/src/samba/third_party/heimdal/lib/krb5/kuserok.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan |
3 | | * (Royal Institute of Technology, Stockholm, Sweden). |
4 | | * All rights reserved. |
5 | | * |
6 | | * Redistribution and use in source and binary forms, with or without |
7 | | * modification, are permitted provided that the following conditions |
8 | | * are met: |
9 | | * |
10 | | * 1. Redistributions of source code must retain the above copyright |
11 | | * notice, this list of conditions and the following disclaimer. |
12 | | * |
13 | | * 2. Redistributions in binary form must reproduce the above copyright |
14 | | * notice, this list of conditions and the following disclaimer in the |
15 | | * documentation and/or other materials provided with the distribution. |
16 | | * |
17 | | * 3. Neither the name of the Institute nor the names of its contributors |
18 | | * may be used to endorse or promote products derived from this software |
19 | | * without specific prior written permission. |
20 | | * |
21 | | * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND |
22 | | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
23 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
24 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE |
25 | | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
26 | | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
27 | | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
28 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
29 | | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
30 | | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
31 | | * SUCH DAMAGE. |
32 | | */ |
33 | | |
34 | | #include "krb5_locl.h" |
35 | | #include "kuserok_plugin.h" |
36 | | #include <dirent.h> |
37 | | |
38 | | #ifndef SYSTEM_K5LOGIN_DIR |
39 | | /* |
40 | | * System k5login location. File namess in this directory are expected |
41 | | * to be usernames and to contain a list of principals allowed to login |
42 | | * as the user named the same as the file. |
43 | | */ |
44 | 0 | #define SYSTEM_K5LOGIN_DIR SYSCONFDIR "/k5login.d" |
45 | | #endif |
46 | | |
47 | | /* Plugin framework bits */ |
48 | | |
49 | | struct plctx { |
50 | | const char *rule; |
51 | | const char *k5login_dir; |
52 | | const char *luser; |
53 | | krb5_const_principal principal; |
54 | | unsigned int flags; |
55 | | krb5_boolean result; |
56 | | }; |
57 | | |
58 | | static krb5_error_code KRB5_LIB_CALL |
59 | | plcallback(krb5_context context, const void *plug, void *plugctx, void *userctx) |
60 | 0 | { |
61 | 0 | const krb5plugin_kuserok_ftable *locate = plug; |
62 | 0 | struct plctx *plctx = userctx; |
63 | |
|
64 | 0 | return locate->kuserok(plugctx, context, plctx->rule, plctx->flags, |
65 | 0 | plctx->k5login_dir, plctx->luser, plctx->principal, |
66 | 0 | &plctx->result); |
67 | 0 | } |
68 | | |
69 | | static krb5_error_code plugin_reg_ret; |
70 | | static const krb5plugin_kuserok_ftable kuserok_simple_plug; |
71 | | static const krb5plugin_kuserok_ftable kuserok_sys_k5login_plug; |
72 | | static const krb5plugin_kuserok_ftable kuserok_user_k5login_plug; |
73 | | static const krb5plugin_kuserok_ftable kuserok_deny_plug; |
74 | | |
75 | | static void |
76 | | reg_def_plugins_once(void *ctx) |
77 | 0 | { |
78 | 0 | krb5_error_code ret; |
79 | 0 | krb5_context context = ctx; |
80 | |
|
81 | 0 | plugin_reg_ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA, |
