diff --git a/configure.ac b/configure.ac index a599b3e91..5bca7c6c0 100644 --- a/configure.ac +++ b/configure.ac @@ -195,6 +195,9 @@ AM_CONDITIONAL(KRB4, false) AM_CONDITIONAL(KRB5, true) AM_CONDITIONAL(do_roken_rename, true) +AC_DEFINE(SUPPORT_INETD, 1, [Enable use of inetd style startup.])dnl + + AC_DEFINE(KRB5, 1, [Enable Kerberos 5 support in applications.])dnl AC_SUBST(LIB_kdb)dnl diff --git a/include/config.h.w32 b/include/config.h.w32 index 8b480884f..5f12064b3 100644 --- a/include/config.h.w32 +++ b/include/config.h.w32 @@ -1362,9 +1362,6 @@ static const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define if the Unix rand method is not defined */ #define NO_RAND_UNIX_METHOD 1 -/* Define if fd_sets aren't limited to FD_SETSIZE sockets */ -#define NO_LIMIT_FD_SETSIZE 1 - /* Define if PID files should not be used. */ #define NO_PIDFILES 1 diff --git a/kadmin/kadm_conn.c b/kadmin/kadm_conn.c index 393a6c1eb..9cc2293f5 100644 --- a/kadmin/kadm_conn.c +++ b/kadmin/kadm_conn.c @@ -175,8 +175,10 @@ wait_for_connection(krb5_context context, FD_ZERO(&orig_read_set); for(i = 0; i < num_socks; i++) { +#ifdef FD_SETSIZE if (socks[i] >= FD_SETSIZE) errx (1, "fd too large"); +#endif FD_SET(socks[i], &orig_read_set); max_fd = max(max_fd, socks[i]); } diff --git a/kdc/connect.c b/kdc/connect.c index c9b0ec538..318179b38 100644 --- a/kdc/connect.c +++ b/kdc/connect.c @@ -217,7 +217,7 @@ parse_ports(krb5_context context, */ struct descr { - int s; + krb5_socket_t s; int type; int port; unsigned char *buf; @@ -235,7 +235,7 @@ init_descr(struct descr *d) { memset(d, 0, sizeof(*d)); d->sa = (struct sockaddr *)&d->__ss; - d->s = -1; + d->s = rk_INVALID_SOCKET; } /* @@ -270,8 +270,8 @@ init_socket(krb5_context context, ret = krb5_addr2sockaddr (context, a, sa, &sa_size, port); if (ret) { krb5_warn(context, ret, "krb5_addr2sockaddr"); - close(d->s); - d->s = -1; + rk_closesocket(d->s); + d->s = rk_INVALID_SOCKET; return; } @@ -279,9 +279,9 @@ init_socket(krb5_context context, return; d->s = socket(family, type, 0); - if(d->s < 0){ + if(rk_IS_BAD_SOCKET(d->s)){ krb5_warn(context, errno, "socket(%d, %d, 0)", family, type); - d->s = -1; + d->s = rk_INVALID_SOCKET; return; } #if defined(HAVE_SETSOCKOPT) && defined(SOL_SOCKET) && defined(SO_REUSEADDR) @@ -293,24 +293,24 @@ init_socket(krb5_context context, d->type = type; d->port = port; - if(bind(d->s, sa, sa_size) < 0){ + if(rk_IS_SOCKET_ERROR(bind(d->s, sa, sa_size))){ char a_str[256]; size_t len; krb5_print_address (a, a_str, sizeof(a_str), &len); krb5_warn(context, errno, "bind %s/%d", a_str, ntohs(port)); - close(d->s); - d->s = -1; + rk_closesocket(d->s); + d->s = rk_INVALID_SOCKET; return; } - if(type == SOCK_STREAM && listen(d->s, SOMAXCONN) < 0){ + if(type == SOCK_STREAM && rk_IS_SOCKET_ERROR(listen(d->s, SOMAXCONN))){ char a_str[256]; size_t len; krb5_print_address (a, a_str, sizeof(a_str), &len); krb5_warn(context, errno, "listen %s/%d", a_str, ntohs(port)); - close(d->s); - d->s = -1; + rk_closesocket(d->s); + d->s = rk_INVALID_SOCKET; return; } } @@ -348,7 +348,7 @@ init_sockets(krb5_context context, for (j = 0; j < addresses.len; ++j) { init_socket(context, config, &d[num], &addresses.val[j], ports[i].family, ports[i].type, ports[i].port); - if(d[num].s != -1){ + if(d[num].s != rk_INVALID_SOCKET){ char a_str[80]; size_t len; @@ -423,15 +423,16 @@ send_reply(krb5_context context, l[1] = (reply->length >> 16) & 0xff; l[2] = (reply->length >> 8) & 0xff; l[3] = reply->length & 0xff; - if(sendto(d->s, l, sizeof(l), 0, d->sa, d->sock_len) < 0) { + if(rk_IS_SOCKET_ERROR(sendto(d->s, l, sizeof(l), 0, d->sa, d->sock_len))) { kdc_log (context, config, - 0, "sendto(%s): %s", d->addr_string, strerror(errno)); + 0, "sendto(%s): %s", d->addr_string, + strerror(rk_SOCK_ERRNO)); return; } } - if(sendto(d->s, reply->data, reply->length, 0, d->sa, d->sock_len) < 0) { - kdc_log (context, config, - 0, "sendto(%s): %s", d->addr_string, strerror(errno)); + if(rk_IS_SOCKET_ERROR(sendto(d->s, reply->data, reply->length, 0, d->sa, d->sock_len))) { + kdc_log (context, config, 0, "sendto(%s): %s", d->addr_string, + strerror(rk_SOCK_ERRNO)); return; } } @@ -489,9 +490,9 @@ handle_udp(krb5_context context, d->sock_len = sizeof(d->__ss); n = recvfrom(d->s, buf, max_request_udp, 0, d->sa, &d->sock_len); - if(n < 0) { - krb5_warn(context, errno, "recvfrom"); - } else { + if(rk_IS_SOCKET_ERROR(n)) + krb5_warn(context, rk_SOCK_ERRNO, "recvfrom"); + else { addr_to_string (context, d->sa, d->sock_len, d->addr_string, sizeof(d->addr_string)); if (n == max_request_udp) { @@ -523,9 +524,9 @@ clear_descr(struct descr *d) if(d->buf) memset(d->buf, 0, d->size); d->len = 0; - if(d->s != -1) - close(d->s); - d->s = -1; + if(d->s != rk_INVALID_SOCKET) + rk_closesocket(d->s); + d->s = rk_INVALID_SOCKET; } @@ -559,23 +560,25 @@ add_new_tcp (krb5_context context, krb5_kdc_configuration *config, struct descr *d, int parent, int child) { - int s; + krb5_socket_t s; if (child == -1) return; d[child].sock_len = sizeof(d[child].__ss); s = accept(d[parent].s, d[child].sa, &d[child].sock_len); - if(s < 0) { - krb5_warn(context, errno, "accept"); + if(rk_IS_BAD_SOCKET(s)) { + krb5_warn(context, rk_SOCK_ERRNO, "accept"); return; } - + +#ifdef FD_SETSIZE if (s >= FD_SETSIZE) { krb5_warnx(context, "socket FD too large"); - close (s); + rk_closesocket (s); return; } +#endif d[child].s = s; d[child].timeout = time(NULL) + TCP_TIMEOUT; @@ -718,14 +721,14 @@ handle_http_tcp (krb5_context context, kdc_log(context, config, 0, "HTTP request from %s is non KDC request", d->addr_string); kdc_log(context, config, 5, "HTTP request: %s", t); free(data); - if (write(d->s, proto, strlen(proto)) < 0) { + if (rk_IS_SOCKET_ERROR(send(d->s, proto, strlen(proto), 0))) { kdc_log(context, config, 0, "HTTP write failed: %s: %s", - d->addr_string, strerror(errno)); + d->addr_string, strerror(rk_SOCK_ERRNO)); return -1; } - if (write(d->s, msg, strlen(msg)) < 0) { + if (rk_IS_SOCKET_ERROR(send(d->s, msg, strlen(msg), 0))) { kdc_log(context, config, 0, "HTTP write failed: %s: %s", - d->addr_string, strerror(errno)); + d->addr_string, strerror(rk_SOCK_ERRNO)); return -1; } return -1; @@ -738,16 +741,16 @@ handle_http_tcp (krb5_context context, "Pragma: no-cache\r\n" "Content-type: application/octet-stream\r\n" "Content-transfer-encoding: