summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSimo Sorce <simo@redhat.com>2013-08-28 23:18:37 -0400
committerSimo Sorce <simo@redhat.com>2013-09-09 15:11:45 -0400
commita70e88f62e8ba48c5042b881f20ed6586cb135a8 (patch)
tree3fa1fa5b0f248268cedda1bf443bca0d10475835
parent04c49a183f49c28f9ef900bdbc4eb30f23278e17 (diff)
downloadsssd-a70e88f62e8ba48c5042b881f20ed6586cb135a8.tar.gz
sssd-a70e88f62e8ba48c5042b881f20ed6586cb135a8.tar.bz2
sssd-a70e88f62e8ba48c5042b881f20ed6586cb135a8.zip
krb5: Use krb5_cc_destroy to remove old ccaches
This completely replaces the per-ccache-type custom code to remove old cacches and instead uses libkrb5 base doperations (krb5_cc_destroy) and operating as the user owner. Resolves: https://fedorahosted.org/sssd/ticket/2061
-rw-r--r--Makefile.am2
-rw-r--r--src/providers/krb5/krb5_auth.c63
-rw-r--r--src/providers/krb5/krb5_utils.c71
-rw-r--r--src/providers/krb5/krb5_utils.h2
-rw-r--r--src/tests/krb5_child-test.c2
5 files changed, 21 insertions, 119 deletions
diff --git a/Makefile.am b/Makefile.am
index 150f53e7..25a4cbf8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -962,6 +962,7 @@ strtonum_tests_LDADD = \
krb5_utils_tests_SOURCES = \
src/tests/krb5_utils-tests.c \
src/providers/krb5/krb5_utils.c \
+ src/providers/krb5/krb5_become_user.c \
src/providers/krb5/krb5_common.c \
src/util/sss_krb5.c \
src/util/find_uid.c \
@@ -1532,6 +1533,7 @@ libsss_ldap_la_SOURCES = \
src/providers/ldap/ldap_access.c \
src/providers/krb5/krb5_common.c \
src/providers/krb5/krb5_utils.c \
+ src/providers/krb5/krb5_become_user.c \
src/util/user_info_msg.c \
src/util/sss_ldap.c \
src/util/sss_krb5.c
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index db0aa936..5d33dddb 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -40,48 +40,19 @@
#include "providers/krb5/krb5_auth.h"
#include "providers/krb5/krb5_utils.h"
-static errno_t safe_remove_old_ccache_file(struct sss_krb5_cc_be *cc_be,
- const char *princ,
- const char *old_ccache,
- const char *new_ccache)
+static errno_t safe_remove_old_ccache_file(const char *old_ccache,
+ const char *new_ccache,
+ uid_t uid, gid_t gid)
{
- int ret;
- enum sss_krb5_cc_type old_type;
- struct sss_krb5_cc_be *old_cc_ops;
-
- if (old_ccache == NULL) {
- DEBUG(SSSDBG_FUNC_DATA, ("No old ccache, nothing to do\n"));
- return EOK;
- }
-
- if (new_ccache == NULL) {
- DEBUG(SSSDBG_OP_FAILURE,
- ("Missing new ccache file, old ccache file is not deleted.\n"));
- return EINVAL;
- }
-
- old_type = sss_krb5_get_type(old_ccache);
- old_cc_ops = get_cc_be_ops(old_type);
- if (!old_cc_ops) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("Cannot get ccache operations\n"));
- return EINVAL;
- }
-
- if (cc_be->type == old_type &&
- strcmp(old_ccache, new_ccache) == 0) {
+ if ((old_ccache == new_ccache)
+ || (old_ccache && new_ccache
+ && (strcmp(old_ccache, new_ccache) == 0))) {
DEBUG(SSSDBG_TRACE_FUNC, ("New and old ccache file are the same, "
- "no one will be deleted.\n"));
+ "none will be deleted.\n"));
return EOK;
}
- ret = old_cc_ops->remove(old_ccache);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("Cannot remove ccache [%s]\n", old_ccache));
- return EIO;
- }
-
- return EOK;
+ return sss_krb5_cc_destroy(old_ccache, uid, gid);
}
static errno_t
@@ -1037,8 +1008,8 @@ static void krb5_auth_done(struct tevent_req *subreq)
* used. */
if (pd->cmd == SSS_PAM_AUTHENTICATE && !kr->active_ccache) {
if (kr->old_ccname != NULL) {
- ret = safe_remove_old_ccache_file(kr->cc_be, kr->upn,
- kr->old_ccname, "dummy");
+ ret = safe_remove_old_ccache_file(kr->old_ccname, NULL,
+ kr->uid, kr->gid);
if (ret != EOK) {
DEBUG(1, ("Failed to remove old ccache file [%s], "
"please remove it manually.\n", kr->old_ccname));
@@ -1114,12 +1085,14 @@ static void krb5_auth_done(struct tevent_req *subreq)
goto done;
}
- ret = safe_remove_old_ccache_file(kr->cc_be, kr->upn,
- kr->old_ccname, store_ccname);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Failed to remove old ccache file [%s], "
- "please remove it manually.\n", kr->old_ccname));
+ if (kr->old_ccname) {
