Handle extra large NSS entries

Resolves: #1498175
2017-10-03 17:03:10 -04:00 · 2017-10-03 17:03:10 -04:00 · 58d1024252
commit 58d1024252
parent 8bc6d6bb1c
3 changed files with 209 additions and 1 deletions
--- a/Fix-strtol-error-checking.patch
+++ b/Fix-strtol-error-checking.patch
@ -0,0 +1,34 @@
 From 47795ee7ee34121d98b3bd528b499f19ebe3923d Mon Sep 17 00:00:00 2001
 From: Simo Sorce <simo@redhat.com>
 Date: Tue, 3 Oct 2017 12:33:38 -0400
 Subject: [PATCH] Fix strtol error checking
 Signed-off-by: Simo Sorce <simo@redhat.com>
 Reviewed-by: Robbie Harwood <rharwood@redhat.com>
 (cherry picked from commit 7cddf31b6ea7d0c67ac8a086d6b61d3f3631f47c)
 ---
 src/mod_auth_gssapi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
 index 59120d1..74962d1 100644
 --- a/src/mod_auth_gssapi.c
 +++ b/src/mod_auth_gssapi.c
@@ -1502,7 +1502,7 @@ static const char *mag_deleg_ccache_perms(cmd_parms *parms, void *mconfig,
         if (isdigit(*p)) {
             char *endptr;
             cfg->deleg_ccache_uid = strtol(p, &endptr, 0);
 -            if (errno != 0 || endptr != '\0') {
 +            if (errno != 0 || (endptr && *endptr != '\0')) {
                 ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
                              "Invalid GssapiDelegCcachePerms uid value [%s]",
                              p);
@@ -1527,7 +1527,7 @@ static const char *mag_deleg_ccache_perms(cmd_parms *parms, void *mconfig,
         if (isdigit(*p)) {
             char *endptr;
             cfg->deleg_ccache_gid = strtol(p, &endptr, 0);
 -            if (errno != 0 || endptr != '\0') {
 +            if (errno != 0 || (endptr && *endptr != '\0')) {
                 ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
                              "Invalid GssapiDelegCcachePerms gid value [%s]",
                              p);
--- a/Handle-extra-large-NSS-entries.patch
+++ b/Handle-extra-large-NSS-entries.patch
@ -0,0 +1,168 @@
 From 31372b8220da331e8dc81f343ff3d6b5585a842f Mon Sep 17 00:00:00 2001
 From: Simo Sorce <simo@redhat.com>
 Date: Tue, 3 Oct 2017 12:31:02 -0400
 Subject: [PATCH] Handle extra large NSS entries
 Signed-off-by: Simo Sorce <simo@redhat.com>
 Reviewed-by: Robbie Harwood <rharwood@redhat.com>
 Closes #152
 (cherry picked from commit 9813eb46c6c415a933c5edf5076fd0a8e39c86b2)
 [rharwood@redhat.com: conflicts due to no lex/yacc stuff yet]
 ---
 src/Makefile.am       |  2 +-
 src/mod_auth_gssapi.c | 26 +++++++-------------
 src/mod_auth_gssapi.h |  2 ++
 src/util.c            | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 78 insertions(+), 18 deletions(-)
 create mode 100644 src/util.c
 diff --git a/src/Makefile.am b/src/Makefile.am
 index 0605261..d8dd3ec 100644
 --- a/src/Makefile.am
 +++ b/src/Makefile.am
@@ -8,7 +8,7 @@ dist_noinst_HEADERS = \
     mod_auth_gssapi.h crypto.h sessions.h environ.h
 mod_auth_gssapi_la_SOURCES = \
 -    mod_auth_gssapi.c crypto.c sessions.c environ.c
 +    mod_auth_gssapi.c crypto.c sessions.c environ.c util.c
 mod_auth_gssapi_la_CFLAGS = \
     $(MAG_CFLAGS)
 mod_auth_gssapi_la_LIBADD = \
 diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
 index 74962d1..c2dd039 100644
 --- a/src/mod_auth_gssapi.c
 +++ b/src/mod_auth_gssapi.c
@@ -1476,7 +1476,7 @@ static const char *mag_deleg_ccache_dir(cmd_parms *parms, void *mconfig,
 #define CCMODE "mode:"
 #define CCUID "uid:"
 #define CCGID "gid:"
 -#define NSS_BUF_LEN 2048 /* just use a uid/gid number if not big enough */
 +
 static const char *mag_deleg_ccache_perms(cmd_parms *parms, void *mconfig,
                                           const char *w)
 {
@@ -1510,15 +1510,11 @@ static const char *mag_deleg_ccache_perms(cmd_parms *parms, void *mconfig,
                 cfg->deleg_ccache_uid = 0;
             }
         } else {
 -            struct passwd pwd, *user;
 -            char buf[NSS_BUF_LEN];
 -            int ret = getpwnam_r(p, &pwd, buf, NSS_BUF_LEN, &user);
 -            if ((ret != 0) || user != &pwd) {
 +            int ret = mag_get_user_uid(p, &cfg->deleg_ccache_uid);
 +            if (ret != 0) {
                 ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
 -                             "Invalid GssapiDelegCcachePerms uid value [%s]",
 -                             p);
 -            } else {
 -                cfg->deleg_ccache_uid = user->pw_uid;
 +                    "Invalid GssapiDelegCcachePerms uid value [%s](%s)",
