Chown ticket file when doing reauth.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@4359 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
@@ -107,7 +107,7 @@ posix_getpwuid_r(uid_t uid, struct passwd *pwd,
|
|||||||
#ifndef DEBUG
|
#ifndef DEBUG
|
||||||
#define SIA_DEBUG(X)
|
#define SIA_DEBUG(X)
|
||||||
#else
|
#else
|
||||||
#define SIA_DEBUG(X) warnx X
|
#define SIA_DEBUG(X) SIALOG X
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
struct state{
|
struct state{
|
||||||
@@ -124,7 +124,7 @@ siad_init(void)
|
|||||||
int
|
int
|
||||||
siad_chk_invoker(void)
|
siad_chk_invoker(void)
|
||||||
{
|
{
|
||||||
SIA_DEBUG(("siad_chk_invoker"));
|
SIA_DEBUG(("DEBUG", "siad_chk_invoker"));
|
||||||
return SIADFAIL;
|
return SIADFAIL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -132,7 +132,7 @@ int
|
|||||||
siad_ses_init(SIAENTITY *entity, int pkgind)
|
siad_ses_init(SIAENTITY *entity, int pkgind)
|
||||||
{
|
{
|
||||||
struct state *s = malloc(sizeof(*s));
|
struct state *s = malloc(sizeof(*s));
|
||||||
SIA_DEBUG(("siad_ses_init"));
|
SIA_DEBUG(("DEBUG", "siad_ses_init"));
|
||||||
if(s == NULL)
|
if(s == NULL)
|
||||||
return SIADFAIL;
|
return SIADFAIL;
|
||||||
memset(s, 0, sizeof(*s));
|
memset(s, 0, sizeof(*s));
|
||||||
@@ -143,10 +143,10 @@ siad_ses_init(SIAENTITY *entity, int pkgind)
|
|||||||
static int
|
static int
|
||||||
setup_name(SIAENTITY *e, prompt_t *p)
|
setup_name(SIAENTITY *e, prompt_t *p)
|
||||||
{
|
{
|
||||||
SIA_DEBUG(("setup_name"));
|
SIA_DEBUG(("DEBUG", "setup_name"));
|
||||||
e->name = malloc(SIANAMEMIN+1);
|
e->name = malloc(SIANAMEMIN+1);
|
||||||
if(e->name == NULL){
|
if(e->name == NULL){
|
||||||
SIA_DEBUG(("failed to malloc %u bytes", SIANAMEMIN+1));
|
SIA_DEBUG(("DEBUG", "failed to malloc %u bytes", SIANAMEMIN+1));
|
||||||
return SIADFAIL;
|
return SIADFAIL;
|
||||||
}
|
}
|
||||||
p->prompt = (unsigned char*)"login: ";
|
p->prompt = (unsigned char*)"login: ";
|
||||||
@@ -160,10 +160,10 @@ setup_name(SIAENTITY *e, prompt_t *p)
|
|||||||
static int
|
static int
|
||||||
setup_password(SIAENTITY *e, prompt_t *p)
|
setup_password(SIAENTITY *e, prompt_t *p)
|
||||||
{
|
{
|
||||||
SIA_DEBUG(("setup_password"));
|
SIA_DEBUG(("DEBUG", "setup_password"));
|
||||||
e->password = malloc(SIAMXPASSWORD+1);
|
e->password = malloc(SIAMXPASSWORD+1);
|
||||||
if(e->password == NULL){
|
if(e->password == NULL){
|
||||||
SIA_DEBUG(("failed to malloc %u bytes", SIAMXPASSWORD+1));
|
SIA_DEBUG(("DEBUG", "failed to malloc %u bytes", SIAMXPASSWORD+1));
|
||||||
return SIADFAIL;
|
return SIADFAIL;
|
||||||
}
|
}
|
||||||
p->prompt = (unsigned char*)"Password: ";
|
p->prompt = (unsigned char*)"Password: ";
|
||||||
@@ -185,11 +185,11 @@ common_auth(sia_collect_func_t *collect,
|
|||||||
