diff options
author | Simo Sorce <simo@redhat.com> | 2013-08-28 23:18:37 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2013-09-09 15:11:45 -0400 |
commit | a70e88f62e8ba48c5042b881f20ed6586cb135a8 (patch) | |
tree | 3fa1fa5b0f248268cedda1bf443bca0d10475835 | |
parent | 04c49a183f49c28f9ef900bdbc4eb30f23278e17 (diff) | |
download | sssd-a70e88f62e8ba48c5042b881f20ed6586cb135a8.tar.gz sssd-a70e88f62e8ba48c5042b881f20ed6586cb135a8.tar.bz2 sssd-a70e88f62e8ba48c5042b881f20ed6586cb135a8.zip |
krb5: Use krb5_cc_destroy to remove old ccaches
This completely replaces the per-ccache-type custom code to remove old cacches
and instead uses libkrb5 base doperations (krb5_cc_destroy) and operating as
the user owner.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
-rw-r--r-- | Makefile.am | 2 | ||||
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 63 | ||||
-rw-r--r-- | src/providers/krb5/krb5_utils.c | 71 | ||||
-rw-r--r-- | src/providers/krb5/krb5_utils.h | 2 | ||||
-rw-r--r-- | src/tests/krb5_child-test.c | 2 |
5 files changed, 21 insertions, 119 deletions
diff --git a/Makefile.am b/Makefile.am index 150f53e7..25a4cbf8 100644 --- a/Makefile.am +++ b/Makefile.am @@ -962,6 +962,7 @@ strtonum_tests_LDADD = \ krb5_utils_tests_SOURCES = \ src/tests/krb5_utils-tests.c \ src/providers/krb5/krb5_utils.c \ + src/providers/krb5/krb5_become_user.c \ src/providers/krb5/krb5_common.c \ src/util/sss_krb5.c \ src/util/find_uid.c \ @@ -1532,6 +1533,7 @@ libsss_ldap_la_SOURCES = \ src/providers/ldap/ldap_access.c \ src/providers/krb5/krb5_common.c \ src/providers/krb5/krb5_utils.c \ + src/providers/krb5/krb5_become_user.c \ src/util/user_info_msg.c \ src/util/sss_ldap.c \ src/util/sss_krb5.c diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index db0aa936..5d33dddb 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -40,48 +40,19 @@ #include "providers/krb5/krb5_auth.h" #include "providers/krb5/krb5_utils.h" -static errno_t safe_remove_old_ccache_file(struct sss_krb5_cc_be *cc_be, - const char *princ, - const char *old_ccache, - const char *new_ccache) +static errno_t safe_remove_old_ccache_file(const char *old_ccache, + const char *new_ccache, + uid_t uid, gid_t gid) { - int ret; - enum sss_krb5_cc_type old_type; - struct sss_krb5_cc_be *old_cc_ops; - - if (old_ccache == NULL) { - DEBUG(SSSDBG_FUNC_DATA, ("No old ccache, nothing to do\n")); - return EOK; - } - - if (new_ccache == NULL) { - DEBUG(SSSDBG_OP_FAILURE, - ("Missing new ccache file, old ccache file is not deleted.\n")); - return EINVAL; - } - - old_type = sss_krb5_get_type(old_ccache); - old_cc_ops = get_cc_be_ops(old_type); - if (!old_cc_ops) { - DEBUG(SSSDBG_CRIT_FAILURE, ("Cannot get ccache operations\n")); - return EINVAL; - } - - if (cc_be->type == old_type && - strcmp(old_ccache, new_ccache) == 0) { + if ((old_ccache == new_ccache) + || (old_ccache && new_ccache + && (strcmp(old_ccache, new_ccache) == 0))) { DEBUG(SSSDBG_TRACE_FUNC, ("New and old ccache file are the same, " - "no one will be deleted.\n")); + "none will be deleted.\n")); return EOK; } - ret = old_cc_ops->remove(old_ccache); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, - ("Cannot remove ccache [%s]\n", old_ccache)); - return EIO; - } - - return EOK; + return sss_krb5_cc_destroy(old_ccache, uid, gid); } static errno_t @@ -1037,8 +1008,8 @@ static void krb5_auth_done(struct tevent_req *subreq) * used. */ if (pd->cmd == SSS_PAM_AUTHENTICATE && !kr->active_ccache) { if (kr->old_ccname != NULL) { - ret = safe_remove_old_ccache_file(kr->cc_be, kr->upn, - kr->old_ccname, "dummy"); + ret = safe_remove_old_ccache_file(kr->old_ccname, NULL, + kr->uid, kr->gid); if (ret != EOK) { DEBUG(1, ("Failed to remove old ccache file [%s], " "please remove it manually.\n", kr->old_ccname)); @@ -1114,12 +1085,14 @@ static void krb5_auth_done(struct tevent_req *subreq) goto done; } - ret = safe_remove_old_ccache_file(kr->cc_be, kr->upn, - kr->old_ccname, store_ccname); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - ("Failed to remove old ccache file [%s], " - "please remove it manually.