@ -512,6 +514,8 @@ int KRB5_CALLCONV tf_init(tf_name, rw)
if (me != metoo && do_seteuid(me) < 0)
return KFAILURE;
fd = open(tf_name, O_RDWR, 0600);
+ if (fd >= 0)
+ set_cloexec_fd(fd);
if (me != metoo && do_seteuid(metoo) < 0)
return KFAILURE;
if (fd < 0) {
@@ -572,6 +576,8 @@ int KRB5_CALLCONV tf_init(tf_name, rw)
if (me != metoo && do_seteuid(me) < 0)
return KFAILURE;
fd = open(tf_name, O_RDONLY, 0600);
+ if (fd >= 0)
+ set_cloexec_fd(fd);
if (me != metoo && do_seteuid(metoo) < 0)
return KFAILURE;
if (fd < 0) {
diff --git a/src/lib/krb4/win_store.c b/src/lib/krb4/win_store.c
index 74c79ac5a3..9c2c37aa93 100644
--- a/src/lib/krb4/win_store.c
+++ b/src/lib/krb4/win_store.c
@@ -75,6 +75,8 @@ krb__get_cnffile()
cnfname, sizeof(cnfname) - 1, KERBEROS_INI);
cnffile = fopen(cnfname, "r");
+ if (cnffile)
+ set_cloexec_file(cnffile);
return cnffile;
}
@@ -109,6 +111,8 @@ krb__get_realmsfile()
realmsname, sizeof(realmsname) - 1, KERBEROS_INI);
realmsfile = fopen(realmsname, "r");
+ if (realmsfile)
+ set_cloexec_file(realmsfile);
return realmsfile;
}