rpms/mod_auth_gssapi
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Handle extra large NSS entries

Browse Source 
Resolves: #1498175
This commit is contained in:
Robbie Harwood 2017-10-03 17:03:10 -04:00
parent 8bc6d6bb1c
commit 58d1024252
3 changed files with 209 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
Fix-strtol-error-checking.patch Normal file
View File

@ -0,0 +1,34 @@
From 47795ee7ee34121d98b3bd528b499f19ebe3923d Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 3 Oct 2017 12:33:38 -0400
Subject: [PATCH] Fix strtol error checking
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 7cddf31b6ea7d0c67ac8a086d6b61d3f3631f47c)
---
src/mod_auth_gssapi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index 59120d1..74962d1 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -1502,7 +1502,7 @@ static const char *mag_deleg_ccache_perms(cmd_parms *parms, void *mconfig,
if (isdigit(*p)) {
char *endptr;
cfg->deleg_ccache_uid = strtol(p, &endptr, 0);
- if (errno != 0 || endptr != '\0') {
+ if (errno != 0 || (endptr && *endptr != '\0')) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
"Invalid GssapiDelegCcachePerms uid value [%s]",
p);
@@ -1527,7 +1527,7 @@ static const char *mag_deleg_ccache_perms(cmd_parms *parms, void *mconfig,
if (isdigit(*p)) {
char *endptr;
cfg->deleg_ccache_gid = strtol(p, &endptr, 0);
- if (errno != 0 || endptr != '\0') {
+ if (errno != 0 || (endptr && *endptr != '\0')) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
"Invalid GssapiDelegCcachePerms gid value [%s]",
p);