82 | 0 | KRB5_PLUGIN_KUSEROK, |
83 | 0 | &kuserok_simple_plug); |
84 | 0 | ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA, |
85 | 0 | KRB5_PLUGIN_KUSEROK, &kuserok_sys_k5login_plug); |
86 | 0 | if (!plugin_reg_ret) |
87 | 0 | plugin_reg_ret = ret; |
88 | 0 | ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA, |
89 | 0 | KRB5_PLUGIN_KUSEROK, &kuserok_user_k5login_plug); |
90 | 0 | if (!plugin_reg_ret) |
91 | 0 | plugin_reg_ret = ret; |
92 | 0 | ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA, |
93 | 0 | KRB5_PLUGIN_KUSEROK, &kuserok_deny_plug); |
94 | 0 | if (!plugin_reg_ret) |
95 | 0 | plugin_reg_ret = ret; |
96 | 0 | } |
97 | | |
98 | | /** |
99 | | * This function is designed to be portable for Win32 and POSIX. The |
100 | | * design does lead to multiple getpwnam_r() calls, but this is probably |
101 | | * not a big deal. |
102 | | * |
103 | | * Inputs: |
104 | | * |
105 | | * @param context A krb5_context |
106 | | * @param filename Name of item to introspection |
107 | | * @param is_system_location TRUE if the dir/file are system locations or |
108 | | * FALSE if they are user home directory locations |
109 | | * @param dir Directory (optional) |
110 | | * @param dirlstat A pointer to struct stat for the directory (optional) |
111 | | * @param file File (optional) |
112 | | * @param owner Name of user that is expected to own the file |
113 | | */ |
114 | | |
115 | | static krb5_error_code |
116 | | check_owner_dir(krb5_context context, |
117 | | const char *filename, |
118 | | krb5_boolean is_system_location, |
119 | | DIR *dir, |
120 | | struct stat *dirlstat, |
121 | | const char *owner) |
122 | 0 | { |
123 | | #ifdef _WIN32 |
124 | | /* |
125 | | * XXX Implement this! |
126 | | * |
127 | | * The thing to do is to call _get_osfhandle() on fileno(file) and |
128 | | * dirfd(dir) to get HANDLEs to the same, then call |
129 | | * GetSecurityInfo() on those HANDLEs to get the security descriptor |
130 | | * (SD), then check the owner and DACL. Checking the DACL sounds |
131 | | * like a lot of work (what, derive a mode from the ACL the way |
132 | | * NFSv4 servers do?). Checking the owner means doing an LSARPC |
133 | | * lookup at least (to get the user's SID). |
134 | | */ |
135 | | if (is_system_location || owner == NULL) |
136 | | return 0; |
137 | | krb5_set_error_message(context, EACCES, |
138 | | "User k5login files not supported on Windows"); |
139 | | return EACCES; |
140 | | #else |
141 | 0 | struct passwd pw, *pwd = NULL; |
142 | 0 | char pwbuf[2048]; |
143 | 0 | struct stat st; |
144 | |
|
145 | 0 | heim_assert(owner != NULL, "no directory owner ?"); |
146 | | |
147 | 0 | if (getpwnam_r(owner, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) { |
148 | 0 | krb5_set_error_message(context, errno, |
149 | 0 | "User unknown %s (getpwnam_r())", owner); |
150 | 0 | return EACCES; |
151 | 0 | } |
152 | 0 | if (pwd == NULL) { |
153 | 0 | krb5_set_error_message(context, EACCES, "no user %s", owner); |
154 | 0 | return EACCES; |
155 | 0 | } |
156 | | |
157 | 0 | if (fstat(dirfd(dir), &st) == -1) { |
158 | 0 | krb5_set_error_message(context, EACCES, |
159 | 0 | "fstat(%s) of k5login.d failed", |
160 | 0 | filename); |
161 | 0 | return EACCES; |
162 | 0 | } |
163 | 0 | if (!S_ISDIR(st.st_mode)) { |
164 | 0 | krb5_set_error_message(context, ENOTDIR, "%s not a directory", |
165 | 0 | filename); |
166 | 0 | return ENOTDIR; |
167 | 0 | } |
