285 lines
12 KiB
Diff
285 lines
12 KiB
Diff
From 121baf75c457c2642a2408173c5240027734a3fd Mon Sep 17 00:00:00 2001
|
|
From: Simo Sorce <simo@redhat.com>
|
|
Date: Tue, 3 Sep 2013 22:48:02 -0400
|
|
Subject: [PATCH 1/2] krb5: Remove ability to create public directories
|
|
|
|
Setting up public directories is the job of the admin, and
|
|
current sssd syntax can't express the actual intention of the admin with
|
|
regrads to which parts of the path should be public or private.
|
|
|
|
Resolves:
|
|
https://fedorahosted.org/sssd/ticket/2071
|
|
---
|
|
src/providers/krb5/krb5_auth.c | 7 ++-
|
|
src/providers/krb5/krb5_utils.c | 96 ++++++++++++++---------------------------
|
|
src/providers/krb5/krb5_utils.h | 6 +--
|
|
3 files changed, 38 insertions(+), 71 deletions(-)
|
|
|
|
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
|
|
index 51c0d739247b7d40a17b6ee367c502df140a7383..a16b5395d21c40e53a5e69519141cbd3c47d7907 100644
|
|
--- a/src/providers/krb5/krb5_auth.c
|
|
+++ b/src/providers/krb5/krb5_auth.c
|
|
@@ -292,7 +292,7 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr,
|
|
struct be_ctx *be_ctx)
|
|
{
|
|
const char *ccname_template;
|
|
- bool private_path = false;
|
|
+ const char *realm;
|
|
errno_t ret;
|
|
|
|
if (!kr->is_offline) {
|
|
@@ -317,8 +317,7 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr,
|
|
ccname_template = dp_opt_get_cstring(kr->krb5_ctx->opts,
|
|
KRB5_CCNAME_TMPL);
|
|
kr->ccname = expand_ccname_template(kr, kr, ccname_template, true,
|
|
- be_ctx->domain->case_sensitive,
|
|
- &private_path);
|
|
+ be_ctx->domain->case_sensitive);
|
|
if (kr->ccname == NULL) {
|
|
DEBUG(1, ("expand_ccname_template failed.\n"));
|
|
return ENOMEM;
|
|
@@ -326,7 +325,7 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr,
|
|
|
|
ret = sss_krb5_precreate_ccache(kr->ccname,
|
|
kr->krb5_ctx->illegal_path_re,
|
|
- kr->uid, kr->gid, private_path);
|
|
+ kr->uid, kr->gid);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_OP_FAILURE, ("ccache creation failed.\n"));
|
|
return ret;
|
|
diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
|
|
index e6860482d9d330cbf12ad42d04e2e3af894cee89..cf6d72ad2e67f0d09ce423738003aa719cc43456 100644
|
|
--- a/src/providers/krb5/krb5_utils.c
|
|
+++ b/src/providers/krb5/krb5_utils.c
|
|
@@ -203,7 +203,7 @@ done:
|
|
|
|
char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
|
|
const char *template, bool file_mode,
|
|
- bool case_sensitive, bool *private_path)
|
|
+ bool case_sensitive)
|
|
{
|
|
char *copy;
|
|
char *p;
|
|
@@ -217,8 +217,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
|
|
char action;
|
|
bool rerun;
|
|
|
|
- *private_path = false;
|
|
-
|
|
if (template == NULL) {
|
|
DEBUG(1, ("Missing template.\n"));
|
|
return NULL;
|
|
@@ -269,7 +267,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
|
|
|
|
result = talloc_asprintf_append(result, "%s%s", p,
|
|
name);
|
|
- if (!file_mode) *private_path = true;
|
|
break;
|
|
case 'U':
|
|
if (kr->uid <= 0) {
|
|
@@ -279,7 +276,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
|
|
}
|
|
result = talloc_asprintf_append(result, "%s%"SPRIuid, p,
|
|
kr->uid);
|
|
- if (!file_mode) *private_path = true;
|
|
break;
|
|
case 'p':
|
|
if (kr->upn == NULL) {
|
|
@@ -288,7 +284,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
