Log when non-root ksu authorization fails

Resolves: #1575771
2018-06-01 14:04:16 -04:00 · 2018-06-01 14:04:16 -04:00 · 6e3058a9c5
commit 6e3058a9c5
parent 9467290bc7
3 changed files with 175 additions and 1 deletions
--- a/Fix-segfault-in-finish_dispatch.patch
+++ b/Fix-segfault-in-finish_dispatch.patch
@ -0,0 +1,133 @@
 From d134cd489a6841f510b3efdf4ddcb283493655f0 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Wed, 18 Apr 2018 14:13:28 -0400
 Subject: [PATCH] Fix segfault in finish_dispatch()
 dispatch() doesn't necessarily initialize state->active_realm which
 led to an explicit NULL dereference in finish_dispatch().
 Additionally, fix make_too_big_error() so that it won't subsequently
 dereference state->active_realm.
 tags: pullup
 target_version: 1.16-next
 target_version: 1.15-next
 ---
 src/kdc/dispatch.c | 79 ++++++++++++++++++++++++----------------------
 1 file changed, 42 insertions(+), 37 deletions(-)
 diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
 index 3ed5176a8..fb3686c98 100644
 --- a/src/kdc/dispatch.c
 +++ b/src/kdc/dispatch.c
@@ -35,9 +35,6 @@
 static krb5_int32 last_usec = 0, last_os_random = 0;
 -static krb5_error_code make_too_big_error(kdc_realm_t *kdc_active_realm,
 -                                          krb5_data **out);
 -
 struct dispatch_state {
     loop_respond_fn respond;
     void *arg;
@@ -47,6 +44,41 @@ struct dispatch_state {
     krb5_context kdc_err_context;
 };
 +
 +static krb5_error_code
 +make_too_big_error(krb5_context context, krb5_principal tgsprinc,
 +                   krb5_data **out)
 +{
 +    krb5_error errpkt;
 +    krb5_error_code retval;
 +    krb5_data *scratch;
 +
 +    *out = NULL;
 +    memset(&errpkt, 0, sizeof(errpkt));
 +
 +    retval = krb5_us_timeofday(context, &errpkt.stime, &errpkt.susec);
 +    if (retval)
 +        return retval;
 +    errpkt.error = KRB_ERR_RESPONSE_TOO_BIG;
 +    errpkt.server = tgsprinc;
 +    errpkt.client = NULL;
 +    errpkt.text.length = 0;
 +    errpkt.text.data = 0;
 +    errpkt.e_data.length = 0;
 +    errpkt.e_data.data = 0;
 +    scratch = malloc(sizeof(*scratch));
 +    if (scratch == NULL)
 +        return ENOMEM;
 +    retval = krb5_mk_error(context, &errpkt, scratch);
 +    if (retval) {
 +        free(scratch);
 +        return retval;
 +    }
 +
 +    *out = scratch;
 +    return 0;
 +}
 +
 static void
 finish_dispatch(struct dispatch_state *state, krb5_error_code code,
                 krb5_data *response)
@@ -54,12 +86,17 @@ finish_dispatch(struct dispatch_state *state, krb5_error_code code,
     loop_respond_fn oldrespond = state->respond;
     void *oldarg = state->arg;
     kdc_realm_t *kdc_active_realm = state->active_realm;
 +    krb5_principal tgsprinc = NULL;
 +
 +    if (kdc_active_realm != NULL)
 +        tgsprinc = kdc_active_realm->realm_tgsprinc;
     if (state->is_tcp == 0 && response &&
         response->length > (unsigned int)max_dgram_reply_size) {
 -        krb5_free_data(kdc_context, response);
 +        krb5_free_data(state->kdc_err_context, response);
         response = NULL;
 -        code = make_too_big_error(kdc_active_realm, &response);
 +        code = make_too_big_error(state->kdc_err_context, tgsprinc,
 +                                  &response);
         if (code)
             krb5_klog_syslog(LOG_ERR, "error constructing "
                              "KRB_ERR_RESPONSE_TOO_BIG error: %s",
@@ -208,38 +245,6 @@ done:
     finish_dispatch_cache(state, retval, response);
 }
 -static krb5_error_code
 -make_too_big_error(kdc_realm_t *kdc_active_realm, krb5_data **out)
 -{
 -    krb5_error errpkt;
 -    krb5_error_code retval;
 -    krb5_data *scratch;
 -
 -    *out = NULL;
 -    memset(&errpkt, 0, sizeof(errpkt));
 -
 -    retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec);
 -    if (retval)
 -        return retval;
 -    errpkt.error = KRB_ERR_RESPONSE_TOO_BIG;
 -    errpkt.server = tgs_server;
 -    errpkt.client = NULL;
 -    errpkt.text.length = 0;
 -    errpkt.text.data = 0;
 -    errpkt.e_data.length = 0;
 -    errpkt.e_data.data = 0;
 -    scratch = malloc(sizeof(*scratch));
 -    if (scratch == NULL)
 -        return ENOMEM;
 -    retval = krb5_mk_error(kdc_context, &errpkt, scratch);
 -    if (retval) {
 -        free(scratch);
 -        return retval;
 -    }
 -
 -    *out = scratch;
 -    return 0;
 -}
 krb5_context get_context(void *handle)
 {
--- a/Log-when-non-root-ksu-authorization-fails.patch
+++ b/Log-when-non-root-ksu-authorization-fails.patch
@ -0,0 +1,35 @@
 From 6b85df6c6f4bb0e61ba0913722317f4e2c3c23fc Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 7 May 2018 16:42:59 -0400
 Subject: [PATCH] Log when non-root ksu authorization fails
 If non-root user attempts to ksu but is denied by policy, log to
 syslog at LOG_WARNING in keeping with other failure messages.
 ticket: 8270
 (cherry picked from commit 6cfa5c113e981f14f70ccafa20abfa5c46b665ba)
 ---
 src/clients/ksu/main.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
 diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
 index c6321c01b..35ff8978f 100644
 --- a/src/clients/ksu/main.c
 +++ b/src/clients/ksu/main.c
@@ -417,6 +417,16 @@ main (argc, argv)
     if (hp){
         if (gb_err) fprintf(stderr, "%s", gb_err);
         fprintf(stderr, _("account %s: authorization failed\n"), target_user);
 +
 +        if (cmd != NULL) {
 +            syslog(LOG_WARNING,
 +                   "Account %s: authorization for %s for execution of %s failed",
 +                   target_user, source_user, cmd);
 +        } else {
 +            syslog(LOG_WARNING, "Account %s: authorization of %s failed",
 +                   target_user, source_user);
 +        }
 +
         exit(1);
     }
--- a/krb5.spec
+++ b/krb5.spec
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.16.1
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 2%{?dist}
+Release: 3%{?dist}
 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
@ -87,6 +87,8 @@ Patch64: Zap-data-when-freeing-krb5_spake_factor.patch
 Patch65: Be-more-careful-asking-for-AS-key-in-SPAKE-client.patch
 Patch68: Restrict-pre-authentication-fallback-cases.patch
 Patch69: Remove-nodes-option-from-make-certs-scripts.patch
 Patch70: Fix-segfault-in-finish_dispatch.patch
 Patch71: Log-when-non-root-ksu-authorization-fails.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@ -738,6 +740,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
 * Fri Jun 01 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-3
 - Log when non-root ksu authorization fails
 - Resolves: #1575771
 * Fri May 04 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-2
 - Remove "-nodes" option from make-certs scripts