168 | 0 | if (st.st_dev != dirlstat->st_dev || st.st_ino != dirlstat->st_ino) { |
169 | 0 | krb5_set_error_message(context, EACCES, |
170 | 0 | "%s was renamed during kuserok " |
171 | 0 | "operation", filename); |
172 | 0 | return EACCES; |
173 | 0 | } |
174 | 0 | if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0) { |
175 | 0 | krb5_set_error_message(context, EACCES, |
176 | 0 | "%s has world and/or group write " |
177 | 0 | "permissions", filename); |
178 | 0 | return EACCES; |
179 | 0 | } |
180 | 0 | if (pwd->pw_uid != st.st_uid && st.st_uid != 0) { |
181 | 0 | krb5_set_error_message(context, EACCES, |
182 | 0 | "%s not owned by the user (%s) or root", |
183 | 0 | filename, owner); |
184 | 0 | return EACCES; |
185 | 0 | } |
186 | | |
187 | 0 | return 0; |
188 | 0 | #endif |
189 | 0 | } |
190 | | |
191 | | static krb5_error_code |
192 | | check_owner_file(krb5_context context, |
193 | | const char *filename, |
194 | | FILE *file, const char *owner) |
195 | 0 | { |
196 | | #ifdef _WIN32 |
197 | | /* |
198 | | * XXX Implement this! |
199 | | * |
200 | | * The thing to do is to call _get_osfhandle() on fileno(file) and |
201 | | * dirfd(dir) to get HANDLEs to the same, then call |
202 | | * GetSecurityInfo() on those HANDLEs to get the security descriptor |
203 | | * (SD), then check the owner and DACL. Checking the DACL sounds |
204 | | * like a lot of work (what, derive a mode from the ACL the way |
205 | | * NFSv4 servers do?). Checking the owner means doing an LSARPC |
206 | | * lookup at least (to get the user's SID). |
207 | | */ |
208 | | if (owner == NULL) |
209 | | return 0; |
210 | | |
211 | | krb5_set_error_message(context, EACCES, |
212 | | "User k5login files not supported on Windows"); |
213 | | return EACCES; |
214 | | #else |
215 | 0 | struct passwd pw, *pwd = NULL; |
216 | 0 | char pwbuf[2048]; |
217 | 0 | struct stat st; |
218 | |
|
219 | 0 | if (owner == NULL) |
220 | 0 | return 0; |
221 | | |
222 | 0 | if (getpwnam_r(owner, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) { |
223 | 0 | krb5_set_error_message(context, errno, |
224 | 0 | "User unknown %s (getpwnam_r())", owner); |
225 | 0 | return EACCES; |
226 | 0 | } |
227 | 0 | if (pwd == NULL) { |
228 | 0 | krb5_set_error_message(context, EACCES, "no user %s", owner); |
229 | 0 | return EACCES; |
230 | 0 | } |
231 | | |
232 | 0 | if (fstat(fileno(file), &st) == -1) { |
233 | 0 | krb5_set_error_message(context, EACCES, "fstat(%s) of k5login failed", |
234 | 0 | filename); |
235 | 0 | return EACCES; |
236 | 0 | } |
237 | 0 | if (S_ISDIR(st.st_mode)) { |
238 | 0 | krb5_set_error_message(context, EISDIR, "k5login: %s is a directory", |
239 | 0 | filename); |
240 | 0 | return EISDIR; |
241 | 0 | } |
242 | 0 | if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0) { |
243 | 0 | krb5_set_error_message(context, EISDIR, |
244 | 0 | "k5login %s has world and/or group write " |
245 | 0 | "permissions", filename); |
246 | 0 | return EACCES; |
247 | 0 | } |
248 | 0 | if (pwd->pw_uid != st.st_uid && st.st_uid != 0) { |
249 | 0 | krb5_set_error_message(context, EACCES, |
250 | 0 | "k5login %s not owned by the user or root", |
251 | 0 | filename); |
252 | 0 | return EACCES; |
253 | 0 | } |
254 | | |
255 | 0 | return 0; |
256 | 0 | #endif |
257 | 0 | } |
258 | | |
259 | | |
260 | | /* see if principal is mentioned in the filename access file, return |
261 | | TRUE (in result) if so, FALSE otherwise */ |
