mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-11-22 21:51:04 +01:00
4d65a7c695
Apply the following automated changes to try to eliminate no-longer-needed sys/cdefs.h includes as well as now-empty blank lines in a row. Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/ Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/ Remove /\n+#if.*\n#endif.*\n+/ Remove /^#if.*\n#endif.*\n/ Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/ Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/ Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/ Sponsored by: Netflix
1333 lines
36 KiB
C
1333 lines
36 KiB
C
/*-
|
|
* SPDX-License-Identifier: BSD-2-Clause
|
|
*
|
|
* Copyright (c) 2008 Isilon Inc http://www.isilon.com/
|
|
* Authors: Doug Rabson <dfr@rabson.org>
|
|
* Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org>
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*/
|
|
|
|
#include <sys/param.h>
|
|
#include <sys/stat.h>
|
|
#include <sys/linker.h>
|
|
#include <sys/module.h>
|
|
#include <sys/queue.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/sysctl.h>
|
|
#include <sys/syslog.h>
|
|
#include <ctype.h>
|
|
#include <dirent.h>
|
|
#include <err.h>
|
|
#include <errno.h>
|
|
#ifndef WITHOUT_KERBEROS
|
|
#include <krb5.h>
|
|
#endif
|
|
#include <netdb.h>
|
|
#include <pwd.h>
|
|
#include <signal.h>
|
|
#include <stdarg.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include <arpa/inet.h>
|
|
#include <netinet/in.h>
|
|
#include <gssapi/gssapi.h>
|
|
#include <rpc/rpc.h>
|
|
#include <rpc/rpc_com.h>
|
|
|
|
#include "gssd.h"
|
|
|
|
#ifndef _PATH_GSS_MECH
|
|
#define _PATH_GSS_MECH "/etc/gss/mech"
|
|
#endif
|
|
#ifndef _PATH_GSSDSOCK
|
|
#define _PATH_GSSDSOCK "/var/run/gssd.sock"
|
|
#endif
|
|
#define GSSD_CREDENTIAL_CACHE_FILE "/tmp/krb5cc_gssd"
|
|
|
|
struct gss_resource {
|
|
LIST_ENTRY(gss_resource) gr_link;
|
|
uint64_t gr_id; /* identifier exported to kernel */
|
|
void* gr_res; /* GSS-API resource pointer */
|
|
};
|
|
LIST_HEAD(gss_resource_list, gss_resource) gss_resources;
|
|
int gss_resource_count;
|
|
uint32_t gss_next_id;
|
|
uint32_t gss_start_time;
|
|
int debug_level;
|
|
static char ccfile_dirlist[PATH_MAX + 1], ccfile_substring[NAME_MAX + 1];
|
|
static char pref_realm[1024];
|
|
static int verbose;
|
|
static int hostbased_initiator_cred;
|
|
#ifndef WITHOUT_KERBEROS
|
|
/* 1.2.752.43.13.14 */
|
|
static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc =
|
|
{6, (void *) "\x2a\x85\x70\x2b\x0d\x0e"};
|
|
static gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X =
|
|
&gss_krb5_set_allowable_enctypes_x_desc;
|
|
static gss_OID_desc gss_krb5_mech_oid_x_desc =
|
|
{9, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
|
|
static gss_OID GSS_KRB5_MECH_OID_X =
|
|
&gss_krb5_mech_oid_x_desc;
|
|
#endif
|
|
|
|
static void gssd_load_mech(void);
|
|
static int find_ccache_file(const char *, uid_t, char *);
|
|
static int is_a_valid_tgt_cache(const char *, uid_t, int *, time_t *);
|
|
static void gssd_verbose_out(const char *, ...);
|
|
#ifndef WITHOUT_KERBEROS
|
|
static krb5_error_code gssd_get_cc_from_keytab(const char *);
|
|
static OM_uint32 gssd_get_user_cred(OM_uint32 *, uid_t, gss_cred_id_t *);
|
|
#endif
|
|
void gssd_terminate(int);
|
|
|
|
extern void gssd_1(struct svc_req *rqstp, SVCXPRT *transp);
|
|
extern int gssd_syscall(char *path);
|
|
|
|
int
|
|
main(int argc, char **argv)
|
|
{
|
|
/*
|
|
* We provide an RPC service on a local-domain socket. The
|
|
* kernel's GSS-API code will pass what it can't handle
|
|
* directly to us.
|
|
*/
|
|
struct sockaddr_un sun;
|
|
int fd, oldmask, ch, debug, jailed;
|
|
SVCXPRT *xprt;
|
|
size_t jailed_size;
|
|
|
|
/*
|
|
* Initialize the credential cache file name substring and the
|
|
* search directory list.
|
|
*/
|
|
strlcpy(ccfile_substring, "krb5cc_", sizeof(ccfile_substring));
|
|
ccfile_dirlist[0] = '\0';
|
|
pref_realm[0] = '\0';
|
|
debug = 0;
|
|
verbose = 0;
|
|
while ((ch = getopt(argc, argv, "dhvs:c:r:")) != -1) {
|
|
switch (ch) {
|
|
case 'd':
|
|
debug_level++;
|
|
break;
|
|
case 'h':
|
|
#ifndef WITHOUT_KERBEROS
|
|
/*
|
|
* Enable use of a host based initiator credential
|
|
* in the default keytab file.
|
|
*/
|
|
hostbased_initiator_cred = 1;
|
|
#else
|
|
errx(1, "This option not available when built"
|
|
" without MK_KERBEROS\n");
|
|
#endif
|
|
break;
|
|
case 'v':
|
|
verbose = 1;
|
|
break;
|
|
case 's':
|
|
#ifndef WITHOUT_KERBEROS
|
|
/*
|
|
* Set the directory search list. This enables use of
|
|
* find_ccache_file() to search the directories for a
|
|
* suitable credentials cache file.
|
|
*/
|
|
strlcpy(ccfile_dirlist, optarg, sizeof(ccfile_dirlist));
|
|
#else
|
|
errx(1, "This option not available when built"
|
|
" without MK_KERBEROS\n");
|
|
#endif
|
|
break;
|
|
case 'c':
|
|
/*
|
|
* Specify a non-default credential cache file
|
|
* substring.
|
|
*/
|
|
strlcpy(ccfile_substring, optarg,
|
|
sizeof(ccfile_substring));
|
|
break;
|
|
case 'r':
|
|
/*
|
|
* Set the preferred realm for the credential cache tgt.
