Line data Source code
1 : /*
2 : * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3 : * (Royal Institute of Technology, Stockholm, Sweden).
4 : * All rights reserved.
5 : *
6 : * Redistribution and use in source and binary forms, with or without
7 : * modification, are permitted provided that the following conditions
8 : * are met:
9 : *
10 : * 1. Redistributions of source code must retain the above copyright
11 : * notice, this list of conditions and the following disclaimer.
12 : *
13 : * 2. Redistributions in binary form must reproduce the above copyright
14 : * notice, this list of conditions and the following disclaimer in the
15 : * documentation and/or other materials provided with the distribution.
16 : *
17 : * 3. Neither the name of the Institute nor the names of its contributors
18 : * may be used to endorse or promote products derived from this software
19 : * without specific prior written permission.
20 : *
21 : * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 : * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 : * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 : * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 : * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 : * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 : * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 : * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 : * SUCH DAMAGE.
32 : */
33 :
34 : #include "krb5_locl.h"
35 : #include "kuserok_plugin.h"
36 : #include <dirent.h>
37 :
38 : #ifndef SYSTEM_K5LOGIN_DIR
39 : /*
40 : * System k5login location. File namess in this directory are expected
41 : * to be usernames and to contain a list of principals allowed to login
42 : * as the user named the same as the file.
43 : */
44 : #define SYSTEM_K5LOGIN_DIR SYSCONFDIR "/k5login.d"
45 : #endif
46 :
47 : /* Plugin framework bits */
48 :
49 : struct plctx {
50 : const char *rule;
51 : const char *k5login_dir;
52 : const char *luser;
53 : krb5_const_principal principal;
54 : unsigned int flags;
55 : krb5_boolean result;
56 : };
57 :
58 : static krb5_error_code KRB5_LIB_CALL
59 0 : plcallback(krb5_context context, const void *plug, void *plugctx, void *userctx)
60 : {
61 0 : const krb5plugin_kuserok_ftable *locate = plug;
62 0 : struct plctx *plctx = userctx;
63 :
64 0 : return locate->kuserok(plugctx, context, plctx->rule, plctx->flags,
65 : plctx->k5login_dir, plctx->luser, plctx->principal,
66 : &plctx->result);
67 : }
68 :
69 : static krb5_error_code plugin_reg_ret;
70 : static const krb5plugin_kuserok_ftable kuserok_simple_plug;
71 : static const krb5plugin_kuserok_ftable kuserok_sys_k5login_plug;
72 : static const krb5plugin_kuserok_ftable kuserok_user_k5login_plug;
73 : static const krb5plugin_kuserok_ftable kuserok_deny_plug;
74 :
75 : static void
76 0 : reg_def_plugins_once(void *ctx)
77 : {
78 0 : krb5_error_code ret;
79 0 : krb5_context context = ctx;
80 :
81 0 : plugin_reg_ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA,
82 : KRB5_PLUGIN_KUSEROK,
83 : &kuserok_simple_plug);
84 0 : ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA,
85 : KRB5_PLUGIN_KUSEROK, &kuserok_sys_k5login_plug);
86 0 : if (!plugin_reg_ret)
87 0 : plugin_reg_ret = ret;
88 0 : ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA,
89 : KRB5_PLUGIN_KUSEROK, &kuserok_user_k5login_plug);
90 0 : if (!plugin_reg_ret)
91 0 : plugin_reg_ret = ret;
92 0 : ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA,
93 : KRB5_PLUGIN_KUSEROK, &kuserok_deny_plug);
94 0 : if (!plugin_reg_ret)
95 0 : plugin_reg_ret = ret;
96 0 : }
97 :
98 : /**
99 : * This function is designed to be portable for Win32 and POSIX. The
100 : * design does lead to multiple getpwnam_r() calls, but this is probably
101 : * not a big deal.
