source: branches/fc15-dev/server/common/patches/krb5-kuserok-scripts.patch @ 1808

Last change on this file since 1808 was 1807, checked in by achernya, 15 years ago
Necessary changes to build the Scripts RPMs on Fedora 15: * Stop scriptsifying 389-ds-base, as it appears to have Mitch's patch * Update krb5.spec.patch for krb5-1.9 * Update the krb5-kuserok-scripts.patch to work with krb5-1.9 (code review requested) * Update httpd.spec.patch to apply properly to Fedora's newly cleaned-up httpd.spec * Bump zephyr to version 3.0.1
File size: 3.2 KB
  • krb5-1.9/src/lib/krb5/os/kuserok.c

    # scripts.mit.edu krb5 kuserok patch
    # Copyright (C) 2006  Tim Abbott <tabbott@mit.edu>
    #               2011  Alexander Chernyakhovsky <achernya@mit.edu>
    #
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of the GNU General Public License
    # as published by the Free Software Foundation; either version 2
    # of the License, or (at your option) any later version.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program; if not, write to the Free Software
    # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
    #
    # See /COPYRIGHT in this repository for more information.
    #
    old new  
    3232#if !defined(_WIN32)            /* Not yet for Windows */
    3333#include <stdio.h>
    3434#include <pwd.h>
     35#include <sys/wait.h>
    3536
    3637#if defined(_AIX) && defined(_IBMR2)
    3738#include <sys/access.h>
     
    100101    struct stat sbuf;
    101102    struct passwd pwx, *pwd;
    102103    FILE *fp = NULL;
     104    int pid, status;
    103105
    104106    if (profile_get_boolean(context->profile, KRB5_CONF_LIBDEFAULTS,
    105107                            KRB5_CONF_K5LOGIN_AUTHORITATIVE, NULL, TRUE,
     
    110112    if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0)
    111113        goto cleanup;
    112114
    113     if (get_k5login_filename(context, luser, pwd->pw_dir, &filename) != 0)
    114         goto cleanup;
    115 
    116     if (access(filename, F_OK) != 0) {
    117         result = PASS;
    118         goto cleanup;
    119     }
    120 
    121115    if (krb5_unparse_name(context, principal, &princname) != 0)
    122116        goto cleanup;
    123117
    124     fp = fopen(filename, "r");
    125     if (fp == NULL)
     118    if ((pid = fork()) == -1)
    126119        goto cleanup;
    127     set_cloexec_file(fp);
    128 
    129     /* For security reasons, the .k5login file must be owned either by
    130      * the user or by root. */
    131     if (fstat(fileno(fp), &sbuf))
    132         goto cleanup;
    133     if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid))
    134         goto cleanup;
    135 
    136     /* Check each line. */
    137     while (result != ACCEPT && (fgets(linebuf, sizeof(linebuf), fp) != NULL)) {
    138         newline = strrchr(linebuf, '\n');
    139         if (newline != NULL)
    140             *newline = '\0';
    141         if (strcmp(linebuf, princname) == 0)
    142             result = ACCEPT;
    143         /* Clean up the rest of the line if necessary. */
    144         if (newline == NULL)
    145             while (((gobble = getc(fp)) != EOF) && gobble != '\n');
     120   
     121    if (pid == 0) {
     122        char *args[4];
     123#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
     124        args[0] = ADMOF_PATH;
     125        args[1] = (char *) luser;
     126        args[2] = princname;
     127        args[3] = NULL;
     128        execv(ADMOF_PATH, args);
     129        exit(1);
    146130    }
    147131
     132    if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) {
     133        result = ACCEPT;
     134    }
     135   
    148136cleanup:
    149137    free(princname);
    150138    free(filename);
Note: See TracBrowser for help on using the repository browser.