|
|
*/
|
|
strlcpy(pref_realm, optarg, sizeof(pref_realm));
|
|
break;
|
|
default:
|
|
fprintf(stderr,
|
|
"usage: %s [-d] [-s dir-list] [-c file-substring]"
|
|
" [-r preferred-realm]\n", argv[0]);
|
|
exit(1);
|
|
break;
|
|
}
|
|
}
|
|
|
|
gssd_load_mech();
|
|
|
|
if (!debug_level) {
|
|
if (daemon(0, 0) != 0)
|
|
err(1, "Can't daemonize");
|
|
signal(SIGINT, SIG_IGN);
|
|
signal(SIGQUIT, SIG_IGN);
|
|
signal(SIGHUP, SIG_IGN);
|
|
}
|
|
signal(SIGTERM, gssd_terminate);
|
|
signal(SIGPIPE, gssd_terminate);
|
|
|
|
memset(&sun, 0, sizeof sun);
|
|
sun.sun_family = AF_LOCAL;
|
|
unlink(_PATH_GSSDSOCK);
|
|
strcpy(sun.sun_path, _PATH_GSSDSOCK);
|
|
sun.sun_len = SUN_LEN(&sun);
|
|
fd = socket(AF_LOCAL, SOCK_STREAM, 0);
|
|
if (fd < 0) {
|
|
if (debug_level == 0) {
|
|
syslog(LOG_ERR, "Can't create local gssd socket");
|
|
exit(1);
|
|
}
|
|
err(1, "Can't create local gssd socket");
|
|
}
|
|
oldmask = umask(S_IXUSR|S_IRWXG|S_IRWXO);
|
|
if (bind(fd, (struct sockaddr *) &sun, sun.sun_len) < 0) {
|
|
if (debug_level == 0) {
|
|
syslog(LOG_ERR, "Can't bind local gssd socket");
|
|
exit(1);
|
|
}
|
|
err(1, "Can't bind local gssd socket");
|
|
}
|
|
umask(oldmask);
|
|
if (listen(fd, SOMAXCONN) < 0) {
|
|
if (debug_level == 0) {
|
|
syslog(LOG_ERR, "Can't listen on local gssd socket");
|
|
exit(1);
|
|
}
|
|
err(1, "Can't listen on local gssd socket");
|
|
}
|
|
xprt = svc_vc_create(fd, RPC_MAXDATASIZE, RPC_MAXDATASIZE);
|
|
if (!xprt) {
|
|
if (debug_level == 0) {
|
|
syslog(LOG_ERR,
|
|
"Can't create transport for local gssd socket");
|
|
exit(1);
|
|
}
|
|
err(1, "Can't create transport for local gssd socket");
|
|
}
|
|
if (!svc_reg(xprt, GSSD, GSSDVERS, gssd_1, NULL)) {
|
|
if (debug_level == 0) {
|
|
syslog(LOG_ERR,
|
|
"Can't register service for local gssd socket");
|
|
exit(1);
|
|
}
|
|
err(1, "Can't register service for local gssd socket");
|
|
}
|
|
|
|
LIST_INIT(&gss_resources);
|
|
gss_next_id = 1;
|
|
gss_start_time = time(0);
|
|
|
|
if (gssd_syscall(_PATH_GSSDSOCK) < 0) {
|
|
jailed = 0;
|
|
if (errno == EPERM) {
|
|
jailed_size = sizeof(jailed);
|
|
sysctlbyname("security.jail.jailed", &jailed,
|
|
&jailed_size, NULL, 0);
|
|
}
|
|
if (debug_level == 0) {
|
|
if (jailed != 0)
|
|
syslog(LOG_ERR, "Cannot start gssd."
|
|
" allow.nfsd must be configured");
|
|
else
|
|
syslog(LOG_ERR, "Cannot start gssd");
|
|
exit(1);
|
|
}
|
|
if (jailed != 0)
|
|
err(1, "Cannot start gssd."
|
|
" allow.nfsd must be configured");
|
|
else
|
|
err(1, "Cannot start gssd");
|
|
}
|
|
svc_run();
|
|
gssd_syscall("");
|
|
|
|
return (0);
|
|
}
|
|
|
|
static void
|
|
gssd_load_mech(void)
|
|
{
|
|
FILE *fp;
|
|
char buf[256];
|
|
char *p;
|
|
char *name, *oid, *lib, *kobj;
|
|
|
|
fp = fopen(_PATH_GSS_MECH, "r");
|
|
if (!fp)
|
|
return;
|
|
|
|
while (fgets(buf, sizeof(buf), fp)) {
|
|
if (*buf == '#')
|
|
continue;
|
|
p = buf;
|
|
name = strsep(&p, "\t\n ");
|
|
if (p) while (isspace(*p)) p++;
|
|
oid = strsep(&p, "\t\n ");
|
|
if (p) while (isspace(*p)) p++;
|
|
lib = strsep(&p, "\t\n ");
|
|
if (p) while (isspace(*p)) p++;
|
|
kobj = strsep(&p, "\t\n ");
|
|
if (!name || !oid || !lib || !kobj)
|
|
continue;
|
|
|
|
if (strcmp(kobj, "-")) {
|
|
/*
|
|
* Attempt to load the kernel module if its
|
|
* not already present.
|
|
*/
|
|
if (modfind(kobj) < 0) {
|
|
if (kldload(kobj) < 0) {
|
|
fprintf(stderr,
|
|
"%s: can't find or load kernel module %s for %s\n",
|
|
getprogname(), kobj, name);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
fclose(fp);
|
|
}
|
|
|
|
static void *
|
|
gssd_find_resource(uint64_t id)
|
|
{
|
|
struct gss_resource *gr;
|
|
|
|
if (!id)
|
|
return (NULL);
|
|
|
|
LIST_FOREACH(gr, &gss_resources, gr_link)
|
|
if (gr->gr_id == id)
|
|
return (gr->gr_res);
|
|
|
|
return (NULL);
|
|
}
|
|
|
|
static uint64_t
|
|
gssd_make_resource(void *res)
|
|
{
|
|
struct gss_resource *gr;
|
|
|
|
if (!res)
|
|
return (0);
|
|
|
|
gr = malloc(sizeof(struct gss_resource));
|
|
if (!gr)
|
|
return (0);
|
|
gr->gr_id = (gss_next_id++) + ((uint64_t) gss_start_time << 32);
|
|
gr->gr_res = res;
|
|
LIST_INSERT_HEAD(&gss_resources, gr, gr_link);
|
|
gss_resource_count++;
|
|
if (debug_level > 1)
|
|
printf("%d resources allocated\n", gss_resource_count);
|
|
|
|
return (gr->gr_id);
|
|
}
|
|
|
|
static void
|
|
gssd_delete_resource(uint64_t id)
|
|
{
|
|
struct gss_resource *gr;
|
|
|
|
LIST_FOREACH(gr, &gss_resources, gr_link) {
|
|
if (gr->gr_id == id) {
|
|
LIST_REMOVE(gr, gr_link);
|
|
free(gr);
|
|
gss_resource_count--;
|
|
if (debug_level > 1)
|
|
printf("%d resources allocated\n",
|
|
gss_resource_count);
|
|
return;
|
|
}
|
|
}
|
|
}
|
|
|
|
static void
|
|
gssd_verbose_out(const char *fmt, ...)