102 : *
103 : * Inputs:
104 : *
105 : * @param context A krb5_context
106 : * @param filename Name of item to introspection
107 : * @param is_system_location TRUE if the dir/file are system locations or
108 : * FALSE if they are user home directory locations
109 : * @param dir Directory (optional)
110 : * @param dirlstat A pointer to struct stat for the directory (optional)
111 : * @param file File (optional)
112 : * @param owner Name of user that is expected to own the file
113 : */
114 :
115 : static krb5_error_code
116 0 : check_owner_dir(krb5_context context,
117 : const char *filename,
118 : krb5_boolean is_system_location,
119 : DIR *dir,
120 : struct stat *dirlstat,
121 : const char *owner)
122 : {
123 : #ifdef _WIN32
124 : /*
125 : * XXX Implement this!
126 : *
127 : * The thing to do is to call _get_osfhandle() on fileno(file) and
128 : * dirfd(dir) to get HANDLEs to the same, then call
129 : * GetSecurityInfo() on those HANDLEs to get the security descriptor
130 : * (SD), then check the owner and DACL. Checking the DACL sounds
131 : * like a lot of work (what, derive a mode from the ACL the way
132 : * NFSv4 servers do?). Checking the owner means doing an LSARPC
133 : * lookup at least (to get the user's SID).
134 : */
135 : if (is_system_location || owner == NULL)
136 : return 0;
137 : krb5_set_error_message(context, EACCES,
138 : "User k5login files not supported on Windows");
139 : return EACCES;
140 : #else
141 0 : struct passwd pw, *pwd = NULL;
142 0 : char pwbuf[2048];
143 0 : struct stat st;
144 :
145 0 : heim_assert(owner != NULL, "no directory owner ?");
146 :
147 0 : if (getpwnam_r(owner, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) {
148 0 : krb5_set_error_message(context, errno,
149 : "User unknown %s (getpwnam_r())", owner);
150 0 : return EACCES;
151 : }
152 0 : if (pwd == NULL) {
153 0 : krb5_set_error_message(context, EACCES, "no user %s", owner);
154 0 : return EACCES;
155 : }
156 :
157 0 : if (fstat(dirfd(dir), &st) == -1) {
158 0 : krb5_set_error_message(context, EACCES,
159 : "fstat(%s) of k5login.d failed",
160 : filename);
161 0 : return EACCES;
162 : }
163 0 : if (!S_ISDIR(st.st_mode)) {
164 0 : krb5_set_error_message(context, ENOTDIR, "%s not a directory",
165 : filename);
166 0 : return ENOTDIR;
167 : }
168 0 : if (st.st_dev != dirlstat->st_dev || st.st_ino != dirlstat->st_ino) {
169 0 : krb5_set_error_message(context, EACCES,
170 : "%s was renamed during kuserok "
171 : "operation", filename);
172 0 : return EACCES;
173 : }
174 0 : if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
175 0 : krb5_set_error_message(context, EACCES,
176 : "%s has world and/or group write "
177 : "permissions", filename);
178 0 : return EACCES;
179 : }
180 0 : if (pwd->pw_uid != st.st_uid && st.st_uid != 0) {
181 0 : krb5_set_error_message(context, EACCES,
182 : "%s not owned by the user (%s) or root",
183 : filename, owner);
184 0 : return EACCES;
185 : }
186 :
187 0 : return 0;
188 : #endif
189 : }
190 :
191 : static krb5_error_code
192 0 : check_owner_file(krb5_context context,
193 : const char *filename,
194 : FILE *file, const char *owner)
195 : {
196 : #ifdef _WIN32
197 : /*
198 : * XXX Implement this!
199 : *
200 : * The thing to do is to call _get_osfhandle() on fileno(file) and
201 : * dirfd(dir) to get HANDLEs to the same, then call
202 : * GetSecurityInfo() on those HANDLEs to get the security descriptor
203 : * (SD), then check the owner and DACL. Checking the DACL sounds
204 : * like a lot of work (what, derive a mode from the ACL the way
205 : * NFSv4 servers do?). Checking the owner means doing an LSARPC
206 : * lookup at least (to get the user's SID).
