/* GSS-PROXY Copyright (C) 2011 Red Hat, Inc. Copyright (C) 2011 Simo Sorce Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ #include "config.h" #include #include #include #include #include #include #include #include #include #include #include "popt.h" #include "gp_common.h" #include "gp_secrets.h" #define _(STRING) gettext(STRING) char *fgets_password(void) { struct termios old_flags, flags; char buf[1024]; char *pwd; int ret; ret = tcgetattr(fileno(stdin), &old_flags); flags = old_flags; flags.c_lflag = (flags.c_lflag & ~ECHO) | ECHONL; ret = tcsetattr(fileno(stdin), TCSANOW, &flags); if (ret) return NULL; fprintf(stdout, "Password: "); pwd = fgets(buf, 1024, stdin); /* nothing we can do if this fails anyway */ (void)tcsetattr(fileno(stdin), TCSANOW, &old_flags); if (pwd) { buf[strlen(buf) - 1] = '\0'; pwd = strdup(buf); } gp_safe_zero(buf, 1024); return pwd; } int main(int argc, const char *argv[]) { int opt; poptContext pc; const char *pc_arg; const char *opt_type = "NTLMSSP"; uid_t realuid = getuid(); long opt_uid = realuid; int opt_version = 0; int opt_debug = 0; char *domain = NULL; char *username = NULL; char *password = NULL; const char *p; int ret; struct poptOption long_options[] = { POPT_AUTOHELP { "debug", 'd', POPT_ARG_NONE | POPT_ARGFLAG_SHOW_DEFAULT, &opt_debug, 0, _("Enable debugging"), NULL }, { "version", '\0', POPT_ARG_NONE, &opt_version, 0, _("Print version number and exit"), NULL }, { "type", 't', POPT_ARG_STRING | POPT_ARGFLAG_SHOW_DEFAULT, &opt_type, 0, _("Type of credentials"), NULL }, { "uid", 'u', POPT_ARG_LONG | POPT_ARGFLAG_SHOW_DEFAULT, &opt_uid, 0, _("UserID owning of the credentials"), NULL }, POPT_TABLEEND }; pc = poptGetContext(argv[0], argc, argv, long_options, 0); poptSetOtherOptionHelp(pc, "[[domain:]username]"); while((opt = poptGetNextOpt(pc)) != -1) { switch(opt) { default: fprintf(stderr, "\nInvalid option %s: %s\n\n", poptBadOption(pc, 0), poptStrerror(opt)); poptPrintUsage(pc, stderr, 0); ret = 1; goto done; } } pc_arg = poptGetArg(pc); if (opt_version != 0 && pc_arg != NULL) { fprintf(stderr, "\nThe version option does not take an argument\n"); poptPrintUsage(pc, stderr, 0); ret = 1; goto done; } if (opt_version) { puts(VERSION""DISTRO_VERSION""PRERELEASE_VERSION); ret = 0; goto done; } if (opt_debug) { gp_debug_enable(); } if (strcasecmp(opt_type, "NTLMSSP") != 0) { fprintf(stderr, "\nUnsupported type %s\n", opt_type); poptPrintUsage(pc, stderr, 0); ret = 1; goto done; } /* FIXME: if gssproxy is configure with run_as_user, we'll not use the * right keyring here. We need to drop privileges like gssproxy does, which * means reading the gssproxy.conf file. */ if (geteuid() != 0) { if (opt_debug && opt_uid == 0) { fprintf(stderr, "###### This is a test mode ######\n"); fprintf(stderr, "Please do not use real credentials\n"); realuid = 0; } else { fprintf(stderr, "This program requires root privileges\n"); return -EPERM; } } /* only root can specify an arbitrary uid */ if (realuid != 0) { opt_uid = realuid; } ret = gp_priv_init(); if (ret) { fprintf(stderr, "Failed to initialize security infrastructure\n"); fprintf(stderr, "Error: (%d) %s\n", ret, gp_strerror(ret)); return -1; } if (pc_arg == NULL && realuid != 0) { /* only root can read the credentials back */ fprintf(stderr, "\nPlease provide a [domain:]username option\n"); poptPrintUsage(pc, stderr, 0); ret = 1; goto done; } if (pc_arg == NULL) { ret = gp_get_uid_creds(opt_uid, &domain, &username, &password); if (ret) { fprintf(stderr, "\nCredentials not found: (%d) %s\n", ret, gp_strerror(ret)); ret = ENOENT; goto done; } fprintf(stderr, "\nFound credentials for uid %ld\n", opt_uid); fprintf(stderr, "Username: %s\n", username); fprintf(stderr, "Domain: %s\n", domain); ret = 0; goto done; } p = strchr(pc_arg, ':'); if (p) { domain = strndup(pc_arg, p - pc_arg); if (!domain) { ret = -ENOMEM; goto done; } p += 1; } else { p = pc_arg; } username = strdup(p); if (!username) { ret = -ENOMEM; goto done; } password = fgets_password(); if (!password) { ret = -ENOMEM; goto done; } ret = gp_save_uid_creds(opt_uid, domain, username, password); if (ret) { fprintf(stderr, "\nFailed to save credentials for uid %ld\n", opt_uid); ret = 1; goto done; } ret = 0; done: poptFreeContext(pc); strzerofree(domain); strzerofree(username); strzerofree(password); return ret; }