|
|
{
|
|
va_list ap;
|
|
|
|
if (verbose != 0) {
|
|
va_start(ap, fmt);
|
|
if (debug_level == 0)
|
|
vsyslog(LOG_INFO | LOG_DAEMON, fmt, ap);
|
|
else
|
|
vfprintf(stderr, fmt, ap);
|
|
va_end(ap);
|
|
}
|
|
}
|
|
|
|
bool_t
|
|
gssd_null_1_svc(void *argp, void *result, struct svc_req *rqstp)
|
|
{
|
|
|
|
gssd_verbose_out("gssd_null: done\n");
|
|
return (TRUE);
|
|
}
|
|
|
|
bool_t
|
|
gssd_init_sec_context_1_svc(init_sec_context_args *argp, init_sec_context_res *result, struct svc_req *rqstp)
|
|
{
|
|
gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
|
|
gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
|
|
gss_name_t name = GSS_C_NO_NAME;
|
|
char ccname[PATH_MAX + 5 + 1], *cp, *cp2;
|
|
int gotone, gotcred;
|
|
OM_uint32 min_stat;
|
|
#ifndef WITHOUT_KERBEROS
|
|
gss_buffer_desc principal_desc;
|
|
char enctype[sizeof(uint32_t)];
|
|
int key_enctype;
|
|
OM_uint32 maj_stat;
|
|
#endif
|
|
|
|
memset(result, 0, sizeof(*result));
|
|
if (hostbased_initiator_cred != 0 && argp->cred != 0 &&
|
|
argp->uid == 0) {
|
|
/*
|
|
* These credentials are for a host based initiator name
|
|
* in a keytab file, which should now have credentials
|
|
* in /tmp/krb5cc_gssd, because gss_acquire_cred() did
|
|
* the equivalent of "kinit -k".
|
|
*/
|
|
snprintf(ccname, sizeof(ccname), "FILE:%s",
|
|
GSSD_CREDENTIAL_CACHE_FILE);
|
|
} else if (ccfile_dirlist[0] != '\0' && argp->cred == 0) {
|
|
/*
|
|
* For the "-s" case and no credentials provided as an
|
|
* argument, search the directory list for an appropriate
|
|
* credential cache file. If the search fails, return failure.
|
|
*/
|
|
gotone = 0;
|
|
cp = ccfile_dirlist;
|
|
do {
|
|
cp2 = strchr(cp, ':');
|
|
if (cp2 != NULL)
|
|
*cp2 = '\0';
|
|
gotone = find_ccache_file(cp, argp->uid, ccname);
|
|
if (gotone != 0)
|
|
break;
|
|
if (cp2 != NULL)
|
|
*cp2++ = ':';
|
|
cp = cp2;
|
|
} while (cp != NULL && *cp != '\0');
|
|
if (gotone == 0) {
|
|
result->major_status = GSS_S_CREDENTIALS_EXPIRED;
|
|
gssd_verbose_out("gssd_init_sec_context: -s no"
|
|
" credential cache file found for uid=%d\n",
|
|
(int)argp->uid);
|
|
return (TRUE);
|
|
}
|
|
} else {
|
|
/*
|
|
* If there wasn't a "-s" option or the credentials have
|
|
* been provided as an argument, do it the old way.
|
|
* When credentials are provided, the uid should be root.
|
|
*/
|
|
if (argp->cred != 0 && argp->uid != 0) {
|
|
if (debug_level == 0)
|
|
syslog(LOG_ERR, "gss_init_sec_context:"
|
|
" cred for non-root");
|
|
else
|
|
fprintf(stderr, "gss_init_sec_context:"
|
|
" cred for non-root\n");
|
|
}
|
|
snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d",
|
|
(int) argp->uid);
|
|
}
|
|
setenv("KRB5CCNAME", ccname, TRUE);
|
|
|
|
if (argp->cred) {
|
|
cred = gssd_find_resource(argp->cred);
|
|
if (!cred) {
|
|
result->major_status = GSS_S_CREDENTIALS_EXPIRED;
|
|
gssd_verbose_out("gssd_init_sec_context: cred"
|
|
" resource not found\n");
|
|
return (TRUE);
|
|
}
|
|
}
|
|
if (argp->ctx) {
|
|
ctx = gssd_find_resource(argp->ctx);
|
|
if (!ctx) {
|
|
result->major_status = GSS_S_CONTEXT_EXPIRED;
|
|
gssd_verbose_out("gssd_init_sec_context: context"
|
|
" resource not found\n");
|
|
return (TRUE);
|
|
}
|
|
}
|
|
if (argp->name) {
|
|
name = gssd_find_resource(argp->name);
|
|
if (!name) {
|
|
result->major_status = GSS_S_BAD_NAME;
|
|
gssd_verbose_out("gssd_init_sec_context: name"
|
|
" resource not found\n");
|
|
return (TRUE);
|
|
}
|
|
}
|
|
gotcred = 0;
|
|
|
|
result->major_status = gss_init_sec_context(&result->minor_status,
|
|
cred, &ctx, name, argp->mech_type,
|
|
argp->req_flags, argp->time_req, argp->input_chan_bindings,
|
|
&argp->input_token, &result->actual_mech_type,
|
|
&result->output_token, &result->ret_flags, &result->time_rec);
|
|
gssd_verbose_out("gssd_init_sec_context: done major=0x%x minor=%d"
|
|
" uid=%d\n", (unsigned int)result->major_status,
|
|
(int)result->minor_status, (int)argp->uid);
|
|
if (gotcred != 0)
|
|
gss_release_cred(&min_stat, &cred);
|
|
|
|
if (result->major_status == GSS_S_COMPLETE
|
|
|| result->major_status == GSS_S_CONTINUE_NEEDED) {
|
|
if (argp->ctx)
|
|
result->ctx = argp->ctx;
|
|
else
|
|
result->ctx = gssd_make_resource(ctx);
|
|
}
|
|
|
|
return (TRUE);
|
|
}
|
|
|
|
bool_t
|
|
gssd_accept_sec_context_1_svc(accept_sec_context_args *argp, accept_sec_context_res *result, struct svc_req *rqstp)
|
|
{
|
|
gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
|
|
gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
|
|
gss_name_t src_name;
|
|
gss_cred_id_t delegated_cred_handle;
|
|
|
|
memset(result, 0, sizeof(*result));
|
|
if (argp->ctx) {
|
|
ctx = gssd_find_resource(argp->ctx);
|
|
if (!ctx) {
|
|
result->major_status = GSS_S_CONTEXT_EXPIRED;
|
|
gssd_verbose_out("gssd_accept_sec_context: ctx"
|
|
" resource not found\n");
|
|
return (TRUE);
|
|
}
|
|
}
|
|
if (argp->cred) {
|
|
cred = gssd_find_resource(argp->cred);
|
|
if (!cred) {
|
|
result->major_status = GSS_S_CREDENTIALS_EXPIRED;
|
|
gssd_verbose_out("gssd_accept_sec_context: cred"
|
|
" resource not found\n");
|
|
return (TRUE);
|
|
}
|
|
}
|
|
|
|
memset(result, 0, sizeof(*result));
|
|