207 : */
208 : if (owner == NULL)
209 : return 0;
210 :
211 : krb5_set_error_message(context, EACCES,
212 : "User k5login files not supported on Windows");
213 : return EACCES;
214 : #else
215 0 : struct passwd pw, *pwd = NULL;
216 0 : char pwbuf[2048];
217 0 : struct stat st;
218 :
219 0 : if (owner == NULL)
220 0 : return 0;
221 :
222 0 : if (getpwnam_r(owner, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) {
223 0 : krb5_set_error_message(context, errno,
224 : "User unknown %s (getpwnam_r())", owner);
225 0 : return EACCES;
226 : }
227 0 : if (pwd == NULL) {
228 0 : krb5_set_error_message(context, EACCES, "no user %s", owner);
229 0 : return EACCES;
230 : }
231 :
232 0 : if (fstat(fileno(file), &st) == -1) {
233 0 : krb5_set_error_message(context, EACCES, "fstat(%s) of k5login failed",
234 : filename);
235 0 : return EACCES;
236 : }
237 0 : if (S_ISDIR(st.st_mode)) {
238 0 : krb5_set_error_message(context, EISDIR, "k5login: %s is a directory",
239 : filename);
240 0 : return EISDIR;
241 : }
242 0 : if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
243 0 : krb5_set_error_message(context, EISDIR,
244 : "k5login %s has world and/or group write "
245 : "permissions", filename);
246 0 : return EACCES;
247 : }
248 0 : if (pwd->pw_uid != st.st_uid && st.st_uid != 0) {
249 0 : krb5_set_error_message(context, EACCES,
250 : "k5login %s not owned by the user or root",
251 : filename);
252 0 : return EACCES;
253 : }
254 :
255 0 : return 0;
256 : #endif
257 : }
258 :
259 :
260 : /* see if principal is mentioned in the filename access file, return
261 : TRUE (in result) if so, FALSE otherwise */
262 :
263 : static krb5_error_code
264 0 : check_one_file(krb5_context context,
265 : const char *filename,
266 : const char *owner,
267 : krb5_boolean is_system_location,
268 : krb5_const_principal principal,
269 : krb5_boolean *result)
270 : {
271 0 : FILE *f;
272 0 : char buf[BUFSIZ];
273 0 : krb5_error_code ret;
274 :
275 0 : *result = FALSE;
276 :
277 0 : f = fopen(filename, "r");
278 0 : if (f == NULL)
279 0 : return errno;
280 0 : rk_cloexec_file(f);
281 :
282 0 : ret = check_owner_file(context, filename, f, owner);
283 0 : if (ret)
284 0 : goto out;
285 :
286 0 : while (fgets(buf, sizeof(buf), f) != NULL) {
287 0 : krb5_principal tmp;
288 0 : char *newline = buf + strcspn(buf, "\n");
289 :
290 0 : if (*newline != '\n') {
291 0 : int c;
292 0 : c = fgetc(f);
293 0 : if (c != EOF) {
294 0 : while (c != EOF && c != '\n')
295 0 : c = fgetc(f);
296 : /* line was too long, so ignore it */
297 0 : continue;
298 : }
299 : }
300 0 : *newline = '\0';
301 0 : ret = krb5_parse_name(context, buf, &tmp);
302 0 : if (ret)
303 0 : continue;
304 0 : *result = krb5_principal_compare(context, principal, tmp);
305 0 : krb5_free_principal(context, tmp);
306 0 : if (*result) {
307 0 : fclose (f);
308 0 : return 0;
309 : }
310 : }
311 :
312 0 : out:
313 0 : fclose(f);
314 0 : return 0;
315 : }
316 :
317 : static krb5_error_code
318 0 : check_directory(krb5_context context,
319 : const char *dirname,
320 : const char *owner,
321 : krb5_boolean is_system_location,
322 : krb5_const_principal principal,
323 : krb5_boolean *result)
324 : {
325 0 : DIR *d;
326 0 : struct dirent *dent;
327 0 : char filename[MAXPATHLEN];
328 0 : size_t len;
329 0 : krb5_error_code ret = 0;
330 0 : struct stat st;
331 :
332 0 : *result = FALSE;
333 :
334 0 : if (lstat(dirname, &st) < 0)
335 0 : return errno;
336 :
337 0 : if (!S_ISDIR(st.st_mode)) {
338 0 : krb5_set_error_message(context, ENOTDIR, "k5login.d not a directory");
339 0 : return ENOTDIR;
340 : }
341 :
342 0 : if ((d = opendir(dirname)) == NULL) {
343 0 : krb5_set_error_message(context, ENOTDIR, "Could not open k5login.d");
344 0 : return errno;
345 : }
346 :
347 0 : ret = check_owner_dir(context, dirname, is_system_location, d, &st, owner);
348 0 : if (ret)
349 0 : goto out;
350 :
351 0 : while ((dent = readdir(d)) != NULL) {
352 : /*
353 : * XXX: Should we also skip files whose names start with "."?
