author | Ondrej Kos <okos@redhat.com> | 2012-10-02 18:56:39 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-10-04 19:43:23 +0200 |
commit | 8fe574521b7f8b14e17aea1d9afb471b80761b83 (patch) | |
tree | 4ae0aa549e9e5c43e2c6862a0ec72a740d1aca87 /src/providers | |
parent | e7dd2a5102ba6cfd28be6eccdd62768e9758d9f4 (diff) | |
Log possibly non-randomizable ccache file template
fixes https://fedorahosted.org/sssd/ticket/1533
The ccache file name template is now checked for a trailing XXXXXX, as required by
mkstemp. When those characters are not present, a warning is written to the log.
Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 7 | ||||
-rw-r--r-- | src/providers/krb5/krb5_child.c | 2 | ||||
-rw-r--r-- | src/providers/krb5/krb5_utils.c | 20 | ||||
-rw-r--r-- | src/providers/krb5/krb5_utils.h | 3 |
4 files changed, 26 insertions, 6 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index a305bb69..e244cea5 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -88,6 +88,7 @@ check_old_ccache(const char *old_ccache, struct krb5child_req *kr,
 const char *realm, bool *active, bool *valid)
 {
 struct sss_krb5_cc_be *old_cc_ops;
+ const char *cc_template;
 errno_t ret;
 /* ccache file might be of a different type if the user changed
@@ -100,8 +101,10 @@ check_old_ccache(const char *old_ccache, struct krb5child_req *kr,
 return EINVAL;
 }
- ret = old_cc_ops->check_existing(old_ccache, kr->uid, realm,
- kr->upn, active, valid);
+ cc_template = dp_opt_get_cstring(kr->krb5_ctx->opts, KRB5_CCNAME_TMPL);
+
+ ret = old_cc_ops->check_existing(old_ccache, kr->uid, realm, kr->upn,
+ cc_template, active, valid);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE,
 ("Cannot check if saved ccache %s is active and valid\n",
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 6987d2b9..b2d5bdae 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -337,7 +337,7 @@ static krb5_error_code create_ccache_file(krb5_context ctx,
 ccname_len = strlen(cc_file_name);
- if (ccname_len >= 6 && strcmp(cc_file_name + (ccname_len-6), "XXXXXX")==0 ) {
+ if (ccname_len >= 6 && strcmp(cc_file_name + (ccname_len - 6), "XXXXXX") == 0) {
 fd = mkstemp(cc_file_name);
 if (fd == -1) {
 kerr = errno;
diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
index 774f62da..73a711d9 100644
--- a/src/providers/krb5/krb5_utils.c
+++ b/src/providers/krb5/krb5_utils.c
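Review bot: `cc_template` comes straight from `dp_opt_get_cstring` and is passed into `check_existing` with no NULL check, while the backends' failure path hands it to `strlen` (in `cc_check_template`, added elsewhere in this diff), so if KRB5_CCNAME_TMPL can ever be unset a "cannot check ccache" failure would become a NULL dereference in the backend. If the option always carries a default, say so where the value is fetched: `/* KRB5_CCNAME_TMPL has a built-in default, so cc_template is never NULL here */`; otherwise guard with `if (cc_template == NULL) return EINVAL;` before the call. The rest of check_old_ccache, including how `ret` is returned, lies outside the hunk.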
@@ -695,10 +695,24 @@ cc_residual_is_used(uid_t uid, const char *ccname, return EOK; } +static void +cc_check_template(const char *cc_template) +{ + size_t template_len; + + template_len = strlen(cc_template); + if (template_len >= 6 && + strcmp(cc_template + (template_len - 6), "XXXXXX") != 0) { + DEBUG(SSSDBG_CONF_SETTINGS, ("ccache file name template [%s] doesn't " + "contain randomizing characters (XXXXXX), file might not " + "be rewritable\n", cc_template)); + } +} + errno_t cc_file_check_existing(const char *location, uid_t uid, const char *realm, const char *princ, - bool *_active, bool *_valid) + const char *cc_template, bool *_active, bool *_valid) { errno_t ret; bool active; @@ -723,6 +737,7 @@ cc_file_check_existing(const char *location, uid_t uid, if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, ("Could not check if ccache is active. " "Will create a new one.\n")); + cc_check_template(cc_template); active = false; } @@ -846,7 +861,7 @@ get_ccache_for_princ(krb5_context context, const char *location, errno_t cc_dir_check_existing(const char *location, uid_t uid, const char *realm, const char *princ, - bool *_active, bool *_valid) + const char *cc_template, bool *_active, bool *_valid) { bool active = false; bool valid = false; @@ -893,6 +908,7 @@ cc_dir_check_existing(const char *location, uid_t uid, if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, ("Could not check if ccache is active. " "Will create a new one.\n")); + cc_check_template(cc_template); active = false; } diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h index d8d96d25..00dfc851 100644 --- a/src/providers/krb5/krb5_utils.h +++ b/src/providers/krb5/krb5_utils.h 
@@ -37,7 +37,8 @@ typedef errno_t (*cc_be_create_fn)(const char *location, pcre *illegal_re, uid_t uid, gid_t gid, bool private_path);
 typedef errno_t (*cc_be_check_existing)(const char *location, uid_t uid, const char *realm, const char *princ,
- bool *active, bool *valid);
+ const char *cc_template, bool *active,
+ bool *valid);
 typedef const char * (*cc_be_ccache_for_princ)(TALLOC_CTX *mem_ctx, const char *location, const char *princ); |
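Review bot: cc_be_check_existing gains a cc_template parameter with no comment on what it carries or whether a backend may ignore it, and the surrounding typedefs document none of their parameters either. A short comment above the typedef would orient anyone writing a new backend: `/* cc_template: the configured ccache name template (KRB5_CCNAME_TMPL); the file and dir backends use it only to log a diagnostic when the existing ccache cannot be checked */`. The typedef list continues outside the hunk.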