result->major_status = gss_accept_sec_context(&result->minor_status,
|
|
&ctx, cred, &argp->input_token, argp->input_chan_bindings,
|
|
&src_name, &result->mech_type, &result->output_token,
|
|
&result->ret_flags, &result->time_rec,
|
|
&delegated_cred_handle);
|
|
gssd_verbose_out("gssd_accept_sec_context: done major=0x%x minor=%d\n",
|
|
(unsigned int)result->major_status, (int)result->minor_status);
|
|
|
|
if (result->major_status == GSS_S_COMPLETE
|
|
|| result->major_status == GSS_S_CONTINUE_NEEDED) {
|
|
if (argp->ctx)
|
|
result->ctx = argp->ctx;
|
|
else
|
|
result->ctx = gssd_make_resource(ctx);
|
|
result->src_name = gssd_make_resource(src_name);
|
|
result->delegated_cred_handle =
|
|
gssd_make_resource(delegated_cred_handle);
|
|
}
|
|
|
|
return (TRUE);
|
|
}
|
|
|
|
bool_t
|
|
gssd_delete_sec_context_1_svc(delete_sec_context_args *argp, delete_sec_context_res *result, struct svc_req *rqstp)
|
|
{
|
|
gss_ctx_id_t ctx = gssd_find_resource(argp->ctx);
|
|
|
|
if (ctx) {
|
|
result->major_status = gss_delete_sec_context(
|
|
&result->minor_status, &ctx, &result->output_token);
|
|
gssd_delete_resource(argp->ctx);
|
|
} else {
|
|
result->major_status = GSS_S_COMPLETE;
|
|
result->minor_status = 0;
|
|
}
|
|
gssd_verbose_out("gssd_delete_sec_context: done major=0x%x minor=%d\n",
|
|
(unsigned int)result->major_status, (int)result->minor_status);
|
|
|
|
return (TRUE);
|
|
}
|
|
|
|
bool_t
|
|
gssd_export_sec_context_1_svc(export_sec_context_args *argp, export_sec_context_res *result, struct svc_req *rqstp)
|
|
{
|
|
gss_ctx_id_t ctx = gssd_find_resource(argp->ctx);
|
|
|
|
if (ctx) {
|
|
result->major_status = gss_export_sec_context(
|
|
&result->minor_status, &ctx,
|
|
&result->interprocess_token);
|
|
result->format = KGSS_HEIMDAL_1_1;
|
|
gssd_delete_resource(argp->ctx);
|
|
} else {
|
|
result->major_status = GSS_S_FAILURE;
|
|
result->minor_status = 0;
|
|
result->interprocess_token.length = 0;
|
|
result->interprocess_token.value = NULL;
|
|
}
|
|
gssd_verbose_out("gssd_export_sec_context: done major=0x%x minor=%d\n",
|
|
(unsigned int)result->major_status, (int)result->minor_status);
|
|
|
|
return (TRUE);
|
|
}
|
|
|
|
bool_t
|
|
gssd_import_name_1_svc(import_name_args *argp, import_name_res *result, struct svc_req *rqstp)
|
|
{
|
|
gss_name_t name;
|
|
|
|
result->major_status = gss_import_name(&result->minor_status,
|
|
&argp->input_name_buffer, argp->input_name_type, &name);
|
|
gssd_verbose_out("gssd_import_name: done major=0x%x minor=%d\n",
|
|
(unsigned int)result->major_status, (int)result->minor_status);
|
|
|
|
if (result->major_status == GSS_S_COMPLETE)
|
|
result->output_name = gssd_make_resource(name);
|
|
else
|
|
result->output_name = 0;
|
|
|
|
return (TRUE);
|
|
}
|
|
|
|
/*
|
|
* If the name is a numeric IP host address, do a DNS lookup on it and
|
|
* return the DNS name in a malloc'd string.
|
|
*/
|
|
static char *
|
|
gssd_conv_ip_to_dns(int len, char *name)
|
|
{
|
|
struct sockaddr_in sin;
|
|
struct sockaddr_in6 sin6;
|
|
char *retcp;
|
|
|
|
retcp = NULL;
|
|
if (len > 0) {
|
|
retcp = mem_alloc(NI_MAXHOST);
|
|
memcpy(retcp, name, len);
|
|
retcp[len] = '\0';
|
|
if (inet_pton(AF_INET, retcp, &sin.sin_addr) != 0) {
|
|
sin.sin_family = AF_INET;
|
|
sin.sin_len = sizeof(sin);
|
|
sin.sin_port = 0;
|
|
if (getnameinfo((struct sockaddr *)&sin,
|
|
sizeof(sin), retcp, NI_MAXHOST,
|
|
NULL, 0, NI_NAMEREQD) != 0) {
|
|
mem_free(retcp, NI_MAXHOST);
|
|
return (NULL);
|
|
}
|
|
} else if (inet_pton(AF_INET6, retcp, &sin6.sin6_addr) != 0) {
|
|
sin6.sin6_family = AF_INET6;
|
|
sin6.sin6_len = sizeof(sin6);
|
|
sin6.sin6_port = 0;
|
|
if (getnameinfo((struct sockaddr *)&sin6,
|
|
sizeof(sin6), retcp, NI_MAXHOST,
|
|
NULL, 0, NI_NAMEREQD) != 0) {
|
|
mem_free(retcp, NI_MAXHOST);
|
|
return (NULL);
|
|
}
|
|
} else {
|
|
mem_free(retcp, NI_MAXHOST);
|
|
return (NULL);
|
|
}
|
|
gssd_verbose_out("gssd_conv_ip_to_dns: %s\n", retcp);
|
|
}
|
|
return (retcp);
|
|
}
|
|
|
|
bool_t
|
|
gssd_canonicalize_name_1_svc(canonicalize_name_args *argp, canonicalize_name_res *result, struct svc_req *rqstp)
|
|
{
|
|
gss_name_t name = gssd_find_resource(argp->input_name);
|
|
gss_name_t output_name;
|
|
|
|
memset(result, 0, sizeof(*result));
|
|
if (!name) {
|
|
result->major_status = GSS_S_BAD_NAME;
|
|
return (TRUE);
|
|
}
|
|
|
|
result->major_status = gss_canonicalize_name(&result->minor_status,
|
|
name, argp->mech_type, &output_name);
|
|
gssd_verbose_out("gssd_canonicalize_name: done major=0x%x minor=%d\n",
|
|
(unsigned int)result->major_status, (int)result->minor_status);
|
|
|
|
if (result->major_status == GSS_S_COMPLETE)
|
|
result->output_name = gssd_make_resource(output_name);
|
|
else
|
|
result->output_name = 0;
|
|
|
|
return (TRUE);
|
|
}
|
|
|
|
bool_t
|
|
gssd_export_name_1_svc(export_name_args *argp, export_name_res *result, struct svc_req *rqstp)
|
|
{
|
|
gss_name_t name = gssd_find_resource(argp->input_name);
|
|
|
|
memset(result, 0, sizeof(*result));
|
|
if (!name) {
|
|
result->major_status = GSS_S_BAD_NAME;
|
|
gssd_verbose_out("gssd_export_name: name resource not found\n");
|
|
return (TRUE);
|
|
}
|
|
|
|
