
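--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -31,6 +31,8 @@ libpam_krb5_la_SOURCES = \
 	kuserok.c \
 	kuserok.h \
 	minikafs.h \
+	perms.c \
+	perms.h \
 	prompter.c \
 	prompter.h \
 	shmem.c \
@@ -106,6 +108,7 @@ harness_LDADD = \
 	map.lo \
 	initopts.lo \
 	options.lo \
+	perms.lo \
 	userinfo.lo \
 	sly.lo \
 	v4.lo \
@@ -119,6 +122,7 @@ harness_newpag_LDADD = \
 	pam_newpag.lo \
 	logstdio.lo \
 	options.lo \
+	perms.lo \
 	v4.lo \
 	v5.lo
 harness_newpag_LDADD += libpam_krb5.la @PAM_LIBS@ @KRB5_LIBS@ @KRB4_LIBS@ @KEYUTILS_LIBS@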
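--- a/src/perms.c
+++ b/src/perms.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright 2008 Red Hat, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, and the entire permission notice in its entirety,
+ *    including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior
+ *    written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of the
+ * GNU Lesser General Public License, in which case the provisions of the
+ * LGPL are required INSTEAD OF the above restrictions.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN
+ * NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "../config.h"
+
+#include <sys/types.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include "perms.h"
+
+struct _pam_krb5_perms {
+	uid_t ruid, euid;
+	gid_t rgid, egid;
+};
+
+struct _pam_krb5_perms *
+_pam_krb5_switch_perms(void)
+{
+	struct _pam_krb5_perms *ret;
+	ret = malloc(sizeof(*ret));
+	if (ret != NULL) {
+		ret->ruid = getuid();
+		ret->euid = geteuid();
+		ret->rgid = getgid();
+		ret->egid = getegid();
+		if (ret->ruid == ret->euid) {
+			ret->ruid = -1;
+			ret->euid = -1;
+		}
+		if (ret->rgid == ret->egid) {
+			ret->rgid = -1;
+			ret->egid = -1;
+		}
+		if (setregid(ret->egid, ret->rgid) == -1) {
+			free(ret);
+			ret = NULL;
+		} else {
+			if (setreuid(ret->euid, ret->ruid) == -1) {
+				setregid(ret->rgid, ret->egid);
+				free(ret);
+				ret = NULL;
+			}
+		}
+	}
+	return ret;
+}
+
+int
+_pam_krb5_restore_perms(struct _pam_krb5_perms *saved)
+{
+	int ret = -1;
+	if (saved != NULL) {
+		if ((setreuid(saved->ruid, saved->euid) == 0) &&
+		    (setregid(saved->rgid, saved->egid) == 0)) {
+			ret = 0;
+		}
+		free(saved);
+	}
+	return ret;
+}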
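Review bot: The rollback `setregid(ret->rgid, ret->egid);` on the setreuid failure path (new line 68) discards its return value, so if the rollback itself fails the function reports failure via NULL while the process is left with the swapped gids and no trace of why; at minimum it deserves a comment, e.g. `/* Best effort: undo the gid swap before reporting failure; nothing more can be done if this fails too. */`, and the caller's error handling should not assume the ids are back where they were. The `-1` sentinels at lines 56–61 would read more clearly as `(uid_t) -1` / `(gid_t) -1` with a comment on the struct such as `/* Saved real/effective ids; a field of -1 means "leave unchanged" for setreuid/setregid. */`. The gid swap is done before the uid swap in `_pam_krb5_switch_perms` and the uid restore before the gid restore in `_pam_krb5_restore_perms`, presumably so the gid change always runs while the uid still carries privilege — that ordering is load-bearing and should be stated in a one-line comment at each call pair. Note also that `_pam_krb5_restore_perms` frees `saved` even when the setre*id calls fail (line 86), which is fine as long as callers treat -1 as fatal rather than retrying.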
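--- a/src/perms.h
+++ b/src/perms.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2008 Red Hat, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, and the entire permission notice in its entirety,
+ *    including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior
+ *    written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of the
+ * GNU Lesser General Public License, in which case the provisions of the
+ * LGPL are required INSTEAD OF the above restrictions.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN
+ * NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef pam_krb5_perms_h
+#define pam_krb5_perms_h
+
+struct _pam_krb5_perms;
+struct _pam_krb5_perms *_pam_krb5_switch_perms(void);
+int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved);
+
+#endif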
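Review bot: The two prototypes at new lines 37–38 carry no contract, and the ownership rule matters for a privilege-switching API: `_pam_krb5_restore_perms()` frees `saved` on every path, including when the setreuid/setregid calls fail (perms.c line 86), so a caller must never touch the pointer after the call, and `_pam_krb5_switch_perms()` returns NULL both when malloc fails and when the id swap fails. I'd add above the first prototype `/* Swap real and effective uid/gid (gids first) so the effective ids become the caller's; returns a heap record for _pam_krb5_restore_perms, or NULL on allocation or setre*id failure. */` and above the second `/* Undo _pam_krb5_switch_perms; always frees saved. Returns 0 on success, -1 if saved is NULL or either setre*id call fails. */`. The leading-underscore names follow the project's existing `_pam_krb5_` convention (cf. `_pam_krb5_prompter_data` in v5.c), so I would not change them here, though such file-scope identifiers are reserved by the C standard.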
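--- a/src/v5.c
+++ b/src/v5.c
@@ -66,6 +66,7 @@
 
 #include "conv.h"
 #include "log.h"
+#include "perms.h"
 #include "prompter.h"
 #include "stash.h"
 #include "userinfo.h"
@@ -833,6 +834,7 @@ v5_get_creds(krb5_context ctx,
 	const char *realm;
 	struct pam_message message;
 	struct _pam_krb5_prompter_data prompter_data;
+	struct _pam_krb5_perms *saved_perms;
 	krb5_principal service_principal;
 	krb5_creds tmpcreds;
 	krb5_ccache ccache;
@@ -884,20 +886,46 @@ v5_get_creds(krb5_context ctx,
 				      "from %s", krb5_cc_default_name(ctx));
 			}
 			memset(&ccache, 0, sizeof(ccache));
-			if (krb5_cc_default(ctx, &ccache) == 0) {
+			/* In case we're setuid/setgid, switch to the caller's
+			 * permissions. */
+			saved_perms = _pam_krb5_switch_perms();
+			if ((saved_perms != NULL) &&
+			    (krb5_cc_default(ctx, &ccache) == 0)) {
 				tmpcreds.client = userinfo->principal_name;
 				tmpcreds.server = service_principal;
 				i = krb5_cc_retrieve_cred(ctx, ccache, 0,
 							  &tmpcreds, creds);
 				/* FIXME: check if the creds are expired?
 				 * What's the right error code if we check, and
 				 * they are? */
 				memset(&tmpcreds, 0, sizeof(tmpcreds));
 				krb5_cc_close(ctx, ccache);
+				/* In case we're setuid/setgid, restore the
+				 * previous permissions. */
+				if (saved_perms != NULL) {
+					if (_pam_krb5_restore_perms(saved_perms) != 0) {
+						krb5_free_cred_contents(ctx, creds);
+						memset(creds, 0, sizeof(*creds));
+						krb5_free_principal(ctx, service_principal);
+						return PAM_SYSTEM_ERR;
+					}
+					saved_perms = NULL;
+				}
 			} else {
 				warn("error opening default ccache");
 				i = KRB5_CC_NOTFOUND;
 			}
+			/* In case we're setuid/setgid, switch back to the
+			 * previous permissions if we didn't already. */
+			if (saved_perms != NULL) {
+				if (_pam_krb5_restore_perms(saved_perms) != 0) {
+					krb5_free_cred_contents(ctx, creds);
+					memset(creds, 0, sizeof(*creds));
+					krb5_free_principal(ctx, service_principal);
+					return PAM_SYSTEM_ERR;
+				}
+				saved_perms = NULL;
+			}
 			krb5_free_principal(ctx, service_principal);
 		} else {
 			warn("error parsing TGT principal name (%s) "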
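Review bot: A failure of `_pam_krb5_switch_perms()` at new line 891 is indistinguishable from a ccache-open failure: the merged condition at lines 892–893 sends both to the `else` branch, which logs "error opening default ccache" and sets `i = KRB5_CC_NOTFOUND`, so a malloc or setreuid/setregid failure is reported as a missing credential cache and processing continues as if the cache were merely absent. The two cases should be split so the permission problem gets its own diagnostic, and arguably the same `PAM_SYSTEM_ERR` treatment the restore failure already receives, since the point of the change is that cache access must not happen with the wrong ids. The restore block at lines 903–913 is also a verbatim copy of the one at 920–928; nothing between them executes on the success path, so the second block alone covers both branches and the first can be dropped. v5_get_creds starts and ends outside this hunk, so I cannot tell whether other resources held at this point need releasing on the `return PAM_SYSTEM_ERR` paths.
```c
			memset(&ccache, 0, sizeof(ccache));
			/* In case we're setuid/setgid, switch to the caller's
			 * permissions. */
			saved_perms = _pam_krb5_switch_perms();
			if (saved_perms == NULL) {
				warn("error switching to caller's permissions");
				i = KRB5_CC_NOTFOUND;
			} else if (krb5_cc_default(ctx, &ccache) == 0) {
				/* … unchanged: krb5_cc_retrieve_cred lookup and krb5_cc_close … */
			} else {
				warn("error opening default ccache");
				i = KRB5_CC_NOTFOUND;
			}
			/* Single restore point; covers both branches above. */
			if (saved_perms != NULL) {
				/* … unchanged: _pam_krb5_restore_perms and the PAM_SYSTEM_ERR cleanup … */
			}
```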
