diff options
| author | Simo Sorce <simo@redhat.com> | 2013-09-03 22:48:02 -0400 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-10-07 10:57:13 +0200 |
| commit | 047ed117f80c0fcc7710d930123af4f21233c369 (patch) | |
| tree | 0a4e3d55e22aa98c2e277decbf218c4bac6f27e6 | |
| parent | 9a9a813906472ffff3911b6006d023e1c6cbff8a (diff) | |
| download | sssd-047ed117f80c0fcc7710d930123af4f21233c369.tar.gz sssd-047ed117f80c0fcc7710d930123af4f21233c369.tar.bz2 sssd-047ed117f80c0fcc7710d930123af4f21233c369.zip | |
krb5: Remove ability to create public directories
Setting up public directories is the job of the admin, and
current sssd syntax can't express the actual intention of the admin with
regrads to which parts of the path should be public or private.
Resolves:
https://fedorahosted.org/sssd/ticket/2071
| -rw-r--r-- | src/providers/krb5/krb5_auth.c | 6 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_utils.c | 96 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_utils.h | 6 |
3 files changed, 37 insertions, 71 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index 51c0d739..a4183dca 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -292,7 +292,6 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr, struct be_ctx *be_ctx) { const char *ccname_template; - bool private_path = false; errno_t ret; if (!kr->is_offline) { @@ -317,8 +316,7 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr, ccname_template = dp_opt_get_cstring(kr->krb5_ctx->opts, KRB5_CCNAME_TMPL); kr->ccname = expand_ccname_template(kr, kr, ccname_template, true, - be_ctx->domain->case_sensitive, - &private_path); + be_ctx->domain->case_sensitive); if (kr->ccname == NULL) { DEBUG(1, ("expand_ccname_template failed.\n")); return ENOMEM; @@ -326,7 +324,7 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr, ret = sss_krb5_precreate_ccache(kr->ccname, kr->krb5_ctx->illegal_path_re, - kr->uid, kr->gid, private_path); + kr->uid, kr->gid); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, ("ccache creation failed.\n")); return ret; diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c index e6860482..cf6d72ad 100644 --- a/src/providers/krb5/krb5_utils.c +++ b/src/providers/krb5/krb5_utils.c @@ -203,7 +203,7 @@ done: char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, const char *template, bool file_mode, - bool case_sensitive, bool *private_path) + bool case_sensitive) { char *copy; char *p; @@ -217,8 +217,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, char action; bool rerun; - *private_path = false; - if (template == NULL) { DEBUG(1, ("Missing template.\n")); return NULL; @@ -269,7 +267,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, result = talloc_asprintf_append(result, "%s%s", p, name); - if (!file_mode) *private_path = true; break; case 'U': if (kr->uid <= 0) { @@ -279,7 +276,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, } result = talloc_asprintf_append(result, "%s%"SPRIuid, p, kr->uid); - if (!file_mode) *private_path = true; break; case 'p': if (kr->upn == NULL) { @@ -288,7 +284,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, goto done; } result = talloc_asprintf_append(result, "%s%s", p, kr->upn); - if (!file_mode) *private_path = true; break; case '%': result = talloc_asprintf_append(result, "%s%%", p); @@ -308,7 +303,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, goto done; } result = talloc_asprintf_append(result, "%s%s", p, kr->homedir); - if (!file_mode) *private_path = true; break; case 'd': if (file_mode) { @@ -320,8 +314,7 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, } dummy = expand_ccname_template(tmp_ctx, kr, cache_dir_tmpl, - false, case_sensitive, - private_path); + false, case_sensitive); if (dummy == NULL) { DEBUG(1, ("Expanding credential cache directory " "template failed.\n")); @@ -414,41 +407,30 @@ done: return res; } -static errno_t check_parent_stat(bool private_path, struct stat *parent_stat, +static errno_t check_parent_stat(struct stat *parent_stat, uid_t uid, gid_t gid) { - if (private_path) { - if (!((parent_stat->st_uid == 0 && parent_stat->st_gid == 0) || - parent_stat->st_uid == uid)) { - DEBUG(1, ("Private directory can only be created below a " - "directory belonging to root or to " - "[%"SPRIuid"][%"SPRIgid"].\n", uid, gid)); - return EINVAL; - } + if (!