result->major_status = gss_export_name(&result->minor_status,
|
|
name, &result->exported_name);
|
|
gssd_verbose_out("gssd_export_name: done major=0x%x minor=%d\n",
|
|
(unsigned int)result->major_status, (int)result->minor_status);
|
|
|
|
return (TRUE);
|
|
}
|
|
|
|
bool_t
|
|
gssd_release_name_1_svc(release_name_args *argp, release_name_res *result, struct svc_req *rqstp)
|
|
{
|
|
gss_name_t name = gssd_find_resource(argp->input_name);
|
|
|
|
if (name) {
|
|
result->major_status = gss_release_name(&result->minor_status,
|
|
&name);
|
|
gssd_delete_resource(argp->input_name);
|
|
} else {
|
|
result->major_status = GSS_S_COMPLETE;
|
|
result->minor_status = 0;
|
|
}
|
|
gssd_verbose_out("gssd_release_name: done major=0x%x minor=%d\n",
|
|
(unsigned int)result->major_status, (int)result->minor_status);
|
|
|
|
return (TRUE);
|
|
}
|
|
|
|
bool_t
|
|
gssd_pname_to_uid_1_svc(pname_to_uid_args *argp, pname_to_uid_res *result, struct svc_req *rqstp)
|
|
{
|
|
gss_name_t name = gssd_find_resource(argp->pname);
|
|
uid_t uid;
|
|
char buf[1024], *bufp;
|
|
struct passwd pwd, *pw;
|
|
size_t buflen;
|
|
int error;
|
|
static size_t buflen_hint = 1024;
|
|
|
|
memset(result, 0, sizeof(*result));
|
|
if (name) {
|
|
result->major_status =
|
|
gss_pname_to_uid(&result->minor_status,
|
|
name, argp->mech, &uid);
|
|
if (result->major_status == GSS_S_COMPLETE) {
|
|
result->uid = uid;
|
|
buflen = buflen_hint;
|
|
for (;;) {
|
|
pw = NULL;
|
|
bufp = buf;
|
|
if (buflen > sizeof(buf))
|
|
bufp = malloc(buflen);
|
|
if (bufp == NULL)
|
|
break;
|
|
error = getpwuid_r(uid, &pwd, bufp, buflen,
|
|
&pw);
|
|
if (error != ERANGE)
|
|
break;
|
|
if (buflen > sizeof(buf))
|
|
free(bufp);
|
|
buflen += 1024;
|
|
if (buflen > buflen_hint)
|
|
buflen_hint = buflen;
|
|
}
|
|
if (pw) {
|
|
int len = NGROUPS;
|
|
int groups[NGROUPS];
|
|
result->gid = pw->pw_gid;
|
|
getgrouplist(pw->pw_name, pw->pw_gid,
|
|
groups, &len);
|
|
result->gidlist.gidlist_len = len;
|
|
result->gidlist.gidlist_val =
|
|
mem_alloc(len * sizeof(int));
|
|
memcpy(result->gidlist.gidlist_val, groups,
|
|
len * sizeof(int));
|
|
gssd_verbose_out("gssd_pname_to_uid: mapped"
|
|
" to uid=%d, gid=%d\n", (int)result->uid,
|
|
(int)result->gid);
|
|
} else {
|
|
result->gid = 65534;
|
|
result->gidlist.gidlist_len = 0;
|
|
result->gidlist.gidlist_val = NULL;
|
|
gssd_verbose_out("gssd_pname_to_uid: mapped"
|
|
" to uid=%d, but no groups\n",
|
|
(int)result->uid);
|
|
}
|
|
if (bufp != NULL && buflen > sizeof(buf))
|
|
free(bufp);
|
|
} else
|
|
gssd_verbose_out("gssd_pname_to_uid: failed major=0x%x"
|
|
" minor=%d\n", (unsigned int)result->major_status,
|
|
(int)result->minor_status);
|
|
} else {
|
|
result->major_status = GSS_S_BAD_NAME;
|
|
result->minor_status = 0;
|
|
gssd_verbose_out("gssd_pname_to_uid: no name\n");
|
|
}
|
|
|
|
return (TRUE);
|
|
}
|
|
|
|
bool_t
|
|
gssd_acquire_cred_1_svc(acquire_cred_args *argp, acquire_cred_res *result, struct svc_req *rqstp)
|
|
{
|
|
gss_name_t desired_name = GSS_C_NO_NAME;
|
|
gss_cred_id_t cred;
|
|
char ccname[PATH_MAX + 5 + 1], *cp, *cp2;
|
|
int gotone;
|
|
#ifndef WITHOUT_KERBEROS
|
|
gss_buffer_desc namebuf;
|
|
uint32_t minstat;
|
|
krb5_error_code kret;
|
|
#endif
|
|
|
|
memset(result, 0, sizeof(*result));
|
|
if (argp->desired_name) {
|
|
desired_name = gssd_find_resource(argp->desired_name);
|
|
if (!desired_name) {
|
|
result->major_status = GSS_S_BAD_NAME;
|
|
gssd_verbose_out("gssd_acquire_cred: no desired name"
|
|
" found\n");
|
|
return (TRUE);
|
|
}
|
|
}
|
|
|
|
#ifndef WITHOUT_KERBEROS
|
|
if (hostbased_initiator_cred != 0 && argp->desired_name != 0 &&
|
|
argp->uid == 0 && argp->cred_usage == GSS_C_INITIATE) {
|
|
/* This is a host based initiator name in the keytab file. */
|
|
snprintf(ccname, sizeof(ccname), "FILE:%s",
|
|
GSSD_CREDENTIAL_CACHE_FILE);
|
|
setenv("KRB5CCNAME", ccname, TRUE);
|
|
result->major_status = gss_display_name(&result->minor_status,
|
|
desired_name, &namebuf, NULL);
|
|
gssd_verbose_out("gssd_acquire_cred: desired name for host "
|
|
"based initiator cred major=0x%x minor=%d\n",
|
|
(unsigned int)result->major_status,
|
|
(int)result->minor_status);
|
|
if (result->major_status != GSS_S_COMPLETE)
|
|
return (TRUE);
|
|
if (namebuf.length > PATH_MAX + 5) {
|
|
result->minor_status = 0;
|
|
result->major_status = GSS_S_FAILURE;
|
|
return (TRUE);
|
|
}
|
|
memcpy(ccname, namebuf.value, namebuf.length);
|
|
ccname[namebuf.length] = '\0';
|
|
if ((cp = strchr(ccname, '@')) != NULL)
|
|
*cp = '/';
|
|
kret = gssd_get_cc_from_keytab(ccname);
|
|
gssd_verbose_out("gssd_acquire_cred: using keytab entry for "
|
|
"%s, kerberos ret=%d\n", ccname, (int)kret);
|
|
gss_release_buffer(&minstat, &namebuf);
|
|
if (kret != 0) {
|
|
result->minor_status = kret;
|
|
result->major_status = GSS_S_FAILURE;
|
|
return (TRUE);
|
|
}
|
|
} else
|
|
#endif /* !WITHOUT_KERBEROS */
|
|
if (ccfile_dirlist[0] != '\0' && argp->desired_name == 0) {
|
|
/*
|
|
* For the "-s" case and no name provided as an
|
|
* argument, search the directory list for an appropriate
|
|
* credential cache file. If the search fails, return failure.