char *toname, *toinst;
|
char *toname, *toinst;
|
||||||
char *name;
|
char *name;
|
||||||
|
|
||||||
SIA_DEBUG(("common_auth"));
|
SIA_DEBUG(("DEBUG", "common_auth"));
|
||||||
if((siastat == SIADSUCCESS) && (geteuid() == 0))
|
if((siastat == SIADSUCCESS) && (geteuid() == 0))
|
||||||
return SIADSUCCESS;
|
return SIADSUCCESS;
|
||||||
if(entity == NULL) {
|
if(entity == NULL) {
|
||||||
SIA_DEBUG(("entity == NULL"));
|
SIA_DEBUG(("DEBUG", "entity == NULL"));
|
||||||
return SIADFAIL | SIADSTOP;
|
return SIADFAIL | SIADSTOP;
|
||||||
}
|
}
|
||||||
name = entity->name;
|
name = entity->name;
|
||||||
@@ -213,13 +213,13 @@ common_auth(sia_collect_func_t *collect,
|
|||||||
if(num == 1){
|
if(num == 1){
|
||||||
if((*collect)(240, SIAONELINER, (unsigned char*)"", num,
|
if((*collect)(240, SIAONELINER, (unsigned char*)"", num,
|
||||||
prompts) != SIACOLSUCCESS){
|
prompts) != SIACOLSUCCESS){
|
||||||
SIA_DEBUG(("collect failed"));
|
SIA_DEBUG(("DEBUG", "collect failed"));
|
||||||
return SIADFAIL | SIADSTOP;
|
return SIADFAIL | SIADSTOP;
|
||||||
}
|
}
|
||||||
} else if(num > 0){
|
} else if(num > 0){
|
||||||
if((*collect)(0, SIAFORM, (unsigned char*)"", num,
|
if((*collect)(0, SIAFORM, (unsigned char*)"", num,
|
||||||
prompts) != SIACOLSUCCESS){
|
prompts) != SIACOLSUCCESS){
|
||||||
SIA_DEBUG(("collect failed"));
|
SIA_DEBUG(("DEBUG", "collect failed"));
|
||||||
return SIADFAIL | SIADSTOP;
|
return SIADFAIL | SIADSTOP;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -227,12 +227,12 @@ common_auth(sia_collect_func_t *collect,
|
|||||||
if(name == NULL)
|
if(name == NULL)
|
||||||
name = entity->name;
|
name = entity->name;
|
||||||
if(name == NULL || name[0] == '\0'){
|
if(name == NULL || name[0] == '\0'){
|
||||||
SIA_DEBUG(("name is null"));
|
SIA_DEBUG(("DEBUG", "name is null"));
|
||||||
return SIADFAIL;
|
return SIADFAIL;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(entity->password == NULL || strlen(entity->password) > SIAMXPASSWORD){
|
if(entity->password == NULL || strlen(entity->password) > SIAMXPASSWORD){
|
||||||
SIA_DEBUG(("entity->password is null"));
|
SIA_DEBUG(("DEBUG", "entity->password is null"));
|
||||||
return SIADFAIL;
|
return SIADFAIL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -244,7 +244,7 @@ common_auth(sia_collect_func_t *collect,
|
|||||||
struct state *s = (struct state*)entity->mech[pkgind];
|
struct state *s = (struct state*)entity->mech[pkgind];
|
||||||
|
|
||||||
if(getpwnam_r(name, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0){
|
if(getpwnam_r(name, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0){
|
||||||
SIA_DEBUG(("failed to getpwnam(%s)", name));
|
SIA_DEBUG(("DEBUG", "failed to getpwnam(%s)", name));
|
||||||
return SIADFAIL;
|