354 : * Vim ".filename.swp" files are also good candidates to skip.
355 : * Once we ignore "#*" and "*~", it is not clear what other
356 : * heuristics to apply.
357 : */
358 0 : if (strcmp(dent->d_name, ".") == 0 ||
359 0 : strcmp(dent->d_name, "..") == 0 ||
360 0 : dent->d_name[0] == '#' || /* emacs autosave */
361 0 : dent->d_name[strlen(dent->d_name) - 1] == '~') /* emacs backup */
362 0 : continue;
363 0 : len = snprintf(filename, sizeof(filename), "%s/%s", dirname, dent->d_name);
364 : /* Skip too-long filenames that got truncated by snprintf() */
365 0 : if (len < sizeof(filename)) {
366 0 : ret = check_one_file(context, filename, owner, is_system_location,
367 : principal, result);
368 0 : if (ret == 0 && *result == TRUE)
369 0 : break;
370 : }
371 0 : ret = 0; /* don't propagate errors upstream */
372 : }
373 :
374 0 : out:
375 0 : closedir(d);
376 0 : return ret;
377 : }
378 :
379 : static krb5_error_code
380 0 : check_an2ln(krb5_context context,
381 : krb5_const_principal principal,
382 : const char *luser,
383 : krb5_boolean *result)
384 : {
385 0 : krb5_error_code ret;
386 0 : char *lname;
387 :
388 : #if 0
389 : /* XXX Should we make this an option? */
390 : /* multi-component principals can never match */
391 : if (krb5_principal_get_comp_string(context, principal, 1) != NULL) {
392 : *result = FALSE;
393 : return 0;
394 : }
395 : #endif
396 :
397 0 : lname = malloc(strlen(luser) + 1);
398 0 : if (lname == NULL)
399 0 : return krb5_enomem(context);
400 0 : ret = krb5_aname_to_localname(context, principal, strlen(luser)+1, lname);
401 0 : if (ret)
402 0 : goto out;
403 0 : if (strcmp(lname, luser) == 0)
404 0 : *result = TRUE;
405 : else
406 0 : *result = FALSE;
407 :
408 0 : out:
409 0 : free(lname);
410 0 : return 0;
411 :
412 : }
413 :
414 : /**
415 : * This function takes the name of a local user and checks if
416 : * principal is allowed to log in as that user.
417 : *
418 : * The user may have a ~/.k5login file listing principals that are
419 : * allowed to login as that user. If that file does not exist, all
420 : * principals with a only one component that is identical to the
421 : * username, and a realm considered local, are allowed access.
422 : *
423 : * The .k5login file must contain one principal per line, be owned by
424 : * user and not be writable by group or other (but must be readable by
425 : * anyone).
426 : *
427 : * Note that if the file exists, no implicit access rights are given
428 : * to user@@LOCALREALM.
429 : *
430 : * Optionally, a set of files may be put in ~/.k5login.d (a
431 : * directory), in which case they will all be checked in the same
432 : * manner as .k5login. The files may be called anything, but files
433 : * starting with a hash (#) , or ending with a tilde (~) are
434 : * ignored. Subdirectories are not traversed. Note that this directory
435 : * may not be checked by other Kerberos implementations.
436 : *
437 : * If no configuration file exists, match user against local domains,
438 : * ie luser@@LOCAL-REALMS-IN-CONFIGURATION-FILES.
439 : *
440 : * @param context Kerberos 5 context.
441 : * @param principal principal to check if allowed to login
442 : * @param luser local user id
443 : *
444 : * @return returns TRUE if access should be granted, FALSE otherwise.