262 | | |
263 | | static krb5_error_code |
264 | | check_one_file(krb5_context context, |
265 | | const char *filename, |
266 | | const char *owner, |
267 | | krb5_boolean is_system_location, |
268 | | krb5_const_principal principal, |
269 | | krb5_boolean *result) |
270 | 0 | { |
271 | 0 | FILE *f; |
272 | 0 | char buf[BUFSIZ]; |
273 | 0 | krb5_error_code ret; |
274 | |
|
275 | 0 | *result = FALSE; |
276 | |
|
277 | 0 | f = fopen(filename, "r"); |
278 | 0 | if (f == NULL) |
279 | 0 | return errno; |
280 | 0 | rk_cloexec_file(f); |
281 | |
|
282 | 0 | ret = check_owner_file(context, filename, f, owner); |
283 | 0 | if (ret) |
284 | 0 | goto out; |
285 | | |
286 | 0 | while (fgets(buf, sizeof(buf), f) != NULL) { |
287 | 0 | krb5_principal tmp; |
288 | 0 | char *newline = buf + strcspn(buf, "\n"); |
289 | |
|
290 | 0 | if (*newline != '\n') { |
291 | 0 | int c; |
292 | 0 | c = fgetc(f); |
293 | 0 | if (c != EOF) { |
294 | 0 | while (c != EOF && c != '\n') |
295 | 0 | c = fgetc(f); |
296 | | /* line was too long, so ignore it */ |
297 | 0 | continue; |
298 | 0 | } |
299 | 0 | } |
300 | 0 | *newline = '\0'; |
301 | 0 | ret = krb5_parse_name(context, buf, &tmp); |
302 | 0 | if (ret) |
303 | 0 | continue; |
304 | 0 | *result = krb5_principal_compare(context, principal, tmp); |
305 | 0 | krb5_free_principal(context, tmp); |
306 | 0 | if (*result) { |
307 | 0 | fclose (f); |
308 | 0 | return 0; |
309 | 0 | } |
310 | 0 | } |
311 | | |
312 | 0 | out: |
313 | 0 | fclose(f); |
314 | 0 | return 0; |
315 | 0 | } |
316 | | |
317 | | static krb5_error_code |
318 | | check_directory(krb5_context context, |
319 | | const char *dirname, |
320 | | const char *owner, |
321 | | krb5_boolean is_system_location, |
322 | | krb5_const_principal principal, |
323 | | krb5_boolean *result) |
324 | 0 | { |
325 | 0 | DIR *d; |
326 | 0 | struct dirent *dent; |
327 | 0 | char filename[MAXPATHLEN]; |
328 | 0 | size_t len; |
329 | 0 | krb5_error_code ret = 0; |
330 | 0 | struct stat st; |
331 | |
|
332 | 0 | *result = FALSE; |
333 | |
|
334 | 0 | if (lstat(dirname, &st) < 0) |
335 | 0 | return errno; |
336 | | |
337 | 0 | if (!S_ISDIR(st.st_mode)) { |
338 | 0 | krb5_set_error_message(context, ENOTDIR, "k5login.d not a directory"); |
339 | 0 | return ENOTDIR; |
340 | 0 | } |
341 | | |
342 | 0 | if ((d = opendir(dirname)) == NULL) { |
343 | 0 | krb5_set_error_message(context, ENOTDIR, "Could not open k5login.d"); |
344 | 0 | return errno; |
345 | 0 | } |
346 | | |
347 | 0 | ret = check_owner_dir(context, dirname, is_system_location, d, &st, owner); |
348 | 0 | if (ret) |
349 | 0 | goto out; |
350 | | |
351 | 0 | while ((dent = readdir(d)) != NULL) { |
352 | | /* |
353 | | * XXX: Should we also skip files whose names start with "."? |
354 | | * Vim ".filename.swp" files are also good candidates to skip. |
355 | | * Once we ignore "#*" and "*~", it is not clear what other |
356 | | * heuristics to apply. |
357 | | */ |
358 | 0 | if (strcmp(dent->d_name, ".") == 0 || |
359 | 0 | strcmp(dent->d_name, "..") == 0 || |
360 | 0 | dent->d_name[0] == '#' || /* emacs autosave */ |
361 | 0 | dent->d_name[strlen(dent->d_name) - 1] == '~') /* emacs backup */ |
362 | 0 | continue; |
363 | 0 | len = snprintf(filename, sizeof(filename), "%s/%s", dirname, dent->d_name); |
364 | | /* Skip too-long filenames that got truncated by snprintf() */ |
365 | 0 | if (len < sizeof(filename)) { |
366 | 0 | ret = check_one_file(context, filename, owner, is_system_location, |