binary\r\n\r\n"; - if (write(d->s, proto, strlen(proto)) < 0) { + if (rk_IS_SOCKET_ERROR(send(d->s, proto, strlen(proto), 0))) { free(data); kdc_log(context, config, 0, "HTTP write failed: %s: %s", - d->addr_string, strerror(errno)); + d->addr_string, strerror(rk_SOCK_ERRNO)); return -1; } - if (write(d->s, msg, strlen(msg)) < 0) { + if (rk_IS_SOCKET_ERROR(send(d->s, msg, strlen(msg), 0))) { free(data); kdc_log(context, config, 0, "HTTP write failed: %s: %s", - d->addr_string, strerror(errno)); + d->addr_string, strerror(rk_SOCK_ERRNO)); return -1; } } @@ -778,8 +781,8 @@ handle_tcp(krb5_context context, } n = recvfrom(d[idx].s, buf, sizeof(buf), 0, NULL, NULL); - if(n < 0){ - krb5_warn(context, errno, "recvfrom failed from %s to %s/%d", + if(rk_IS_SOCKET_ERROR(n)){ + krb5_warn(context, rk_SOCK_ERRNO, "recvfrom failed from %s to %s/%d", d[idx].addr_string, descr_type(d + idx), ntohs(d[idx].port)); return; @@ -865,7 +868,7 @@ loop(krb5_context context, FD_ZERO(&fds); for(i = 0; i < ndescr; i++) { - if(d[i].s >= 0){ + if(!rk_IS_BAD_SOCKET(d[i].s)){ if(d[i].type == SOCK_STREAM && d[i].timeout && d[i].timeout < time(NULL)) { kdc_log(context, config, 1, @@ -876,8 +879,10 @@ loop(krb5_context context, } if(max_fd < d[i].s) max_fd = d[i].s; +#ifdef FD_SETSIZE if (max_fd >= FD_SETSIZE) krb5_errx(context, 1, "fd too large"); +#endif FD_SET(d[i].s, &fds); } else if(min_free < 0 || i < min_free) min_free = i; @@ -905,11 +910,11 @@ loop(krb5_context context, break; case -1: if (errno != EINTR) - krb5_warn(context, errno, "select"); + krb5_warn(context, rk_SOCK_ERRNO, "select"); break; default: for(i = 0; i < ndescr; i++) - if(d[i].s >= 0 && FD_ISSET(d[i].s, &fds)) { + if(!rk_IS_BAD_SOCKET(d[i].s) && FD_ISSET(d[i].s, &fds)) { if(d[i].type == SOCK_DGRAM) handle_udp(context, config, &d[i]); else if(d[i].type == SOCK_STREAM) @@ -917,8 +922,11 @@ loop(krb5_context context, } } } - if(exit_flag == SIGXCPU) + if (0); +#ifdef SIGXCPU + else if(exit_flag == SIGXCPU) kdc_log(context, config, 0, "CPU time limit exceeded"); +#endif else if(exit_flag == SIGINT || exit_flag == SIGTERM) kdc_log(context, config, 0, "Terminated"); else diff --git a/kdc/hprop.c b/kdc/hprop.c index 432c7e28b..eb400e610 100644 --- a/kdc/hprop.c +++ b/kdc/hprop.c @@ -131,6 +131,7 @@ v5_prop(krb5_context context, HDB *db, hdb_entry_ex *entry, void *appdata) return ret; } +#ifdef KRB4 int v4_prop(void *arg, struct v4_principal *p) { @@ -255,6 +256,7 @@ v4_prop(void *arg, struct v4_principal *p) hdb_free_entry(pd->context, &ent); return ret; } +#endif #include "kadb.h" @@ -277,6 +279,8 @@ read_block(krb5_context context, int fd, int32_t pos, void *buf, size_t len) krb5_errx(context, 1, "read(%lu) = %u", (unsigned long)len, ret); } +#ifdef KRB4 + static int ka_convert(struct prop_data *pd, int fd, struct ka_entry *ent) { @@ -405,7 +409,7 @@ ka_dump(struct prop_data *pd, const char *file) } return 0; } - +#endif /* KRB4 */ struct getargs args[] = { @@ -414,13 +418,19 @@ struct getargs args[] = { { "source", 0, arg_string, &source_type, "type of database to read", "heimdal" "|mit-dump" +#ifdef KRB4 "|krb4-dump" "|kaserver" +#endif }, +#ifdef