From be894d65471bb6de25623f01a02c606a20b76468 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 28 Aug 2013 23:18:37 -0400 Subject: krb5: Use krb5_cc_destroy to remove old ccaches This completely replaces the per-ccache-type custom code to remove old cacches and instead uses libkrb5 base doperations (krb5_cc_destroy) and operating as the user owner. Resolves: https://fedorahosted.org/sssd/ticket/2061 --- Makefile.am | 1 + src/providers/krb5/krb5_auth.c | 47 ++++++++++----------------- src/providers/krb5/krb5_utils.c | 71 ----------------------------------------- src/providers/krb5/krb5_utils.h | 2 -- src/tests/krb5_child-test.c | 2 +- 5 files changed, 18 insertions(+), 105 deletions(-) diff --git a/Makefile.am b/Makefile.am index 4981ed94d..cbd98db14 100644 --- a/Makefile.am +++ b/Makefile.am @@ -927,6 +927,7 @@ strtonum_tests_LDADD = \ krb5_utils_tests_SOURCES = \ src/tests/krb5_utils-tests.c \ src/providers/krb5/krb5_utils.c \ + src/providers/krb5/krb5_become_user.c \ src/providers/krb5/krb5_common.c \ src/util/sss_krb5.c \ src/util/find_uid.c \ diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index db0aa936f..cce2c9233 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -41,32 +41,14 @@ #include "providers/krb5/krb5_utils.h" static errno_t safe_remove_old_ccache_file(struct sss_krb5_cc_be *cc_be, - const char *princ, const char *old_ccache, - const char *new_ccache) + const char *new_ccache, + uid_t uid, gid_t gid) { int ret; enum sss_krb5_cc_type old_type; - struct sss_krb5_cc_be *old_cc_ops; - - if (old_ccache == NULL) { - DEBUG(SSSDBG_FUNC_DATA, ("No old ccache, nothing to do\n")); - return EOK; - } - - if (new_ccache == NULL) { - DEBUG(SSSDBG_OP_FAILURE, - ("Missing new ccache file, old ccache file is not deleted.\n")); - return EINVAL; - } old_type = sss_krb5_get_type(old_ccache); - old_cc_ops = get_cc_be_ops(old_type); - if (!old_cc_ops) { - DEBUG(SSSDBG_CRIT_FAILURE, ("Cannot get ccache operations\n")); - return EINVAL; - } - if (cc_be->type == old_type && strcmp(old_ccache, new_ccache) == 0) { DEBUG(SSSDBG_TRACE_FUNC, ("New and old ccache file are the same, " @@ -74,14 +56,13 @@ static errno_t safe_remove_old_ccache_file(struct sss_krb5_cc_be *cc_be, return EOK; } - ret = old_cc_ops->remove(old_ccache); + ret = sss_krb5_cc_destroy(old_ccache, uid, gid); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, ("Cannot remove ccache [%s]\n", old_ccache)); - return EIO; } - return EOK; + return ret; } static errno_t @@ -1037,8 +1018,9 @@ static void krb5_auth_done(struct tevent_req *subreq) * used. */ if (pd->cmd == SSS_PAM_AUTHENTICATE && !kr->active_ccache) { if (kr->old_ccname != NULL) { - ret = safe_remove_old_ccache_file(kr->cc_be, kr->upn, - kr->old_ccname, "dummy"); + ret = safe_remove_old_ccache_file(kr->cc_be, + kr->old_ccname, NULL, + kr->uid, kr->gid); if (ret != EOK) { DEBUG(1, ("Failed to remove old ccache file [%s], " "please remove it manually.\n", kr->old_ccname)); @@ -1114,12 +1096,15 @@ static void krb5_auth_done(struct tevent_req *subreq) goto done; } - ret = safe_remove_old_ccache_file(kr->cc_be, kr->upn, - kr->old_ccname, store_ccname); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - ("Failed to remove old ccache file [%s], " - "please remove it manually.\n", kr->old_ccname)); + if (kr->old_ccname) { + ret = safe_remove_old_ccache_file(kr->cc_be, + kr->old_ccname, store_ccname, + kr->uid, kr->gid); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + ("Failed to remove old ccache file [%s], " + "please remove it manually.