The k5login_directory parameter and SYSTEM-K5LOGIN[:directory] are supposed to be directories, not path templates with %{luser} substitution
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>

committed by
Love Hornquist Astrand

parent
5903031630
commit
a825143e73
@@ -261,10 +261,8 @@ If set to "ignore", the framework will ignore any the server input to
|
||||
this is very useful when the GSS-API server input the
|
||||
wrong server name into the gss_accept_sec_context call.
|
||||
.It Li k5login_directory = Va directory
|
||||
Alternative location for user .k5login files. Tokens in the form of
|
||||
%{luser} are expanded to the name of the user whose .k5login file is
|
||||
needed. This option is provided for compatibility with MIT krb5
|
||||
configuration files.
|
||||
Alternative location for user .k5login files. This option is provided
|
||||
for compatibility with MIT krb5 configuration files.
|
||||
.It Li k5login_authoritative = Va boolean
|
||||
If true then if a principal is not found in k5login files then
|
||||
.Xr krb5_userok 3
|
||||
@@ -297,12 +295,6 @@ argument to
|
||||
.Xr krb5_userok 3
|
||||
in the given directory or in
|
||||
.Pa /etc/k5login.d/ .
|
||||
If a directory is given
|
||||
then tokens will be expanded; the %{luser} token will be replaced with
|
||||
the
|
||||
.Va luser
|
||||
argument to
|
||||
.Xr krb5_userok 3 .
|
||||
K5login files are text files, with each line containing just a principal
|
||||
name; principals apearing in a user's k5login file are permitted access
|
||||
to the user's account. Note: this rule performs no ownership nor
|
||||
|
@@ -325,6 +325,7 @@ check_directory(krb5_context context,
|
||||
DIR *d;
|
||||
struct dirent *dent;
|
||||
char filename[MAXPATHLEN];
|
||||
size_t len;
|
||||
krb5_error_code ret = 0;
|
||||
struct stat st;
|
||||
|
||||
@@ -348,16 +349,25 @@ check_directory(krb5_context context,
|
||||
goto out;
|
||||
|
||||
while ((dent = readdir(d)) != NULL) {
|
||||
/*
|
||||
* XXX: Should we also skip files whose names start with "."?
|
||||
* Vim ".filename.swp" files are also good candidates to skip.
|
||||
* Once we ignore "#*" and "*~", it is not clear what other
|
||||
* heuristics to apply.
|
||||
*/
|
||||
if (strcmp(dent->d_name, ".") == 0 ||
|
||||
strcmp(dent->d_name, "..") == 0 ||
|
||||
dent->d_name[0] == '#' || /* emacs autosave */
|
||||
dent->d_name[strlen(dent->d_name) - 1] == '~') /* emacs backup */
|
||||
continue;
|
||||
snprintf(filename, sizeof(filename), "%s/%s", dirname, dent->d_name);
|
||||
ret = check_one_file(context, filename, owner, is_system_location,
|
||||
principal, result);
|
||||
if (ret == 0 && *result == TRUE)
|
||||
break;
|
||||
len = snprintf(filename, sizeof(filename), "%s/%s", dirname, dent->d_name);
|
||||
/* Skip too-long filenames that got truncated by snprintf() */
|
||||
if (len < sizeof(filename)) {
|
||||
ret = check_one_file(context, filename, owner, is_system_location,
|
||||
principal, result);
|
||||
if (ret == 0 && *result == TRUE)
|
||||
break;
|
||||
}
|
||||
ret = 0; /* don't propagate errors upstream */
|
||||
}
|
||||
|
||||
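Review bot: The truncation guard `if (len < sizeof(filename))` depends on an implicit int-to-size_t conversion: snprintf() returns int, so a negative (encoding-error) return wraps to a very large size_t and is skipped along with genuinely truncated names, which is the right outcome but is not what the comment above it says. Consider widening the comment, e.g. `/* Skip names truncated by snprintf(); a negative error return wraps and is skipped too */`, so the next reader does not "fix" the comparison into a signed one. The skip is silent; a debug-level trace naming the directory entry would help diagnose a k5login file that is never consulted because its path exceeds MAXPATHLEN. The same pattern appears in the kuserok_sys_k5login_plug_f hunk further down. check_directory's body starts before and continues after this hunk.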
@@ -552,7 +562,8 @@ kuserok_sys_k5login_plug_f(void *plug_ctx, krb5_context context,
|
||||
const char *k5login_dir, const char *luser,
|
||||
krb5_const_principal principal, krb5_boolean *result)
|
||||
{
|
||||
char *path = NULL;
|
||||
char filename[MAXPATHLEN];
|
||||
size_t len;
|
||||
const char *profile_dir = NULL;
|
||||
krb5_error_code ret;
|
||||
|
||||
@@ -568,17 +579,14 @@ kuserok_sys_k5login_plug_f(void *plug_ctx, krb5_context context,
|
||||
else
|
||||
profile_dir++;
|
||||
|
||||
ret = _krb5_expand_path_tokensv(context, profile_dir, &path,
|
||||
"luser", luser, NULL);
|
||||
if (ret)
|
||||
return ret;
|
||||
len = snprintf(filename, sizeof(filename), "%s/%s", profile_dir, luser);
|
||||
if (len < sizeof(filename)) {
|
||||
ret = check_one_file(context, filename, NULL, TRUE, principal, result);
|
||||
|
||||
ret = check_one_file(context, path, NULL, TRUE, principal, result);
|
||||
free(path);
|
||||
|
||||
if (ret == 0 &&
|
||||
((flags & KUSEROK_K5LOGIN_IS_AUTHORITATIVE) || *result == TRUE))
|
||||
return 0;
|
||||
if (ret == 0 &&
|
||||
((flags & KUSEROK_K5LOGIN_IS_AUTHORITATIVE) || *result == TRUE))
|
||||
return 0;
|
||||
}
|
||||
|
||||
*result = FALSE;
|
||||
return KRB5_PLUGIN_NO_HANDLE;
|
||||
|
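Review bot: `luser` is now joined onto profile_dir with a plain `"%s/%s"` and nothing in this hunk rejects a value containing '/' or equal to "." or "..", so a login name carrying a path separator would make the SYSTEM-K5LOGIN lookup open a file outside the configured directory. Whether that is reachable depends on every caller validating the user name before krb5_kuserok, which the page does not show; the removed `_krb5_expand_path_tokensv` path had the same exposure, so this is not a regression, but the rewrite is the natural place to close it. A cheap local guard is to fold it into the existing condition, `if (len < sizeof(filename) && strchr(luser, '/') == NULL && strcmp(luser, ".") != 0 && strcmp(luser, "..") != 0) {`, so a rejected name falls through to the existing `*result = FALSE; return KRB5_PLUGIN_NO_HANDLE;` tail. The function's signature and the `flags` parameter are in the earlier hunk, outside this one.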
@@ -1,7 +1,7 @@
|
||||
[libdefaults]
|
||||
default_realm = TEST.H5L.SE TEST2.H5L.SE TEST3.H5L.SE
|
||||
no-addresses = TRUE
|
||||
kuserok = SYSTEM-K5LOGIN:@srcdir@/k5login/%{luser}
|
||||
kuserok = SYSTEM-K5LOGIN:@srcdir@/k5login
|
||||
kuserok = USER-K5LOGIN
|
||||
kuserok = SIMPLE
|
||||
|
||||
|
@@ -2,7 +2,7 @@
|
||||
default_realm = TEST.H5L.SE TEST2.H5L.SE TEST3.H5L.SE
|
||||
no-addresses = TRUE
|
||||
k5login_authoritative = TRUE
|
||||
k5login_directory = @srcdir@/k5login/%{luser}
|
||||
k5login_directory = @srcdir@/k5login
|
||||
kuserok = SYSTEM-K5LOGIN
|
||||
kuserok = SIMPLE
|
||||
|
||||
|