|
|
*/
|
|
gotone = 0;
|
|
cp = ccfile_dirlist;
|
|
do {
|
|
cp2 = strchr(cp, ':');
|
|
if (cp2 != NULL)
|
|
*cp2 = '\0';
|
|
gotone = find_ccache_file(cp, argp->uid, ccname);
|
|
if (gotone != 0)
|
|
break;
|
|
if (cp2 != NULL)
|
|
*cp2++ = ':';
|
|
cp = cp2;
|
|
} while (cp != NULL && *cp != '\0');
|
|
if (gotone == 0) {
|
|
result->major_status = GSS_S_CREDENTIALS_EXPIRED;
|
|
gssd_verbose_out("gssd_acquire_cred: no cred cache"
|
|
" file found\n");
|
|
return (TRUE);
|
|
}
|
|
setenv("KRB5CCNAME", ccname, TRUE);
|
|
} else {
|
|
/*
|
|
* If there wasn't a "-s" option or the name has
|
|
* been provided as an argument, do it the old way.
|
|
* When a name is provided, it will normally exist in the
|
|
* default keytab file and the uid will be root.
|
|
*/
|
|
if (argp->desired_name != 0 && argp->uid != 0) {
|
|
if (debug_level == 0)
|
|
syslog(LOG_ERR, "gss_acquire_cred:"
|
|
" principal_name for non-root");
|
|
else
|
|
fprintf(stderr, "gss_acquire_cred:"
|
|
" principal_name for non-root\n");
|
|
}
|
|
snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d",
|
|
(int) argp->uid);
|
|
setenv("KRB5CCNAME", ccname, TRUE);
|
|
}
|
|
|
|
result->major_status = gss_acquire_cred(&result->minor_status,
|
|
desired_name, argp->time_req, argp->desired_mechs,
|
|
argp->cred_usage, &cred, &result->actual_mechs, &result->time_rec);
|
|
gssd_verbose_out("gssd_acquire_cred: done major=0x%x minor=%d\n",
|
|
(unsigned int)result->major_status, (int)result->minor_status);
|
|
|
|
if (result->major_status == GSS_S_COMPLETE)
|
|
result->output_cred = gssd_make_resource(cred);
|
|
else
|
|
result->output_cred = 0;
|
|
|
|
return (TRUE);
|
|
}
|
|
|
|
bool_t
|
|
gssd_set_cred_option_1_svc(set_cred_option_args *argp, set_cred_option_res *result, struct svc_req *rqstp)
|
|
{
|
|
gss_cred_id_t cred = gssd_find_resource(argp->cred);
|
|
|
|
memset(result, 0, sizeof(*result));
|
|
if (!cred) {
|
|
result->major_status = GSS_S_CREDENTIALS_EXPIRED;
|
|
gssd_verbose_out("gssd_set_cred: no credentials\n");
|
|
return (TRUE);
|
|
}
|
|
|
|
result->major_status = gss_set_cred_option(&result->minor_status,
|
|
&cred, argp->option_name, &argp->option_value);
|
|
gssd_verbose_out("gssd_set_cred: done major=0x%x minor=%d\n",
|
|
(unsigned int)result->major_status, (int)result->minor_status);
|
|
|
|
return (TRUE);
|
|
}
|
|
|
|
bool_t
|
|
gssd_release_cred_1_svc(release_cred_args *argp, release_cred_res *result, struct svc_req *rqstp)
|
|
{
|
|
gss_cred_id_t cred = gssd_find_resource(argp->cred);
|
|
|
|
if (cred) {
|
|
result->major_status = gss_release_cred(&result->minor_status,
|
|
&cred);
|
|
gssd_delete_resource(argp->cred);
|
|
} else {
|
|
result->major_status = GSS_S_COMPLETE;
|
|
result->minor_status = 0;
|
|
}
|
|
gssd_verbose_out("gssd_release_cred: done major=0x%x minor=%d\n",
|
|
(unsigned int)result->major_status, (int)result->minor_status);
|
|
|
|
return (TRUE);
|
|
}
|
|
|
|
bool_t
|
|
gssd_display_status_1_svc(display_status_args *argp, display_status_res *result, struct svc_req *rqstp)
|
|
{
|
|
|
|
result->message_context = argp->message_context;
|
|
result->major_status = gss_display_status(&result->minor_status,
|
|
argp->status_value, argp->status_type, argp->mech_type,
|
|
&result->message_context, &result->status_string);
|
|
gssd_verbose_out("gssd_display_status: done major=0x%x minor=%d\n",
|
|
(unsigned int)result->major_status, (int)result->minor_status);
|
|
|
|
return (TRUE);
|
|
}
|
|
|
|
bool_t
|
|
gssd_ip_to_dns_1_svc(ip_to_dns_args *argp, ip_to_dns_res *result, struct svc_req *rqstp)
|
|
{
|
|
char *host;
|
|
|
|
memset(result, 0, sizeof(*result));
|
|
/* Check to see if the name is actually an IP address. */
|
|
host = gssd_conv_ip_to_dns(argp->ip_addr.ip_addr_len,
|
|
argp->ip_addr.ip_addr_val);
|
|
if (host != NULL) {
|
|
result->major_status = GSS_S_COMPLETE;
|
|
result->dns_name.dns_name_len = strlen(host);
|
|
result->dns_name.dns_name_val = host;
|
|
return (TRUE);
|
|
}
|
|
result->major_status = GSS_S_FAILURE;
|
|
return (TRUE);
|
|
}
|
|
|
|
int
|
|
gssd_1_freeresult(SVCXPRT *transp, xdrproc_t xdr_result, caddr_t result)
|
|
{
|
|
/*
|
|
* We don't use XDR to free the results - anything which was
|
|
* allocated came from GSS-API. We use xdr_result to figure
|
|
* out what to do.