\n", kr->old_ccname)); + if (kr->old_ccname) { + ret = safe_remove_old_ccache_file(kr->old_ccname, store_ccname, + kr->uid, kr->gid); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + ("Failed to remove old ccache file [%s], " + "please remove it manually.\n", kr->old_ccname)); + } } ret = krb5_save_ccname(state, state->sysdb, state->domain, diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c index 1141f3fc..0245cc9d 100644 --- a/src/providers/krb5/krb5_utils.c +++ b/src/providers/krb5/krb5_utils.c @@ -1120,42 +1120,11 @@ cc_file_cache_for_princ(TALLOC_CTX *mem_ctx, const char *location, return talloc_strdup(mem_ctx, location); } -errno_t -cc_file_remove(const char *location) -{ - errno_t ret; - const char *filename; - - filename = sss_krb5_residual_check_type(location, SSS_KRB5_TYPE_FILE); - if (!filename) { - DEBUG(SSSDBG_CRIT_FAILURE, ("%s is not of type FILE:\n", location)); - return EINVAL; - } - - if (filename[0] != '/') { - DEBUG(SSSDBG_CRIT_FAILURE, - ("Ccache file name [%s] is not an absolute path.\n", filename)); - return EINVAL; - } - - errno = 0; - ret = unlink(filename); - if (ret == -1 && errno != ENOENT) { - ret = errno; - DEBUG(SSSDBG_CRIT_FAILURE, - ("unlink [%s] failed [%d][%s].\n", filename, ret, - strerror(ret))); - return ret; - } - return EOK; -} - struct sss_krb5_cc_be file_cc = { .type = SSS_KRB5_TYPE_FILE, .create = cc_file_create, .check_existing = cc_file_check_existing, .ccache_for_princ = cc_file_cache_for_princ, - .remove = cc_file_remove, }; #ifdef HAVE_KRB5_CC_COLLECTION @@ -1333,32 +1302,11 @@ done: return name; } -errno_t -cc_dir_remove(const char *location) -{ - const char *subsidiary; - - if (sss_krb5_get_type(location) != SSS_KRB5_TYPE_DIR) { - DEBUG(SSSDBG_CRIT_FAILURE, ("%s is not of type DIR\n", location)); - return EINVAL; - } - - subsidiary = sss_krb5_cc_file_path(location); - if (!subsidiary) { - DEBUG(SSSDBG_CRIT_FAILURE, ("Cannot get subsidiary cache from %s\n", - location)); - return EINVAL; - } - - return cc_file_remove(subsidiary); -} - struct sss_krb5_cc_be dir_cc = { .type = SSS_KRB5_TYPE_DIR, .create = cc_dir_create, .check_existing = cc_dir_check_existing, .ccache_for_princ = cc_dir_cache_for_princ, - .remove = cc_dir_remove }; @@ -1485,30 +1433,11 @@ done: return name; } -errno_t -cc_keyring_remove(const char *location) -{ - const char *residual; - - residual = sss_krb5_residual_check_type(location, SSS_KRB5_TYPE_KEYRING); - if (!residual) { - DEBUG(SSSDBG_CRIT_FAILURE, - ("%s is not of type KEYRING:\n", location)); - return EINVAL; - } - - /* No special steps are needed to create a kernel keyring. - * Everything is handled in libkrb5. - */ - return EOK; -} - struct sss_krb5_cc_be keyring_cc = { .type = SSS_KRB5_TYPE_KEYRING, .create = cc_keyring_create, .check_existing = cc_keyring_check_existing, .ccache_for_princ = cc_keyring_cache_for_princ, - .remove = cc_keyring_remove }; #endif /* HAVE_KRB5_CC_COLLECTION */ diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h index ebcfe938..ac29d61e 100644 --- a/src/providers/krb5/krb5_utils.h +++ b/src/providers/krb5/krb5_utils.h @@ -52,7 +52,6 @@ typedef errno_t (*cc_be_check_existing)(const char *location, uid_t uid, typedef const char * (*cc_be_ccache_for_princ)(TALLOC_CTX *mem_ctx, const char *location, const char *princ); -typedef errno_t (*cc_be_remove)(const char *location); /* A ccache back end */ struct sss_krb5_cc_be { @@ -61,7 +60,6 @@ struct sss_krb5_cc_be { cc_be_create_fn create; cc_be_check_existing check_existing; cc_be_ccache_for_princ ccache_for_princ; - cc_be_remove remove; }; extern struct sss_krb5_cc_be file_cc; diff --git a/src/tests/krb5_child-test.c b/src/tests/krb5_child-test.c index 24d07728..dff62ab6 100644 --- a/src/tests/krb5_child-test.c +++ b/src/tests/krb5_child-test.c @@ -561,7 +561,7 @@ done: if (rm_ccache && ctx->res && ctx->res->ccname && ctx->kr) { - ctx->kr->krb5_ctx->cc_be->remove(ctx->res->ccname); + sss_krb5_cc_destroy(ctx->res->ccname, ctx->kr->uid, ctx->kr->gid); } free(password); talloc_free(ctx); |