367 | 0 | principal, result); |
368 | 0 | if (ret == 0 && *result == TRUE) |
369 | 0 | break; |
370 | 0 | } |
371 | 0 | ret = 0; /* don't propagate errors upstream */ |
372 | 0 | } |
373 | |
|
374 | 0 | out: |
375 | 0 | closedir(d); |
376 | 0 | return ret; |
377 | 0 | } |
378 | | |
379 | | static krb5_error_code |
380 | | check_an2ln(krb5_context context, |
381 | | krb5_const_principal principal, |
382 | | const char *luser, |
383 | | krb5_boolean *result) |
384 | 0 | { |
385 | 0 | krb5_error_code ret; |
386 | 0 | char *lname; |
387 | |
|
388 | | #if 0 |
389 | | /* XXX Should we make this an option? */ |
390 | | /* multi-component principals can never match */ |
391 | | if (krb5_principal_get_comp_string(context, principal, 1) != NULL) { |
392 | | *result = FALSE; |
393 | | return 0; |
394 | | } |
395 | | #endif |
396 | |
|
397 | 0 | lname = malloc(strlen(luser) + 1); |
398 | 0 | if (lname == NULL) |
399 | 0 | return krb5_enomem(context); |
400 | 0 | ret = krb5_aname_to_localname(context, principal, strlen(luser)+1, lname); |
401 | 0 | if (ret) |
402 | 0 | goto out; |
403 | 0 | if (strcmp(lname, luser) == 0) |
404 | 0 | *result = TRUE; |
405 | 0 | else |
406 | 0 | *result = FALSE; |
407 | |
|
408 | 0 | out: |
409 | 0 | free(lname); |
410 | 0 | return 0; |
411 | |
|
412 | 0 | } |
413 | | |
414 | | /** |
415 | | * This function takes the name of a local user and checks if |
416 | | * principal is allowed to log in as that user. |
417 | | * |
418 | | * The user may have a ~/.k5login file listing principals that are |
419 | | * allowed to login as that user. If that file does not exist, all |
420 | | * principals with a only one component that is identical to the |
421 | | * username, and a realm considered local, are allowed access. |
422 | | * |
423 | | * The .k5login file must contain one principal per line, be owned by |
424 | | * user and not be writable by group or other (but must be readable by |
425 | | * anyone). |
426 | | * |
427 | | * Note that if the file exists, no implicit access rights are given |
428 | | * to user@@LOCALREALM. |
429 | | * |
430 | | * Optionally, a set of files may be put in ~/.k5login.d (a |
431 | | * directory), in which case they will all be checked in the same |
432 | | * manner as .k5login. The files may be called anything, but files |
433 | | * starting with a hash (#) , or ending with a tilde (~) are |
434 | | * ignored. Subdirectories are not traversed. Note that this directory |
435 | | * may not be checked by other Kerberos implementations. |
436 | | * |
437 | | * If no configuration file exists, match user against local domains, |
438 | | * ie luser@@LOCAL-REALMS-IN-CONFIGURATION-FILES. |
439 | | * |
440 | | * @param context Kerberos 5 context. |
441 | | * @param principal principal to check if allowed to login |
442 | | * @param luser local user id |
443 | | * |
444 | | * @return returns TRUE if access should be granted, FALSE otherwise. |
445 | | * |
446 | | * @ingroup krb5_support |
447 | | */ |
448 | | |
449 | | KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL |
450 | | krb5_kuserok(krb5_context context, |
451 | | krb5_principal principal, |
452 | | const char *luser) |
453 | 0 | { |
454 | 0 | return _krb5_kuserok(context, principal, luser, TRUE); |
455 | 0 | } |
456 | | |
457 | | |
458 | | static const char *const kuserok_plugin_deps[] = { "krb5", NULL }; |
459 | | |
