Gentoo's Bugzilla – Attachment 114844 Details for
Bug 171889
app-crypt/mit-krb5 Multiple issues CVE-2007-{095{6|7}|1216}
[patch]
The second patch to fix syslogging
mit-krb5-SA-2007-002-syslog.patch (text/plain), 30.39 KB, created by
Seemant Kulleen (RETIRED)
on 2007-03-29 01:54:30 UTC
Description:
The second patch to fix syslogging
Filename:
MIME Type:
Creator:
Seemant Kulleen (RETIRED)
Created:
2007-03-29 01:54:30 UTC
Size:
30.39 KB
patch
obsolete
>diff -urN krb5-1.5.2.orig/src/kadmin/server/kadm_rpc_svc.c krb5-1.5.2/src/kadmin/server/kadm_rpc_svc.c
>--- krb5-1.5.2.orig/src/kadmin/server/kadm_rpc_svc.c 2006-03-31 22:08:17.000000000 -0500
>+++ krb5-1.5.2/src/kadmin/server/kadm_rpc_svc.c 2007-03-28 18:17:57.000000000 -0400
>@@ -250,6 +250,8 @@
> krb5_data *c1, *c2, *realm;
> gss_buffer_desc gss_str;
> kadm5_server_handle_t handle;
>+ size_t slen;
>+ char *sdots;
>
> success = 0;
> handle = (kadm5_server_handle_t)global_server_handle;
>@@ -274,6 +276,9 @@
> if (ret == 0)
> goto fail_name;
>
>+ slen = gss_str.length;
>+ trunc_name(&slen, &sdots);
>+
> /*
> * Since we accept with GSS_C_NO_NAME, the client can authenticate
> * against the entire kdb. Therefore, ensure that the service
>@@ -296,8 +301,8 @@
>
> fail_princ:
> if (!success) {
>- krb5_klog_syslog(LOG_ERR, "bad service principal %.*s",
>- gss_str.length, gss_str.value);
>+ krb5_klog_syslog(LOG_ERR, "bad service principal %.*s%s",
>+ slen, gss_str.value, sdots);
> }
> gss_release_buffer(&min_stat, &gss_str);
> krb5_free_principal(kctx, princ);
>diff -urN krb5-1.5.2.orig/src/kadmin/server/misc.c krb5-1.5.2/src/kadmin/server/misc.c
>--- krb5-1.5.2.orig/src/kadmin/server/misc.c 2006-03-11 17:23:28.000000000 -0500
>+++ krb5-1.5.2/src/kadmin/server/misc.c 2007-03-28 18:19:44.000000000 -0400
>@@ -171,3 +171,12 @@
>
> return kadm5_free_principal_ent(handle->lhandle, &princ);
> }
>+
>+#define MAXPRINCLEN 125
>+
>+void
>+trunc_name(size_t *len, char **dots)
>+{
>+ *dots = *len > MAXPRINCLEN ? "..." : "";
>+ *len = *len > MAXPRINCLEN ? MAXPRINCLEN : *len;
>+}
>diff -urN krb5-1.5.2.orig/src/kadmin/server/misc.h krb5-1.5.2/src/kadmin/server/misc.h
>--- krb5-1.5.2.orig/src/kadmin/server/misc.h 2005-10-12 00:09:19.000000000 -0400
>+++ krb5-1.5.2/src/kadmin/server/misc.h 2007-03-28 18:20:15.000000000 -0400
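Review bot: `slen` is a `size_t` but is handed to `%.*s` as its precision, which printf fetches as an `int`; a varargs type mismatch is undefined behaviour and misaligns the arguments that follow on ABIs that pass them on the stack, so the call should be `krb5_klog_syslog(LOG_ERR, "bad service principal %.*s%s", (int)slen, gss_str.value, sdots);` (the cast cannot lose anything because `trunc_name` has already capped the value). The same `size_t`-as-precision pattern recurs at every `%.*s` site this patch adds: ovsec_kadmd.c @@ -1013, schpw.c @@ -258, the `log_unauth`/`log_done` helpers at server_stubs.c @@ -237 and the kadm5_init syslog at @@ -1611; do_tgs_req.c @@ -491 uses `unsigned int tlen`, which matches in width but deserves the same `(int)` cast for correctness. Separately, `slen` and `sdots` are assigned only after the parse in the @@ -274 hunk, while the `fail_princ:` log reads them; worth confirming that no `goto fail_princ` exists above that point (the code between the hunks is not visible here), since such a path would log uninitialized values.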
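Review bot: `trunc_name` carries no comment describing its contract, and since `MAXPRINCLEN` is defined only in misc.c a reader of the prototype in misc.h cannot tell what the cap is or that `*dots` points at a string literal. Above the definition I would add `/* Cap *len at MAXPRINCLEN for use as a %.*s precision; set *dots to "..." when the name was cut, else "". *dots aliases a string literal: never write through or free it. */`. Moving the `#define` beside the prototype in misc.h (or turning it into an `enum`) would document the limit where callers see it; as written, `len` is read and written through `size_t *` while every caller forwards the result to a `%.*s` that expects an `int`, so the comment should say the value is meant to be cast at the printf call.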
>@@ -45,3 +45,5 @@
> #ifdef SVC_GETARGS
> void kadm_1(struct svc_req *, SVCXPRT *);
> #endif
>+
>+void trunc_name(size_t *len, char **dots);
>diff -urN krb5-1.5.2.orig/src/kadmin/server/ovsec_kadmd.c krb5-1.5.2/src/kadmin/server/ovsec_kadmd.c
>--- krb5-1.5.2.orig/src/kadmin/server/ovsec_kadmd.c 2007-01-09 20:08:20.000000000 -0500
>+++ krb5-1.5.2/src/kadmin/server/ovsec_kadmd.c 2007-03-28 18:29:19.000000000 -0400
>@@ -989,6 +989,8 @@
> rpcproc_t proc;
> int i;
> const char *procname;
>+ size_t clen, slen;
>+ char *cdots, *sdots;
>
> client.length = 0;
> client.value = NULL;
>@@ -997,10 +999,20 @@
>
> (void) gss_display_name(&minor, client_name, &client, &gss_type);
> (void) gss_display_name(&minor, server_name, &server, &gss_type);
>- if (client.value == NULL)
>- client.value = "(null)";
>- if (server.value == NULL)
>- server.value = "(null)";
>+ if (client.value == NULL) {
>+ client.value = "(null)";
>+ clen = sizeof("(null)") - 1;
>+ } else {
>+ clen = client.length;
>+ }
>+ trunc_name(&clen, &cdots);
>+ if (server.value == NULL) {
>+ server.value = "(null)";
>+ slen = sizeof("(null)") - 1;
>+ } else {
>+ slen = server.length;
>+ }
>+ trunc_name(&slen, &sdots);
> a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);
>
> proc = msg->rm_call.cb_proc;
>@@ -1013,14 +1025,14 @@
> }
> if (procname != NULL)
> krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "
>- "claimed client = %s, server = %s, addr = %s",
>- procname, client.value,
>- server.value, a);
>+ "claimed client = %.*s%s, server = %.*s%s, addr = %s",
>+ procname, clen, client.value, cdots,
>+ slen, server.value, sdots, a);
> else
> krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, "
>- "claimed client = %s, server = %s, addr = %s",
>- proc, client.value,
>- server.value, a);
>+ "claimed client = %.*s%s, server = %.*s%s, addr = %s",
>+ proc, clen, client.value, cdots,
>+ slen, server.value, sdots, a);
>
> (void) gss_release_buffer(&minor, &client);
> (void) gss_release_buffer(&minor, &server);
>diff -urN krb5-1.5.2.orig/src/kadmin/server/schpw.c krb5-1.5.2/src/kadmin/server/schpw.c
>--- krb5-1.5.2.orig/src/kadmin/server/schpw.c 2006-04-13 14:58:56.000000000 -0400
>+++ krb5-1.5.2/src/kadmin/server/schpw.c 2007-03-28 18:29:11.000000000 -0400
>@@ -40,6 +40,8 @@
> int numresult;
> char strresult[1024];
> char *clientstr;
>+ size_t clen;
>+ char *cdots;
>
> ret = 0;
> rep->length = 0;
>@@ -258,9 +260,12 @@
> free(ptr);
> clear.length = 0;
>
>- krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %s: %s",
>+ clen = strlen(clientstr);
>+ trunc_name(&clen, &cdots);
>+ krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s",
> inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr),
>- clientstr, ret ? krb5_get_error_message (context, ret) : "success");
>+ clen, clientstr, cdots,
>+ ret ? krb5_get_error_message (context, ret) : "success");
> krb5_free_unparsed_name(context, clientstr);
>
> if (ret) {
>diff -urN krb5-1.5.2.orig/src/kadmin/server/server_stubs.c krb5-1.5.2/src/kadmin/server/server_stubs.c
>--- krb5-1.5.2.orig/src/kadmin/server/server_stubs.c 2006-04-13 14:58:56.000000000 -0400
>+++ krb5-1.5.2/src/kadmin/server/server_stubs.c 2007-03-28 21:03:41.000000000 -0400
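Review bot: `clen = strlen(clientstr);` in the schpw.c @@ -258 hunk dereferences `clientstr` unconditionally, whereas the `%s` it replaces merely printed it; if the `krb5_unparse_name` that fills `clientstr` can fail and still reach this log line with a NULL pointer (its error path lies outside the hunk), the patch turns a garbled log entry into a crash on the password-change path. If that can happen, log through a local instead of touching `clientstr` itself, since the latter still goes to `krb5_free_unparsed_name`: `const char *cstr = clientstr ? clientstr : "(null)";` then `clen = strlen(cstr);` and print `cstr` in place of `clientstr`. The enclosing function starts and ends outside this hunk.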
>@@ -14,6 +14,7 @@
> #include <arpa/inet.h> /* inet_ntoa */
> #include <adm_proto.h> /* krb5_klog_syslog */
> #include "misc.h"
>+#include <string.h>
>
> #define LOG_UNAUTH "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s"
> #define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s"
>@@ -237,6 +238,50 @@
> return 0;
> }
>
>+static int
>+log_unauth(char *op, char *target, gss_buffer_t client, gss_buffer_t server, struct svc_req *rqstp)
>+{
>+ size_t tlen, clen, slen;
>+ char *tdots, *cdots, *sdots;
>+
>+ tlen = strlen(target);
>+ trunc_name(&tlen, &tdots);
>+ clen = client->length;
>+ trunc_name(&clen, &cdots);
>+ slen = server->length;
>+ trunc_name(&slen, &sdots);
>+
>+ return krb5_klog_syslog(LOG_NOTICE,
>+ "Unauthorized request: %s, %.*s%s, "
>+ "client=%.*s%s, service=%.*s%s, addr=%s",
>+ op, tlen, target, tdots,
>+ clen, client->value, cdots,
>+ slen, server->value, sdots,
>+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+}
>+
>+static int
>+log_done(char *op, char *target, char *errmsg, gss_buffer_t client, gss_buffer_t server, struct svc_req *rqstp)
>+{
>+ size_t tlen, clen, slen;
>+ char *tdots, *cdots, *sdots;
>+
>+ tlen = strlen(target);
>+ trunc_name(&tlen, &tdots);
>+ clen = client->length;
>+ trunc_name(&clen, &cdots);
>+ slen = server->length;
>+ trunc_name(&slen, &sdots);
>+
>+ return krb5_klog_syslog(LOG_NOTICE,
>+ "Request: %s, %.*s%s, %s, "
>+ "client=%.*s%s, service=%.*s%s, addr=%s",
>+ op, tlen, target, tdots, errmsg,
>+ clen, client->value, cdots,
>+ slen, server->value, sdots,
>+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+}
>+
> generic_ret *
> create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
> {
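Review bot: `log_unauth` calls `strlen(target)` with no NULL check, yet the policy call sites later in this patch (@@ -1265, @@ -1321, @@ -1378 and @@ -1464) wrap the `log_done` argument as `((prime_arg == NULL) ? "(null)" : prime_arg)` while passing the bare `prime_arg` to `log_unauth`; if `prime_arg` can be NULL there, as that guard implies, the unauthorized path has gone from a `%s` of a null pointer to a `strlen(NULL)` crash. Normalising once inside both helpers, `if (target == NULL) target = "(null)";` before the `strlen`, covers every caller and lets the call-site ternaries go. The `LOG_UNAUTH` and `LOG_DONE` macros visible in the @@ -14 context appear to lose their last users once the helpers replace every `krb5_klog_syslog(LOG_NOTICE, LOG_...` call in this file, and their `%s` formats no longer describe what is logged, so they should be deleted rather than left as stale documentation. Finally, `op`, `target` and `errmsg` are only read, so declaring them `const char *` documents that and lets string literals be passed cleanly.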
>@@ -275,9 +320,8 @@
> || kadm5int_acl_impose_restrictions(handle->context,
> &arg->rec, &arg->mask, rp)) {
> ret.code = KADM5_AUTH_ADD;
>- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
>- prime_arg, client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_unauth("kadm5_create_principal", prime_arg,
>+ &client_name, &service_name, rqstp);
> } else {
> ret.code = kadm5_create_principal((void *)handle,
> &arg->rec, arg->mask,
>@@ -287,10 +331,8 @@
> else
> errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>
>- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
>- prime_arg, errmsg,
>- client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_done("kadm5_create_principal", prime_arg, errmsg,
>+ &client_name, &service_name, rqstp);
>
> /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
> }
>@@ -341,9 +383,8 @@
> || kadm5int_acl_impose_restrictions(handle->context,
> &arg->rec, &arg->mask, rp)) {
> ret.code = KADM5_AUTH_ADD;
>- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
>- prime_arg, client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_unauth("kadm5_create_principal", prime_arg,
>+ &client_name, &service_name, rqstp);
> } else {
> ret.code = kadm5_create_principal_3((void *)handle,
> &arg->rec, arg->mask,
>@@ -355,10 +396,8 @@
> else
> errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>
>- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
>- prime_arg, errmsg,
>- client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_done("kadm5_create_principal", prime_arg, errmsg,
>+ &client_name, &service_name, rqstp);
>
> /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
> }
>@@ -406,9 +445,8 @@
> || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,
> arg->princ, NULL)) {
> ret.code = KADM5_AUTH_DELETE;
>- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_principal",
>- prime_arg, client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_unauth("kadm5_delete_principal", prime_arg,
>+ &client_name, &service_name, rqstp);
> } else {
> ret.code = kadm5_delete_principal((void *)handle, arg->princ);
> if( ret.code == 0 )
>@@ -416,10 +454,8 @@
> else
> errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>
>- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_principal",
>- prime_arg, errmsg,
>- client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_done("kadm5_delete_principal", prime_arg, errmsg,
>+ &client_name, &service_name, rqstp);
>
> /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
> }
>@@ -469,9 +505,8 @@
> || kadm5int_acl_impose_restrictions(handle->context,
> &arg->rec, &arg->mask, rp)) {
> ret.code = KADM5_AUTH_MODIFY;
>- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_principal",
>- prime_arg, client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_unauth("kadm5_modify_principal", prime_arg,
>+ &client_name, &service_name, rqstp);
> } else {
> ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
> arg->mask);
>@@ -480,10 +515,8 @@
> else
> errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>
>- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_principal",
>- prime_arg, errmsg,
>- client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_done("kadm5_modify_principal", prime_arg, errmsg,
>+ &client_name, &service_name, rqstp);
>
> /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
> }
>@@ -546,9 +579,8 @@
> } else
> ret.code = KADM5_AUTH_INSUFFICIENT;
> if (ret.code != KADM5_OK) {
>- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_rename_principal",
>- prime_arg, client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_unauth("kadm5_rename_principal", prime_arg,
>+ &client_name, &service_name, rqstp);
> } else {
> ret.code = kadm5_rename_principal((void *)handle, arg->src,
> arg->dest);
>@@ -557,10 +589,8 @@
> else
> errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>
>- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal",
>- prime_arg, errmsg,
>- client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_done("kadm5_rename_principal", prime_arg, errmsg,
>+ &client_name, &service_name, rqstp);
> }
> free_server_handle(handle);
> free(prime_arg1);
>@@ -614,9 +644,8 @@
> arg->princ,
> NULL))) {
> ret.code = KADM5_AUTH_GET;
>- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
>- prime_arg, client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_unauth(funcname, prime_arg,
>+ &client_name, &service_name, rqstp);
> } else {
> if (handle->api_version == KADM5_API_VERSION_1) {
> ret.code = kadm5_get_principal_v1((void *)handle,
>@@ -636,11 +665,8 @@
> else
> errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>
>- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
>- prime_arg,
>- errmsg,
>- client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_done(funcname, prime_arg, errmsg,
>+ &client_name, &service_name, rqstp);
>
> }
> free_server_handle(handle);
>@@ -688,9 +714,8 @@
> NULL,
> NULL)) {
> ret.code = KADM5_AUTH_LIST;
>- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_principals",
>- prime_arg, client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_unauth("kadm5_get_principals", prime_arg,
>+ &client_name, &service_name, rqstp);
> } else {
> ret.code = kadm5_get_principals((void *)handle,
> arg->exp, &ret.princs,
>@@ -700,11 +725,8 @@
> else
> errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>
>- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_principals",
>- prime_arg,
>- errmsg,
>- client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_done("kadm5_get_principals", prime_arg, errmsg,
>+ &client_name, &service_name, rqstp);
>
> }
> free_server_handle(handle);
>@@ -755,9 +777,8 @@
> ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
> arg->pass);
> } else {
>- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
>- prime_arg, client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_unauth("kadm5_chpass_principal", prime_arg,
>+ &client_name, &service_name, rqstp);
> ret.code = KADM5_AUTH_CHANGEPW;
> }
>
>@@ -767,10 +788,8 @@
> else
> errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>
>- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
>- prime_arg, errmsg,
>- client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_done("kadm5_chpass_principal", prime_arg, errmsg,
>+ &client_name, &service_name, rqstp);
> }
>
> free_server_handle(handle);
>@@ -828,9 +847,8 @@
> arg->ks_tuple,
> arg->pass);
> } else {
>- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
>- prime_arg, client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_unauth("kadm5_chpass_principal", prime_arg,
>+ &client_name, &service_name, rqstp);
> ret.code = KADM5_AUTH_CHANGEPW;
> }
>
>@@ -840,10 +858,8 @@
> else
> errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>
>- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
>- prime_arg, errmsg,
>- client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_done("kadm5_chpass_principal", prime_arg, errmsg,
>+ &client_name, &service_name, rqstp);
> }
>
> free_server_handle(handle);
>@@ -892,9 +908,8 @@
> ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
> arg->keyblock);
> } else {
>- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setv4key_principal",
>- prime_arg, client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_unauth("kadm5_setv4key_principal", prime_arg,
>+ &client_name, &service_name, rqstp);
> ret.code = KADM5_AUTH_SETKEY;
> }
>
>@@ -904,10 +919,8 @@
> else
> errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>
>- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setv4key_principal",
>- prime_arg, errmsg,
>- client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_done("kadm5_setv4key_principal", prime_arg, errmsg,
>+ &client_name, &service_name, rqstp);
> }
>
> free_server_handle(handle);
>@@ -956,9 +969,8 @@
> ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
> arg->keyblocks, arg->n_keys);
> } else {
>- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",
>- prime_arg, client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_unauth("kadm5_setkey_principal", prime_arg,
>+ &client_name, &service_name, rqstp);
> ret.code = KADM5_AUTH_SETKEY;
> }
>
>@@ -968,10 +980,8 @@
> else
> errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>
>- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",
>- prime_arg, errmsg,
>- client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_done("kadm5_setkey_principal", prime_arg, errmsg,
>+ &client_name, &service_name, rqstp);
> }
>
> free_server_handle(handle);
>@@ -1023,9 +1033,8 @@
> arg->ks_tuple,
> arg->keyblocks, arg->n_keys);
> } else {
>- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",
>- prime_arg, client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_unauth("kadm5_setkey_principal", prime_arg,
>+ &client_name, &service_name, rqstp);
> ret.code = KADM5_AUTH_SETKEY;
> }
>
>@@ -1035,10 +1044,8 @@
> else
> errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>
>- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",
>- prime_arg, errmsg,
>- client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_done("kadm5_setkey_principal", prime_arg, errmsg,
>+ &client_name, &service_name, rqstp);
> }
>
> free_server_handle(handle);
>@@ -1097,9 +1104,8 @@
> ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
> &k, &nkeys);
> } else {
>- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
>- prime_arg, client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_unauth(funcname, prime_arg,
>+ &client_name, &service_name, rqstp);
> ret.code = KADM5_AUTH_CHANGEPW;
> }
>
>@@ -1119,10 +1125,8 @@
> else
> errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>
>- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
>- prime_arg, errmsg,
>- client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_done(funcname, prime_arg, errmsg,
>+ &client_name, &service_name, rqstp);
> }
> free_server_handle(handle);
> free(prime_arg);
>@@ -1185,9 +1189,8 @@
> arg->ks_tuple,
> &k, &nkeys);
> } else {
>- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
>- prime_arg, client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_unauth(funcname, prime_arg,
>+ &client_name, &service_name, rqstp);
> ret.code = KADM5_AUTH_CHANGEPW;
> }
>
>@@ -1207,10 +1210,8 @@
> else
> errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>
>- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
>- prime_arg, errmsg,
>- client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_done(funcname, prime_arg, errmsg,
>+ &client_name, &service_name, rqstp);
> }
> free_server_handle(handle);
> free(prime_arg);
>@@ -1253,9 +1254,8 @@
> rqst2name(rqstp),
> ACL_ADD, NULL, NULL)) {
> ret.code = KADM5_AUTH_ADD;
>- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy",
>- prime_arg, client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_unauth("kadm5_create_policy", prime_arg,
>+ &client_name, &service_name, rqstp);
>
> } else {
> ret.code = kadm5_create_policy((void *)handle, &arg->rec,
>@@ -1265,11 +1265,9 @@
> else
> errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>
>- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_policy",
>- ((prime_arg == NULL) ? "(null)" : prime_arg),
>- errmsg,
>- client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_done("kadm5_create_policy",
>+ ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
>+ &client_name, &service_name, rqstp);
> }
> free_server_handle(handle);
> gss_release_buffer(&minor_stat, &client_name);
>@@ -1310,9 +1308,8 @@
> if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
> rqst2name(rqstp),
> ACL_DELETE, NULL, NULL)) {
>- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy",
>- prime_arg, client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_unauth("kadm5_delete_policy", prime_arg,
>+ &client_name, &service_name, rqstp);
> ret.code = KADM5_AUTH_DELETE;
> } else {
> ret.code = kadm5_delete_policy((void *)handle, arg->name);
>@@ -1321,11 +1318,9 @@
> else
> errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>
>- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_policy",
>- ((prime_arg == NULL) ? "(null)" : prime_arg),
>- errmsg,
>- client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_done("kadm5_delete_policy",
>+ ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
>+ &client_name, &service_name, rqstp);
> }
> free_server_handle(handle);
> gss_release_buffer(&minor_stat, &client_name);
>@@ -1366,9 +1361,8 @@
> if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
> rqst2name(rqstp),
> ACL_MODIFY, NULL, NULL)) {
>- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy",
>- prime_arg, client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_unauth("kadm5_modify_policy", prime_arg,
>+ &client_name, &service_name, rqstp);
> ret.code = KADM5_AUTH_MODIFY;
> } else {
> ret.code = kadm5_modify_policy((void *)handle, &arg->rec,
>@@ -1378,11 +1372,9 @@
> else
> errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>
>- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_policy",
>- ((prime_arg == NULL) ? "(null)" : prime_arg),
>- errmsg,
>- client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_done("kadm5_modify_policy",
>+ ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
>+ &client_name, &service_name, rqstp);
> }
> free_server_handle(handle);
> gss_release_buffer(&minor_stat, &client_name);
>@@ -1464,15 +1456,12 @@
> else
> errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>
>- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
>- ((prime_arg == NULL) ? "(null)" : prime_arg),
>- errmsg,
>- client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_done(funcname,
>+ ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
>+ &client_name, &service_name, rqstp);
> } else {
>- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
>- prime_arg, client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_unauth(funcname, prime_arg,
>+ &client_name, &service_name, rqstp);
> }
> free_server_handle(handle);
> gss_release_buffer(&minor_stat, &client_name);
>@@ -1517,9 +1506,8 @@
> rqst2name(rqstp),
> ACL_LIST, NULL, NULL)) {
> ret.code = KADM5_AUTH_LIST;
>- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies",
>- prime_arg, client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_unauth("kadm5_get_policies", prime_arg,
>+ &client_name, &service_name, rqstp);
> } else {
> ret.code = kadm5_get_policies((void *)handle,
> arg->exp, &ret.pols,
>@@ -1529,11 +1517,8 @@
> else
> errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>
>- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_policies",
>- prime_arg,
>- errmsg,
>- client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_done("kadm5_get_policies", prime_arg, errmsg,
>+ &client_name, &service_name, rqstp);
> }
> free_server_handle(handle);
> gss_release_buffer(&minor_stat, &client_name);
>@@ -1573,11 +1558,8 @@
> else
> errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>
>- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_privs",
>- client_name.value,
>- errmsg,
>- client_name.value, service_name.value,
>- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>+ log_done("kadm5_get_privs", client_name.value, errmsg,
>+ &client_name, &service_name, rqstp);
>
> free_server_handle(handle);
> gss_release_buffer(&minor_stat, &client_name);
>@@ -1594,6 +1576,8 @@
> kadm5_server_handle_t handle;
> OM_uint32 minor_stat;
> char *errmsg = 0;
>+ size_t clen, slen;
>+ char *cdots, *sdots;
>
> xdr_free(xdr_generic_ret, &ret);
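Review bot: in the @@ -1573 hunk `log_done("kadm5_get_privs", client_name.value, errmsg, ...)` passes the GSS display buffer as `target`, so the helper runs `strlen` over `client_name.value` while the very same buffer is printed length-bounded via `client_name.length` for the `client=` field two arguments later; the two treatments of one buffer are inconsistent, and the `strlen` relies on `gss_display_name` having NUL-terminated its output, which the GSS-API does not promise even if this implementation happens to do so. Since the name is already logged as `client=`, a fixed literal such as `log_done("kadm5_get_privs", "(self)", errmsg, ...)` (or whatever the existing log consumers expect in that slot) would remove the unbounded read; otherwise a short comment above the call recording the NUL-termination assumption is the minimum. The enclosing `get_privs_2_svc` body starts outside this hunk.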
>
>@@ -1611,13 +1595,21 @@
> }
>
> if (ret.code != 0)
>- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>- krb5_klog_syslog(LOG_NOTICE, LOG_DONE ", flavor=%d",
>+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
>+ else
>+ errmsg = "success";
>+
>+ clen = client_name.length;
>+ trunc_name(&clen, &cdots);
>+ slen = service_name.length;
>+ trunc_name(&slen, &sdots);
>+ krb5_klog_syslog(LOG_NOTICE, "Request: %s, %.*s%s, %s, "
>+ "client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d",
> (ret.api_version == KADM5_API_VERSION_1 ?
> "kadm5_init (V1)" : "kadm5_init"),
>- client_name.value,
>- (ret.code == 0) ? "success" : errmsg,
>- client_name.value, service_name.value,
>+ clen, client_name.value, cdots, errmsg,
>+ clen, client_name.value, cdots,
>+ slen, service_name.value, sdots,
> inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
> rqstp->rq_cred.oa_flavor);
> gss_release_buffer(&minor_stat, &client_name);
>diff -urN krb5-1.5.2.orig/src/kdc/do_tgs_req.c krb5-1.5.2/src/kdc/do_tgs_req.c
>--- krb5-1.5.2.orig/src/kdc/do_tgs_req.c 2006-08-07 15:38:41.000000000 -0400
>+++ krb5-1.5.2/src/kdc/do_tgs_req.c 2007-03-28 21:08:52.000000000 -0400
>@@ -491,30 +491,40 @@
> newtransited = 1;
> }
> if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
>- errcode = krb5_check_transited_list (kdc_context,
>+ unsigned int tlen;
>+ char *tdots;
>+
>+ errcode = krb5_check_transited_list (kdc_context,
> &enc_tkt_reply.transited.tr_contents,
> krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
> krb5_princ_realm (kdc_context, request->server));
>- if (errcode == 0) {
>- setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
>- } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
>- krb5_klog_syslog (LOG_INFO,
>- "bad realm transit path from '%s' to '%s' via '%.*s'",
>+ tlen = enc_tkt_reply.transited.tr_contents.length;
>+ tdots = tlen > 125 ? "..." : "";
>+ tlen = tlen > 125 ? 125 : tlen;
>+
>+ if (errcode == 0) {
>+ setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
>+ } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
>+ krb5_klog_syslog (LOG_INFO,
>+ "bad realm transit path from '%s' to '%s' "
>+ "via '%.*s%s'",
> cname ? cname : "<unknown client>",
> sname ? sname : "<unknown server>",
>- enc_tkt_reply.transited.tr_contents.length,
>- enc_tkt_reply.transited.tr_contents.data);
>+ tlen,
>+ enc_tkt_reply.transited.tr_contents.data,
>+ tdots);
> else {
>- char *emsg = krb5_get_error_message(kdc_context, errcode);
>- krb5_klog_syslog (LOG_ERR,
>- "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",
>+ const char *emsg = krb5_get_error_message(kdc_context, errcode);
>+ krb5_klog_syslog (LOG_ERR,
>+ "unexpected error checking transit from "
>+ "'%s' to '%s' via '%.*s%s': %s",
> cname ? cname : "<unknown client>",
> sname ? sname : "<unknown server>",
>- enc_tkt_reply.transited.tr_contents.length,
>+ tlen,
> enc_tkt_reply.transited.tr_contents.data,
>- emsg);
>+ tdots, emsg);
> krb5_free_error_message(kdc_context, emsg);
>- }
>+ }
> } else
> krb5_klog_syslog (LOG_INFO, "not checking transit path");
> if (reject_bad_transit
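Review bot: the transited-path cap is written as the bare literal `125` three times (`tdots = tlen > 125 ? "..." : "";` and `tlen = tlen > 125 ? 125 : tlen;`) with nothing connecting it to the `MAXPRINCLEN` that misc.c introduces for the identical purpose in the kadmin server; a named constant local to the KDC, say `enum { TRANSIT_LOG_MAX = 125 };` (name constructed, choose one matching kdc conventions), would make the relationship visible and keep the two sides from drifting. `tlen` is declared `unsigned int` but is consumed by `%.*s`, whose precision argument is an `int`; the widths coincide on common ABIs, yet the argument should still be passed as `(int)tlen` to match the format. Minor: `tlen`/`tdots` are computed before the `errcode` branches although only the two failure branches use them, so the computation could sit at the top of the `else if` chain where its purpose is obvious. The enclosing `process_tgs_req` body extends beyond this hunk.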
>@@ -542,6 +552,9 @@
> if (!krb5_principal_compare(kdc_context, request->server, client2)) {
> if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
> tmp = 0;
>+ if (tmp != NULL)
>+ limit_string(tmp);
>+
> krb5_klog_syslog(LOG_INFO,
> "TGS_REQ %s: 2ND_TKT_MISMATCH: "
> "authtime %d, %s for %s, 2nd tkt client %s",
>@@ -816,6 +829,7 @@
> krb5_klog_syslog(LOG_INFO,
> "TGS_REQ: issuing alternate <un-unparseable> TGT");
> } else {
>+ limit_string(sname);
> krb5_klog_syslog(LOG_INFO,
> "TGS_REQ: issuing TGT %s", sname);
> free(sname);
>diff -urN krb5-1.5.2.orig/src/kdc/kdc_util.c krb5-1.5.2/src/kdc/kdc_util.c
>--- krb5-1.5.2.orig/src/kdc/kdc_util.c 2004-02-12 23:20:56.000000000 -0500
>+++ krb5-1.5.2/src/kdc/kdc_util.c 2007-03-28 19:16:51.000000000 -0400
>@@ -404,6 +404,7 @@
>
> krb5_db_free_principal(kdc_context, &server, nprincs);
> if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {
>+ limit_string(sname);
> krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",
> sname);
> free(sname);
>diff -urN krb5-1.5.2.orig/src/lib/kadm5/logger.c krb5-1.5.2/src/lib/kadm5/logger.c
>--- krb5-1.5.2.orig/src/lib/kadm5/logger.c 2006-05-31 23:18:19.000000000 -0400
>+++ krb5-1.5.2/src/lib/kadm5/logger.c 2007-03-28 19:20:15.000000000 -0400
>@@ -45,7 +45,7 @@
> #include <varargs.h>
> #endif /* HAVE_STDARG_H */
>
>-#define KRB5_KLOG_MAX_ERRMSG_SIZE 1024
>+#define KRB5_KLOG_MAX_ERRMSG_SIZE 2048
> #ifndef MAXHOSTNAMELEN
> #define MAXHOSTNAMELEN 256
> #endif /* MAXHOSTNAMELEN */
>@@ -261,7 +261,9 @@
> #endif /* HAVE_SYSLOG */
>
> /* Now format the actual message */
>-#if HAVE_VSPRINTF
>+#if HAVE_VSNPRINTF
>+ vsnprintf(cp, sizeof(outbuf) - (cp - outbuf), actual_format, ap);
>+#elif HAVE_VSPRINTF
> vsprintf(cp, actual_format, ap);
> #else /* HAVE_VSPRINTF */
> sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1],
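Review bot: `limit_string` is called in the @@ -542 and @@ -816 hunks and again in kdc_util.c @@ -404, but nothing in this attachment declares or defines it, so the patch only builds together with whatever companion change supplies it (presumably the first patch on this bug); its prototype must be visible to do_tgs_req.c and kdc_util.c, otherwise a C89/C99 compiler falls back to an implicit `int limit_string()` and the mismatch goes unnoticed. Because `tmp` and `sname` are afterwards handed to `free()`, the helper has to truncate in place inside the existing allocation rather than return a new buffer; worth confirming against its definition, and a one-line comment at the first call, `/* limit_string() shortens the name in place; the buffer is still freed below */`, would spare the next reader the same check. The `if (tmp != NULL)` guard at @@ -542 is required because the preceding unparse failure sets `tmp = 0`; the other two calls appear to sit inside successful-unparse branches, so their unguarded form looks fine.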
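Review bot: the two new preprocessor tests in logger.c differ in form: this @@ -261 hunk uses `#if HAVE_VSNPRINTF` while the @@ -850 hunk on the next line uses `#ifdef HAVE_VSNPRINTF`, and both replace the old `#if`/`#ifdef HAVE_VSPRINTF` with `#elif HAVE_VSPRINTF`; if the configure output ever defines one of these macros with an empty value the `#if`/`#elif` forms are a preprocessor error, and if `HAVE_VSNPRINTF` is simply absent from the build the `#if` site silently falls back to the unbounded `vsprintf`, so both sites should use one consistent `#ifdef` / `#elif defined(...)` form and the build should be checked to actually define `HAVE_VSNPRINTF`. The retained `#else /* HAVE_VSPRINTF */` comment now closes a three-way chain and no longer names the branch it ends, so it should read `#else /* !HAVE_VSNPRINTF && !HAVE_VSPRINTF */`. The discarded `vsnprintf` return value means an over-long message is cut without trace; that is the intended safe behaviour here, and a comment such as `/* truncation is acceptable; vsnprintf keeps outbuf NUL-terminated */` above each call would record it. Note that `sizeof(outbuf) - (cp - outbuf)` is only right if `outbuf` is an array in this scope, which neither hunk shows.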
>@@ -850,7 +852,9 @@
> syslogp = &outbuf[strlen(outbuf)];
>
> /* Now format the actual message */
>-#ifdef HAVE_VSPRINTF
>+#ifdef HAVE_VSNPRINTF
>+ vsnprintf(syslogp, sizeof(outbuf) - (syslogp - outbuf), format, arglist);
>+#elif HAVE_VSPRINTF
> vsprintf(syslogp, format, arglist);
> #else /* HAVE_VSPRINTF */
> sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1],