diff options
| author | Simo Sorce <simo@redhat.com> | 2016-11-02 06:34:11 -0400 |
|---|---|---|
| committer | Simo Sorce <simo@redhat.com> | 2016-11-30 05:39:33 -0500 |
| commit | f8f308f00b7f2695ae811d64038febc59dc688d5 (patch) | |
| tree | 45637d245ab69574518a697759562161b9592479 /src/mod_auth_gssapi.c | |
| parent | 912738edbf248c9d9c2960cd4ff1daaa855e6c7e (diff) | |
| download | mod_auth_gssapi-f8f308f00b7f2695ae811d64038febc59dc688d5.tar.gz mod_auth_gssapi-f8f308f00b7f2695ae811d64038febc59dc688d5.tar.xz mod_auth_gssapi-f8f308f00b7f2695ae811d64038febc59dc688d5.zip | |
Add option to set custom permissions on ccache
This allows apache to set permission so that another user in the default
group can access the ccache. Useful when apache passes the request to a
process running under a different user or group id number.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Diffstat (limited to 'src/mod_auth_gssapi.c')
| -rw-r--r-- | src/mod_auth_gssapi.c | 83 |
1 files changed, 83 insertions, 0 deletions
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index 9f24401..c3f258b 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -1332,6 +1332,87 @@ static const char *mag_deleg_ccache_dir(cmd_parms *parms, void *mconfig, return NULL; } + +#define CCMODE "mode:" +#define CCUID "uid:" +#define CCGID "gid:" +#define NSS_BUF_LEN 2048 /* just use a uid/gid number if not big enough */ +static const char *mag_deleg_ccache_perms(cmd_parms *parms, void *mconfig, + const char *w) +{ + struct mag_config *cfg = (struct mag_config *)mconfig; + + if (strncmp(w, CCMODE, sizeof(CCMODE) - 1) == 0) { + const char *p = w + sizeof(CCMODE) -1; + errno = 0; + /* mode is traditionally represented in octal, but the actual + * permission bit are using the 3 least significant bit of each quartet + * so effectively if we read an octal number as hex we get the correct + * mode bits */ + cfg->deleg_ccache_mode = strtol(p, NULL, 16); + if (errno != 0) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "Invalid GssapiDelegCcachePerms mode value [%s]", p); + /* reset to the default */ + cfg->deleg_ccache_mode = 0; + } + } else if (strncmp(w, CCUID, sizeof(CCUID) - 1) == 0) { + const char *p = w + sizeof(CCUID) - 1; + errno = 0; + if (isdigit(*p)) { + char *endptr; + cfg->deleg_ccache_uid = strtol(p, &endptr, 0); + if (errno != 0 || endptr != '\0') { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "Invalid GssapiDelegCcachePerms uid value [%s]", + p); + /* reset to the default */ + cfg->deleg_ccache_uid = 0; + } + } else { + struct passwd pwd, *user; + char buf[NSS_BUF_LEN]; + int ret = getpwnam_r(p, &pwd, buf, NSS_BUF_LEN, &user); + if ((ret != 0) || user != &pwd) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "Invalid GssapiDelegCcachePerms uid value [%s]", + p); + } else { + cfg->deleg_ccache_uid = user->pw_uid; + } + } + } else if (strncmp(w, CCGID, sizeof(CCGID) - 1) == 0) { + const char *p = w + sizeof(CCGID) - 1; + errno = 0; + if (isdigit(*p)) { + char *endptr; + cfg->deleg_ccache_gid = strtol(p, &endptr, 0); + if (errno != 0 || endptr != '\0') { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "Invalid GssapiDelegCcachePerms gid value [%s]", + p); + /* reset to the default */ + cfg->deleg_ccache_gid = 0; + } + } else { + struct group grp, *group; + char buf[NSS_BUF_LEN]; + int ret = getgrnam_r(p, &grp, buf, NSS_BUF_LEN, &group); + if ((ret != 0) || group != &grp) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "Invalid GssapiDelegCcachePerms gid value [%s]", + p); + } else { + cfg->deleg_ccache_gid = group->gr_gid; + } + } + } else { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "Invalid GssapiDelegCcachePerms directive [%s]", w); + } + + return NULL; +} #endif #ifdef HAVE_GSS_ACQUIRE_CRED_WITH_PASSWORD @@ -1541,6 +1622,8 @@ static const command_rec mag_commands[] = { "Credential Store"), AP_INIT_RAW_ARGS("GssapiDelegCcacheDir", mag_deleg_ccache_dir, NULL, OR_AUTHCFG, "Directory to store delegated credentials"), + AP_INIT_ITERATE("GssapiDelegCcachePerms", mag_deleg_ccache_perms, NULL, + OR_AUTHCFG, "Permissions to assign to Ccache files"), AP_INIT_FLAG("GssapiDelegCcacheUnique", mag_deleg_ccache_unique, NULL, OR_AUTHCFG, "Use unique ccaches for delgation"), AP_INIT_FLAG("GssapiImpersonate", ap_set_flag_slot, |