KRB4 { "v4-realm", 'r', arg_string, &v4_realm, "v4 realm to use" }, +#endif { "cell", 'c', arg_string, &afs_cell, "name of AFS cell" }, +#ifdef KRB4 { "kaspecials", 'S', arg_flag, &kaspecials_flag, "dump KASPECIAL keys"}, +#endif { "keytab", 'k', arg_string, &ktname, "keytab to use for authentication", "keytab" }, { "v5-realm", 'R', arg_string, &local_realm, "v5 realm to use" }, { "decrypt", 'D', arg_flag, &decrypt_flag, "decrypt keys" }, @@ -526,6 +536,7 @@ iterate (krb5_context context, int ret; switch(type) { +#ifdef KRB4 case HPROP_KRB4_DUMP: ret = v4_prop_dump(pd, database_name); if(ret) @@ -536,6 +547,7 @@ iterate (krb5_context context, if(ret) krb5_warn(context, ret, "ka_dump"); break; +#endif case HPROP_MIT_DUMP: ret = mit_prop_dump(pd, database_name); if (ret) diff --git a/kdc/hpropd.c b/kdc/hpropd.c index c34a2c85c..625fec5b9 100644 --- a/kdc/hpropd.c +++ b/kdc/hpropd.c @@ -48,8 +48,10 @@ struct getargs args[] = { { "database", 'd', arg_string, &database, "database", "file" }, { "stdin", 'n', arg_flag, &from_stdin, "read from stdin" }, { "print", 0, arg_flag, &print_dump, "print dump to stdout" }, +#ifdef SUPPORT_INETD { "inetd", 'i', arg_negative_flag, &inetd_flag, "Not started from inetd" }, +#endif { "keytab", 'k', arg_string, &ktname, "keytab to use for authentication", "keytab" }, { "realm", 'r', arg_string, &local_realm, "realm to use" }, { "version", 0, arg_flag, &version_flag, NULL, NULL }, @@ -74,7 +76,7 @@ main(int argc, char **argv) krb5_principal c1, c2; krb5_authenticator authent; krb5_keytab keytab; - int fd; + krb5_socket_t sock = rk_INVALID_SOCKET; HDB *db = NULL; int optidx = 0; char *tmp_db; @@ -114,9 +116,9 @@ main(int argc, char **argv) if (database == NULL) database = hdb_default_db(context); - if(from_stdin) - fd = STDIN_FILENO; - else { + if(from_stdin) { + sock = STDIN_FILENO; + } else { struct sockaddr_storage ss; struct sockaddr *sa = (struct sockaddr *)&ss; socklen_t sin_len = sizeof(ss); @@ -124,19 +126,24 @@ main(int argc, char **argv) krb5_ticket *ticket; char *server; - fd = STDIN_FILENO; + sock = STDIN_FILENO; +#ifdef SUPPORT_INETD if (inetd_flag == -1) { - if (getpeername (fd, sa, &sin_len) < 0) + if (getpeername (sock, sa, &sin_len) < 0) { inetd_flag = 0; - else + } else { inetd_flag = 1; + } } +#else + inetd_flag = 0; +#endif if (!inetd_flag) { mini_inetd (krb5_getportbyname (context, "hprop", "tcp", - HPROP_PORT), NULL); + HPROP_PORT), &sock); } sin_len = sizeof(ss); - if(getpeername(fd, sa, &sin_len) < 0) + if(getpeername(sock, sa, &sin_len) < 0) krb5_err(context, 1, errno, "getpeername"); if (inet_ntop(sa->sa_family, @@ -162,7 +169,7 @@ main(int argc, char **argv) krb5_err (context, 1, ret, "krb5_kt_default"); } - ret = krb5_recvauth(context, &ac, &fd, HPROP_VERSION, NULL, + ret = krb5_recvauth(context, &ac, &sock, HPROP_VERSION, NULL, 0, keytab, &ticket); if(ret) krb5_err(context, 1, ret, "krb5_recvauth"); @@ -179,7 +186,7 @@ main(int argc, char **argv) ret = krb5_auth_con_getauthenticator(context, ac, &authent); if(ret) krb5_err(context, 1, ret, "krb5_auth_con_getauthenticator"); - + ret = krb5_make_principal(context, &c1, NULL, "kadmin", "hprop", NULL); if(ret) krb5_err(context, 