oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

The k5login_directory parameter and SYSTEM-K5LOGIN[:directory] are supposed to be directories, not path templates with %{luser} substitution

Browse Source 
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
This commit is contained in:
Viktor Dukhovni
2012-05-14 23:47:35 +00:00
committed by Love Hornquist Astrand
parent 5903031630
commit a825143e73
4 changed files with 28 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
lib/krb5/krb5.conf.5
View File

@@ -261,10 +261,8 @@ If set to "ignore", the framework will ignore any the server input to
this is very useful when the GSS-API server input the this is very useful when the GSS-API server input the
wrong server name into the gss_accept_sec_context call. wrong server name into the gss_accept_sec_context call.
.It Li k5login_directory = Va directory .It Li k5login_directory = Va directory
Alternative location for user .k5login files. Tokens in the form of Alternative location for user .k5login files. This option is provided
%{luser} are expanded to the name of the user whose .k5login file is for compatibility with MIT krb5 configuration files.
needed. This option is provided for compatibility with MIT krb5
configuration files.
.It Li k5login_authoritative = Va boolean .It Li k5login_authoritative = Va boolean
If true then if a principal is not found in k5login files then If true then if a principal is not found in k5login files then
.Xr krb5_userok 3 .Xr krb5_userok 3
@@ -297,12 +295,6 @@ argument to
.Xr krb5_userok 3 .Xr krb5_userok 3
in the given directory or in in the given directory or in
.Pa /etc/k5login.d/ . .Pa /etc/k5login.d/ .
If a directory is given
then tokens will be expanded; the %{luser} token will be replaced with
the
.Va luser
argument to
.Xr krb5_userok 3 .
K5login files are text files, with each line containing just a principal K5login files are text files, with each line containing just a principal
name; principals apearing in a user's k5login file are permitted access name; principals apearing in a user's k5login file are permitted access
to the user's account. Note: this rule performs no ownership nor to the user's account. Note: this rule performs no ownership nor

40
lib/krb5/kuserok.c
View File

@@ -325,6 +325,7 @@ check_directory(krb5_context context,
DIR *d; DIR *d;
struct dirent *dent; struct dirent *dent;
char filename[MAXPATHLEN]; char filename[MAXPATHLEN];
size_t len;
krb5_error_code ret = 0; krb5_error_code ret = 0;
struct stat st; struct stat st;
@@ -348,16 +349,25 @@ check_directory(krb5_context context,
goto out; goto out;
while ((dent = readdir(d)) != NULL) { while ((dent = readdir(d)) != NULL) {
/*
* XXX: Should we also skip files whose names start with "."?
* Vim ".filename.swp" files are also good candidates to skip.
* Once we ignore "#*" and "*~", it is not clear what other
* heuristics to apply.
*/
if (strcmp(dent->d_name, ".") == 0 || if (strcmp(dent->d_name, ".") == 0 ||
strcmp(dent->d_name, "..") == 0 || strcmp(dent->d_name, "..") == 0 ||
dent->d_name[0] == '#' || /* emacs autosave */ dent->d_name[0] == '#' || /* emacs autosave */
dent->d_name[strlen(dent->d_name) - 1] == '~') /* emacs backup */ dent->d_name[strlen(dent->d_name) - 1] == '~') /* emacs backup */
continue; continue;
snprintf(filename, sizeof(filename), "%s/%s", dirname, dent->d_name); len = snprintf(filename, sizeof(filename), "%s/%s", dirname, dent->d_name);
ret = check_one_file(context, filename, owner, is_system_location, /* Skip too-long filenames that got truncated by snprintf() */
principal, result); if (len < sizeof(filename)) {
if (ret == 0 && *result == TRUE) ret = check_one_file(context, filename, owner, is_system_location,
break; principal, result);
if (ret == 0 && *result == TRUE)
break;
}
ret = 0; /* don't propagate errors upstream */ ret = 0; /* don't propagate errors upstream */
} }
@@ -552,7 +562,8 @@ kuserok_sys_k5login_plug_f(void *plug_ctx, krb5_context context,
const char *k5login_dir, const char *luser, const char *k5login_dir, const char *luser,
krb5_const_principal principal, krb5_boolean *result) krb5_const_principal principal, krb5_boolean *result)
{ {
char *path = NULL; char filename[MAXPATHLEN];
size_t len;
const char *profile_dir = NULL; const char *profile_dir = NULL;
krb5_error_code ret; krb5_error_code ret;
@@ -568,17 +579,14 @@ kuserok_sys_k5login_plug_f(void *plug_ctx, krb5_context context,
else else
profile_dir++; profile_dir++;
ret = _krb5_expand_path_tokensv(context, profile_dir, &path, len = snprintf(filename, sizeof(filename), "%s/%s", profile_dir, luser);
"luser", luser, NULL); if (len < sizeof(filename)) {
if (ret) ret = check_one_file(context, filename, NULL, TRUE, principal, result);
return ret;
ret = check_one_file(context, path, NULL, TRUE, principal, result); if (ret == 0 &&
free(path); ((flags & KUSEROK_K5LOGIN_IS_AUTHORITATIVE) || *result == TRUE))
return 0;
if (ret == 0 && }
((flags & KUSEROK_K5LOGIN_IS_AUTHORITATIVE) || *result == TRUE))
return 0;
*result = FALSE; *result = FALSE;
return KRB5_PLUGIN_NO_HANDLE; return KRB5_PLUGIN_NO_HANDLE;

2
tests/kdc/krb5-authz.conf.in
View File

@@ -1,7 +1,7 @@
[libdefaults] [libdefaults]
default_realm = TEST.H5L.SE TEST2.H5L.SE TEST3.H5L.SE default_realm = TEST.H5L.SE TEST2.H5L.SE TEST3.H5L.SE
no-addresses = TRUE no-addresses = TRUE
kuserok = SYSTEM-K5LOGIN:@srcdir@/k5login/%{luser} kuserok = SYSTEM-K5LOGIN:@srcdir@/k5login
kuserok = USER-K5LOGIN kuserok = USER-K5LOGIN
kuserok = SIMPLE kuserok = SIMPLE

2
tests/kdc/krb5-authz2.conf.in
View File

@@ -2,7 +2,7 @@
default_realm = TEST.H5L.SE TEST2.H5L.SE TEST3.H5L.SE default_realm = TEST.H5L.SE TEST2.H5L.SE TEST3.H5L.SE
no-addresses = TRUE no-addresses = TRUE
k5login_authoritative = TRUE k5login_authoritative = TRUE
k5login_directory = @srcdir@/k5login/%{luser} k5login_directory = @srcdir@/k5login
kuserok = SYSTEM-K5LOGIN kuserok = SYSTEM-K5LOGIN
kuserok = SIMPLE kuserok = SIMPLE