return SIADFAIL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -261,7 +261,7 @@ common_auth(sia_collect_func_t *collect,
|
|||||||
ouid = getuid();
|
ouid = getuid();
|
||||||
#endif
|
#endif
|
||||||
if(getpwuid_r(ouid, &fpw, fpwbuf, sizeof(fpwbuf), &fpwd) != 0){
|
if(getpwuid_r(ouid, &fpw, fpwbuf, sizeof(fpwbuf), &fpwd) != 0){
|
||||||
SIA_DEBUG(("failed to getpwuid(%u)", ouid));
|
SIA_DEBUG(("DEBUG", "failed to getpwuid(%u)", ouid));
|
||||||
return SIADFAIL;
|
return SIADFAIL;
|
||||||
}
|
}
|
||||||
snprintf(s->ticket, sizeof(s->ticket), TKT_ROOT "_%s_to_%s_%d",
|
snprintf(s->ticket, sizeof(s->ticket), TKT_ROOT "_%s_to_%s_%d",
|
||||||
@@ -278,14 +278,14 @@ common_auth(sia_collect_func_t *collect,
|
|||||||
|
|
||||||
setuid(0); /* XXX fix for fix in tf_util.c */
|
setuid(0); /* XXX fix for fix in tf_util.c */
|
||||||
if(krb_kuserok(toname, toinst, realm, name)){
|
if(krb_kuserok(toname, toinst, realm, name)){
|
||||||
SIA_DEBUG(("%s.%s@%s is not allowed to login as %s",
|
SIA_DEBUG(("DEBUG", "%s.%s@%s is not allowed to login as %s",
|
||||||
toname, toinst, realm, name));
|
toname, toinst, realm, name));
|
||||||
return SIADFAIL;
|
return SIADFAIL;
|
||||||
}
|
}
|
||||||
ret = krb_verify_user(toname, toinst, realm,
|
ret = krb_verify_user(toname, toinst, realm,
|
||||||
entity->password, getuid() == 0, NULL);
|
entity->password, getuid() == 0, NULL);
|
||||||
if(ret){
|
if(ret){
|
||||||
SIA_DEBUG(("krb_verify_user: %s", krb_get_err_text(ret)));
|
SIA_DEBUG(("DEBUG", "krb_verify_user: %s", krb_get_err_text(ret)));
|
||||||
if(ret != KDC_PR_UNKNOWN)
|
if(ret != KDC_PR_UNKNOWN)
|
||||||
/* since this is most likely a local user (such as
|
/* since this is most likely a local user (such as
|
||||||
root), just silently return failure when the
|
root), just silently return failure when the
|
||||||
@@ -308,7 +308,7 @@ siad_ses_authent(sia_collect_func_t *collect,
|
|||||||
int siastat,
|
int siastat,
|
||||||
int pkgind)
|
int pkgind)
|
||||||
{
|
{
|
||||||
SIA_DEBUG(("siad_ses_authent"));
|
SIA_DEBUG(("DEBUG", "siad_ses_authent"));
|
||||||
return common_auth(collect, entity, siastat, pkgind);
|
return common_auth(collect, entity, siastat, pkgind);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -316,7 +316,7 @@ int
|
|||||||
siad_ses_estab(sia_collect_func_t *collect,
|
siad_ses_estab(sia_collect_func_t *collect,
|
||||||
SIAENTITY *entity, int pkgind)
|
SIAENTITY *entity, int pkgind)
|
||||||
{
|
{
|
||||||
SIA_DEBUG(("siad_ses_estab"));
|
SIA_DEBUG(("DEBUG", "siad_ses_estab"));
|
||||||
return SIADFAIL;
|
return SIADFAIL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -327,7 +327,7 @@ siad_ses_launch(sia_collect_func_t *collect,
|
|||||||
{
|
{
|
||||||
static char env[MaxPathLen];
|
static char env[MaxPathLen];
|
||||||
