* forward.c (rd_and_store_for_creds): Don't do the chown. Avoids

	a security hole. [krb5-appl/494]

	* krshd.c (recvauth): chown the ccache explicitly, as
	rd_and_store_for_creds no longer does so. [krb5-appl/494]

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10277 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/appl/bsd/ChangeLog b/src/appl/bsd/ChangeLog
index af90149bd56c85400b5d81906c796566a1aca190..a0972b2eb119bb25c4202a3c5398ccbfd1eb83ea 100644 (file)
--- a/src/appl/bsd/ChangeLog
+++ b/src/appl/bsd/ChangeLog
@@ -1,3 +1,11 @@
+Wed Nov 12 19:03:02 1997  Tom Yu  <tlyu@mit.edu>
+
+       * forward.c (rd_and_store_for_creds): Don't do the chown.  Avoids
+       a security hole. [krb5-appl/494]
+
+       * krshd.c (recvauth): chown the ccache explicitly, as
+       rd_and_store_for_creds no longer does so. [krb5-appl/494]
+
 Thu Nov  6 22:04:26 1997  Theodore Y. Ts'o  <tytso@mit.edu>
 
        * v4rcp.c: Use error_message(errno) instead of using

diff --git a/src/appl/bsd/forward.c b/src/appl/bsd/forward.c
index 54594b9b9783a75bbcb88a4f95a9302e120ddca5..e22fc1d98392735a0d36417625a491a7720ee3e3 100644 (file)
--- a/src/appl/bsd/forward.c
+++ b/src/appl/bsd/forward.c
@@ -21,7 +21,6 @@
 
 #if defined(KERBEROS) || defined(KRB5)
 #include <stdio.h>
-#include <pwd.h>
 #include <netdb.h>
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -30,22 +29,18 @@
 
 /* Decode, decrypt and store the forwarded creds in the local ccache. */
 krb5_error_code
-rd_and_store_for_creds(context, auth_context, inbuf, ticket, lusername, ccache)
+rd_and_store_for_creds(context, auth_context, inbuf, ticket, ccache)
     krb5_context context;
     krb5_auth_context auth_context;
     krb5_data *inbuf;
     krb5_ticket *ticket;
-    char *lusername;
     krb5_ccache *ccache;
 {
     krb5_creds ** creds;
     krb5_error_code retval;
     char ccname[35];
-    struct passwd *pwd;
 
     *ccache  = NULL;
-    if (!(pwd = (struct passwd *) getpwnam(lusername)))
-       return ENOENT;
 
     if (retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL)) 
        return(retval);
@@ -67,19 +62,6 @@ rd_and_store_for_creds(context, auth_context, inbuf, ticket, lusername, ccache)
     if (retval = krb5_cc_store_cred(context, *ccache, *creds)) 
        goto cleanup;
 
-    if (retval = chown(ccname+5, pwd->pw_uid, -1)) {
-       /* 
-        * If the file owner is the same as the user id then return ok.
-        * This is for testing only --proven
-        */
-       struct stat statbuf;
-
-       if (stat(ccname + 5, & statbuf) == 0) {
-           if (statbuf.st_uid == pwd->pw_uid)
-               retval = 0;
-       }
-    }
-    
 cleanup:
     krb5_free_creds(context, *creds);
     return retval;

diff --git a/src/appl/bsd/krshd.c b/src/appl/bsd/krshd.c
index e999a280694126860a02564d707744800f55e9dc..ef8766d0bc8e95a38ec1f8b941f8b25ba37069bb 100644 (file)
--- a/src/appl/bsd/krshd.c
+++ b/src/appl/bsd/krshd.c
@@ -1720,6 +1720,9 @@ recvauth(netf, peersin, valid_checksum)
     krb5_authenticator *authenticator;
     krb5_ticket        *ticket;
     krb5_rcache                rcache;
+    struct passwd *pwd;
+    uid_t uid;
+    gid_t gid;
 
     *valid_checksum = 0;
     len = sizeof(laddr);
@@ -1875,12 +1878,24 @@ recvauth(netf, peersin, valid_checksum)
     }
 
     if (inbuf.length) { /* Forwarding being done, read creds */
+       pwd = getpwnam(locuser);
+       if (!pwd) {
+           error("Login incorrect.\n");
+           exit(1);
+       }
+       uid = pwd->pw_uid;
+       gid = pwd->pw_gid;
        if ((status = rd_and_store_for_creds(bsd_context, auth_context, &inbuf,
-                                            ticket, locuser, &ccache))) {
+                                            ticket, &ccache))) {
            error("Can't get forwarded credentials: %s\n",
                  error_message(status));
            exit(1);
        }
+       if (chown(krb5_cc_get_name(bsd_context, ccache), uid, gid) == -1) {
+           error("Can't chown forwarded credentials: %s\n",
+                 error_message(errno));
+           exit(1);
+       }
     }
     krb5_free_ticket(bsd_context, ticket);
     return 0;