authorTom Yu <tlyu@mit.edu>1997-11-13 00:07:05 +0000
committerTom Yu <tlyu@mit.edu>1997-11-13 00:07:05 +0000
commit2cd43e5cc511f183bda6582c8c3a822e4b28d806 (patch)
tree25fd507efa802495af164f15afab459955b13e8f
parent490c771d60d1cad1afd00a58ca60a6e2259b5959 (diff)
* forward.c (rd_and_store_for_creds): Don't do the chown. Avoids
a security hole. [krb5-appl/494] * krshd.c (recvauth): chown the ccache explicitly, as rd_and_store_for_creds no longer does so. [krb5-appl/494] git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10277 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/appl/bsd/ChangeLog8
-rw-r--r--src/appl/bsd/forward.c20
-rw-r--r--src/appl/bsd/krshd.c17
3 files changed, 25 insertions, 20 deletions
diff --git a/src/appl/bsd/ChangeLog b/src/appl/bsd/ChangeLog
index af90149bd..a0972b2eb 100644
--- a/src/appl/bsd/ChangeLog
+++ b/src/appl/bsd/ChangeLog
@@ -1,3 +1,11 @@
+Wed Nov 12 19:03:02 1997 Tom Yu <tlyu@mit.edu>
+
+ * forward.c (rd_and_store_for_creds): Don't do the chown. Avoids
+ a security hole. [krb5-appl/494]
+
+ * krshd.c (recvauth): chown the ccache explicitly, as
+ rd_and_store_for_creds no longer does so. [krb5-appl/494]
+
Thu Nov 6 22:04:26 1997 Theodore Y. Ts'o <tytso@mit.edu>
* v4rcp.c: Use error_message(errno) instead of using
diff --git a/src/appl/bsd/forward.c b/src/appl/bsd/forward.c
index 54594b9b9..e22fc1d98 100644
--- a/src/appl/bsd/forward.c
+++ b/src/appl/bsd/forward.c
@@ -21,7 +21,6 @@
#if defined(KERBEROS) || defined(KRB5)
#include <stdio.h>
-#include <pwd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/stat.h>
@@ -30,22 +29,18 @@
/* Decode, decrypt and store the forwarded creds in the local ccache. */
krb5_error_code
-rd_and_store_for_creds(context, auth_context, inbuf, ticket, lusername, ccache)
+rd_and_store_for_creds(context, auth_context, inbuf, ticket, ccache)
krb5_context context;
krb5_auth_context auth_context;
krb5_data *inbuf;
krb5_ticket *ticket;
- char *lusername;
krb5_ccache *ccache;
{
krb5_creds ** creds;
krb5_error_code retval;
char ccname[35];
- struct passwd *pwd;
*ccache = NULL;
- if (!(pwd = (struct passwd *) getpwnam(lusername)))
- return ENOENT;
if (retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL))
return(retval);
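Review bot: Dropping `lusername` from this old-style (K&R) definition changes the argument count with no compiler check, since no prototype is visible in this diff. A caller that still passes six arguments would compile cleanly, the username pointer would arrive as `ccache`, and `*ccache = NULL;` would then write through it. The diffstat shows only krshd.c being updated, so any other caller of rd_and_store_for_creds outside this diff needs the same edit plus its own explicit chown of the cache. A prototype in a shared header, e.g. `krb5_error_code rd_and_store_for_creds(krb5_context, krb5_auth_context, krb5_data *, krb5_ticket *, krb5_ccache *);`, would turn a missed caller into a build error. The function body continues outside this hunk.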
@@ -67,19 +62,6 @@ rd_and_store_for_creds(context, auth_context, inbuf, ticket, lusername, ccache)
if (retval = krb5_cc_store_cred(context, *ccache, *creds))
goto cleanup;
- if (retval = chown(ccname+5, pwd->pw_uid, -1)) {
- /*
- * If the file owner is the same as the user id then return ok.
- * This is for testing only --proven
- */
- struct stat statbuf;
-
- if (stat(ccname + 5, & statbuf) == 0) {
- if (statbuf.st_uid == pwd->pw_uid)
- retval = 0;
- }
- }
-
cleanup:
krb5_free_creds(context, *creds);
return retval;
diff --git a/src/appl/bsd/krshd.c b/src/appl/bsd/krshd.c
index e999a2806..ef8766d0b 100644
--- a/src/appl/bsd/krshd.c
+++ b/src/appl/bsd/krshd.c
@@ -1720,6 +1720,9 @@ recvauth(netf, peersin, valid_checksum)
krb5_authenticator *authenticator;
krb5_ticket *ticket;
krb5_rcache rcache;
+ struct passwd *pwd;
+ uid_t uid;
+ gid_t gid;
*valid_checksum = 0;
len = sizeof(laddr);
@@ -1875,12 +1878,24 @@ recvauth(netf, peersin, valid_checksum)
}
if (inbuf.length) { /* Forwarding being done, read creds */
+ pwd = getpwnam(locuser);
+ if (!pwd) {
+ error("Login incorrect.\n");
+ exit(1);
+ }
+ uid = pwd->pw_uid;
+ gid = pwd->pw_gid;
if ((status = rd_and_store_for_creds(bsd_context, auth_context, &inbuf,
- ticket, locuser, &ccache))) {
+ ticket, &ccache))) {
error("Can't get forwarded credentials: %s\n",
error_message(status));
exit(1);
}
+ if (chown(krb5_cc_get_name(bsd_context, ccache), uid, gid) == -1) {
+ error("Can't chown forwarded credentials: %s\n",
+ error_message(errno));
+ exit(1);
+ }
}
krb5_free_ticket(bsd_context, ticket);
return 0;
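Review bot: The new chown failure branch calls `exit(1)` without destroying the cache that rd_and_store_for_creds has just written, so a failed chown leaves the forwarded credentials on disk under the daemon's ownership. Calling `krb5_cc_destroy(bsd_context, ccache);` before that `exit(1)` would remove them. The ownership change is also done by path, and chown() follows symbolic links, so it is only safe if the cache file was created exclusively in a directory where other users cannot replace the entry. That creation code is outside this hunk and should be confirmed. Copying `pw_uid`/`pw_gid` into locals before the call is worth a short comment such as `/* getpwnam() returns static storage; save the ids now */`. recvauth begins outside the hunk.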