|
|
*/
|
|
OM_uint32 junk;
|
|
|
|
if (xdr_result == (xdrproc_t) xdr_init_sec_context_res) {
|
|
init_sec_context_res *p = (init_sec_context_res *) result;
|
|
gss_release_buffer(&junk, &p->output_token);
|
|
} else if (xdr_result == (xdrproc_t) xdr_accept_sec_context_res) {
|
|
accept_sec_context_res *p = (accept_sec_context_res *) result;
|
|
gss_release_buffer(&junk, &p->output_token);
|
|
} else if (xdr_result == (xdrproc_t) xdr_delete_sec_context_res) {
|
|
delete_sec_context_res *p = (delete_sec_context_res *) result;
|
|
gss_release_buffer(&junk, &p->output_token);
|
|
} else if (xdr_result == (xdrproc_t) xdr_export_sec_context_res) {
|
|
export_sec_context_res *p = (export_sec_context_res *) result;
|
|
if (p->interprocess_token.length)
|
|
memset(p->interprocess_token.value, 0,
|
|
p->interprocess_token.length);
|
|
gss_release_buffer(&junk, &p->interprocess_token);
|
|
} else if (xdr_result == (xdrproc_t) xdr_export_name_res) {
|
|
export_name_res *p = (export_name_res *) result;
|
|
gss_release_buffer(&junk, &p->exported_name);
|
|
} else if (xdr_result == (xdrproc_t) xdr_acquire_cred_res) {
|
|
acquire_cred_res *p = (acquire_cred_res *) result;
|
|
gss_release_oid_set(&junk, &p->actual_mechs);
|
|
} else if (xdr_result == (xdrproc_t) xdr_pname_to_uid_res) {
|
|
pname_to_uid_res *p = (pname_to_uid_res *) result;
|
|
if (p->gidlist.gidlist_val)
|
|
free(p->gidlist.gidlist_val);
|
|
} else if (xdr_result == (xdrproc_t) xdr_display_status_res) {
|
|
display_status_res *p = (display_status_res *) result;
|
|
gss_release_buffer(&junk, &p->status_string);
|
|
}
|
|
|
|
return (TRUE);
|
|
}
|
|
|
|
/*
|
|
* Search a directory for the most likely candidate to be used as the
|
|
* credential cache for a uid. If successful, return 1 and fill the
|
|
* file's path id into "rpath". Otherwise, return 0.
|
|
*/
|
|
static int
|
|
find_ccache_file(const char *dirpath, uid_t uid, char *rpath)
|
|
{
|
|
DIR *dirp;
|
|
struct dirent *dp;
|
|
struct stat sb;
|
|
time_t exptime, oexptime;
|
|
int gotone, len, rating, orating;
|
|
char namepath[PATH_MAX + 5 + 1];
|
|
char retpath[PATH_MAX + 5 + 1];
|
|
|
|
dirp = opendir(dirpath);
|
|
if (dirp == NULL)
|
|
return (0);
|
|
gotone = 0;
|
|
orating = 0;
|
|
oexptime = 0;
|
|
while ((dp = readdir(dirp)) != NULL) {
|
|
len = snprintf(namepath, sizeof(namepath), "%s/%s", dirpath,
|
|
dp->d_name);
|
|
if (len < sizeof(namepath) &&
|
|
(hostbased_initiator_cred == 0 || strcmp(namepath,
|
|
GSSD_CREDENTIAL_CACHE_FILE) != 0) &&
|
|
strstr(dp->d_name, ccfile_substring) != NULL &&
|
|
lstat(namepath, &sb) >= 0 &&
|
|
sb.st_uid == uid &&
|
|
S_ISREG(sb.st_mode)) {
|
|
len = snprintf(namepath, sizeof(namepath), "FILE:%s/%s",
|
|
dirpath, dp->d_name);
|
|
if (len < sizeof(namepath) &&
|
|
is_a_valid_tgt_cache(namepath, uid, &rating,
|
|
&exptime) != 0) {
|
|
if (gotone == 0 || rating > orating ||
|
|
(rating == orating && exptime > oexptime)) {
|
|
orating = rating;
|
|
oexptime = exptime;
|
|
strcpy(retpath, namepath);
|
|
gotone = 1;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
closedir(dirp);
|
|
if (gotone != 0) {
|
|
strcpy(rpath, retpath);
|
|
return (1);
|
|
}
|
|
return (0);
|
|
}
|
|
|
|
/*
|
|
* Try to determine if the file is a valid tgt cache file.
|
|
* Check that the file has a valid tgt for a principal.
|
|
* If it does, return 1, otherwise return 0.
|
|
* It also returns a "rating" and the expiry time for the TGT, when found.
|
|
* This "rating" is higher based on heuristics that make it more
|
|
* likely to be the correct credential cache file to use. It can
|
|
* be used by the caller, along with expiry time, to select from
|
|
* multiple credential cache files.
|
|
*/
|
|
static int
|
|
is_a_valid_tgt_cache(const char *filepath, uid_t uid, int *retrating,
|
|
time_t *retexptime)
|
|
{
|
|
#ifndef WITHOUT_KERBEROS
|
|
krb5_context context;
|
|
krb5_principal princ;
|
|
krb5_ccache ccache;
|
|
krb5_error_code retval;
|
|
krb5_cc_cursor curse;
|
|
krb5_creds krbcred;
|
|
int gotone, orating, rating, ret;
|
|
struct passwd *pw;
|
|
char *cp, *cp2, *pname;
|
|
time_t exptime;
|
|
|
|
/* Find a likely name for the uid principal. */
|
|
pw = getpwuid(uid);
|
|
|
|
/*
|
|
* Do a bunch of krb5 library stuff to try and determine if
|
|
* this file is a credentials cache with an appropriate TGT
|
|
* in it.
|
|
*/
|
|
retval = krb5_init_context(&context);
|
|
if (retval != 0)
|
|
return (0);
|
|
retval = krb5_cc_resolve(context, filepath, &ccache);
|
|
if (retval != 0) {
|
|
krb5_free_context(context);
|
|
return (0);
|
|
}
|
|
ret = 0;
|
|
orating = 0;
|
|
exptime = 0;
|
|
retval = krb5_cc_start_seq_get(context, ccache, &curse);
|
|
if (retval == 0) {
|
|
while ((retval = krb5_cc_next_cred(context, ccache, &curse,
|
|
&krbcred)) == 0) {
|
|
gotone = 0;
|
|
rating = 0;
|
|
retval = krb5_unparse_name(context, krbcred.server,
|
|
&pname);
|
|
if (retval == 0) {
|
|
cp = strchr(pname, '/');
|
|
if (cp != NULL) {
|
|
*cp++ = '\0';
|
|
if (strcmp(pname, "krbtgt") == 0 &&
|
|
krbcred.times.endtime > time(NULL)
|
|
) {
|
|
gotone = 1;
|
|
/*
|
|
* Test to see if this is a
|
|
* tgt for cross-realm auth.
|
|
* Rate it higher, if it is not.
