new program

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@6486 ec53bebd-3082-4978-b11e-865c3cabbd6b

appl/kf/kfd.c

@@ -0,0 +1,333 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska H<>gskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. All advertising materials mentioning features or use of this software 
+ *    must display the following acknowledgement: 
+ *      This product includes software developed by Kungliga Tekniska 
+ *      H<>gskolan and its contributors. 
+ *
+ * 4. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kf_locl.h"
+RCSID("$Id$");
+
+krb5_context context;
+
+static int help_flag;
+static int version_flag;
+static char *port_str;
+char *service = SERVICE;
+int do_inetd = 0;
+
+static struct getargs args[] = {
+    { "port", 'p', arg_string, &port_str, "port to listen to", "port" },
+    { "inetd",'i',arg_flag,&do_inetd,
+       "Not started from inetd", NULL },
+    { "help", 'h', arg_flag, &help_flag },
+    { "version", 0, arg_flag, &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code, struct getargs *args, int num_args)
+{
+    arg_printusage(args, num_args, NULL, "");
+    exit(code);
+}
+
+static int
+server_setup(krb5_context *context, int argc, char **argv)
+{
+    int port = 0;
+    int local_argc;
+
+    local_argc = krb5_program_setup(context, argc, argv, args, num_args, usage);
+
+    if(help_flag)
+	(*usage)(0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    
+    if(port_str){
+	struct servent *s = roken_getservbyname(port_str, "tcp");
+	if(s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		errx (1, "Bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    }
+
+    if (port == 0)
+	port = krb5_getportbyname (*context, PORT, "tcp", PORT_NUM);
+
+    if(argv[local_argc] != NULL)
+        usage(1, args, num_args);
+    
+    return port;
+}
+
+static void
+syslog_and_die (const char *m, ...)
+{
+    va_list args;
+
+    va_start(args, m);
+    vsyslog (LOG_ERR, m, args);
+    va_end(args);
+    exit (1);
+}
+
+static void
+syslog_and_cont (const char *m, ...)
+{
+    va_list args;
+
+    va_start(args, m);
+    vsyslog (LOG_ERR, m, args);
+    va_end(args);
+    return; 
+}
+
+static int
+proto (int sock, const char *service)
+{
+    struct sockaddr_in remote, local;
+    int addrlen;
+    krb5_address remote_addr, local_addr;
+    krb5_auth_context auth_context;
+    krb5_error_code status;
+    krb5_principal server;
+    krb5_ticket *ticket;
+    char *name;
+    char ret_string[10];
+    char hostname[MAXHOSTNAMELEN];
+    krb5_data packet;
+    krb5_data data;
+    krb5_data remotename;
+    krb5_data tk_file;
+
+    u_int32_t len, net_len;
+    krb5_ccache ccache;
+    char ccname[MAXPATHLEN];
+    struct passwd *pwd;
+
+    addrlen = sizeof(local);
+    if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
+	|| addrlen != sizeof(local))
+	syslog_and_die("getsockname: %s",strerror(errno));
+
+    addrlen = sizeof(remote);
+    if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
+	|| addrlen != sizeof(remote))
+	syslog_and_die("getpeername: %s",strerror(errno));
+
+    status = krb5_auth_con_init (context, &auth_context);
+    if (status)
+	syslog_and_die("krb5_auth_con_init: %s",
+	      krb5_get_err_text(context, status));
+
+    local_addr.addr_type = AF_INET;
+    local_addr.address.length = sizeof(local.sin_addr);
+    local_addr.address.data   = &local.sin_addr;
+
+    remote_addr.addr_type = AF_INET;
+    remote_addr.address.length = sizeof(remote.sin_addr);
+    remote_addr.address.data   = &remote.sin_addr;
+
+    status = krb5_auth_con_setaddrs (context,
+				     auth_context,
+				     &local_addr,
+				     &remote_addr);
+    if (status)
+	syslog_and_die("krb5_auth_con_setaddr: %s",
+	      krb5_get_err_text(context, status));
+
+    if(gethostname (hostname, sizeof(hostname)) < 0)
+	syslog_and_die("gethostname: %s",strerror(errno));
+
+    status = krb5_sname_to_principal (context,
+				      hostname,
+				      service,
+				      KRB5_NT_SRV_HST,
+				      &server);
