authorOndrej Kos <okos@redhat.com>2012-10-02 18:56:39 +0200
committerJakub Hrozek <jhrozek@redhat.com>2012-10-04 19:43:23 +0200
commit8fe574521b7f8b14e17aea1d9afb471b80761b83 (patch)
tree4ae0aa549e9e5c43e2c6862a0ec72a740d1aca87
parente7dd2a5102ba6cfd28be6eccdd62768e9758d9f4 (diff)
Log possibly non-randomizable ccache file template
Fixes https://fedorahosted.org/sssd/ticket/1533. The ccache file template is now checked for a trailing XXXXXX, which is required for use with mkstemp. When those characters are not present, a warning is written to the log.
-rw-r--r--src/providers/krb5/krb5_auth.c7
-rw-r--r--src/providers/krb5/krb5_child.c2
-rw-r--r--src/providers/krb5/krb5_utils.c20
-rw-r--r--src/providers/krb5/krb5_utils.h3
4 files changed, 26 insertions, 6 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index a305bb69c..e244cea5a 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -88,6 +88,7 @@ check_old_ccache(const char *old_ccache, struct krb5child_req *kr,
const char *realm, bool *active, bool *valid)
{
struct sss_krb5_cc_be *old_cc_ops;
+ const char *cc_template;
errno_t ret;
/* ccache file might be of a different type if the user changed
@@ -100,8 +101,10 @@ check_old_ccache(const char *old_ccache, struct krb5child_req *kr,
return EINVAL;
}
- ret = old_cc_ops->check_existing(old_ccache, kr->uid, realm,
- kr->upn, active, valid);
+ cc_template = dp_opt_get_cstring(kr->krb5_ctx->opts, KRB5_CCNAME_TMPL);
+
+ ret = old_cc_ops->check_existing(old_ccache, kr->uid, realm, kr->upn,
+ cc_template, active, valid);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
("Cannot check if saved ccache %s is active and valid\n",
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 6987d2b9e..b2d5bdaeb 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -337,7 +337,7 @@ static krb5_error_code create_ccache_file(krb5_context ctx,
ccname_len = strlen(cc_file_name);
- if (ccname_len >= 6 && strcmp(cc_file_name + (ccname_len-6), "XXXXXX")==0 ) {
+ if (ccname_len >= 6 && strcmp(cc_file_name + (ccname_len - 6), "XXXXXX") == 0) {
fd = mkstemp(cc_file_name);
if (fd == -1) {
kerr = errno;
diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
index 774f62dad..73a711d91 100644
--- a/src/providers/krb5/krb5_utils.c
+++ b/src/providers/krb5/krb5_utils.c
@@ -695,10 +695,24 @@ cc_residual_is_used(uid_t uid, const char *ccname,
return EOK;
}
+static void
+cc_check_template(const char *cc_template)
+{
+ size_t template_len;
+
+ template_len = strlen(cc_template);
+ if (template_len >= 6 &&
+ strcmp(cc_template + (template_len - 6), "XXXXXX") != 0) {
+ DEBUG(SSSDBG_CONF_SETTINGS, ("ccache file name template [%s] doesn't "
+ "contain randomizing characters (XXXXXX), file might not "
+ "be rewritable\n", cc_template));
+ }
+}
+
errno_t
cc_file_check_existing(const char *location, uid_t uid,
const char *realm, const char *princ,
- bool *_active, bool *_valid)
+ const char *cc_template, bool *_active, bool *_valid)
{
errno_t ret;
bool active;
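Review bot: In cc_check_template the length test is joined with `&&`, so a template shorter than six characters, which cannot end in XXXXXX, never triggers the warning. The condition should read `if (template_len < 6 || strcmp(cc_template + (template_len - 6), "XXXXXX") != 0) {`. The helper also calls strlen() on its argument unconditionally, and the caller in krb5_auth.c passes the result of dp_opt_get_cstring() straight through. Unless that option is guaranteed to have a default, a guard such as `if (cc_template == NULL) return;` belongs at the top. The body of cc_file_check_existing continues outside this hunk.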
@@ -723,6 +737,7 @@ cc_file_check_existing(const char *location, uid_t uid,
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("Could not check if ccache is active. "
"Will create a new one.\n"));
+ cc_check_template(cc_template);
active = false;
}
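Review bot: The template hint added on this error path is logged inside cc_check_template at SSSDBG_CONF_SETTINGS, while the failure it explains is logged at SSSDBG_OP_FAILURE. A debug level that includes the failure but not configuration settings therefore shows the failure without the hint. Because a template without XXXXXX bypasses mkstemp and yields a fixed ccache file name, the warning is worth emitting at the same level as the failure. The call also runs only when the activity check fails, so a comment such as `/* a non-randomized template is a likely cause; hint at it */` would explain why it sits here rather than at configuration load. The same applies to the identical call added in cc_dir_check_existing; both enclosing functions extend beyond their hunks.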
@@ -846,7 +861,7 @@ get_ccache_for_princ(krb5_context context, const char *location,
errno_t
cc_dir_check_existing(const char *location, uid_t uid,
const char *realm, const char *princ,
- bool *_active, bool *_valid)
+ const char *cc_template, bool *_active, bool *_valid)
{
bool active = false;
bool valid = false;
@@ -893,6 +908,7 @@ cc_dir_check_existing(const char *location, uid_t uid,
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("Could not check if ccache is active. "
"Will create a new one.\n"));
+ cc_check_template(cc_template);
active = false;
}
diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h
index d8d96d258..00dfc8515 100644
--- a/src/providers/krb5/krb5_utils.h
+++ b/src/providers/krb5/krb5_utils.h
@@ -37,7 +37,8 @@ typedef errno_t (*cc_be_create_fn)(const char *location, pcre *illegal_re,
uid_t uid, gid_t gid, bool private_path);
typedef errno_t (*cc_be_check_existing)(const char *location, uid_t uid,
const char *realm, const char *princ,
- bool *active, bool *valid);
+ const char *cc_template, bool *active,
+ bool *valid);
typedef const char * (*cc_be_ccache_for_princ)(TALLOC_CTX *mem_ctx,
const char *location,
const char *princ);
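Review bot: The cc_be_check_existing typedef gains a cc_template parameter with no comment stating what callers must pass. A short comment above the typedef, for example `/* cc_template: configured ccache name template, used only for diagnostics; must not be NULL */`, would fix the contract for every backend that implements this callback. The "must not be NULL" part should match whatever cc_check_template in krb5_utils.c actually tolerates.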