First, it allows root to ignore the
naming conventions. Second, it allows root to always perform any operation on any ccache. Note that root could do this anyway with FILE ccaches git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20470 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
		| @@ -93,12 +93,13 @@ kcm_access(krb5_context context, | |||||||
|  |  | ||||||
|     mask = 0; |     mask = 0; | ||||||
|  |  | ||||||
|     if (client->uid == ccache->uid) { |     /* Root may do whatever they like */ | ||||||
|  |     if (client->uid == ccache->uid || CLIENT_IS_ROOT(client)) { | ||||||
| 	if (read_p) | 	if (read_p) | ||||||
| 	    mask |= S_IRUSR; | 	    mask |= S_IRUSR; | ||||||
| 	if (write_p) | 	if (write_p) | ||||||
| 	    mask |= S_IWUSR; | 	    mask |= S_IWUSR; | ||||||
|     } else if (client->gid == ccache->gid) { |     } else if (client->gid == ccache->gid || CLIENT_IS_ROOT(client->uid)) { | ||||||
| 	if (read_p) | 	if (read_p) | ||||||
| 	    mask |= S_IRGRP; | 	    mask |= S_IRGRP; | ||||||
| 	if (write_p) | 	if (write_p) | ||||||
|   | |||||||
							
								
								
									
										31
									
								
								kcm/client.c
									
									
									
									
									
								
							
							
						
						
									
										31
									
								
								kcm/client.c
									
									
									
									
									
								
							| @@ -31,6 +31,7 @@ | |||||||
|  */ |  */ | ||||||
|  |  | ||||||
| #include "kcm_locl.h" | #include "kcm_locl.h" | ||||||
|  | #include <pwd.h> | ||||||
|  |  | ||||||
| RCSID("$Id$"); | RCSID("$Id$"); | ||||||
|  |  | ||||||
| @@ -116,17 +117,18 @@ kcm_ccache_new_client(krb5_context context, | |||||||
| 		bad = 0; | 		bad = 0; | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	if (bad) | 	/* Allow root to create badly-named ccaches */ | ||||||
|  | 	if (bad && CLIENT_IS_ROOT(client)) | ||||||
| 	    return KRB5_CC_BADNAME; | 	    return KRB5_CC_BADNAME; | ||||||
|     } |     } | ||||||
| 	 | 	 | ||||||
|     ret = kcm_ccache_resolve(context, name, &ccache); |     ret = kcm_ccache_resolve(context, name, &ccache); | ||||||
|     if (ret == 0) { |     if (ret == 0) { | ||||||
| 	if (ccache->uid != client->uid || | 	if ((ccache->uid != client->uid || | ||||||
| 	    ccache->gid != client->gid) | 	     ccache->gid != client->gid) && !CLIENT_IS_ROOT(client)) | ||||||
| 	    return KRB5_FCC_PERM; | 	    return KRB5_FCC_PERM; | ||||||
|     } else if (ret != KRB5_FCC_NOFILE) { |     } else if (ret != KRB5_FCC_NOFILE && !(CLIENT_IS_ROOT(client) && ret == KRB5_FCC_PERM)) { | ||||||
| 	return ret; | 		return ret; | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     if (ret == KRB5_FCC_NOFILE) { |     if (ret == KRB5_FCC_NOFILE) { | ||||||
| @@ -158,6 +160,25 @@ kcm_ccache_new_client(krb5_context context, | |||||||
| 	return ret; | 	return ret; | ||||||
|     } |     } | ||||||
|  |  | ||||||
|  |     /*  | ||||||
|  |      * Finally, if the user is root and the cache was created under | ||||||
|  |      * another user's name, chown the cache to that user and their | ||||||
|  |      * default gid. | ||||||
|  |      */ | ||||||
|  |     if (CLIENT_IS_ROOT(client)) { | ||||||
|  | 	uid_t uid; | ||||||
|  | 	int matches = sscanf(name,"%ld:",&uid); | ||||||
|  | 	if (matches == 0) | ||||||
|  | 	    matches = sscanf(name,"%ld",&uid); | ||||||
|  | 	if (matches == 1) { | ||||||
|  | 	    struct passwd *pwd = getpwuid(uid); | ||||||
|  | 	    if (pwd != NULL) { | ||||||
|  | 		gid_t gid = pwd->pw_gid; | ||||||
|  | 		kcm_chown(context, client, ccache, uid, gid); | ||||||
|  | 	    } | ||||||
|  | 	} | ||||||
|  |     } | ||||||
|  |      | ||||||
|     *ccache_p = ccache; |     *ccache_p = ccache; | ||||||
|     return 0; |     return 0; | ||||||
| } | } | ||||||
|   | |||||||
| @@ -140,6 +140,8 @@ typedef struct kcm_client { | |||||||
|     gid_t gid; |     gid_t gid; | ||||||
| } kcm_client; | } kcm_client; | ||||||
|  |  | ||||||
|  | #define CLIENT_IS_ROOT(client) ((client)->uid == 0) | ||||||
|  |  | ||||||
| /* Dispatch table */ | /* Dispatch table */ | ||||||
| /* passed in OPERATION | ... ; returns STATUS | ... */ | /* passed in OPERATION | ... ; returns STATUS | ... */ | ||||||
| typedef krb5_error_code (*kcm_method)(krb5_context, kcm_client *, kcm_operation, krb5_storage *, krb5_storage *); | typedef krb5_error_code (*kcm_method)(krb5_context, kcm_client *, kcm_operation, krb5_storage *, krb5_storage *); | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user
	 Love Hörnquist Åstrand
					Love Hörnquist Åstrand