diff options
| author | Simo Sorce <simo@redhat.com> | 2016-11-02 06:34:11 -0400 |
|---|---|---|
| committer | Simo Sorce <simo@redhat.com> | 2016-11-02 09:09:41 -0400 |
| commit | 4ed98d156122f748c6f0d4fed183944d52e245e7 (patch) | |
| tree | 45637d245ab69574518a697759562161b9592479 /src/environ.c | |
| parent | 912738edbf248c9d9c2960cd4ff1daaa855e6c7e (diff) | |
| download | mod_auth_gssapi-4ed98d156122f748c6f0d4fed183944d52e245e7.tar.gz mod_auth_gssapi-4ed98d156122f748c6f0d4fed183944d52e245e7.tar.xz mod_auth_gssapi-4ed98d156122f748c6f0d4fed183944d52e245e7.zip | |
Add option to set custom permissions on ccache
This allows apache to set permission so that another user in the default
group can access the ccache. Useful when apache passes the request to a
process running under a different user or group id number.
Signed-off-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'src/environ.c')
| -rw-r--r-- | src/environ.c | 40 |
1 files changed, 33 insertions, 7 deletions
diff --git a/src/environ.c b/src/environ.c index 8fefb8e..7b8a54b 100644 --- a/src/environ.c +++ b/src/environ.c @@ -243,18 +243,44 @@ static void mag_set_name_attributes(request_rec *req, struct mag_conn *mc) } } -static void mag_set_KRB5CCNAME(request_rec *req, const char *dir, +static void mag_set_KRB5CCNAME(request_rec *req, struct mag_config *cfg, const char *ccname) { apr_status_t status; - apr_finfo_t finfo; + apr_int32_t wanted = APR_FINFO_MIN | APR_FINFO_OWNER | APR_FINFO_PROT; + apr_finfo_t finfo = { 0 }; char *path; char *value; - path = apr_psprintf(req->pool, "%s/%s", dir, ccname); - - status = apr_stat(&finfo, path, APR_FINFO_MIN, req->pool); - if (status != APR_SUCCESS && status != APR_INCOMPLETE) { + path = apr_psprintf(req->pool, "%s/%s", cfg->deleg_ccache_dir, ccname); + + status = apr_stat(&finfo, path, wanted, req->pool); + if (status == APR_SUCCESS) { + if ((cfg->deleg_ccache_mode != 0) && + (finfo.protection != cfg->deleg_ccache_mode)) { + status = apr_file_perms_set(path, cfg->deleg_ccache_mode); + if (status != APR_SUCCESS) + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + "failed to set perms (%o) on file (%s)!", + cfg->deleg_ccache_mode, path); + } + if ((cfg->deleg_ccache_uid != 0) && + (finfo.user != cfg->deleg_ccache_uid)) { + status = lchown(path, cfg->deleg_ccache_uid, -1); + if (status != 0) + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + "failed to set user (%u) on file (%s)!", + cfg->deleg_ccache_uid, path); + } + if ((cfg->deleg_ccache_gid != 0) && + (finfo.group != cfg->deleg_ccache_gid)) { + status = lchown(path, -1, cfg->deleg_ccache_gid); + if (status != 0) + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + "failed to set group (%u) on file (%s)!", + cfg->deleg_ccache_gid, path); + } + } else { /* set the file cache anyway, but warn */ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "KRB5CCNAME file (%s) lookup failed!", path); @@ -282,7 +308,7 @@ void mag_set_req_data(request_rec *req, #ifdef HAVE_CRED_STORE if (cfg->deleg_ccache_dir && mc->delegated && mc->ccname) { - mag_set_KRB5CCNAME(req, cfg->deleg_ccache_dir, mc->ccname); + mag_set_KRB5CCNAME(req, cfg, mc->ccname); } #endif } |