460 | | static const struct heim_plugin_data |
461 | | kuserok_plugin_data = { |
462 | | "krb5", |
463 | | KRB5_PLUGIN_KUSEROK, |
464 | | KRB5_PLUGIN_KUSEROK_VERSION_0, |
465 | | kuserok_plugin_deps, |
466 | | krb5_get_instance |
467 | | }; |
468 | | |
469 | | KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL |
470 | | _krb5_kuserok(krb5_context context, |
471 | | krb5_principal principal, |
472 | | const char *luser, |
473 | | krb5_boolean an2ln_ok) |
474 | 0 | { |
475 | 0 | static heim_base_once_t reg_def_plugins = HEIM_BASE_ONCE_INIT; |
476 | 0 | krb5_error_code ret; |
477 | 0 | struct plctx ctx; |
478 | 0 | char **rules; |
479 | | |
480 | | /* |
481 | | * XXX we should have a struct with a krb5_context field and a |
482 | | * krb5_error_code fied and pass the address of that as the ctx |
483 | | * argument of heim_base_once_f(). For now we use a static to |
484 | | * communicate failures. Actually, we ignore failures anyways, |
485 | | * since we can't return them. |
486 | | */ |
487 | 0 | heim_base_once_f(®_def_plugins, context, reg_def_plugins_once); |
488 | |
|
489 | 0 | ctx.flags = 0; |
490 | 0 | ctx.luser = luser; |
491 | 0 | ctx.principal = principal; |
492 | 0 | ctx.result = FALSE; |
493 | |
|
494 | 0 | ctx.k5login_dir = krb5_config_get_string(context, NULL, "libdefaults", |
495 | 0 | "k5login_directory", NULL); |
496 | |
|
497 | 0 | if (an2ln_ok) |
498 | 0 | ctx.flags |= KUSEROK_ANAME_TO_LNAME_OK; |
499 | |
|
500 | 0 | if (krb5_config_get_bool_default(context, NULL, FALSE, "libdefaults", |
501 | 0 | "k5login_authoritative", NULL)) |
502 | 0 | ctx.flags |= KUSEROK_K5LOGIN_IS_AUTHORITATIVE; |
503 | |
|
504 | 0 | if ((ctx.flags & KUSEROK_K5LOGIN_IS_AUTHORITATIVE) && plugin_reg_ret) |
505 | 0 | return plugin_reg_ret; /* fail safe */ |
506 | | |
507 | 0 | rules = krb5_config_get_strings(context, NULL, "libdefaults", |
508 | 0 | "kuserok", NULL); |
509 | 0 | if (rules == NULL) { |
510 | | /* Default: check ~/.k5login */ |
511 | 0 | ctx.rule = "USER-K5LOGIN"; |
512 | |
|
513 | 0 | ret = plcallback(context, &kuserok_user_k5login_plug, NULL, &ctx); |
514 | 0 | if (ret == 0) |
515 | 0 | goto out; |
516 | | |
517 | 0 | ctx.rule = "SIMPLE"; |
518 | 0 | ret = plcallback(context, &kuserok_simple_plug, NULL, &ctx); |
519 | 0 | if (ret == 0) |
520 | 0 | goto out; |
521 | | |
522 | 0 | ctx.result = FALSE; |
523 | 0 | } else { |
524 | 0 | size_t n; |
525 | |
|
526 | 0 | for (n = 0; rules[n]; n++) { |
527 | 0 | ctx.rule = rules[n]; |
528 | |
|
529 | 0 | ret = _krb5_plugin_run_f(context, &kuserok_plugin_data, |
530 | 0 | 0, &ctx, plcallback); |
531 | 0 | if (ret != KRB5_PLUGIN_NO_HANDLE) |
532 | 0 | goto out; |
533 | 0 | } |
534 | 0 | } |
535 | | |
536 | 0 | out: |
537 | 0 | krb5_config_free_strings(rules); |
538 | |
|
539 | 0 | return ctx.result; |
540 | 0 | } |
541 | | |
542 | | /* |
543 | | * Simple kuserok: check that the lname for the aname matches luser. |
544 | | */ |
545 | | |
546 | | static krb5_error_code KRB5_LIB_CALL |
547 | | kuserok_simple_plug_f(void *plug_ctx, krb5_context context, const char *rule, |
548 | | unsigned int flags, const char *k5login_dir, |
549 | | const char *luser, krb5_const_principal principal, |
550 | | krb5_boolean *result) |
551 | 0 | { |
552 | 0 | krb5_error_code ret; |
553 | |
|
554 | 0 | if (strcmp(rule, "SIMPLE") != 0 || (flags & KUSEROK_ANAME_TO_LNAME_OK) == 0) |
555 | 0 | return KRB5_PLUGIN_NO_HANDLE; |
556 | | |
557 | 0 | ret = check_an2ln(context, principal, luser, result); |