|
|
goto done;
|
|
}
|
|
result = talloc_asprintf_append(result, "%s%s", p, kr->upn);
|
|
- if (!file_mode) *private_path = true;
|
|
break;
|
|
case '%':
|
|
result = talloc_asprintf_append(result, "%s%%", p);
|
|
@@ -308,7 +303,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
|
|
goto done;
|
|
}
|
|
result = talloc_asprintf_append(result, "%s%s", p, kr->homedir);
|
|
- if (!file_mode) *private_path = true;
|
|
break;
|
|
case 'd':
|
|
if (file_mode) {
|
|
@@ -320,8 +314,7 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
|
|
}
|
|
|
|
dummy = expand_ccname_template(tmp_ctx, kr, cache_dir_tmpl,
|
|
- false, case_sensitive,
|
|
- private_path);
|
|
+ false, case_sensitive);
|
|
if (dummy == NULL) {
|
|
DEBUG(1, ("Expanding credential cache directory "
|
|
"template failed.\n"));
|
|
@@ -414,41 +407,30 @@ done:
|
|
return res;
|
|
}
|
|
|
|
-static errno_t check_parent_stat(bool private_path, struct stat *parent_stat,
|
|
+static errno_t check_parent_stat(struct stat *parent_stat,
|
|
uid_t uid, gid_t gid)
|
|
{
|
|
- if (private_path) {
|
|
- if (!((parent_stat->st_uid == 0 && parent_stat->st_gid == 0) ||
|
|
- parent_stat->st_uid == uid)) {
|
|
- DEBUG(1, ("Private directory can only be created below a "
|
|
- "directory belonging to root or to "
|
|
- "[%"SPRIuid"][%"SPRIgid"].\n", uid, gid));
|
|
- return EINVAL;
|
|
- }
|
|
+ if (!((parent_stat->st_uid == 0 && parent_stat->st_gid == 0) ||
|
|
+ parent_stat->st_uid == uid)) {
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ ("Private directory can only be created below a directory "
|
|
+ "belonging to root or to [%"SPRIuid"][%"SPRIgid"].\n",
|
|
+ uid, gid));
|
|
+ return EINVAL;
|
|
+ }
|
|
|
|
- if (parent_stat->st_uid == uid) {
|
|
- if (!(parent_stat->st_mode & S_IXUSR)) {
|
|
- DEBUG(1, ("Parent directory does have the search bit set for "
|
|
- "the owner.\n"));
|
|
- return EINVAL;
|
|
- }
|
|
- } else {
|
|
- if (!(parent_stat->st_mode & S_IXOTH)) {
|
|
- DEBUG(1, ("Parent directory does have the search bit set for "
|
|
- "others.\n"));
|
|
- return EINVAL;
|
|
- }
|
|
+ if (parent_stat->st_uid == uid) {
|
|
+ if (!(parent_stat->st_mode & S_IXUSR)) {
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ ("Parent directory does not have the search bit set for "
|
|
+ "the owner.\n"));
|
|
+ return EINVAL;
|
|
}
|
|
} else {
|
|
- if (parent_stat->st_uid != 0 || parent_stat->st_gid != 0) {
|
|
- DEBUG(1, ("Public directory cannot be created below a user "
|
|
- "directory.\n"));
|
|
- return EINVAL;
|
|
- }
|
|
-
|
|
if (!(parent_stat->st_mode & S_IXOTH)) {
|
|
- DEBUG(1, ("Parent directory does have the search bit set for "
|
|
- "others.\n"));
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ ("Parent directory does not have the search bit set for "
|
|
+ "others.\n"));
|
|
return EINVAL;
|
|
}
|
|
}
|
|
@@ -559,7 +541,7 @@ check_ccache_re(const char *filename, pcre *illegal_re)
|
|
|
|
errno_t
|
|
create_ccache_dir(const char *ccdirname, pcre *illegal_re,
|
|
- uid_t uid, gid_t gid, bool private_path)
|
|
+ uid_t uid, gid_t gid)
|
|
{
|
|
int ret = EFAULT;
|
|
struct stat parent_stat;
|
|
@@ -598,27 +580,17 @@ create_ccache_dir(const char *ccdirname, pcre *illegal_re,
|
|
goto done;
|
|
}
|
|
|
|
- ret = check_parent_stat(private_path, &parent_stat, uid, gid);
|
|
