From 5dc3b01fd9b2fa244e7c2820ce04602c9f059370 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 30 Aug 2013 12:21:39 -0400
Subject: [PATCH 06/14] krb5: move template check to initializzation
The randomized template check really only makes sense for the FILE ccache
which is the only one that normally needs to use randomizing chars.
Also it is better to warn the admin early rather than to warn 'when it
is too late'.
So move the check at initialization time when we determine what the
template actually is.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
---
src/providers/krb5/krb5_auth.c | 5 +----
src/providers/krb5/krb5_common.c | 17 +++++++++++++++++
src/providers/krb5/krb5_utils.c | 22 +++-------------------
src/providers/krb5/krb5_utils.h | 2 +-
4 files changed, 22 insertions(+), 24 deletions(-)
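diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 178f18a3c5dec4772a59c6d6cfbcdc419c20d48c..ca00ce7a3aefa6dae3116f57c994d1f5cd1f50ea 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -60,7 +60,6 @@ check_old_ccache(const char *old_ccache, struct krb5child_req *kr,
 const char *realm, bool *active, bool *valid)
 {
 struct sss_krb5_cc_be *old_cc_ops;
- const char *cc_template;
 errno_t ret;
 
 /* ccache file might be of a different type if the user changed
@@ -73,10 +72,8 @@ check_old_ccache(const char *old_ccache, struct krb5child_req *kr,
 return EINVAL;
 }
 
- cc_template = dp_opt_get_cstring(kr->krb5_ctx->opts, KRB5_CCNAME_TMPL);
-
 ret = old_cc_ops->check_existing(old_ccache, kr->uid, realm, kr->upn,
- cc_template, valid);
+ valid);
 if (ret == ENOENT) {
 DEBUG(SSSDBG_TRACE_FUNC,
 ("Saved ccache %s doesn't exist.\n", old_ccache));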
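diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index c7ce574d513702132cb7e0c8ca4f1f1b80430f0b..de7ae0a8fe345c38f9458fb9642a5c1b83c906f5 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -144,6 +144,19 @@ static errno_t sss_get_system_ccname_template(TALLOC_CTX *mem_ctx,
 }
 #endif
 
+static void sss_check_cc_template(const char *cc_template)
+{
+ size_t template_len;
+
+ template_len = strlen(cc_template);
+ if (template_len >= 6 &&
+ strcmp(cc_template + (template_len - 6), "XXXXXX") != 0) {
+ DEBUG(SSSDBG_CONF_SETTINGS, ("ccache file name template [%s] doesn't "
+ "contain randomizing characters (XXXXXX), file might not "
+ "be rewritable\n", cc_template));
+ }
+}
+
 errno_t check_and_export_options(struct dp_option *opts,
 struct sss_domain_info *dom,
 struct krb5_ctx *krb5_ctx)
@@ -282,6 +295,10 @@ errno_t check_and_export_options(struct dp_option *opts,
 switch (cc_be) {
 case SSS_KRB5_TYPE_FILE:
 DEBUG(SSSDBG_CONF_SETTINGS, ("ccache is of type FILE\n"));
+ /* warn if the file type (which is usally created in a sticky bit
+ * laden directory) does not have randomizing chracters */
+ sss_check_cc_template(ccname);
+
 krb5_ctx->cc_be = &file_cc;
 if (ccname[0] != '/') {
 /* FILE:/path/to/cc */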
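Review bot: `sss_check_cc_template` never warns for a template shorter than six characters, because the `template_len >= 6 &&` guard short-circuits before the suffix comparison; such a template cannot end in XXXXXX, so the admin misses the warning exactly where the ccache name is fixed. Inverting the guard keeps the pointer arithmetic in bounds and covers that case: `if (template_len < 6 || strcmp(cc_template + (template_len - 6), "XXXXXX") != 0) {`. The call added in the FILE case passes `ccname` straight to `strlen`, which presumably is already guaranteed non-NULL here since `ccname[0]` is dereferenced two lines later; worth confirming against the code that fills `ccname` above the hunk. The comment added in the second hunk has two typos; `/* warn if the file type (which is usually created in a sticky-bit directory) does not have randomizing characters */`.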
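diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
index 7f2ca2d5ba570e3467ec7dc4060f58f38b1f3428..b174462ee4e8f3992e6d9c06f91118098c598149 100644
--- a/src/providers/krb5/krb5_utils.c
+++ b/src/providers/krb5/krb5_utils.c
@@ -1122,24 +1122,10 @@ cc_residual_exists(uid_t uid, const char *ccname,
 return EOK;
 }
 
-static void
-cc_check_template(const char *cc_template)
-{
- size_t template_len;
-
- template_len = strlen(cc_template);
- if (template_len >= 6 &&
- strcmp(cc_template + (template_len - 6), "XXXXXX") != 0) {
- DEBUG(SSSDBG_CONF_SETTINGS, ("ccache file name template [%s] doesn't "
- "contain randomizing characters (XXXXXX), file might not "
- "be rewritable\n", cc_template));
- }
-}
-
 errno_t
 cc_file_check_existing(const char *location, uid_t uid,
 const char *realm, const char *princ,
- const char *cc_template, bool *_valid)
+ bool *_valid)
 {
 errno_t ret;
 bool valid;
@@ -1162,7 +1148,6 @@ cc_file_check_existing(const char *location, uid_t uid,
 DEBUG(SSSDBG_OP_FAILURE,
 ("Could not check if ccache is active.\n"));
 }
- cc_check_template(cc_template);
 return ret;
 }
 
@@ -1201,7 +1186,7 @@ cc_dir_create(const char *location, pcre *illegal_re,
 errno_t
 cc_dir_check_existing(const char *location, uid_t uid,
 const char *realm, const char *princ,
- const char *cc_template, bool *_valid)
+ bool *_valid)
 {
 bool valid;
 enum sss_krb5_cc_type type;
@@ -1262,7 +1247,6 @@ cc_dir_check_existing(const char *location, uid_t uid,
 DEBUG(SSSDBG_OP_FAILURE,
 ("Could not check if ccache is active.\n"));
 }
- cc_check_template(cc_template);
 goto done;
 }
 
@@ -1326,7 +1310,7 @@ cc_keyring_create(const char *location, pcre *illegal_re,
 errno_t
 cc_keyring_check_existing(const char *location, uid_t uid,
 const char *realm, const char *princ,
- const char *cc_template, bool *_valid)
+ bool *_valid)
 {
 errno_t ret;
 bool valid;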
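diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h
index ca33205817cbb726a75b809f71d1fb1589744e15..e241666289193bdc3c5eccadfffc4d3d669dff16 100644
--- a/src/providers/krb5/krb5_utils.h
+++ b/src/providers/krb5/krb5_utils.h
@@ -47,7 +47,7 @@ typedef errno_t (*cc_be_create_fn)(const char *location, pcre *illegal_re,
 uid_t uid, gid_t gid, bool private_path);
 typedef errno_t (*cc_be_check_existing)(const char *location, uid_t uid,
 const char *realm, const char *princ,
- const char *cc_template, bool *valid);
+ bool *valid);
 
 /* A ccache back end */
 struct sss_krb5_cc_be {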
--
1.8.3.1