diff options
Diffstat (limited to 'src/providers/krb5')
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 6 | ||||
-rw-r--r-- | src/providers/krb5/krb5_utils.c | 96 | ||||
-rw-r--r-- | src/providers/krb5/krb5_utils.h | 6 |
3 files changed, 37 insertions, 71 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index 51c0d739..a4183dca 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -292,7 +292,6 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr, struct be_ctx *be_ctx) { const char *ccname_template; - bool private_path = false; errno_t ret; if (!kr->is_offline) { @@ -317,8 +316,7 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr, ccname_template = dp_opt_get_cstring(kr->krb5_ctx->opts, KRB5_CCNAME_TMPL); kr->ccname = expand_ccname_template(kr, kr, ccname_template, true, - be_ctx->domain->case_sensitive, - &private_path); + be_ctx->domain->case_sensitive); if (kr->ccname == NULL) { DEBUG(1, ("expand_ccname_template failed.\n")); return ENOMEM; @@ -326,7 +324,7 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr, ret = sss_krb5_precreate_ccache(kr->ccname, kr->krb5_ctx->illegal_path_re, - kr->uid, kr->gid, private_path); + kr->uid, kr->gid); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, ("ccache creation failed.\n")); return ret; diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c index e6860482..cf6d72ad 100644 --- a/src/providers/krb5/krb5_utils.c +++ b/src/providers/krb5/krb5_utils.c @@ -203,7 +203,7 @@ done: char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, const char *template, bool file_mode, - bool case_sensitive, bool *private_path) + bool case_sensitive) { char *copy; char *p; @@ -217,8 +217,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, char action; bool rerun; - *private_path = false; - if (template == NULL) { DEBUG(1, ("Missing template.\n")); return NULL; @@ -269,7 +267,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, result = talloc_asprintf_append(result, "%s%s", p, name); - if (!file_mode) *private_path = true; break; case 'U': if (kr->uid <= 0) { @@ -279,7 +276,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, } result = talloc_asprintf_append(result, "%s%"SPRIuid, p, kr->uid); - if (!file_mode) *private_path = true; break; case 'p': if (kr->upn == NULL) { @@ -288,7 +284,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, goto done; } result = talloc_asprintf_append(result, "%s%s", p, kr->upn); - if (!file_mode) *private_path = true; break; case '%': result = talloc_asprintf_append(result, "%s%%", p); @@ -308,7 +303,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, goto done; } result = talloc_asprintf_append(result, "%s%s", p, kr->homedir); - if (!file_mode) *private_path = true; break; case 'd': if (file_mode) { @@ -320,8 +314,7 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, } dummy = expand_ccname_template(tmp_ctx, kr, cache_dir_tmpl, - false, case_sensitive, - private_path); + false, case_sensitive); if (dummy == NULL) { DEBUG(1, ("Expanding credential cache directory " "template failed.\n")); @@ -414,41 +407,30 @@ done: return res; } -static errno_t check_parent_stat(bool private_path, struct stat *parent_stat, +static errno_t check_parent_stat(struct stat *parent_stat, uid_t uid, gid_t gid) { - if (private_path) { - if (!((parent_stat->st_uid == 0 && parent_stat->st_gid == 0) || - parent_stat->st_uid == uid)) { - DEBUG(1, ("Private directory can only be created below a " - "directory belonging to root or to " - "[%"SPRIuid"][%"SPRIgid"].\n", uid, gid)); - return EINVAL; - } + if (!((parent_stat->st_uid == 0 && parent_stat->st_gid == 0) || + parent_stat->st_uid == uid)) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("Private directory can only be created below a directory " + "belonging to root or to [%"SPRIuid"][%"SPRIgid"].\n", + uid, gid)); + return EINVAL; + } - if (parent_stat->st_uid == uid) { - if (!(parent_stat->st_mode & S_IXUSR)) { - DEBUG(1, ("Parent directory does have the search bit set for " - "the owner.\n")); - return EINVAL; - } - } else { - if (!