445 : *
446 : * @ingroup krb5_support
447 : */
448 :
449 : KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
450 0 : krb5_kuserok(krb5_context context,
451 : krb5_principal principal,
452 : const char *luser)
453 : {
454 0 : return _krb5_kuserok(context, principal, luser, TRUE);
455 : }
456 :
457 :
458 : static const char *const kuserok_plugin_deps[] = { "krb5", NULL };
459 :
460 : static const struct heim_plugin_data
461 : kuserok_plugin_data = {
462 : "krb5",
463 : KRB5_PLUGIN_KUSEROK,
464 : KRB5_PLUGIN_KUSEROK_VERSION_0,
465 : kuserok_plugin_deps,
466 : krb5_get_instance
467 : };
468 :
469 : KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
470 0 : _krb5_kuserok(krb5_context context,
471 : krb5_principal principal,
472 : const char *luser,
473 : krb5_boolean an2ln_ok)
474 : {
475 0 : static heim_base_once_t reg_def_plugins = HEIM_BASE_ONCE_INIT;
476 0 : krb5_error_code ret;
477 0 : struct plctx ctx;
478 0 : char **rules;
479 :
480 : /*
481 : * XXX we should have a struct with a krb5_context field and a
482 : * krb5_error_code fied and pass the address of that as the ctx
483 : * argument of heim_base_once_f(). For now we use a static to
484 : * communicate failures. Actually, we ignore failures anyways,
485 : * since we can't return them.
486 : */
487 0 : heim_base_once_f(®_def_plugins, context, reg_def_plugins_once);
488 :
489 0 : ctx.flags = 0;
490 0 : ctx.luser = luser;
491 0 : ctx.principal = principal;
492 0 : ctx.result = FALSE;
493 :
494 0 : ctx.k5login_dir = krb5_config_get_string(context, NULL, "libdefaults",
495 : "k5login_directory", NULL);
496 :
497 0 : if (an2ln_ok)
498 0 : ctx.flags |= KUSEROK_ANAME_TO_LNAME_OK;
499 :
500 0 : if (krb5_config_get_bool_default(context, NULL, FALSE, "libdefaults",
501 : "k5login_authoritative", NULL))
502 0 : ctx.flags |= KUSEROK_K5LOGIN_IS_AUTHORITATIVE;
503 :
504 0 : if ((ctx.flags & KUSEROK_K5LOGIN_IS_AUTHORITATIVE) && plugin_reg_ret)
505 0 : return plugin_reg_ret; /* fail safe */
506 :
507 0 : rules = krb5_config_get_strings(context, NULL, "libdefaults",
508 : "kuserok", NULL);
509 0 : if (rules == NULL) {
510 : /* Default: check ~/.k5login */
511 0 : ctx.rule = "USER-K5LOGIN";
512 :
513 0 : ret = plcallback(context, &kuserok_user_k5login_plug, NULL, &ctx);
514 0 : if (ret == 0)
515 0 : goto out;
516 :
517 0 : ctx.rule = "SIMPLE";
518 0 : ret = plcallback(context, &kuserok_simple_plug, NULL, &ctx);
519 0 : if (ret == 0)
520 0 : goto out;
521 :
522 0 : ctx.result = FALSE;
523 : } else {
524 : size_t n;
525 :
526 0 : for (n = 0; rules[n]; n++) {
527 0 : ctx.rule = rules[n];
528 :
529 0 : ret = _krb5_plugin_run_f(context, &kuserok_plugin_data,
530 : 0, &ctx, plcallback);
531 0 : if (ret != KRB5_PLUGIN_NO_HANDLE)
532 0 : goto out;
533 : }
534 : }
535 :
536 0 : out:
537 0 : krb5_config_free_strings(rules);
538 :
539 0 : return ctx.result;
540 : }
541 :
542 : /*
543 : * Simple kuserok: check that the lname for the aname matches luser.
544 : */
545 :
546 : static krb5_error_code KRB5_LIB_CALL
547 0 : kuserok_simple_plug_f(void *plug_ctx, krb5_context context, const char *rule,
548 : unsigned int flags, const char *k5login_dir,
549 : const char *luser, krb5_const_principal principal,
550 : krb5_boolean *result)
551 : {
552 0 : krb5_error_code ret;
553 :
554 0 : if (strcmp(rule, "SIMPLE") != 0 || (flags & KUSEROK_ANAME_TO_LNAME_OK) == 0)
555 0 : return KRB5_PLUGIN_NO_HANDLE;
556 :
557 0 : ret = check_an2ln(context, principal, luser, result);
558 0 : if (ret == 0 && *result == FALSE)
559 0 : return KRB5_PLUGIN_NO_HANDLE;
560 :
561 0 : return 0;
562 : }
563 :
564 : /*
565 : * Check k5login files in a system location, rather than in home
566 : * directories.