+ ret = check_parent_stat(&parent_stat, uid, gid);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_MINOR_FAILURE,
|
|
- ("check_parent_stat failed for %s directory [%s].\n",
|
|
- private_path ? "private" : "public", ccdirname));
|
|
+ ("check_parent_stat failed for directory [%s].\n", ccdirname));
|
|
goto done;
|
|
}
|
|
|
|
DLIST_FOR_EACH(li, missing_parents) {
|
|
DEBUG(SSSDBG_TRACE_INTERNAL,
|
|
("Creating directory [%s].\n", li->s));
|
|
- if (li->next == NULL) {
|
|
- new_dir_mode = private_path ? 0700 : 01777;
|
|
- } else {
|
|
- if (private_path &&
|
|
- parent_stat.st_uid == uid && parent_stat.st_gid == gid) {
|
|
- new_dir_mode = 0700;
|
|
- } else {
|
|
- new_dir_mode = 0755;
|
|
- }
|
|
- }
|
|
+ new_dir_mode = 0700;
|
|
|
|
old_umask = umask(0000);
|
|
ret = mkdir(li->s, new_dir_mode);
|
|
@@ -630,16 +602,12 @@ create_ccache_dir(const char *ccdirname, pcre *illegal_re,
|
|
strerror(ret)));
|
|
goto done;
|
|
}
|
|
- if (private_path &&
|
|
- ((parent_stat.st_uid == uid && parent_stat.st_gid == gid) ||
|
|
- li->next == NULL)) {
|
|
- ret = chown(li->s, uid, gid);
|
|
- if (ret != EOK) {
|
|
- ret = errno;
|
|
- DEBUG(SSSDBG_MINOR_FAILURE,
|
|
- ("chown failed [%d][%s].\n", ret, strerror(ret)));
|
|
- goto done;
|
|
- }
|
|
+ ret = chown(li->s, uid, gid);
|
|
+ if (ret != EOK) {
|
|
+ ret = errno;
|
|
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
|
+ ("chown failed [%d][%s].\n", ret, strerror(ret)));
|
|
+ goto done;
|
|
}
|
|
}
|
|
|
|
@@ -758,7 +726,7 @@ done:
|
|
}
|
|
|
|
errno_t sss_krb5_precreate_ccache(const char *ccname, pcre *illegal_re,
|
|
- uid_t uid, gid_t gid, bool private_path)
|
|
+ uid_t uid, gid_t gid)
|
|
{
|
|
TALLOC_CTX *tmp_ctx = NULL;
|
|
const char *filename;
|
|
@@ -802,7 +770,7 @@ errno_t sss_krb5_precreate_ccache(const char *ccname, pcre *illegal_re,
|
|
*end = '\0';
|
|
} while (*(end+1) == '\0');
|
|
|
|
- ret = create_ccache_dir(ccdirname, illegal_re, uid, gid, private_path);
|
|
+ ret = create_ccache_dir(ccdirname, illegal_re, uid, gid);
|
|
done:
|
|
talloc_free(tmp_ctx);
|
|
return ret;
|
|
diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h
|
|
index 33cc6112b02af6991ef4aa4f1988dcbe08ed9266..4b1ebb0bb7a9e13d68ee62820f6408d029a2f072 100644
|
|
--- a/src/providers/krb5/krb5_utils.h
|
|
+++ b/src/providers/krb5/krb5_utils.h
|
|
@@ -43,11 +43,11 @@ errno_t check_if_cached_upn_needs_update(struct sysdb_ctx *sysdb,
|
|
const char *upn);
|
|
|
|
errno_t create_ccache_dir(const char *dirname, pcre *illegal_re,
|
|
- uid_t uid, gid_t gid, bool private_path);
|
|
+ uid_t uid, gid_t gid);
|
|
|
|
char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
|
|
const char *template, bool file_mode,
|
|
- bool case_sensitive, bool *private_path);
|
|
+ bool case_sensitive);
|
|
|
|
errno_t become_user(uid_t uid, gid_t gid);
|
|
struct sss_creds;
|
|
@@ -58,7 +58,7 @@ errno_t switch_creds(TALLOC_CTX *mem_ctx,
|
|
errno_t restore_creds(struct sss_creds *saved_creds);
|
|
|
|
errno_t sss_krb5_precreate_ccache(const char *ccname, pcre *illegal_re,
|
|
- uid_t uid, gid_t gid, bool private_path);
|
|
+ uid_t uid, gid_t gid);
|
|
errno_t sss_krb5_cc_destroy(const char *ccname, uid_t uid, gid_t gid);
|
|
errno_t sss_krb5_check_ccache_princ(uid_t uid, gid_t gid,
|
|
const char *ccname, const char *principal);
|
|
--
|
|
1.8.3.1
|
|
|