168
Handle-extra-large-NSS-entries.patch Normal file
View File

@ -0,0 +1,168 @@
From 31372b8220da331e8dc81f343ff3d6b5585a842f Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 3 Oct 2017 12:31:02 -0400
Subject: [PATCH] Handle extra large NSS entries
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Closes #152
(cherry picked from commit 9813eb46c6c415a933c5edf5076fd0a8e39c86b2)
[rharwood@redhat.com: conflicts due to no lex/yacc stuff yet]
---
src/Makefile.am | 2 +-
src/mod_auth_gssapi.c | 26 +++++++-------------
src/mod_auth_gssapi.h | 2 ++
src/util.c | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 78 insertions(+), 18 deletions(-)
create mode 100644 src/util.c
diff --git a/src/Makefile.am b/src/Makefile.am
index 0605261..d8dd3ec 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -8,7 +8,7 @@ dist_noinst_HEADERS = \
mod_auth_gssapi.h crypto.h sessions.h environ.h
mod_auth_gssapi_la_SOURCES = \
- mod_auth_gssapi.c crypto.c sessions.c environ.c
+ mod_auth_gssapi.c crypto.c sessions.c environ.c util.c
mod_auth_gssapi_la_CFLAGS = \
$(MAG_CFLAGS)
mod_auth_gssapi_la_LIBADD = \
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index 74962d1..c2dd039 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -1476,7 +1476,7 @@ static const char *mag_deleg_ccache_dir(cmd_parms *parms, void *mconfig,
#define CCMODE "mode:"
#define CCUID "uid:"
#define CCGID "gid:"
-#define NSS_BUF_LEN 2048 /* just use a uid/gid number if not big enough */
+
static const char *mag_deleg_ccache_perms(cmd_parms *parms, void *mconfig,
const char *w)
{
@@ -1510,15 +1510,11 @@ static const char *mag_deleg_ccache_perms(cmd_parms *parms, void *mconfig,
cfg->deleg_ccache_uid = 0;
}
} else {
- struct passwd pwd, *user;
- char buf[NSS_BUF_LEN];
- int ret = getpwnam_r(p, &pwd, buf, NSS_BUF_LEN, &user);
- if ((ret != 0) || user != &pwd) {
+ int ret = mag_get_user_uid(p, &cfg->deleg_ccache_uid);
+ if (ret != 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
- "Invalid GssapiDelegCcachePerms uid value [%s]",
- p);
- } else {
- cfg->deleg_ccache_uid = user->pw_uid;
+ "Invalid GssapiDelegCcachePerms uid value [%s](%s)",
+ p, strerror(ret));
}
}
} else if (strncmp(w, CCGID, sizeof(CCGID) - 1) == 0) {
@@ -1535,15 +1531,11 @@ static const char *mag_deleg_ccache_perms(cmd_parms *parms, void *mconfig,
cfg->deleg_ccache_gid = 0;
}
} else {
- struct group grp, *group;
- char buf[NSS_BUF_LEN];
- int ret = getgrnam_r(p, &grp, buf, NSS_BUF_LEN, &group);
- if ((ret != 0) || group != &grp) {
+ int ret = mag_get_group_gid(p, &cfg->deleg_ccache_gid);
+ if (ret != 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
- "Invalid GssapiDelegCcachePerms gid value [%s]",
- p);
- } else {
- cfg->deleg_ccache_gid = group->gr_gid;
+ "Invalid GssapiDelegCcachePerms gid value [%s](%s)",
+ p, strerror(ret));
}
}
} else {
diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h
index 159d6b7..2ea52a3 100644
--- a/src/mod_auth_gssapi.h
+++ b/src/mod_auth_gssapi.h
@@ -138,3 +138,5 @@ struct mag_conn {
struct mag_conn *mag_new_conn_ctx(apr_pool_t *pool);
const char *mag_str_auth_type(int auth_type);
char *mag_error(apr_pool_t *pool, const char *msg, uint32_t maj, uint32_t min);
+int mag_get_user_uid(const char *name, uid_t *uid);
+int mag_get_group_gid(const char *name, gid_t *gid);
diff --git a/src/util.c b/src/util.c
new file mode 100644
index 0000000..6b2a4a0
--- /dev/null
+++ b/src/util.c
@@ -0,0 +1,66 @@
+/* Copyright (C) 2017 mod_auth_gssapi contributors - See COPYING for (C) terms */
+
+#include "mod_auth_gssapi.h"
+
+#define NSS_BUF_MIN 1024
+#define NSS_BUF_MAX 1024*1024
+static char *get_buf(char *cur, size_t *len)
+{
+ if (*len == 0) {
+ *len = NSS_BUF_MIN;
+ } else {
+ *len *= 2;
+ }
+ if (*len > NSS_BUF_MAX) {
+ *len = 0; /* will free the buf and return NULL */
+ }
+ return realloc(cur, *len);
+}
+
+int mag_get_user_uid(const char *name, uid_t *uid)
+{
+ struct passwd pwd, *user;
+ size_t buflen = 0;
+ char *buf = NULL;
+ int ret;
+
+ do {
+ buf = get_buf(buf, &buflen);
+ if (buf == NULL || buflen == 0) {
+ ret = ENOMEM;
+ break;
+ }
+ ret = getpwnam_r(name, &pwd, buf, buflen, &user);
+ } while (ret == ERANGE);
+ if (ret != 0 || user != &pwd) {
+ ret = (ret == 0) ? EINVAL : ret;
+ } else {
+ *uid = user->pw_uid;
+ }
+ free(buf);
+ return ret;
+}
+
+int mag_get_group_gid(const char *name, gid_t *gid)
+{
+ struct group grp, *group;
+ size_t buflen = 0;
+ char *buf = NULL;
+ int ret;
+
+ do {
+ buf = get_buf(buf, &buflen);
+ if (buf == NULL || buflen == 0) {
+ ret = ENOMEM;
+ break;
+ }
+ ret = getgrnam_r(name, &grp, buf, buflen, &group);
+ } while (ret == ERANGE);
+ if (ret != 0 || group != &grp) {
+ ret = (ret == 0) ? EINVAL : ret;
+ } else {
+ *gid = group->gr_gid;
+ }
+ free(buf);
+ return ret;
+}

8
mod_auth_gssapi.spec
View File

@ -1,6 +1,6 @@
Name: mod_auth_gssapi
Version: 1.5.1
Release: 4%{?dist}
Release: 5%{?dist}
Summary: A GSSAPI Authentication module for Apache
Group: System Environment/Daemons
@ -9,6 +9,8 @@ URL: https://github.com/modauthgssapi/mod_auth_gssapi
Source0: https://github.com/modauthgssapi/%{name}/releases/download/v%{version}/%name-%{version}.tar.gz
Patch0: Allow-admins-to-selectively-suppress-negotiation.patch
Patch1: Fix-strtol-error-checking.patch
Patch2: Handle-extra-large-NSS-entries.patch
BuildRequires: httpd-devel, krb5-devel, openssl-devel, autoconf, automake, libtool
BuildRequires: gssntlmssp-devel
@ -46,6 +48,10 @@ install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir}
%{_httpd_moddir}/mod_auth_gssapi.so
%changelog
* Tue Oct 03 2017 Robbie Harwood <rharwood@redhat.com> - 1.5.1-5
- Handle extra large NSS entries
- Resolves: #1498175
* Mon Oct 02 2017 Robbie Harwood <rharwood@redhat.com> - 1.5.1-4
- Allow admins to selectively suppress negotiation
- Migrate to autosetup