567 : */
568 :
569 : static krb5_error_code KRB5_LIB_CALL
570 0 : kuserok_sys_k5login_plug_f(void *plug_ctx, krb5_context context,
571 : const char *rule, unsigned int flags,
572 : const char *k5login_dir, const char *luser,
573 : krb5_const_principal principal, krb5_boolean *result)
574 : {
575 0 : char filename[MAXPATHLEN];
576 0 : size_t len;
577 0 : const char *profile_dir = NULL;
578 0 : krb5_error_code ret;
579 :
580 0 : *result = FALSE;
581 :
582 0 : if (strcmp(rule, "SYSTEM-K5LOGIN") != 0 &&
583 0 : strncmp(rule, "SYSTEM-K5LOGIN:", strlen("SYSTEM-K5LOGIN:")) != 0)
584 0 : return KRB5_PLUGIN_NO_HANDLE;
585 :
586 0 : profile_dir = strchr(rule, ':');
587 0 : if (profile_dir == NULL)
588 0 : profile_dir = k5login_dir ? k5login_dir : SYSTEM_K5LOGIN_DIR;
589 : else
590 0 : profile_dir++;
591 :
592 0 : len = snprintf(filename, sizeof(filename), "%s/%s", profile_dir, luser);
593 0 : if (len < sizeof(filename)) {
594 0 : ret = check_one_file(context, filename, NULL, TRUE, principal, result);
595 :
596 0 : if (ret == 0 &&
597 0 : ((flags & KUSEROK_K5LOGIN_IS_AUTHORITATIVE) || *result == TRUE))
598 0 : return 0;
599 : }
600 :
601 0 : *result = FALSE;
602 0 : return KRB5_PLUGIN_NO_HANDLE;
603 : }
604 :
605 : /*
606 : * Check ~luser/.k5login and/or ~/luser/.k5login.d
607 : */
608 :
609 : static krb5_error_code KRB5_LIB_CALL
610 0 : kuserok_user_k5login_plug_f(void *plug_ctx, krb5_context context,
611 : const char *rule, unsigned int flags,
612 : const char *k5login_dir, const char *luser,
613 : krb5_const_principal principal,
614 : krb5_boolean *result)
615 : {
616 : #ifdef _WIN32
617 : return KRB5_PLUGIN_NO_HANDLE;
618 : #else
619 0 : char *path;
620 0 : char *path_exp;
621 0 : const char *profile_dir = NULL;
622 0 : krb5_error_code ret;
623 0 : krb5_boolean found_file = FALSE;
624 0 : struct passwd pw, *pwd = NULL;
625 0 : char pwbuf[2048];
626 :
627 0 : if (strcmp(rule, "USER-K5LOGIN") != 0)
628 0 : return KRB5_PLUGIN_NO_HANDLE;
629 :
630 0 : profile_dir = k5login_dir;
631 0 : if (profile_dir == NULL) {
632 : /* Don't deadlock with gssd or anything of the sort */
633 0 : if (!_krb5_homedir_access(context))
634 0 : return KRB5_PLUGIN_NO_HANDLE;
635 :
636 0 : if (getpwnam_r(luser, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) {
637 0 : krb5_set_error_message(context, errno, "User unknown (getpwnam_r())");
638 0 : return KRB5_PLUGIN_NO_HANDLE;
639 : }
640 0 : if (pwd == NULL) {
641 0 : krb5_set_error_message(context, errno, "User unknown (getpwnam())");
642 0 : return KRB5_PLUGIN_NO_HANDLE;
643 : }
644 0 : profile_dir = pwd->pw_dir;
645 : }
646 :
647 : #define KLOGIN "/.k5login"
648 :
649 0 : if (asprintf(&path, "%s/.k5login.d", profile_dir) == -1)
650 0 : return krb5_enomem(context);
651 :
652 0 : ret = _krb5_expand_path_tokensv(context, path, 1, &path_exp,
653 : "luser", luser, NULL);
654 0 : free(path);
655 0 : if (ret)
656 0 : return ret;
657 0 : path = path_exp;
658 :
659 : /* check user's ~/.k5login */
660 0 : path[strlen(path) - strlen(".d")] = '\0';
661 0 : ret = check_one_file(context, path, luser, FALSE, principal, result);
662 :
663 : /*
664 : * A match in ~/.k5login is sufficient. A non-match, falls through to the
665 : * .k5login.d code below.