558 | 0 | if (ret == 0 && *result == FALSE) |
559 | 0 | return KRB5_PLUGIN_NO_HANDLE; |
560 | | |
561 | 0 | return 0; |
562 | 0 | } |
563 | | |
564 | | /* |
565 | | * Check k5login files in a system location, rather than in home |
566 | | * directories. |
567 | | */ |
568 | | |
569 | | static krb5_error_code KRB5_LIB_CALL |
570 | | kuserok_sys_k5login_plug_f(void *plug_ctx, krb5_context context, |
571 | | const char *rule, unsigned int flags, |
572 | | const char *k5login_dir, const char *luser, |
573 | | krb5_const_principal principal, krb5_boolean *result) |
574 | 0 | { |
575 | 0 | char filename[MAXPATHLEN]; |
576 | 0 | size_t len; |
577 | 0 | const char *profile_dir = NULL; |
578 | 0 | krb5_error_code ret; |
579 | |
|
580 | 0 | *result = FALSE; |
581 | |
|
582 | 0 | if (strcmp(rule, "SYSTEM-K5LOGIN") != 0 && |
583 | 0 | strncmp(rule, "SYSTEM-K5LOGIN:", strlen("SYSTEM-K5LOGIN:")) != 0) |
584 | 0 | return KRB5_PLUGIN_NO_HANDLE; |
585 | | |
586 | 0 | profile_dir = strchr(rule, ':'); |
587 | 0 | if (profile_dir == NULL) |
588 | 0 | profile_dir = k5login_dir ? k5login_dir : SYSTEM_K5LOGIN_DIR; |
589 | 0 | else |
590 | 0 | profile_dir++; |
591 | |
|
592 | 0 | len = snprintf(filename, sizeof(filename), "%s/%s", profile_dir, luser); |
593 | 0 | if (len < sizeof(filename)) { |
594 | 0 | ret = check_one_file(context, filename, NULL, TRUE, principal, result); |
595 | |
|
596 | 0 | if (ret == 0 && |
597 | 0 | ((flags & KUSEROK_K5LOGIN_IS_AUTHORITATIVE) || *result == TRUE)) |
598 | 0 | return 0; |
599 | 0 | } |
600 | | |
601 | 0 | *result = FALSE; |
602 | 0 | return KRB5_PLUGIN_NO_HANDLE; |
603 | 0 | } |
604 | | |
605 | | /* |
606 | | * Check ~luser/.k5login and/or ~/luser/.k5login.d |
607 | | */ |
608 | | |
609 | | static krb5_error_code KRB5_LIB_CALL |
610 | | kuserok_user_k5login_plug_f(void *plug_ctx, krb5_context context, |
611 | | const char *rule, unsigned int flags, |
612 | | const char *k5login_dir, const char *luser, |
613 | | krb5_const_principal principal, |
614 | | krb5_boolean *result) |
615 | 0 | { |
616 | | #ifdef _WIN32 |
617 | | return KRB5_PLUGIN_NO_HANDLE; |
618 | | #else |
619 | 0 | char *path; |
620 | 0 | char *path_exp; |
621 | 0 | const char *profile_dir = NULL; |
622 | 0 | krb5_error_code ret; |
623 | 0 | krb5_boolean found_file = FALSE; |
624 | 0 | struct passwd pw, *pwd = NULL; |
625 | 0 | char pwbuf[2048]; |
626 | |
|
627 | 0 | if (strcmp(rule, "USER-K5LOGIN") != 0) |
628 | 0 | return KRB5_PLUGIN_NO_HANDLE; |
629 | | |
630 | 0 | profile_dir = k5login_dir; |
631 | 0 | if (profile_dir == NULL) { |
632 | | /* Don't deadlock with gssd or anything of the sort */ |
633 | 0 | if (!_krb5_homedir_access(context)) |
634 | 0 | return KRB5_PLUGIN_NO_HANDLE; |
635 | | |
636 | 0 | if (getpwnam_r(luser, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) { |
637 | 0 | krb5_set_error_message(context, errno, "User unknown (getpwnam_r())"); |
638 | 0 | return KRB5_PLUGIN_NO_HANDLE; |
639 | 0 | } |
640 | 0 | if (pwd == NULL) { |
641 | 0 | krb5_set_error_message(context, errno, "User unknown (getpwnam())"); |
642 | 0 | return KRB5_PLUGIN_NO_HANDLE; |
643 | 0 | } |
644 | 0 | profile_dir = pwd->pw_dir; |
645 | 0 | } |
646 | | |
647 | 0 | #define KLOGIN "/.k5login" |
648 | | |
649 | 0 | if (asprintf(&path, "%s/.k5login.d", profile_dir) == -1) |
650 | 0 | return krb5_enomem(context); |
651 | | |
652 | 0 | ret = _krb5_expand_path_tokensv(context, path, 1, &path_exp, |
