From 8fe574521b7f8b14e17aea1d9afb471b80761b83 Mon Sep 17 00:00:00 2001
From: Ondrej Kos <okos@redhat.com>
Date: Tue, 2 Oct 2012 18:56:39 +0200
Subject: Log possibly non-randomizable ccache file template

fixes https://fedorahosted.org/sssd/ticket/1533

ccache file template is now checked for appended XXXXXX for use with
mkstemp. When those characters are not present, warning is written to log.
---
 src/providers/krb5/krb5_auth.c  |  7 +++++--
 src/providers/krb5/krb5_child.c |  2 +-
 src/providers/krb5/krb5_utils.c | 20 ++++++++++++++++++--
 src/providers/krb5/krb5_utils.h |  3 ++-
 4 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index a305bb69c..e244cea5a 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -88,6 +88,7 @@ check_old_ccache(const char *old_ccache, struct krb5child_req *kr,
                  const char *realm, bool *active, bool *valid)
 {
     struct sss_krb5_cc_be *old_cc_ops;
+    const char *cc_template;
     errno_t ret;
 
     /* ccache file might be of a different type if the user changed
@@ -100,8 +101,10 @@ check_old_ccache(const char *old_ccache, struct krb5child_req *kr,
         return EINVAL;
     }
 
-    ret = old_cc_ops->check_existing(old_ccache, kr->uid, realm,
-                                     kr->upn, active, valid);
+    cc_template = dp_opt_get_cstring(kr->krb5_ctx->opts, KRB5_CCNAME_TMPL);
+
+    ret = old_cc_ops->check_existing(old_ccache, kr->uid, realm, kr->upn,
+                                     cc_template, active, valid);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE,
               ("Cannot check if saved ccache %s is active and valid\n",
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 6987d2b9e..b2d5bdaeb 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -337,7 +337,7 @@ static krb5_error_code create_ccache_file(krb5_context ctx,
 
 
     ccname_len = strlen(cc_file_name);
-    if (ccname_len >= 6 && strcmp(cc_file_name + (ccname_len-6), "XXXXXX")==0 ) {
+    if (ccname_len >= 6 && strcmp(cc_file_name + (ccname_len - 6), "XXXXXX") == 0) {
         fd = mkstemp(cc_file_name);
         if (fd == -1) {
             kerr = errno;
diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
index 774f62dad..73a711d91 100644
--- a/src/providers/krb5/krb5_utils.c
+++ b/src/providers/krb5/krb5_utils.c
@@ -695,10 +695,24 @@ cc_residual_is_used(uid_t uid, const char *ccname,
     return EOK;
 }
 
+static void
+cc_check_template(const char *cc_template)
+{
+    size_t template_len;
+
+    template_len = strlen(cc_template);
+    if (template_len >= 6 &&
+        strcmp(cc_template + (template_len - 6), "XXXXXX") != 0) {
+        DEBUG(SSSDBG_CONF_SETTINGS, ("ccache file name template [%s] doesn't "
+                   "contain randomizing characters (XXXXXX), file might not "
+                   "be rewritable\n", cc_template));
+    }
+}
+
 errno_t
 cc_file_check_existing(const char *location, uid_t uid,
                        const char *realm, const char *princ,
-                       bool *_active, bool *_valid)
+                       const char *cc_template, bool *_active, bool *_valid)
 {
     errno_t ret;
     bool active;
@@ -723,6 +737,7 @@ cc_file_check_existing(const char *location, uid_t uid,
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, ("Could not check if ccache is active. "
                                   "Will create a new one.\n"));
+        cc_check_template(cc_template);
         active = false;
     }
 
@@ -846,7 +861,7 @@ get_ccache_for_princ(krb5_context context, const char *location,
 errno_t
 cc_dir_check_existing(const char *location, uid_t uid,
                       const char *realm, const char *princ,
-                      bool *_active, bool *_valid)
+                      const char *cc_template, bool *_active, bool *_valid)
 {
     bool active = false;
     bool valid = false;
@@ -893,6 +908,7 @@ cc_dir_check_existing(const char *location, uid_t uid,
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, ("Could not check if ccache is active. "
                                   "Will create a new one.\n"));
+        cc_check_template(cc_template);
         active = false;
     }
 
diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h
index d8d96d258..00dfc8515 100644
--- a/src/providers/krb5/krb5_utils.h
+++ b/src/providers/krb5/krb5_utils.h
@@ -37,7 +37,8 @@ typedef errno_t (*cc_be_create_fn)(const char *location, pcre *illegal_re,
                                    uid_t uid, gid_t gid, bool private_path);
 typedef errno_t (*cc_be_check_existing)(const char *location, uid_t uid,
                                         const char *realm, const char *princ,
-                                        bool *active, bool *valid);
+                                        const char *cc_template, bool *active,
+                                        bool *valid);
 typedef const char * (*cc_be_ccache_for_princ)(TALLOC_CTX *mem_ctx,
                                                const char *location,
                                                const char *princ);
-- 
cgit