struct state *s = (struct state*)entity->mech[pkgind];
|
struct state *s = (struct state*)entity->mech[pkgind];
|
||||||
SIA_DEBUG(("siad_ses_launch"));
|
SIA_DEBUG(("DEBUG", "siad_ses_launch"));
|
||||||
if(s->valid){
|
if(s->valid){
|
||||||
chown(s->ticket, entity->pwd->pw_uid, entity->pwd->pw_gid);
|
chown(s->ticket, entity->pwd->pw_uid, entity->pwd->pw_gid);
|
||||||
snprintf(env, sizeof(env), "KRBTKFILE=%s", s->ticket);
|
snprintf(env, sizeof(env), "KRBTKFILE=%s", s->ticket);
|
||||||
@@ -346,7 +346,7 @@ siad_ses_launch(sia_collect_func_t *collect,
|
|||||||
int
|
int
|
||||||
siad_ses_release(SIAENTITY *entity, int pkgind)
|
siad_ses_release(SIAENTITY *entity, int pkgind)
|
||||||
{
|
{
|
||||||
SIA_DEBUG(("siad_ses_release"));
|
SIA_DEBUG(("DEBUG", "siad_ses_release"));
|
||||||
if(entity->mech[pkgind])
|
if(entity->mech[pkgind])
|
||||||
free(entity->mech[pkgind]);
|
free(entity->mech[pkgind]);
|
||||||
return SIADSUCCESS;
|
return SIADSUCCESS;
|
||||||
@@ -358,7 +358,7 @@ siad_ses_suauthent(sia_collect_func_t *collect,
|
|||||||
int siastat,
|
int siastat,
|
||||||
int pkgind)
|
int pkgind)
|
||||||
{
|
{
|
||||||
SIA_DEBUG(("siad_ses_suauth"));
|
SIA_DEBUG(("DEBUG", "siad_ses_suauth"));
|
||||||
if(geteuid() != 0)
|
if(geteuid() != 0)
|
||||||
return SIADFAIL;
|
return SIADFAIL;
|
||||||
if(entity->name == NULL)
|
if(entity->name == NULL)
|
||||||
@@ -377,16 +377,22 @@ siad_ses_reauthent (sia_collect_func_t *collect,
|
|||||||
int pkgind)
|
int pkgind)
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
SIA_DEBUG(("siad_ses_reauthent"));
|
SIA_DEBUG(("DEBUG", "siad_ses_reauthent"));
|
||||||
if(entity == NULL || entity->name == NULL)
|
if(entity == NULL || entity->name == NULL)
|
||||||
return SIADFAIL;
|
return SIADFAIL;
|
||||||
ret = common_auth(collect, entity, siastat, pkgind);
|
ret = common_auth(collect, entity, siastat, pkgind);
|
||||||
if((ret & SIADSUCCESS) && k_hasafs()) {
|
if((ret & SIADSUCCESS)){
|
||||||
char cell[64];
|
/* launch isn't (always?) called when doing reauth, so we must
|
||||||
k_setpag();
|
duplicate some code here... */
|
||||||
if(k_afs_cell_of_file(entity->pwd->pw_dir, cell, sizeof(cell)) == 0)
|
struct state *s = (struct state*)entity->mech[pkgind];
|
||||||
krb_afslog(cell, 0);
|
chown(s->ticket, entity->pwd->pw_uid, entity->pwd->pw_gid);
|
||||||
krb_afslog(0, 0);
|
if(k_hasafs()) {
|
||||||
|
char cell[64];
|
||||||
|
if(k_afs_cell_of_file(entity->pwd->pw_dir,
|
||||||
|
cell, sizeof(cell)) == 0)
|
||||||
|
krb_afslog(cell, 0);
|
||||||
|
krb_afslog(0, 0);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
@@ -397,7 +403,7 @@ siad_chg_finger (sia_collect_func_t *collect,
|
|||||||
int argc,
|
int argc,
|
||||||
char *argv[])
|
char *argv[])
|
||||||
{
|
{
|
||||||
SIA_DEBUG(("siad_chg_finger"));
