move ksetpag after initgroups to make it work on Linux when its without syscall hooks to change sys_setgroups preserve the pag. From abo
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21222 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
@@ -48,6 +48,7 @@ struct gss_data {
|
|||||||
gss_ctx_id_t context_hdl;
|
gss_ctx_id_t context_hdl;
|
||||||
char *client_name;
|
char *client_name;
|
||||||
gss_cred_id_t delegated_cred_handle;
|
gss_cred_id_t delegated_cred_handle;
|
||||||
|
void *mech_data;
|
||||||
};
|
};
|
||||||
|
|
||||||
static int
|
static int
|
||||||
@@ -277,6 +278,7 @@ gss_adat(void *app_data, void *buf, size_t len)
|
|||||||
}
|
}
|
||||||
|
|
||||||
int gss_userok(void*, char*);
|
int gss_userok(void*, char*);
|
||||||
|
int gss_session(void*, char*);
|
||||||
|
|
||||||
struct sec_server_mech gss_server_mech = {
|
struct sec_server_mech gss_server_mech = {
|
||||||
"GSSAPI",
|
"GSSAPI",
|
||||||
@@ -292,7 +294,8 @@ struct sec_server_mech gss_server_mech = {
|
|||||||
gss_adat,
|
gss_adat,
|
||||||
NULL, /* pbsz */
|
NULL, /* pbsz */
|
||||||
NULL, /* ccc */
|
NULL, /* ccc */
|
||||||
gss_userok
|
gss_userok,
|
||||||
|
gss_session
|
||||||
};
|
};
|
||||||
|
|
||||||
#else /* FTP_SERVER */
|
#else /* FTP_SERVER */
|
||||||
|
|||||||
@@ -583,6 +583,14 @@ sec_userok(char *userstr)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
sec_session(char *user)
|
||||||
|
{
|
||||||
|
if(sec_complete)
|
||||||
|
return (*mech->session)(app_data, user);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
char *ftp_command;
|
char *ftp_command;
|
||||||
|
|
||||||
void
|
void
|
||||||
|
|||||||
@@ -70,6 +70,7 @@ struct sec_server_mech {
|
|||||||
size_t (*pbsz)(void *, size_t);
|
size_t (*pbsz)(void *, size_t);
|
||||||
int (*ccc)(void*);
|
int (*ccc)(void*);
|
||||||
int (*userok)(void*, char*);
|
int (*userok)(void*, char*);
|
||||||
|
int (*session)(void*, char*);
|
||||||
};
|
};
|
||||||
|
|
||||||
#define AUTH_OK 0
|
#define AUTH_OK 0
|
||||||
|
|||||||
@@ -280,10 +280,6 @@ main(int argc, char **argv)
|
|||||||
krb_set_tkt_string(tkfile);
|
krb_set_tkt_string(tkfile);
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
#if defined(KRB4) || defined(KRB5)
|
|
||||||
if(k_hasafs())
|
|
||||||
k_setpag();
|
|
||||||
#endif
|
|
||||||
|
|
||||||
if(getarg(args, num_args, argc, argv, &optind))
|
if(getarg(args, num_args, argc, argv, &optind))
|
||||||
usage(1);
|
usage(1);
|
||||||
@@ -595,9 +591,10 @@ user(char *name)
|
|||||||
if (logging)
|
if (logging)
|
||||||
strlcpy(curname, name, sizeof(curname));
|
strlcpy(curname, name, sizeof(curname));
|
||||||
if(sec_complete) {
|
if(sec_complete) {
|
||||||
if(sec_userok(name) == 0)
|
if(sec_userok(name) == 0) {
|
||||||
do_login(232, name);
|
do_login(232, name);
|
||||||
else
|
sec_session(name);
|
||||||
|
} else
|
||||||
reply(530, "User %s access denied.", name);
|
reply(530, "User %s access denied.", name);
|
||||||
} else {
|
} else {
|
||||||
#ifdef OTP
|
#ifdef OTP
|
||||||
@@ -727,6 +724,10 @@ int do_login(int code, char *passwd)
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
initgroups(pw->pw_name, pw->pw_gid);
|
initgroups(pw->pw_name, pw->pw_gid);
|
||||||
|
#if defined(KRB4) || defined(KRB5)
|
||||||
|
if(k_hasafs())
|
||||||
|
k_setpag();
|
||||||
|
#endif
|
||||||
|
|
||||||
/* open wtmp before chroot */
|
/* open wtmp before chroot */
|
||||||
ftpd_logwtmp(ttyline, pw->pw_name, remotehost);
|
ftpd_logwtmp(ttyline, pw->pw_name, remotehost);
|
||||||
|
|||||||
@@ -41,41 +41,70 @@ RCSID("$Id$");
|
|||||||
What is the correct way to do this?
|
What is the correct way to do this?