1, ret, "krb5_make_principal"); @@ -217,11 +224,11 @@ main(int argc, char **argv) hdb_entry_ex entry; if(from_stdin) { - ret = krb5_read_message(context, &fd, &data); + ret = krb5_read_message(context, &sock, &data); if(ret != 0 && ret != HEIM_ERR_EOF) krb5_err(context, 1, ret, "krb5_read_message"); } else { - ret = krb5_read_priv_message(context, ac, &fd, &data); + ret = krb5_read_priv_message(context, ac, &sock, &data); if(ret) krb5_err(context, 1, ret, "krb5_read_priv_message"); } @@ -230,7 +237,7 @@ main(int argc, char **argv) if(!from_stdin) { data.data = NULL; data.length = 0; - krb5_write_priv_message(context, ac, &fd, &data); + krb5_write_priv_message(context, ac, &sock, &data); } if(!print_dump) { ret = db->hdb_rename(context, db, database); @@ -267,5 +274,9 @@ main(int argc, char **argv) } if (!print_dump) krb5_log(context, fac, 0, "Received %d principals", nprincs); + + if (inetd_flag == 0) + rk_closesocket(sock); + exit(0); } diff --git a/kdc/kstash.c b/kdc/kstash.c index ad504b29c..784525d5e 100644 --- a/kdc/kstash.c +++ b/kdc/kstash.c @@ -144,13 +144,19 @@ main(int argc, char **argv) if(ret) unlink(new); else { +#ifndef NO_POSIX_LINKS unlink(old); if(link(keyfile, old) < 0 && errno != ENOENT) { ret = errno; unlink(new); - } else if(rename(new, keyfile) < 0) { - ret = errno; + } else { +#endif + if(rename(new, keyfile) < 0) { + ret = errno; + } +#ifndef NO_POSIX_LINKS } +#endif } out: free(old); diff --git a/kdc/libkdc-exports.def b/kdc/libkdc-exports.def new file mode 100644 index 000000000..b3ace1c1a --- /dev/null +++ b/kdc/libkdc-exports.def @@ -0,0 +1,12 @@ +EXPORTS + kdc_log + kdc_log_msg + kdc_log_msg_va + kdc_openlog + krb5_kdc_windc_init + krb5_kdc_get_config + krb5_kdc_set_dbinfo + krb5_kdc_process_krb5_request + krb5_kdc_process_request + krb5_kdc_save_request + krb5_kdc_update_time diff --git a/kdc/main.c b/kdc/main.c index b40bd11ef..d5a117064 100644 --- a/kdc/main.c +++ b/kdc/main.c @@ -64,6 +64,7 @@ sigterm(int sig) static void switch_environment(void) { +#ifdef HAVE_GETEUID if ((runas_string || chroot_string) && geteuid() != 0) errx(1, "no running as root, can't switch user/chroot"); @@ -86,6 +87,7 @@ switch_environment(void) if (setuid(pw->pw_uid) < 0) err(1, "setuid(%s)", runas_string); } +#endif } @@ -120,17 +122,25 @@ main(int argc, char **argv) sigaction(SIGINT, &sa, NULL); sigaction(SIGTERM, &sa, NULL); +#ifdef SIGXCPU sigaction(SIGXCPU, &sa, NULL); +#endif sa.sa_handler = SIG_IGN; +#ifdef SIGPIPE sigaction(SIGPIPE, &sa, NULL); +#endif } #else signal(SIGINT, sigterm); signal(SIGTERM, sigterm); +#ifdef SIGXCPU signal(SIGXCPU, sigterm); +#endif +#ifdef SIGPIPE signal(SIGPIPE, SIG_IGN); #endif +#endif #ifdef SUPPORT_DETACH if (detach_from_console) daemon(0, 0); diff --git a/lib/roken/mini_inetd.c b/lib/roken/mini_inetd.c index a9398f4fd..4d8ccb6e5 100644 --- a/lib/roken/mini_inetd.c +++ b/lib/roken/mini_inetd.c @@ -124,7 +124,7 @@ mini_inetd_addrinfo (struct addrinfo *ai, rk_socket_t *ret_socket) fds[i] = rk_INVALID_SOCKET; continue; } -#ifndef NO_LIMIT_FD_SETSIZE +#ifdef FD_SETSIZE if (fds[i] >= FD_SETSIZE) errx (1, "fd too large"); #endif