|
SIA_DEBUG(("DEBUG", "siad_chg_finger"));
|
||||||
return SIADFAIL;
|
return SIADFAIL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -419,7 +425,7 @@ init_change(sia_collect_func_t *collect, krb_principal *princ)
|
|||||||
char tktstring[128];
|
char tktstring[128];
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
SIA_DEBUG(("init_change"));
|
SIA_DEBUG(("DEBUG", "init_change"));
|
||||||
prompt.prompt = (unsigned char*)"Old password: ";
|
prompt.prompt = (unsigned char*)"Old password: ";
|
||||||
prompt.result = (unsigned char*)old_pw;
|
prompt.result = (unsigned char*)old_pw;
|
||||||
prompt.min_result_length = 0;
|
prompt.min_result_length = 0;
|
||||||
@@ -427,12 +433,12 @@ init_change(sia_collect_func_t *collect, krb_principal *princ)
|
|||||||
prompt.control_flags = SIARESINVIS;
|
prompt.control_flags = SIARESINVIS;
|
||||||
asprintf(&msg, "Changing password for %s", krb_unparse_name(princ));
|
asprintf(&msg, "Changing password for %s", krb_unparse_name(princ));
|
||||||
if(msg == NULL){
|
if(msg == NULL){
|
||||||
SIA_DEBUG(("out of memory"));
|
SIA_DEBUG(("DEBUG", "out of memory"));
|
||||||
return SIADFAIL;
|
return SIADFAIL;
|
||||||
}
|
}
|
||||||
ret = (*collect)(60, SIAONELINER, (unsigned char*)msg, 1, &prompt);
|
ret = (*collect)(60, SIAONELINER, (unsigned char*)msg, 1, &prompt);
|
||||||
free(msg);
|
free(msg);
|
||||||
SIA_DEBUG(("ret = %d", ret));
|
SIA_DEBUG(("DEBUG", "ret = %d", ret));
|
||||||
if(ret != SIACOLSUCCESS)
|
if(ret != SIACOLSUCCESS)
|
||||||
return SIADFAIL;
|
return SIADFAIL;
|
||||||
snprintf(tktstring, sizeof(tktstring),
|
snprintf(tktstring, sizeof(tktstring),
|
||||||
@@ -442,7 +448,7 @@ init_change(sia_collect_func_t *collect, krb_principal *princ)
|
|||||||
ret = krb_get_pw_in_tkt(princ->name, princ->instance, princ->realm,
|
ret = krb_get_pw_in_tkt(princ->name, princ->instance, princ->realm,
|
||||||
PWSERV_NAME, KADM_SINST, 1, old_pw);
|
PWSERV_NAME, KADM_SINST, 1, old_pw);
|
||||||
if (ret != KSUCCESS) {
|
if (ret != KSUCCESS) {
|
||||||
SIA_DEBUG(("krb_get_pw_in_tkt: %s", krb_get_err_text(ret)));
|
SIA_DEBUG(("DEBUG", "krb_get_pw_in_tkt: %s", krb_get_err_text(ret)));
|
||||||
if (ret == INTK_BADPW)
|
if (ret == INTK_BADPW)
|
||||||
sia_message(collect, SIAWARNING, "", "Incorrect old password.");
|
sia_message(collect, SIAWARNING, "", "Incorrect old password.");
|
||||||
else
|
else
|
||||||
@@ -473,7 +479,7 @@ siad_chg_password (sia_collect_func_t *collect,
|
|||||||
|
|
||||||
set_progname(argv[0]);
|
set_progname(argv[0]);
|
||||||
|
|
||||||
SIA_DEBUG(("siad_chg_password"));
|
SIA_DEBUG(("DEBUG", "siad_chg_password"));
|
||||||
if(collect == NULL)
|
if(collect == NULL)
|
||||||
return SIADFAIL;
|
return SIADFAIL;
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user