653 | 0 | "luser", luser, NULL); |
654 | 0 | free(path); |
655 | 0 | if (ret) |
656 | 0 | return ret; |
657 | 0 | path = path_exp; |
658 | | |
659 | | /* check user's ~/.k5login */ |
660 | 0 | path[strlen(path) - strlen(".d")] = '\0'; |
661 | 0 | ret = check_one_file(context, path, luser, FALSE, principal, result); |
662 | | |
663 | | /* |
664 | | * A match in ~/.k5login is sufficient. A non-match, falls through to the |
665 | | * .k5login.d code below. |
666 | | */ |
667 | 0 | if (ret == 0 && *result == TRUE) { |
668 | 0 | free(path); |
669 | 0 | return 0; |
670 | 0 | } |
671 | 0 | if (ret != ENOENT) |
672 | 0 | found_file = TRUE; |
673 | | |
674 | | /* |
675 | | * A match in ~/.k5login.d/somefile is sufficient. A non-match, falls |
676 | | * through to the code below that handles negative results. |
677 | | * |
678 | | * XXX: put back the .d; clever|hackish? you decide |
679 | | */ |
680 | 0 | path[strlen(path)] = '.'; |
681 | 0 | ret = check_directory(context, path, luser, FALSE, principal, result); |
682 | 0 | free(path); |
683 | 0 | if (ret == 0 && *result == TRUE) |
684 | 0 | return 0; |
685 | 0 | if (ret != ENOENT && ret != ENOTDIR) |
686 | 0 | found_file = TRUE; |
687 | | |
688 | | /* |
689 | | * When either ~/.k5login or ~/.k5login.d/ exists, but neither matches |
690 | | * and we're authoritative, we're done. Otherwise, give other plugins |
691 | | * a chance. |
692 | | */ |
693 | 0 | *result = FALSE; |
694 | 0 | if (found_file && (flags & KUSEROK_K5LOGIN_IS_AUTHORITATIVE)) |
695 | 0 | return 0; |
696 | 0 | return KRB5_PLUGIN_NO_HANDLE; |
697 | 0 | #endif |
698 | 0 | } |
699 | | |
700 | | static krb5_error_code KRB5_LIB_CALL |
701 | | kuserok_deny_plug_f(void *plug_ctx, krb5_context context, const char *rule, |
702 | | unsigned int flags, const char *k5login_dir, |
703 | | const char *luser, krb5_const_principal principal, |
704 | | krb5_boolean *result) |
705 | 0 | { |
706 | 0 | if (strcmp(rule, "DENY") != 0) |
707 | 0 | return KRB5_PLUGIN_NO_HANDLE; |
708 | | |
709 | 0 | *result = FALSE; |
710 | 0 | return 0; |
711 | 0 | } |
712 | | |
713 | | static krb5_error_code KRB5_LIB_CALL |
714 | | kuser_ok_null_plugin_init(krb5_context context, void **ctx) |
715 | 0 | { |
716 | 0 | *ctx = NULL; |
717 | 0 | return 0; |
718 | 0 | } |
719 | | |
720 | | static void KRB5_LIB_CALL |
721 | | kuser_ok_null_plugin_fini(void *ctx) |
722 | 0 | { |
723 | 0 | return; |
724 | 0 | } |
725 | | |
726 | | static const krb5plugin_kuserok_ftable kuserok_simple_plug = { |
727 | | KRB5_PLUGIN_KUSEROK_VERSION_0, |
728 | | kuser_ok_null_plugin_init, |
729 | | kuser_ok_null_plugin_fini, |
730 | | kuserok_simple_plug_f, |
731 | | }; |
732 | | |
733 | | static const krb5plugin_kuserok_ftable kuserok_sys_k5login_plug = { |
734 | | KRB5_PLUGIN_KUSEROK_VERSION_0, |
735 | | kuser_ok_null_plugin_init, |
736 | | kuser_ok_null_plugin_fini, |
737 | | kuserok_sys_k5login_plug_f, |
738 | | }; |
739 | | |
740 | | static const krb5plugin_kuserok_ftable kuserok_user_k5login_plug = { |
741 | | KRB5_PLUGIN_KUSEROK_VERSION_0, |
742 | | kuser_ok_null_plugin_init, |
743 | | kuser_ok_null_plugin_fini, |
744 | | kuserok_user_k5login_plug_f, |
745 | | }; |
746 | | |
747 | | static const krb5plugin_kuserok_ftable kuserok_deny_plug = { |
748 | | KRB5_PLUGIN_KUSEROK_VERSION_0, |
749 | | kuser_ok_null_plugin_init, |
750 | | kuser_ok_null_plugin_fini, |
751 | | kuserok_deny_plug_f, |
752 | | }; |
753 | | |