666 : */
667 0 : if (ret == 0 && *result == TRUE) {
668 0 : free(path);
669 0 : return 0;
670 : }
671 0 : if (ret != ENOENT)
672 0 : found_file = TRUE;
673 :
674 : /*
675 : * A match in ~/.k5login.d/somefile is sufficient. A non-match, falls
676 : * through to the code below that handles negative results.
677 : *
678 : * XXX: put back the .d; clever|hackish? you decide
679 : */
680 0 : path[strlen(path)] = '.';
681 0 : ret = check_directory(context, path, luser, FALSE, principal, result);
682 0 : free(path);
683 0 : if (ret == 0 && *result == TRUE)
684 0 : return 0;
685 0 : if (ret != ENOENT && ret != ENOTDIR)
686 0 : found_file = TRUE;
687 :
688 : /*
689 : * When either ~/.k5login or ~/.k5login.d/ exists, but neither matches
690 : * and we're authoritative, we're done. Otherwise, give other plugins
691 : * a chance.
692 : */
693 0 : *result = FALSE;
694 0 : if (found_file && (flags & KUSEROK_K5LOGIN_IS_AUTHORITATIVE))
695 0 : return 0;
696 0 : return KRB5_PLUGIN_NO_HANDLE;
697 : #endif
698 : }
699 :
700 : static krb5_error_code KRB5_LIB_CALL
701 0 : kuserok_deny_plug_f(void *plug_ctx, krb5_context context, const char *rule,
702 : unsigned int flags, const char *k5login_dir,
703 : const char *luser, krb5_const_principal principal,
704 : krb5_boolean *result)
705 : {
706 0 : if (strcmp(rule, "DENY") != 0)
707 0 : return KRB5_PLUGIN_NO_HANDLE;
708 :
709 0 : *result = FALSE;
710 0 : return 0;
711 : }
712 :
713 : static krb5_error_code KRB5_LIB_CALL
714 0 : kuser_ok_null_plugin_init(krb5_context context, void **ctx)
715 : {
716 0 : *ctx = NULL;
717 0 : return 0;
718 : }
719 :
720 : static void KRB5_LIB_CALL
721 0 : kuser_ok_null_plugin_fini(void *ctx)
722 : {
723 0 : return;
724 : }
725 :
726 : static const krb5plugin_kuserok_ftable kuserok_simple_plug = {
727 : KRB5_PLUGIN_KUSEROK_VERSION_0,
728 : kuser_ok_null_plugin_init,
729 : kuser_ok_null_plugin_fini,
730 : kuserok_simple_plug_f,
731 : };
732 :
733 : static const krb5plugin_kuserok_ftable kuserok_sys_k5login_plug = {
734 : KRB5_PLUGIN_KUSEROK_VERSION_0,
735 : kuser_ok_null_plugin_init,
736 : kuser_ok_null_plugin_fini,
737 : kuserok_sys_k5login_plug_f,
738 : };
739 :
740 : static const krb5plugin_kuserok_ftable kuserok_user_k5login_plug = {
741 : KRB5_PLUGIN_KUSEROK_VERSION_0,
742 : kuser_ok_null_plugin_init,
743 : kuser_ok_null_plugin_fini,
744 : kuserok_user_k5login_plug_f,
745 : };
746 :
747 : static const krb5plugin_kuserok_ftable kuserok_deny_plug = {
748 : KRB5_PLUGIN_KUSEROK_VERSION_0,
749 : kuser_ok_null_plugin_init,
750 : kuser_ok_null_plugin_fini,
751 : kuserok_deny_plug_f,
752 : };
753 :
|