+ ret = safe_remove_old_ccache_file(kr->old_ccname, store_ccname,
+ kr->uid, kr->gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Failed to remove old ccache file [%s], "
+ "please remove it manually.\n", kr->old_ccname));
+ }
}
ret = krb5_save_ccname(state, state->sysdb, state->domain,
diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
index 1141f3fc..0245cc9d 100644
--- a/src/providers/krb5/krb5_utils.c
+++ b/src/providers/krb5/krb5_utils.c
@@ -1120,42 +1120,11 @@ cc_file_cache_for_princ(TALLOC_CTX *mem_ctx, const char *location,
return talloc_strdup(mem_ctx, location);
}
-errno_t
-cc_file_remove(const char *location)
-{
- errno_t ret;
- const char *filename;
-
- filename = sss_krb5_residual_check_type(location, SSS_KRB5_TYPE_FILE);
- if (!filename) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("%s is not of type FILE:\n", location));
- return EINVAL;
- }
-
- if (filename[0] != '/') {
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("Ccache file name [%s] is not an absolute path.\n", filename));
- return EINVAL;
- }
-
- errno = 0;
- ret = unlink(filename);
- if (ret == -1 && errno != ENOENT) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("unlink [%s] failed [%d][%s].\n", filename, ret,
- strerror(ret)));
- return ret;
- }
- return EOK;
-}
-
struct sss_krb5_cc_be file_cc = {
.type = SSS_KRB5_TYPE_FILE,
.create = cc_file_create,
.check_existing = cc_file_check_existing,
.ccache_for_princ = cc_file_cache_for_princ,
- .remove = cc_file_remove,
};
#ifdef HAVE_KRB5_CC_COLLECTION
@@ -1333,32 +1302,11 @@ done:
return name;
}
-errno_t
-cc_dir_remove(const char *location)
-{
- const char *subsidiary;
-
- if (sss_krb5_get_type(location) != SSS_KRB5_TYPE_DIR) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("%s is not of type DIR\n", location));
- return EINVAL;
- }
-
- subsidiary = sss_krb5_cc_file_path(location);
- if (!subsidiary) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("Cannot get subsidiary cache from %s\n",
- location));
- return EINVAL;
- }
-
- return cc_file_remove(subsidiary);
-}
-
struct sss_krb5_cc_be dir_cc = {
.type = SSS_KRB5_TYPE_DIR,
.create = cc_dir_create,
.check_existing = cc_dir_check_existing,
.ccache_for_princ = cc_dir_cache_for_princ,
- .remove = cc_dir_remove
};
@@ -1485,30 +1433,11 @@ done:
return name;
}
-errno_t
-cc_keyring_remove(const char *location)
-{
- const char *residual;
-
- residual = sss_krb5_residual_check_type(location, SSS_KRB5_TYPE_KEYRING);
- if (!residual) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("%s is not of type KEYRING:\n", location));
- return EINVAL;
- }
-
- /* No special steps are needed to create a kernel keyring.
- * Everything is handled in libkrb5.
- */
- return EOK;
-}
-
struct sss_krb5_cc_be keyring_cc = {
.type = SSS_KRB5_TYPE_KEYRING,
.create = cc_keyring_create,
.check_existing = cc_keyring_check_existing,
.ccache_for_princ = cc_keyring_cache_for_princ,
- .remove = cc_keyring_remove
};
#endif /* HAVE_KRB5_CC_COLLECTION */
diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h
index ebcfe938..ac29d61e 100644
--- a/src/providers/krb5/krb5_utils.h
+++ b/src/providers/krb5/krb5_utils.h
@@ -52,7 +52,6 @@ typedef errno_t (*cc_be_check_existing)(const char *location, uid_t uid,
typedef const char * (*cc_be_ccache_for_princ)(TALLOC_CTX *mem_ctx,
const char *location,
const char *princ);
-typedef errno_t (*cc_be_remove)(const char *location);
/* A ccache back end */
struct sss_krb5_cc_be {
@@ -61,7 +60,6 @@ struct sss_krb5_cc_be {
cc_be_create_fn create;
cc_be_check_existing check_existing;
cc_be_ccache_for_princ ccache_for_princ;
- cc_be_remove remove;
};
extern struct sss_krb5_cc_be file_cc;
diff --git a/src/tests/krb5_child-test.c b/src/tests/krb5_child-test.c
index 24d07728..dff62ab6 100644
--- a/src/tests/krb5_child-test.c
+++ b/src/tests/krb5_child-test.c
@@ -561,7 +561,7 @@ done:
if (rm_ccache && ctx->res
&& ctx->res->ccname
&& ctx->kr) {
- ctx->kr->krb5_ctx->cc_be->remove(ctx->res->ccname);
+ sss_krb5_cc_destroy(ctx->res->ccname, ctx->kr->uid, ctx->kr->gid);
}
free(password);
talloc_free(ctx);