+    if (status)
+	syslog_and_die("krb5_sname_to_principal: %s",
+	      krb5_get_err_text(context, status));
+
+    status = krb5_recvauth (context,
+			    &auth_context,
+			    &sock,
+			    VERSION,
+			    server,
+			    0,
+			    NULL,
+			    &ticket);
+    if (status)
+	syslog_and_die("krb5_recvauth: %s",
+	      krb5_get_err_text(context, status));
+
+    status = krb5_unparse_name (context,
+				ticket->client,
+				&name);
+    if (status)
+	syslog_and_die("krb5_unparse_name: %s",
+	      krb5_get_err_text(context, status));
+
+    status=krb5_read_message (context, &sock, &remotename);
+    if (status)
+       {syslog_and_die("krb5_read_message: %s",
+              krb5_get_err_text(context, status));
+       }
+    status=krb5_read_message (context, &sock, &tk_file);
+    if (status)
+       {syslog_and_die("krb5_read_message: %s",
+              krb5_get_err_text(context, status));
+       }
+
+    krb5_data_zero (&data);
+    krb5_data_zero (&packet);
+
+    if (krb5_net_read (context, &sock, &net_len, 4) != 4)
+        syslog_and_die("krb5_net_read: %s",strerror(errno));
+
+    len = ntohl(net_len);
+    krb5_data_alloc (&packet, len);
+    if (krb5_net_read (context, &sock, packet.data, len) != len)
+         syslog_and_die("krb5_net_read: %s",strerror(errno)); 
+
+    status = krb5_rd_priv (context,
+                           auth_context,
+                           &packet,
+                           &data,
+                           NULL);
+    if (status)
+        {syslog_and_cont("krb5_rd_priv: %s",
+              krb5_get_err_text(context, status));
+         goto out;
+    }
+
+    pwd = getpwnam ((char *)(remotename.data));
+    if (pwd == NULL)
+	{status=1;
+         syslog_and_cont("getpwnam: %s failed",(char *)(remotename.data));
+         goto out;
+    }
+
+    if(!krb5_kuserok (context,
+                     ticket->client,
+                     (char *)(remotename.data)))
+        {status=1;
+         syslog_and_cont("krb5_kuserok: permission denied");
+         goto out;
+    }
+
+    setgid(pwd->pw_gid);
+    setuid(pwd->pw_uid);
+
+    if (tk_file.length != 1)
+      snprintf (ccname, sizeof(ccname), "%s", (char *)(tk_file.data));
+      else
+      snprintf (ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%u",pwd->pw_uid);
+
+    status = krb5_cc_resolve (context, ccname, &ccache);
+    if (status)
+	{syslog_and_cont("krb5_cc_resolve: %s",
+              krb5_get_err_text(context, status));
+        goto out;
+    }
+    status = krb5_cc_initialize (context, ccache, ticket->client);
+    if (status)
+        {syslog_and_cont("krb5_cc_initialize: %s",
+              krb5_get_err_text(context, status));
+        goto out;
+
+    }
+    status = krb5_rd_cred (context, auth_context, ccache, &data);
+    krb5_cc_close (context, ccache);
+    if (status)
+       {syslog_and_cont("krb5_cc_initialize: %s",
+              krb5_get_err_text(context, status));
+        goto out;
+
+    }
+    syslog_and_cont("%s forwarded ticket to %s,%s",
+                     name,
+                     (char *)(remotename.data),ccname);
+out:
+    if (status)
+      {strcpy(ret_string,"no");
+       syslog_and_cont("failed");
+      }
+      else strcpy(ret_string,"ok");
+
+    krb5_data_free (&tk_file);
+    krb5_data_free (&remotename);
+    krb5_data_free (&packet);
+    krb5_data_free (&data);
+    free(name);
+
+    len = strlen(ret_string) + 1;
+    net_len = htonl(len);
+    if (krb5_net_write (context, &sock, &net_len, 4) != 4)
+         return 1;
+    if (krb5_net_write (context, &sock, ret_string, len) != len)
+         return 1;
+    return 0 ;
+}
+
+static int
+doit (int port, const char *service)
+{
+    if (do_inetd) mini_inetd(port);
+    return proto (STDIN_FILENO, service);
+}
+
+int
+main(int argc, char **argv)
+{
+    int port;
+    int ret;
+
+    set_progname (argv[0]);
+    roken_openlog (argv[0], LOG_ODELAY | LOG_PID,LOG_AUTH);
+    port = server_setup(&context, argc, argv);
+    ret=doit (port, service);
+    closelog();
+    return ret;
+}