\n", kr->old_ccname)); + } } ret = krb5_save_ccname(state, state->sysdb, state->domain, diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c index 52eb075bc..a613695c1 100644 --- a/src/providers/krb5/krb5_utils.c +++ b/src/providers/krb5/krb5_utils.c @@ -1138,42 +1138,11 @@ cc_file_cache_for_princ(TALLOC_CTX *mem_ctx, const char *location, return talloc_strdup(mem_ctx, location); } -errno_t -cc_file_remove(const char *location) -{ - errno_t ret; - const char *filename; - - filename = sss_krb5_residual_check_type(location, SSS_KRB5_TYPE_FILE); - if (!filename) { - DEBUG(SSSDBG_CRIT_FAILURE, ("%s is not of type FILE:\n", location)); - return EINVAL; - } - - if (filename[0] != '/') { - DEBUG(SSSDBG_CRIT_FAILURE, - ("Ccache file name [%s] is not an absolute path.\n", filename)); - return EINVAL; - } - - errno = 0; - ret = unlink(filename); - if (ret == -1 && errno != ENOENT) { - ret = errno; - DEBUG(SSSDBG_CRIT_FAILURE, - ("unlink [%s] failed [%d][%s].\n", filename, ret, - strerror(ret))); - return ret; - } - return EOK; -} - struct sss_krb5_cc_be file_cc = { .type = SSS_KRB5_TYPE_FILE, .create = cc_file_create, .check_existing = cc_file_check_existing, .ccache_for_princ = cc_file_cache_for_princ, - .remove = cc_file_remove, }; #ifdef HAVE_KRB5_CC_COLLECTION @@ -1351,32 +1320,11 @@ done: return name; } -errno_t -cc_dir_remove(const char *location) -{ - const char *subsidiary; - - if (sss_krb5_get_type(location) != SSS_KRB5_TYPE_DIR) { - DEBUG(SSSDBG_CRIT_FAILURE, ("%s is not of type DIR\n", location)); - return EINVAL; - } - - subsidiary = sss_krb5_cc_file_path(location); - if (!subsidiary) { - DEBUG(SSSDBG_CRIT_FAILURE, ("Cannot get subsidiary cache from %s\n", - location)); - return EINVAL; - } - - return cc_file_remove(subsidiary); -} - struct sss_krb5_cc_be dir_cc = { .type = SSS_KRB5_TYPE_DIR, .create = cc_dir_create, .check_existing = cc_dir_check_existing, .ccache_for_princ = cc_dir_cache_for_princ, - .remove = cc_dir_remove }; @@ -1503,30 +1451,11 @@ done: return name; } -errno_t -cc_keyring_remove(const char *location) -{ - const char *residual; - - residual = sss_krb5_residual_check_type(location, SSS_KRB5_TYPE_KEYRING); - if (!residual) { - DEBUG(SSSDBG_CRIT_FAILURE, - ("%s is not of type KEYRING:\n", location)); - return EINVAL; - } - - /* No special steps are needed to create a kernel keyring. - * Everything is handled in libkrb5. - */ - return EOK; -} - struct sss_krb5_cc_be keyring_cc = { .type = SSS_KRB5_TYPE_KEYRING, .create = cc_keyring_create, .check_existing = cc_keyring_check_existing, .ccache_for_princ = cc_keyring_cache_for_princ, - .remove = cc_keyring_remove }; #endif /* HAVE_KRB5_CC_COLLECTION */ diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h index f7088481f..fe8ea1795 100644 --- a/src/providers/krb5/krb5_utils.h +++ b/src/providers/krb5/krb5_utils.h @@ -52,7 +52,6 @@ typedef errno_t (*cc_be_check_existing)(const char *location, uid_t uid, typedef const char * (*cc_be_ccache_for_princ)(TALLOC_CTX *mem_ctx, const char *location, const char *princ); -typedef errno_t (*cc_be_remove)(const char *location); /* A ccache back end */ struct sss_krb5_cc_be { @@ -61,7 +60,6 @@ struct sss_krb5_cc_be { cc_be_create_fn create; cc_be_check_existing check_existing; cc_be_ccache_for_princ ccache_for_princ; - cc_be_remove remove; }; extern struct sss_krb5_cc_be file_cc; diff --git a/src/tests/krb5_child-test.c b/src/tests/krb5_child-test.c index 24d077289..dff62ab64 100644 --- a/src/tests/krb5_child-test.c +++ b/src/tests/krb5_child-test.c @@ -561,7 +561,7 @@ done: if (rm_ccache && ctx->res && ctx->res->ccname && ctx->kr) { - ctx->kr->krb5_ctx->cc_be->remove(ctx->res->ccname); + sss_krb5_cc_destroy(ctx->res->ccname, ctx->kr->uid, ctx->kr->gid); } free(password); talloc_free(ctx); -- cgit