((parent_stat->st_uid == 0 && parent_stat->st_gid == 0) || + parent_stat->st_uid == uid)) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("Private directory can only be created below a directory " + "belonging to root or to [%"SPRIuid"][%"SPRIgid"].\n", + uid, gid)); + return EINVAL; + } - if (parent_stat->st_uid == uid) { - if (!(parent_stat->st_mode & S_IXUSR)) { - DEBUG(1, ("Parent directory does have the search bit set for " - "the owner.\n")); - return EINVAL; - } - } else { - if (!(parent_stat->st_mode & S_IXOTH)) { - DEBUG(1, ("Parent directory does have the search bit set for " - "others.\n")); - return EINVAL; - } - } - } else { - if (parent_stat->st_uid != 0 || parent_stat->st_gid != 0) { - DEBUG(1, ("Public directory cannot be created below a user " - "directory.\n")); + if (parent_stat->st_uid == uid) { + if (!(parent_stat->st_mode & S_IXUSR)) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("Parent directory does not have the search bit set for " + "the owner.\n")); return EINVAL; } - + } else { if (!(parent_stat->st_mode & S_IXOTH)) { - DEBUG(1, ("Parent directory does have the search bit set for " - "others.\n")); + DEBUG(SSSDBG_CRIT_FAILURE, + ("Parent directory does not have the search bit set for " + "others.\n")); return EINVAL; } } @@ -559,7 +541,7 @@ check_ccache_re(const char *filename, pcre *illegal_re) errno_t create_ccache_dir(const char *ccdirname, pcre *illegal_re, - uid_t uid, gid_t gid, bool private_path) + uid_t uid, gid_t gid) { int ret = EFAULT; struct stat parent_stat; @@ -598,27 +580,17 @@ create_ccache_dir(const char *ccdirname, pcre *illegal_re, goto done; } - ret = check_parent_stat(private_path, &parent_stat, uid, gid); + ret = check_parent_stat(&parent_stat, uid, gid); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, - ("check_parent_stat failed for %s directory [%s].\n", - private_path ? "private" : "public", ccdirname)); + ("check_parent_stat failed for directory [%s].\n", ccdirname)); goto done; } DLIST_FOR_EACH(li, missing_parents) { DEBUG(SSSDBG_TRACE_INTERNAL, ("Creating directory [%s].\n", li->s)); - if (li->next == NULL) { - new_dir_mode = private_path ? 0700 : 01777; - } else { - if (private_path && - parent_stat.st_uid == uid && parent_stat.st_gid == gid) { - new_dir_mode = 0700; - } else { - new_dir_mode = 0755; - } - } + new_dir_mode = 0700; old_umask = umask(0000); ret = mkdir(li->s, new_dir_mode); @@ -630,16 +602,12 @@ create_ccache_dir(const char *ccdirname, pcre *illegal_re, strerror(ret))); goto done; } - if (private_path && - ((parent_stat.st_uid == uid && parent_stat.st_gid == gid) || - li->next == NULL)) { - ret = chown(li->s, uid, gid); - if (ret != EOK) { - ret = errno; - DEBUG(SSSDBG_MINOR_FAILURE, - ("chown failed [%d][%s].\n", ret, strerror(ret))); - goto done; - } + ret = chown(li->s, uid, gid); + if (ret != EOK) { + ret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, + ("chown failed [%d][%s].\n", ret, strerror(ret))); + goto done; } } @@ -758,7 +726,7 @@ done: } errno_t sss_krb5_precreate_ccache(const char *ccname, pcre *illegal_re, - uid_t uid, gid_t gid, bool private_path) + uid_t uid, gid_t gid) { TALLOC_CTX *tmp_ctx = NULL; const char *filename; @@ -802,7 +770,7 @@ errno_t sss_krb5_precreate_ccache(const char *ccname, pcre *illegal_re, *end = '\0'; } while (*(end+1) == '\0'); - ret = create_ccache_dir(ccdirname, illegal_re, uid, gid, private_path); + ret = create_ccache_dir(ccdirname, illegal_re, uid, gid); done: talloc_free(tmp_ctx); return ret; diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h index 33cc6112..4b1ebb0b 100644 --- a/src/providers/krb5/krb5_utils.h +++ b/src/providers/krb5/krb5_utils.h @@ -43,11 +43,11 @@ errno_t check_if_cached_upn_needs_update(struct sysdb_ctx *sysdb, const char *upn); errno_t create_ccache_dir(const char *dirname, pcre *illegal_re, - uid_t uid, gid_t gid, bool private_path); + uid_t uid, gid_t gid); char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, const char *template, bool file_mode, - bool case_sensitive, bool *private_path); + bool case_sensitive); errno_t become_user(uid_t uid, gid_t gid); struct sss_creds; @@ -58,7 +58,7 @@ errno_t switch_creds(TALLOC_CTX *mem_ctx, errno_t restore_creds(struct sss_creds *saved_creds); errno_t sss_krb5_precreate_ccache(const char *ccname, pcre *illegal_re, - uid_t uid, gid_t gid, bool private_path); + uid_t uid, gid_t gid); errno_t sss_krb5_cc_destroy(const char *ccname, uid_t uid, gid_t gid); errno_t sss_krb5_check_ccache_princ(uid_t uid, gid_t gid, const char *ccname, const char *principal); |