 +                    p, strerror(ret));
             }
         }
     } else if (strncmp(w, CCGID, sizeof(CCGID) - 1) == 0) {
@@ -1535,15 +1531,11 @@ static const char *mag_deleg_ccache_perms(cmd_parms *parms, void *mconfig,
                 cfg->deleg_ccache_gid = 0;
             }
         } else {
 -            struct group grp, *group;
 -            char buf[NSS_BUF_LEN];
 -            int ret = getgrnam_r(p, &grp, buf, NSS_BUF_LEN, &group);
 -            if ((ret != 0) || group != &grp) {
 +            int ret = mag_get_group_gid(p, &cfg->deleg_ccache_gid);
 +            if (ret != 0) {
                 ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
 -                             "Invalid GssapiDelegCcachePerms gid value [%s]",
 -                             p);
 -            } else {
 -                cfg->deleg_ccache_gid = group->gr_gid;
 +                    "Invalid GssapiDelegCcachePerms gid value [%s](%s)",
 +                    p, strerror(ret));
             }
         }
     } else {
 diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h
 index 159d6b7..2ea52a3 100644
 --- a/src/mod_auth_gssapi.h
 +++ b/src/mod_auth_gssapi.h
@@ -138,3 +138,5 @@ struct mag_conn {
 struct mag_conn *mag_new_conn_ctx(apr_pool_t *pool);
 const char *mag_str_auth_type(int auth_type);
 char *mag_error(apr_pool_t *pool, const char *msg, uint32_t maj, uint32_t min);
 +int mag_get_user_uid(const char *name, uid_t *uid);
 +int mag_get_group_gid(const char *name, gid_t *gid);
 diff --git a/src/util.c b/src/util.c
 new file mode 100644
 index 0000000..6b2a4a0
 --- /dev/null
 +++ b/src/util.c
@@ -0,0 +1,66 @@
 +/* Copyright (C) 2017 mod_auth_gssapi contributors - See COPYING for (C) terms */
 +
 +#include "mod_auth_gssapi.h"
 +
 +#define NSS_BUF_MIN 1024
 +#define NSS_BUF_MAX 1024*1024
 +static char *get_buf(char *cur, size_t *len)
 +{
 +    if (*len == 0) {
 +        *len = NSS_BUF_MIN;
 +    } else {
 +        *len *= 2;
 +    }
 +    if (*len > NSS_BUF_MAX) {
 +        *len = 0; /* will free the buf and return NULL */
 +    }
 +    return realloc(cur, *len);
 +}
 +
 +int mag_get_user_uid(const char *name, uid_t *uid)
 +{
 +    struct passwd pwd, *user;
 +    size_t buflen = 0;
 +    char *buf = NULL;
 +    int ret;
 +
 +    do {
 +        buf = get_buf(buf, &buflen);
 +        if (buf == NULL || buflen == 0) {
 +            ret = ENOMEM;
 +            break;
 +        }
 +        ret = getpwnam_r(name, &pwd, buf, buflen, &user);
 +    } while (ret == ERANGE);
 +    if (ret != 0 || user != &pwd) {
 +        ret = (ret == 0) ? EINVAL : ret;
 +    } else {
 +        *uid = user->pw_uid;
 +    }
 +    free(buf);
 +    return ret;
 +}
 +
 +int mag_get_group_gid(const char *name, gid_t *gid)
 +{
 +    struct group grp, *group;
 +    size_t buflen = 0;
 +    char *buf = NULL;
 +    int ret;
 +
 +    do {
 +        buf = get_buf(buf, &buflen);
 +        if (buf == NULL || buflen == 0) {
 +            ret = ENOMEM;
 +            break;
 +        }
 +        ret = getgrnam_r(name, &grp, buf, buflen, &group);
 +    } while (ret == ERANGE);
 +    if (ret != 0 || group != &grp) {
 +        ret = (ret == 0) ? EINVAL : ret;
 +    } else {
 +        *gid = group->gr_gid;
 +    }
 +    free(buf);
 +    return ret;
 +}
--- a/mod_auth_gssapi.spec
+++ b/mod_auth_gssapi.spec
@ -1,6 +1,6 @@
 Name:           mod_auth_gssapi
 Version:        1.5.1
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        A GSSAPI Authentication module for Apache
 Group:          System Environment/Daemons
@ -9,6 +9,8 @@ URL:            https://github.com/modauthgssapi/mod_auth_gssapi
 Source0:        https://github.com/modauthgssapi/%{name}/releases/download/v%{version}/%name-%{version}.tar.gz
 Patch0: Allow-admins-to-selectively-suppress-negotiation.patch
 Patch1: Fix-strtol-error-checking.patch
 Patch2: Handle-extra-large-NSS-entries.patch
 BuildRequires:  httpd-devel, krb5-devel, openssl-devel, autoconf, automake, libtool
 BuildRequires:  gssntlmssp-devel
@ -46,6 +48,10 @@ install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir}
 %{_httpd_moddir}/mod_auth_gssapi.so
 %changelog
 * Tue Oct 03 2017 Robbie Harwood <rharwood@redhat.com> - 1.5.1-5
 - Handle extra large NSS entries
 - Resolves: #1498175
 * Mon Oct 02 2017 Robbie Harwood <rharwood@redhat.com> - 1.5.1-4
 - Allow admins to selectively suppress negotiation
 - Migrate to autosetup