(parent_stat->st_mode & S_IXOTH)) { - DEBUG(1, ("Parent directory does have the search bit set for " - "others.\n")); - return EINVAL; - } - } - } else { - if (parent_stat->st_uid != 0 || parent_stat->st_gid != 0) { - DEBUG(1, ("Public directory cannot be created below a user " - "directory.\n")); + if (parent_stat->st_uid == uid) { + if (!(parent_stat->st_mode & S_IXUSR)) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("Parent directory does not have the search bit set for " + "the owner.\n")); return EINVAL; } - + } else { if (!(parent_stat->st_mode & S_IXOTH)) { - DEBUG(1, ("Parent directory does have the search bit set for " - "others.\n")); + DEBUG(SSSDBG_CRIT_FAILURE, + ("Parent directory does not have the search bit set for " + "others.\n")); return EINVAL; } } @@ -559,7 +541,7 @@ check_ccache_re(const char *filename, pcre *illegal_re) errno_t create_ccache_dir(const char *ccdirname, pcre *illegal_re, - uid_t uid, gid_t gid, bool private_path) + uid_t uid, gid_t gid) { int ret = EFAULT; struct stat parent_stat; @@ -598,27 +580,17 @@ create_ccache_dir(const char *ccdirname, pcre *illegal_re, goto done; } - ret = check_parent_stat(private_path, &parent_stat, uid, gid); + ret = check_parent_stat(&parent_stat, uid, gid); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, - ("check_parent_stat failed for %s directory [%s].\n", - private_path ? "private" : "public", ccdirname)); + ("check_parent_stat failed for directory [%s].\n", ccdirname)); goto done; } DLIST_FOR_EACH(li, missing_parents) { DEBUG(SSSDBG_TRACE_INTERNAL, ("Creating directory [%s].\n", li->s)); - if (li->next == NULL) { - new_dir_mode = private_path ? 0700 : 01777; - } else { - if (private_path && - parent_stat.st_uid == uid && parent_stat.st_gid == gid) { - new_dir_mode = 0700; - } else { - new_dir_mode = 0755; - } - } + new_dir_mode = 0700; old_umask = umask(0000); ret = mkdir(li->s, new_dir_mode); @@ -630,16 +602,12 @@ create_ccache_dir(const char *ccdirname, pcre *illegal_re, strerror(ret))); goto done; } - if (private_path && - ((parent_stat.st_uid == uid && parent_stat.st_gid == gid) || - li->next == NULL)) { - ret = chown(li->s, uid, gid); - if (ret != EOK) { - ret = errno; - DEBUG(SSSDBG_MINOR_FAILURE, - ("chown failed [%d][%s].\n", ret, strerror(ret))); - goto done; - } + ret = chown(li->s, uid, gid); + if (ret != EOK) { + ret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, + ("chown failed [%d][%s].\n", ret, strerror(ret))); + goto done; } } @@ -758,7 +726,7 @@ done: } errno_t sss_krb5_precreate_ccache(const char *ccname, pcre *illegal_re, - uid_t uid, gid_t gid, bool private_path) + uid_t uid, gid_t gid) { TALLOC_CTX *tmp_ctx = NULL; const char *filename; @@ -802,7 +770,7 @@ errno_t sss_krb5_precreate_ccache(const char *ccname, pcre *illegal_re, *end = '\0'; } while (*(end+1) == '\0'); - ret = create_ccache_dir(ccdirname, illegal_re, uid, gid, private_path); + ret = create_ccache_dir(ccdirname, illegal_re, uid, gid); done: talloc_free(tmp_ctx); return ret; diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h index 33cc6112..4b1ebb0b 100644 --- a/src/providers/krb5/krb5_utils.h +++ b/src/providers/krb5/krb5_utils.h @@ -43,11 +43,11 @@ errno_t check_if_cached_upn_needs_update(struct sysdb_ctx *sysdb, const char *upn); errno_t create_ccache_dir(const char *dirname, pcre *illegal_re, - uid_t uid, gid_t gid, bool private_path); + uid_t uid, gid_t gid); char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, const char *template, bool file_mode, - bool case_sensitive, bool *private_path); + bool case_sensitive); errno_t become_user(uid_t uid, gid_t gid); struct sss_creds; @@ -58,7 +58,7 @@ errno_t switch_creds(TALLOC_CTX *mem_ctx, errno_t restore_creds(struct sss_creds *saved_creds); errno_t sss_krb5_precreate_ccache(const char *ccname, pcre *illegal_re, - uid_t uid, gid_t gid, bool private_path); + uid_t uid, gid_t gid); errno_t sss_krb5_cc_destroy(const char *ccname, uid_t uid, gid_t gid); errno_t sss_krb5_check_ccache_princ(uid_t uid, gid_t gid, const char *ccname, const char *principal); |