sssd/0006-krb5-move-template-check-to-initializzation.patch

161 lines
6.3 KiB
Diff
Raw Normal View History

From 5dc3b01fd9b2fa244e7c2820ce04602c9f059370 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 30 Aug 2013 12:21:39 -0400
Subject: [PATCH 06/14] krb5: move template check to initializzation
The randomized template check realy only makes sense for the FILE ccache
which is the only one that normally needs to use randomizing chars.
Also it is better to warn the admin early rather than to warn 'when it
is too late'.
So move the check at initialization time when we determine what the
template actually is.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
---
src/providers/krb5/krb5_auth.c | 5 +----
src/providers/krb5/krb5_common.c | 17 +++++++++++++++++
src/providers/krb5/krb5_utils.c | 22 +++-------------------
src/providers/krb5/krb5_utils.h | 2 +-
4 files changed, 22 insertions(+), 24 deletions(-)
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 178f18a3c5dec4772a59c6d6cfbcdc419c20d48c..ca00ce7a3aefa6dae3116f57c994d1f5cd1f50ea 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -60,7 +60,6 @@ check_old_ccache(const char *old_ccache, struct krb5child_req *kr,
const char *realm, bool *active, bool *valid)
{
struct sss_krb5_cc_be *old_cc_ops;
- const char *cc_template;
errno_t ret;
/* ccache file might be of a different type if the user changed
@@ -73,10 +72,8 @@ check_old_ccache(const char *old_ccache, struct krb5child_req *kr,
return EINVAL;
}
- cc_template = dp_opt_get_cstring(kr->krb5_ctx->opts, KRB5_CCNAME_TMPL);
-
ret = old_cc_ops->check_existing(old_ccache, kr->uid, realm, kr->upn,
- cc_template, valid);
+ valid);
if (ret == ENOENT) {
DEBUG(SSSDBG_TRACE_FUNC,
("Saved ccache %s doesn't exist.\n", old_ccache));
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index c7ce574d513702132cb7e0c8ca4f1f1b80430f0b..de7ae0a8fe345c38f9458fb9642a5c1b83c906f5 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -144,6 +144,19 @@ static errno_t sss_get_system_ccname_template(TALLOC_CTX *mem_ctx,
}
#endif
+static void sss_check_cc_template(const char *cc_template)
+{
+ size_t template_len;
+
+ template_len = strlen(cc_template);
+ if (template_len >= 6 &&
+ strcmp(cc_template + (template_len - 6), "XXXXXX") != 0) {
+ DEBUG(SSSDBG_CONF_SETTINGS, ("ccache file name template [%s] doesn't "
+ "contain randomizing characters (XXXXXX), file might not "
+ "be rewritable\n", cc_template));
+ }
+}
+
errno_t check_and_export_options(struct dp_option *opts,
struct sss_domain_info *dom,
struct krb5_ctx *krb5_ctx)
@@ -282,6 +295,10 @@ errno_t check_and_export_options(struct dp_option *opts,
switch (cc_be) {
case SSS_KRB5_TYPE_FILE:
DEBUG(SSSDBG_CONF_SETTINGS, ("ccache is of type FILE\n"));
+ /* warn if the file type (which is usally created in a sticky bit
+ * laden directory) does not have randomizing chracters */
+ sss_check_cc_template(ccname);
+
krb5_ctx->cc_be = &file_cc;
if (ccname[0] != '/') {
/* FILE:/path/to/cc */
diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
index 7f2ca2d5ba570e3467ec7dc4060f58f38b1f3428..b174462ee4e8f3992e6d9c06f91118098c598149 100644
--- a/src/providers/krb5/krb5_utils.c
+++ b/src/providers/krb5/krb5_utils.c
@@ -1122,24 +1122,10 @@ cc_residual_exists(uid_t uid, const char *ccname,
return EOK;
}
-static void
-cc_check_template(const char *cc_template)
-{
- size_t template_len;
-
- template_len = strlen(cc_template);
- if (template_len >= 6 &&
- strcmp(cc_template + (template_len - 6), "XXXXXX") != 0) {
- DEBUG(SSSDBG_CONF_SETTINGS, ("ccache file name template [%s] doesn't "
- "contain randomizing characters (XXXXXX), file might not "
- "be rewritable\n", cc_template));
- }
-}
-
errno_t
cc_file_check_existing(const char *location, uid_t uid,
const char *realm, const char *princ,
- const char *cc_template, bool *_valid)
+ bool *_valid)
{
errno_t ret;
bool valid;
@@ -1162,7 +1148,6 @@ cc_file_check_existing(const char *location, uid_t uid,
DEBUG(SSSDBG_OP_FAILURE,
("Could not check if ccache is active.\n"));
}
- cc_check_template(cc_template);
return ret;
}
@@ -1201,7 +1186,7 @@ cc_dir_create(const char *location, pcre *illegal_re,
errno_t
cc_dir_check_existing(const char *location, uid_t uid,
const char *realm, const char *princ,
- const char *cc_template, bool *_valid)
+ bool *_valid)
{
bool valid;
enum sss_krb5_cc_type type;
@@ -1262,7 +1247,6 @@ cc_dir_check_existing(const char *location, uid_t uid,
DEBUG(SSSDBG_OP_FAILURE,
("Could not check if ccache is active.\n"));
}
- cc_check_template(cc_template);
goto done;
}
@@ -1326,7 +1310,7 @@ cc_keyring_create(const char *location, pcre *illegal_re,
errno_t
cc_keyring_check_existing(const char *location, uid_t uid,
const char *realm, const char *princ,
- const char *cc_template, bool *_valid)
+ bool *_valid)
{
errno_t ret;
bool valid;
diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h
index ca33205817cbb726a75b809f71d1fb1589744e15..e241666289193bdc3c5eccadfffc4d3d669dff16 100644
--- a/src/providers/krb5/krb5_utils.h
+++ b/src/providers/krb5/krb5_utils.h
@@ -47,7 +47,7 @@ typedef errno_t (*cc_be_create_fn)(const char *location, pcre *illegal_re,
uid_t uid, gid_t gid, bool private_path);
typedef errno_t (*cc_be_check_existing)(const char *location, uid_t uid,
const char *realm, const char *princ,
- const char *cc_template, bool *valid);
+ bool *valid);
/* A ccache back end */
struct sss_krb5_cc_be {
--
1.8.3.1