|
|
*/
|
|
cp2 = strchr(cp, '@');
|
|
if (cp2 != NULL) {
|
|
*cp2++ = '\0';
|
|
if (strcmp(cp, cp2) ==
|
|
0)
|
|
rating++;
|
|
}
|
|
}
|
|
}
|
|
free(pname);
|
|
}
|
|
if (gotone != 0) {
|
|
retval = krb5_unparse_name(context,
|
|
krbcred.client, &pname);
|
|
if (retval == 0) {
|
|
cp = strchr(pname, '@');
|
|
if (cp != NULL) {
|
|
*cp++ = '\0';
|
|
if (pw != NULL && strcmp(pname,
|
|
pw->pw_name) == 0)
|
|
rating++;
|
|
if (strchr(pname, '/') == NULL)
|
|
rating++;
|
|
if (pref_realm[0] != '\0' &&
|
|
strcmp(cp, pref_realm) == 0)
|
|
rating++;
|
|
}
|
|
}
|
|
free(pname);
|
|
if (rating > orating) {
|
|
orating = rating;
|
|
exptime = krbcred.times.endtime;
|
|
} else if (rating == orating &&
|
|
krbcred.times.endtime > exptime)
|
|
exptime = krbcred.times.endtime;
|
|
ret = 1;
|
|
}
|
|
krb5_free_cred_contents(context, &krbcred);
|
|
}
|
|
krb5_cc_end_seq_get(context, ccache, &curse);
|
|
}
|
|
krb5_cc_close(context, ccache);
|
|
krb5_free_context(context);
|
|
if (ret != 0) {
|
|
*retrating = orating;
|
|
*retexptime = exptime;
|
|
}
|
|
return (ret);
|
|
#else /* WITHOUT_KERBEROS */
|
|
return (0);
|
|
#endif /* !WITHOUT_KERBEROS */
|
|
}
|
|
|
|
#ifndef WITHOUT_KERBEROS
|
|
/*
|
|
* This function attempts to do essentially a "kinit -k" for the principal
|
|
* name provided as the argument, so that there will be a TGT in the
|
|
* credential cache.
|
|
*/
|
|
static krb5_error_code
|
|
gssd_get_cc_from_keytab(const char *name)
|
|
{
|
|
krb5_error_code ret, opt_ret, princ_ret, cc_ret, kt_ret, cred_ret;
|
|
krb5_context context;
|
|
krb5_principal principal;
|
|
krb5_keytab kt;
|
|
krb5_creds cred;
|
|
krb5_get_init_creds_opt *opt;
|
|
krb5_deltat start_time = 0;
|
|
krb5_ccache ccache;
|
|
|
|
ret = krb5_init_context(&context);
|
|
if (ret != 0)
|
|
return (ret);
|
|
opt_ret = cc_ret = kt_ret = cred_ret = 1; /* anything non-zero */
|
|
princ_ret = ret = krb5_parse_name(context, name, &principal);
|
|
if (ret == 0)
|
|
opt_ret = ret = krb5_get_init_creds_opt_alloc(context, &opt);
|
|
if (ret == 0)
|
|
cc_ret = ret = krb5_cc_default(context, &ccache);
|
|
if (ret == 0)
|
|
ret = krb5_cc_initialize(context, ccache, principal);
|
|
if (ret == 0) {
|
|
krb5_get_init_creds_opt_set_default_flags(context, "gssd",
|
|
krb5_principal_get_realm(context, principal), opt);
|
|
kt_ret = ret = krb5_kt_default(context, &kt);
|
|
}
|
|
if (ret == 0)
|
|
cred_ret = ret = krb5_get_init_creds_keytab(context, &cred,
|
|
principal, kt, start_time, NULL, opt);
|
|
if (ret == 0)
|
|
ret = krb5_cc_store_cred(context, ccache, &cred);
|
|
if (kt_ret == 0)
|
|
krb5_kt_close(context, kt);
|
|
if (cc_ret == 0)
|
|
krb5_cc_close(context, ccache);
|
|
if (opt_ret == 0)
|
|
krb5_get_init_creds_opt_free(context, opt);
|
|
if (princ_ret == 0)
|
|
krb5_free_principal(context, principal);
|
|
if (cred_ret == 0)
|
|
krb5_free_cred_contents(context, &cred);
|
|
krb5_free_context(context);
|
|
return (ret);
|
|
}
|
|
|
|
/*
|
|
* Acquire a gss credential for a uid.
|
|
*/
|
|
static OM_uint32
|
|
gssd_get_user_cred(OM_uint32 *min_statp, uid_t uid, gss_cred_id_t *credp)
|
|
{
|
|
gss_buffer_desc principal_desc;
|
|
gss_name_t name;
|
|
OM_uint32 maj_stat, min_stat;
|
|
gss_OID_set mechlist;
|
|
struct passwd *pw;
|
|
|
|
pw = getpwuid(uid);
|
|
if (pw == NULL) {
|
|
*min_statp = 0;
|
|
return (GSS_S_FAILURE);
|
|
}
|
|
|
|
/*
|
|
* The mechanism must be set to KerberosV for acquisition
|
|
* of credentials to work reliably.
|
|
*/
|
|
maj_stat = gss_create_empty_oid_set(min_statp, &mechlist);
|
|
if (maj_stat != GSS_S_COMPLETE)
|
|
return (maj_stat);
|
|
maj_stat = gss_add_oid_set_member(min_statp, GSS_KRB5_MECH_OID_X,
|
|
&mechlist);
|
|
if (maj_stat != GSS_S_COMPLETE) {
|
|
gss_release_oid_set(&min_stat, &mechlist);
|
|
return (maj_stat);
|
|
}
|
|
|
|
principal_desc.value = (void *)pw->pw_name;
|
|
principal_desc.length = strlen(pw->pw_name);
|
|
maj_stat = gss_import_name(min_statp, &principal_desc,
|
|
GSS_C_NT_USER_NAME, &name);
|
|
if (maj_stat != GSS_S_COMPLETE) {
|
|
gss_release_oid_set(&min_stat, &mechlist);
|
|
return (maj_stat);
|
|
}
|
|
/* Acquire the credentials. */
|
|
maj_stat = gss_acquire_cred(min_statp, name, 0, mechlist,
|
|
GSS_C_INITIATE, credp, NULL, NULL);
|
|
gss_release_name(&min_stat, &name);
|
|
gss_release_oid_set(&min_stat, &mechlist);
|
|
return (maj_stat);
|
|
}
|
|
#endif /* !WITHOUT_KERBEROS */
|
|
|
|
void gssd_terminate(int sig __unused)
|
|
{
|
|
|
|
#ifndef WITHOUT_KERBEROS
|
|
if (hostbased_initiator_cred != 0)
|
|
unlink(GSSD_CREDENTIAL_CACHE_FILE);
|
|
#endif
|
|
gssd_syscall("");
|
|
exit(0);
|
|
}
|
|
|