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
struct gss_krb5_data {
|
||||||
|
krb5_context context;
|
||||||
|
};
|
||||||
|
|
||||||
/* XXX sync with gssapi.c */
|
/* XXX sync with gssapi.c */
|
||||||
struct gss_data {
|
struct gss_data {
|
||||||
gss_ctx_id_t context_hdl;
|
gss_ctx_id_t context_hdl;
|
||||||
char *client_name;
|
char *client_name;
|
||||||
gss_cred_id_t delegated_cred_handle;
|
gss_cred_id_t delegated_cred_handle;
|
||||||
|
void *mech_data;
|
||||||
};
|
};
|
||||||
|
|
||||||
int gss_userok(void*, char*); /* to keep gcc happy */
|
int gss_userok(void*, char*); /* to keep gcc happy */
|
||||||
|
int gss_session(void*, char*); /* to keep gcc happy */
|
||||||
|
|
||||||
int
|
int
|
||||||
gss_userok(void *app_data, char *username)
|
gss_userok(void *app_data, char *username)
|
||||||
{
|
{
|
||||||
struct gss_data *data = app_data;
|
struct gss_data *data = app_data;
|
||||||
krb5_context context;
|
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
krb5_principal client;
|
krb5_principal client;
|
||||||
OM_uint32 minor_status;
|
struct gss_krb5_data *kdata;
|
||||||
|
|
||||||
ret = krb5_init_context(&context);
|
kdata = calloc(1, sizeof(struct gss_krb5_data));
|
||||||
if (ret)
|
if (kdata == NULL)
|
||||||
return 1;
|
return 1;
|
||||||
|
data->mech_data = kdata;
|
||||||
|
|
||||||
ret = krb5_parse_name(context, data->client_name, &client);
|
ret = krb5_init_context(&(kdata->context));
|
||||||
if(ret) {
|
if (ret) {
|
||||||
krb5_free_context(context);
|
free(kdata);
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
ret = krb5_kuserok(context, client, username);
|
|
||||||
|
ret = krb5_parse_name(kdata->context, data->client_name, &client);
|
||||||
|
if(ret) {
|
||||||
|
krb5_free_context(kdata->context);
|
||||||
|
free(kdata);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
ret = krb5_kuserok(kdata->context, client, username);
|
||||||
if (!ret) {
|
if (!ret) {
|
||||||
krb5_free_principal(context, client);
|
krb5_free_principal(kdata->context, client);
|
||||||
krb5_free_context(context);
|
krb5_free_context(kdata->context);
|
||||||
|
free(kdata);
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = 0;
|
ret = 0;
|
||||||
|
krb5_free_principal(kdata->context, client);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
gss_session(void *app_data, char *username)
|
||||||
|
{
|
||||||
|
struct gss_data *data = app_data;
|
||||||
|
krb5_error_code ret;
|
||||||
|
OM_uint32 minor_status;
|
||||||
|
struct gss_krb5_data *kdata;
|
||||||
|
|
||||||
|
ret = 0;
|
||||||
|
|
||||||
|
kdata = (struct gss_krb5_data *)(data->mech_data);
|
||||||
|
|
||||||
/* more of krb-depend stuff :-( */
|
/* more of krb-depend stuff :-( */
|
||||||
/* gss_add_cred() ? */
|
/* gss_add_cred() ? */
|
||||||
@@ -84,11 +113,11 @@ gss_userok(void *app_data, char *username)
|
|||||||
const char* ticketfile;
|
const char* ticketfile;
|
||||||
struct passwd *kpw;
|
struct passwd *kpw;
|
||||||
|
|
||||||
ret = krb5_cc_gen_new(context, &krb5_fcc_ops, &ccache);
|
ret = krb5_cc_gen_new(kdata->context, &krb5_fcc_ops, &ccache);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto fail;
|
goto fail;
|
||||||
|
|
||||||
ticketfile = krb5_cc_get_name(context, ccache);
|
ticketfile = krb5_cc_get_name(kdata->context, ccache);
|
||||||
|
|
||||||
ret = gss_krb5_copy_ccache(&minor_status,
|
ret = gss_krb5_copy_ccache(&minor_status,
|
||||||
data->delegated_cred_handle,
|
data->delegated_cred_handle,
|
||||||
@@ -116,11 +145,11 @@ gss_userok(void *app_data, char *username)
|
|||||||
afslog(NULL, 1);
|
afslog(NULL, 1);
|
||||||
fail:
|
fail:
|
||||||
if (ccache)
|
if (ccache)
|
||||||
krb5_cc_close(context, ccache);
|
krb5_cc_close(kdata->context, ccache);
|
||||||
}
|
}
|
||||||
|
|
||||||
gss_release_cred(&minor_status, &data->delegated_cred_handle);
|
gss_release_cred(&minor_status, &data->delegated_cred_handle);
|
||||||
krb5_free_principal(context, client);
|
krb5_free_context(kdata->context);
|
||||||
krb5_free_context(context);
|
free(kdata);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user