diff options
Diffstat (limited to 'source3/lib')
-rw-r--r-- | source3/lib/afs.c | 60 | ||||
-rw-r--r-- | source3/lib/util_sec.c | 4 |
2 files changed, 40 insertions, 24 deletions
diff --git a/source3/lib/afs.c b/source3/lib/afs.c index b96703e986..882442a79f 100644 --- a/source3/lib/afs.c +++ b/source3/lib/afs.c @@ -35,18 +35,6 @@ _syscall5(int, afs_syscall, int, subcall, char *, cmarg, int, follow); -char *afs_cell(void) -{ - static char *cell = NULL; - - if (cell == NULL) { - cell = strdup(lp_realm()); - strlower_m(cell); - } - - return cell; -} - struct ClearToken { uint32 AuthHandle; char HandShakeKey[8]; @@ -65,7 +53,8 @@ struct ClearToken { to avoid. */ -static BOOL afs_settoken(char *username, const struct ClearToken *ctok, +static BOOL afs_settoken(const char *username, const char *cell, + const struct ClearToken *ctok, char *v4tkt_data, int v4tkt_length) { int ret; @@ -94,13 +83,13 @@ static BOOL afs_settoken(char *username, const struct ClearToken *ctok, memcpy(p, &tmp, sizeof(uint32)); p += sizeof(uint32); - tmp = strlen(afs_cell()); + tmp = strlen(cell); if (tmp >= MAXKTCREALMLEN) { DEBUG(1, ("Realm too long\n")); return False; } - strncpy(p, afs_cell(), tmp); + strncpy(p, cell, tmp); p += tmp; *p = 0; p +=1; @@ -135,12 +124,14 @@ static BOOL afs_settoken(char *username, const struct ClearToken *ctok, For the comments "Alice" is the User to be auth'ed, and "Bob" is the AFS server. */ -BOOL afs_login(char *username) +BOOL afs_login(connection_struct *conn) { fstring ticket; char *p = ticket; uint32 len; struct afs_key key; + pstring afs_username; + char *cell; struct ClearToken ct; @@ -148,13 +139,28 @@ BOOL afs_login(char *username) des_key_schedule key_schedule; - DEBUG(10, ("Trying to log into AFS for user %s@%s\n", - username, afs_cell())); + pstrcpy(afs_username, lp_afs_username_map()); + standard_sub_conn(conn, afs_username, sizeof(afs_username)); + + cell = strchr(afs_username, '@'); + + if (cell == NULL) { + DEBUG(1, ("AFS username doesn't contain a @, " + "could not find cell\n")); + return False; + } + + *cell = '\0'; + cell += 1; + strlower_m(cell); + + DEBUG(10, ("Trying to log into AFS for user %s@%s\n", + afs_username, cell)); if (!secrets_init()) return False; - if (!secrets_fetch_afs_key(afs_cell(), &key)) { + if (!secrets_fetch_afs_key(cell, &key)) { DEBUG(5, ("Could not fetch AFS service key\n")); return False; } @@ -172,14 +178,20 @@ BOOL afs_login(char *username) p += 1; /* "Alice", the client username */ - strncpy(p, username, sizeof(ticket)-PTR_DIFF(p,ticket)-1); + strncpy(p, afs_username, sizeof(ticket)-PTR_DIFF(p,ticket)-1); p += strlen(p)+1; strncpy(p, "", sizeof(ticket)-PTR_DIFF(p,ticket)-1); p += strlen(p)+1; - strncpy(p, afs_cell(), sizeof(ticket)-PTR_DIFF(p,ticket)-1); + strncpy(p, cell, sizeof(ticket)-PTR_DIFF(p,ticket)-1); p += strlen(p)+1; - ct.ViceId = getuid(); + /* As long as we still only use the effective UID we need to set the + * token for it here as well. This involves patching AFS in two + * places. Once we start using the real uid where we have the + * setresuid function, we can use getuid() here which would be more + * correct. */ + + ct.ViceId = geteuid(); DEBUG(10, ("Creating Token for uid %d\n", ct.ViceId)); /* Alice's network layer address. At least Openafs-1.2.10 @@ -235,12 +247,12 @@ BOOL afs_login(char *username) ZERO_STRUCT(key); - return afs_settoken(username, &ct, ticket, len); + return afs_settoken(afs_username, cell, &ct, ticket, len); } #else -BOOL afs_login(char *username) +BOOL afs_login(connection_struct *conn) { return True; } diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index 132748ce13..1980b8bfb7 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -183,6 +183,10 @@ void gain_root_group_privilege(void) void set_effective_uid(uid_t uid) { #if USE_SETRESUID + /* On Systems which have this function, would it not be more + * appropriate to also set the real uid by doing + * setresuid(uid,uid,-1)? This would make patching AFS + * unnecessary. See comment in lib/afs.c. */ setresuid(-1,uid,-1); #endif |