configure.in heuristic.c:
authorRichard Basch <probe@mit.edu>
Mon, 13 May 1996 11:54:07 +0000 (11:54 +0000)
committerRichard Basch <probe@mit.edu>
Mon, 13 May 1996 11:54:07 +0000 (11:54 +0000)
Change the euid before opening the source ccache, so we don't use
someone else's ccache.

authorization.c:
Users listed only in ~/.k5login (and not in .k5users) were not permitted to use the '-e cmd' feature.
The man page does not indicate that this should be refused...

Also, lots of indentation cleanup was done... I couldn't read the code before.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@8013 dc483132-0cff-0310-8789-dd5450dbe970

src/clients/ksu/ChangeLog
src/clients/ksu/authorization.c
src/clients/ksu/configure.in
src/clients/ksu/heuristic.c

index 84b76ddeee891ab994d9b81ad322be17bf5f5a95..e3b5d2dd33da56809ae447fca4f936b8a3ba8450 100644 (file)
@@ -1,3 +1,16 @@
+Mon May 13 06:50:12 1996  Richard Basch  <basch@lehman.com>
+
+       * authorization.c: users in the .k5login were not permitted to use
+       the '-e command' flag; the man page does not indicate this should fail.
+       All users in .k5login, and those in .k5users (for the specified cmd)
+       are now allowed to execute commands.
+       Also, a lot of indentation cleanup was done.
+
+       * configure.in heuristic.c:
+       Before getting the best principal from the ccache, reset the euid;
+       we don't want to use someone else's ccache.
+       Also, a lot of indentation cleanup was done.
+
 Wed Apr 10 20:24:49 1996  Richard Basch  <basch@lehman.com>
 
        * main.c, krb_auth_su.c: Mostly cosmetic cleanup of output
index ec2dce8cf6c8c0e7e8d9bd264552ce15c4eb81f1..39e745995c1e7b7e9ae1ca56266407927159fd12 100644 (file)
@@ -1,4 +1,4 @@
-/* 
+/*
  * Copyright (c) 1994 by the University of Southern California
  *
  * EXPORT OF THIS SOFTWARE from the United States of America may
@@ -10,7 +10,7 @@
  *     this software and its documentation in source and binary forms is
  *     hereby granted, provided that any documentation or other materials
  *     related to such distribution or use acknowledge that the software
- *     was developed by the University of Southern California. 
+ *     was developed by the University of Southern California.
  *
  * DISCLAIMER OF WARRANTY.  THIS SOFTWARE IS PROVIDED "AS IS".  The
  *     University of Southern California MAKES NO REPRESENTATIONS OR
@@ -33,7 +33,7 @@ krb5_boolean fowner(fp, uid)
     FILE *fp;
     int uid;
 {
-struct stat sbuf;
+    struct stat sbuf;
 
     /*
      * For security reasons, file must be owned either by
@@ -49,7 +49,7 @@ struct stat sbuf;
        return(FALSE);
     }
 
-return(TRUE);
+    return(TRUE);
 }
 
 /*
@@ -73,107 +73,102 @@ krb5_error_code krb5_authorization(context, principal, luser,
 {
     struct passwd *pwd;
     char *princname;
-    int k5login_flag =0; 
-    int k5users_flag =0; 
-    krb5_boolean retbool =FALSE; 
-    FILE * login_fp, * users_fp;       
-    krb5_error_code retval = 0;        
+    int k5login_flag =0;
+    int k5users_flag =0;
+    krb5_boolean retbool =FALSE;
+    FILE * login_fp, * users_fp;
+    krb5_error_code retval = 0;
     struct stat statbuf;
     struct stat st_temp;
 
-    *ok =FALSE;        
+    *ok =FALSE;
 
     /* no account => no access */
-    if ((pwd = getpwnam(luser)) == NULL) {
+    if ((pwd = getpwnam(luser)) == NULL)
        return 0;
-    }
-
-    if (retval = krb5_unparse_name(context, principal, &princname)){
-       return retval;  
-    }
 
+    if (retval = krb5_unparse_name(context, principal, &princname))
+       return retval;
 
 #ifdef DEBUG
-       printf("principal to be authorized %s\n", princname);           
-       printf("login file: %s\n", k5login_path);
-       printf("users file: %s\n", k5users_path);
+    printf("principal to be authorized %s\n", princname);
+    printf("login file: %s\n", k5login_path);
+    printf("users file: %s\n", k5users_path);
 #endif
 
-       
     k5login_flag = stat(k5login_path, &st_temp);
     k5users_flag = stat(k5users_path, &st_temp);
 
-    /* k5login and k5users must be owned by target user or root */      
-    if (!k5login_flag){        
-       if ((login_fp = fopen(k5login_path, "r")) == NULL) {
-               return 0;
-       }
-       if ( fowner(login_fp, pwd->pw_uid) == FALSE){ 
-               return 0;
-       }
-    }  
+    /* k5login and k5users must be owned by target user or root */
+    if (!k5login_flag){
+       if ((login_fp = fopen(k5login_path, "r")) == NULL)
+           return 0;
+       if ( fowner(login_fp, pwd->pw_uid) == FALSE)
+           return 0;
+    }
 
-    if (!k5users_flag){        
+    if (!k5users_flag){
        if ((users_fp = fopen(k5users_path, "r")) == NULL) {
-               return 0;
+           return 0;
        }
-       if ( fowner(users_fp, pwd->pw_uid) == FALSE){ 
-               return 0;
+       if ( fowner(users_fp, pwd->pw_uid) == FALSE){
+           return 0;
        }
-    }  
+    }
 
-   if (auth_debug){ 
-        fprintf(stderr,
-               "In krb5_authorization: if auth files exist -> can access\n"); 
-   }
+    if (auth_debug){
+       fprintf(stderr,
+               "In krb5_authorization: if auth files exist -> can access\n");
+    }
 
-    if (cmd){  
+#if 0
+    if (cmd){
        if(k5users_flag){
-               return 0; /* if  kusers does not exist -> done */           
+           return 0; /* if  kusers does not exist -> done */
        }else{
-               if(retval = k5users_lookup(users_fp,princname,
-                                          cmd,&retbool,out_fcmd)){ 
-                       auth_cleanup(k5users_flag,users_fp,
-                               k5login_flag,login_fp, princname); 
-                       return retval;
-               }else{
-                       *ok =retbool;   
-                       return retval;
-               }
-       }
-    }  
-
-       /* if either file exists,
-          first see if the principal is in the login in file,
-          if it's not there check the k5users file */  
-
-   if (!k5login_flag){  
-
-       
-       if (auth_debug){
-         fprintf(stderr,
-               "In krb5_authorization: principal to be authorized %s\n",
-               princname); 
-       }
-       if (retval = k5login_lookup( login_fp,  princname, &retbool)){ 
+           if(retval = k5users_lookup(users_fp,princname,
+                                      cmd,&retbool,out_fcmd)){
                auth_cleanup(k5users_flag,users_fp,
-                                k5login_flag,login_fp, princname); 
+                            k5login_flag,login_fp, princname);
+               return retval;
+           }else{
+               *ok =retbool;
                return retval;
+           }
        }
+    }
+#endif
 
+    /* if either file exists,
+       first see if the principal is in the login in file,
+       if it's not there check the k5users file */
+
+    if (!k5login_flag){
+       if (auth_debug)
+           fprintf(stderr,
+                   "In krb5_authorization: principal to be authorized %s\n",
+                   princname);
+       if (retval = k5login_lookup( login_fp,  princname, &retbool)){
+           auth_cleanup(k5users_flag,users_fp,
+                        k5login_flag,login_fp, princname);
+           return retval;
+       }
+       if (retbool) {
+           if (cmd)
+               *out_fcmd = strdup(cmd);
+       }
+    }
 
-   }   
-
-   if ((!k5users_flag) && (retbool == FALSE) ){  
-       if(retval = k5users_lookup (users_fp,princname,
-                                   cmd, &retbool,out_fcmd)){ 
-               auth_cleanup(k5users_flag,users_fp,
-                       k5login_flag,login_fp, princname); 
-               return retval;
+    if ((!k5users_flag) && (retbool == FALSE) ){
+       if(retval = k5users_lookup (users_fp, princname,
+                                   cmd, &retbool, out_fcmd)){
+           auth_cleanup(k5users_flag,users_fp,
+                        k5login_flag,login_fp, princname);
+           return retval;
        }
-   }   
+    }
 
-    if ( k5login_flag && k5users_flag){
+    if (k5login_flag && k5users_flag){
 
        char * kuser =  (char *) calloc (strlen(princname), sizeof(char));
        if (!(krb5_aname_to_localname(context, principal,
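Review bot: In the new .k5login branch, `if (retbool) { if (cmd) *out_fcmd = strdup(cmd); }` neither checks the strdup result nor runs the caller-supplied command through the fcmd_resolve/find_first_cmd_that_exists validation that the .k5users path applies, so a .k5login entry now authorizes any command string, passed back unresolved; that looks intentional (a .k5login entry already implies full login rights), but it deserves a comment such as `/* .k5login grants full login rights, so any cmd is permitted; passed through unresolved */` and a NULL check along the lines of `if (cmd && (*out_fcmd = strdup(cmd)) == NULL) { auth_cleanup(k5users_flag, users_fp, k5login_flag, login_fp, princname); return ENOMEM; }`. The fowner failure paths rewritten in this hunk (`return 0` after fopen of login_fp, and again after fopen of users_fp) still skip auth_cleanup, leaking princname and the open stream(s); they do fail closed, so this is a cleanliness issue rather than an authorization bug. The `#if 0` block is dead code on the new side and should be removed rather than kept. Because k5users_lookup is only consulted while `retbool == FALSE`, a principal listed in both files gets the unrestricted .k5login grant and its .k5users restrictions are never applied — worth stating explicitly in a comment or the ChangeLog. krb5_authorization's signature precedes this hunk and its body continues after it.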
@@ -183,18 +178,18 @@ krb5_error_code krb5_authorization(context, principal, luser,
        }
 
        free(kuser);
-   }
-        
-   *ok =retbool;       
-   auth_cleanup(k5users_flag,users_fp, k5login_flag,login_fp, princname); 
-   return 0;
+    }
+
+    *ok =retbool;
+    auth_cleanup(k5users_flag,users_fp, k5login_flag,login_fp, princname);
+    return 0;
 }
 
 /***********************************************************
-k5login_lookup looks for princname in file fp. Spaces    
+k5login_lookup looks for princname in file fp. Spaces
 before the princaname (in the file ) are not ignored
 spaces after the princname are ignored. If there are
-any tokens after the principal name  FALSE is returned.      
+any tokens after the principal name  FALSE is returned.
 
 ***********************************************************/
 
@@ -202,58 +197,58 @@ krb5_error_code k5login_lookup (fp, princname, found)
     FILE *fp;
     char *princname;
     krb5_boolean *found;
-{   
+{
 
-krb5_error_code retval;
-char * line;
-char * fprinc;
-char * lp;  
-krb5_boolean loc_found = FALSE; 
+    krb5_error_code retval;
+    char * line;
+    char * fprinc;
+    char * lp;
+    krb5_boolean loc_found = FALSE;
 
 
-       if (retval = get_line(fp, &line )){
-               return retval;  
-       }
+    if (retval = get_line(fp, &line )){
+       return retval;
+    }
 
-       while (line){ 
-               fprinc = get_first_token (line, &lp);
-
-               if (fprinc && (!strcmp(princname, fprinc))){
-                       if( get_next_token (&lp) ){ 
-                               free (line);
-                               break;  /* nothing should follow princname*/  
-                       }
-                       else{   
-                               loc_found = TRUE;
-                               free (line);
-                               break;
-                       }
-               }
+    while (line){
+       fprinc = get_first_token (line, &lp);
 
+       if (fprinc && (!strcmp(princname, fprinc))){
+           if( get_next_token (&lp) ){
+               free (line);
+               break;  /* nothing should follow princname*/
+           }
+           else{
+               loc_found = TRUE;
                free (line);
-               if (retval = get_line(fp, &line )){ return retval;}
+               break;
+           }
        }
 
+       free (line);
+       if (retval = get_line(fp, &line )){ return retval;}
+    }
+
 
-*found = loc_found;
-return 0;
+    *found = loc_found;
+    return 0;
 
 }
 
 /***********************************************************
-k5users_lookup looks for princname in file fp. Spaces    
+k5users_lookup looks for princname in file fp. Spaces
 before the princaname (in the file ) are not ignored
-spaces after the princname are ignored. 
+spaces after the princname are ignored.
 
-authorization alg: 
+authorization alg:
 
-if princname is not found return false.       
+if princname is not found return false.
 
-if princname is found{  
-        if cmd == NULL then the file entry after principal             
-                       name must be nothing or *     
-               
-        if cmd !=NULL  then entry must be matched (* is ok)        
+if princname is found{
+        if cmd == NULL then the file entry after principal
+                       name must be nothing or *
+
+        if cmd !=NULL  then entry must be matched (* is ok)
 }
 
 
@@ -265,81 +260,79 @@ krb5_error_code k5users_lookup (fp, princname, cmd, found, out_fcmd)
     krb5_boolean *found;
     char **out_fcmd;
 {
-krb5_error_code retval;
-char * line;
-char * fprinc, *fcmd;
-char * lp;  
-char * loc_fcmd = NULL;
-krb5_boolean loc_found = FALSE; 
-
-       if (retval = get_line(fp, &line )){
-               return retval;  
-       }
-
-       while (line){ 
-               fprinc = get_first_token (line, &lp);
-
-               if (fprinc && (!strcmp(princname, fprinc))){
-                       fcmd = get_next_token (&lp);
+    krb5_error_code retval;
+    char * line;
+    char * fprinc, *fcmd;
+    char * lp;
+    char * loc_fcmd = NULL;
+    krb5_boolean loc_found = FALSE;
+
+    if (retval = get_line(fp, &line ))
+       return retval;
+
+    while (line){
+       fprinc = get_first_token (line, &lp);
+
+       if (fprinc && (!strcmp(princname, fprinc))){
+           fcmd = get_next_token (&lp);
+
+           if ((fcmd) && (!strcmp(fcmd, PERMIT_ALL_COMMANDS))){
+               if (get_next_token(&lp) == NULL){
+                   loc_fcmd =cmd ? strdup(cmd): NULL;
+                   loc_found = TRUE;
+               }
+               free (line);
+               break;
+           }
 
-                       if ((fcmd) && (!strcmp(fcmd, PERMIT_ALL_COMMANDS))){
-                               if (get_next_token(&lp) == NULL){ 
-                                       loc_fcmd =cmd ? strdup(cmd): NULL; 
-                                       loc_found = TRUE;
-                               }
-                               free (line);
-                               break;
-                       }
-                       
-                       if (cmd == NULL){
-                               if (fcmd == NULL){ 
-                                       loc_found = TRUE;
-                               }
-                               free (line);
-                               break;
-                               
+           if (cmd == NULL){
+               if (fcmd == NULL)
+                   loc_found = TRUE;
+               free (line);
+               break;
+
+           }else{
+               if (fcmd != NULL) {
+                   char * temp_rfcmd, *err;
+                   krb5_boolean match;
+                   do {
+                       if(match_commands(fcmd,cmd,&match,
+                                         &temp_rfcmd, &err)){
+                           if (auth_debug){
+                               fprintf(stderr,"%s",err);
+                           }
+                           loc_fcmd = err;
+                           break;
                        }else{
-                               if (fcmd != NULL) {
-                                       char * temp_rfcmd, *err;
-                                       krb5_boolean match;                                     
-                                       do {
-                                           if(match_commands(fcmd,cmd,&match,
-                                                            &temp_rfcmd, &err)){
-                                               if (auth_debug){  
-                                                     fprintf(stderr,"%s",err);
-                                               }
-                                               loc_fcmd = err;
-                                               break;
-                                           }else{      
-                                               if (match == TRUE){
-                                                       loc_fcmd = temp_rfcmd;
-                                                       loc_found = TRUE;
-                                                       break;          
-                                               }
-                                           }   
-
-                                       }while (fcmd = get_next_token( &lp)); 
-                               }
-                               free (line);
+                           if (match == TRUE){
+                               loc_fcmd = temp_rfcmd;
+                               loc_found = TRUE;
                                break;
+                           }
                        }
-               }
 
+                   }while (fcmd = get_next_token( &lp));
+               }
                free (line);
-               if (retval = get_line(fp, &line )){ return retval;}
+               break;
+           }
        }
 
-*out_fcmd = loc_fcmd;
-*found = loc_found;
-return 0;
+       free (line);
+       if (retval = get_line(fp, &line )){ return retval;}
+    }
+
+    *out_fcmd = loc_fcmd;
+    *found = loc_found;
+    return 0;
 
 }
 
 
 /***********************************************
-fcmd_resolve -   
-takes a command specified .k5users file and        
-resolves it into a full path name.         
+fcmd_resolve -
+takes a command specified .k5users file and
+resolves it into a full path name.
 
 ************************************************/
 
@@ -348,79 +341,79 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
     char ***out_fcmd;
     char **out_err;
 {
-char * out_path; 
-char * err;       
-char ** tmp_fcmd;
-char * path_ptr, *path; 
-char * lp, * tc;
-int i=0;
-       
-       tmp_fcmd = (char **) calloc (MAX_CMD, sizeof(char *));    
-
-       if (*fcmd == '/'){  /* must be full path */       
-               tmp_fcmd[0] = strdup(fcmd);   
-               tmp_fcmd[1] = NULL;   
-               *out_fcmd = tmp_fcmd;
-               return TRUE;    
-       }else{
-               /* must be either full path or just the cmd name */        
-               if (strchr(fcmd, '/')){
-                       err = (char *) calloc((strlen(fcmd) +200) ,sizeof(char));
-                       sprintf(err,"Error: bad entry - %s in %s file, must be either full path or just the cmd name\n", fcmd, KRB5_USERS_NAME);
-                       *out_err = err;   
-                       return FALSE;
-               }
-               
-#ifndef CMD_PATH 
-               err = (char *) calloc(2*(strlen(fcmd) +200) ,sizeof(char));
-               sprintf(err,"Error: bad entry - %s in %s file, since %s is just the cmd name, CMD_PATH must be defined \n", fcmd, KRB5_USERS_NAME, fcmd);
-                       *out_err = err;   
-               return FALSE;   
+    char * out_path;
+    char * err;
+    char ** tmp_fcmd;
+    char * path_ptr, *path;
+    char * lp, * tc;
+    int i=0;
+
+    tmp_fcmd = (char **) calloc (MAX_CMD, sizeof(char *));
+
+    if (*fcmd == '/'){  /* must be full path */
+       tmp_fcmd[0] = strdup(fcmd);
+       tmp_fcmd[1] = NULL;
+       *out_fcmd = tmp_fcmd;
+       return TRUE;
+    }else{
+       /* must be either full path or just the cmd name */
+       if (strchr(fcmd, '/')){
+           err = (char *) calloc((strlen(fcmd) +200) ,sizeof(char));
+           sprintf(err,"Error: bad entry - %s in %s file, must be either full path or just the cmd name\n", fcmd, KRB5_USERS_NAME);
+           *out_err = err;
+           return FALSE;
+       }
+
+#ifndef CMD_PATH
+       err = (char *) calloc(2*(strlen(fcmd) +200) ,sizeof(char));
+       sprintf(err,"Error: bad entry - %s in %s file, since %s is just the cmd name, CMD_PATH must be defined \n", fcmd, KRB5_USERS_NAME, fcmd);
+       *out_err = err;
+       return FALSE;
 #else
 
-       path = strdup (CMD_PATH); 
+       path = strdup (CMD_PATH);
        path_ptr = path;
 
-       while ((*path_ptr == ' ') || (*path_ptr == '\t')) path_ptr ++;    
+       while ((*path_ptr == ' ') || (*path_ptr == '\t')) path_ptr ++;
 
        tc = get_first_token (path_ptr, &lp);
-               
-       if (! tc){   
-               err = (char *) calloc((strlen(fcmd) +200) ,sizeof(char));
-               sprintf(err,"Error: bad entry - %s in %s file, CMD_PATH contains no paths \n",  fcmd, KRB5_USERS_NAME);
-                       *out_err = err;   
-               return FALSE;
-       } 
+
+       if (! tc){
+           err = (char *) calloc((strlen(fcmd) +200) ,sizeof(char));
+           sprintf(err,"Error: bad entry - %s in %s file, CMD_PATH contains no paths \n",  fcmd, KRB5_USERS_NAME);
+           *out_err = err;
+           return FALSE;
+       }
 
        i=0;
        do{
-               if (*tc != '/'){  /* must be full path */       
-                       err = (char *) calloc((strlen(tc) +200) ,sizeof(char));
-                       sprintf(err,"Error: bad path %s in CMD_PATH for %s must start with '/' \n",tc, KRB5_USERS_NAME );
-                       *out_err = err;   
-                       return FALSE;
-               }
+           if (*tc != '/'){  /* must be full path */
+               err = (char *) calloc((strlen(tc) +200) ,sizeof(char));
+               sprintf(err,"Error: bad path %s in CMD_PATH for %s must start with '/' \n",tc, KRB5_USERS_NAME );
+               *out_err = err;
+               return FALSE;
+           }
 
-               out_path = (char *) calloc( MAXPATHLEN, sizeof (char));  
-               sprintf(out_path,"%s/%s",tc, fcmd ); 
+           out_path = (char *) calloc( MAXPATHLEN, sizeof (char));
+           sprintf(out_path,"%s/%s",tc, fcmd );
 
-               tmp_fcmd[i] = out_path;
+           tmp_fcmd[i] = out_path;
 
-               i++;    
+           i++;
 
        } while(tc = get_next_token (&lp));
 
-       tmp_fcmd[i] = NULL; 
+       tmp_fcmd[i] = NULL;
        *out_fcmd = tmp_fcmd;
        return TRUE;
 
 #endif /* CMD_PATH */
-      }
+    }
 }
 
 /********************************************
 cmd_single - checks if cmd consists of a path
-            or a single token               
+            or a single token
 
 ********************************************/
 
@@ -428,49 +421,49 @@ krb5_boolean cmd_single(cmd)
     char * cmd;
 {
 
-        if ( ( strrchr( cmd, '/')) ==  NULL){
-               return TRUE;
-       }else{
-               return FALSE;
-       }
+    if ( ( strrchr( cmd, '/')) ==  NULL){
+       return TRUE;
+    }else{
+       return FALSE;
+    }
 }
 
 /********************************************
-cmd_arr_cmp_postfix - compares a command with the postfix       
-         of fcmd        
+cmd_arr_cmp_postfix - compares a command with the postfix
+         of fcmd
 ********************************************/
 
 int cmd_arr_cmp_postfix(fcmd_arr, cmd)
     char **fcmd_arr;
     char *cmd;
 {
-char  * temp_fcmd;
-char *ptr;
-int result =1;  
-int i = 0;
-
-       while(fcmd_arr[i]){     
-               if ( (ptr = strrchr( fcmd_arr[i], '/')) ==  NULL){
-                               temp_fcmd = fcmd_arr[i];
-               }else {
-                               temp_fcmd = ptr + 1;
-               }
-
-               result = strcmp (temp_fcmd, cmd);
-               if (result == 0){               
-                       break;                          
-               }
-               i++;
+    char  * temp_fcmd;
+    char *ptr;
+    int result =1;
+    int i = 0;
+
+    while(fcmd_arr[i]){
+       if ( (ptr = strrchr( fcmd_arr[i], '/')) ==  NULL){
+           temp_fcmd = fcmd_arr[i];
+       }else {
+           temp_fcmd = ptr + 1;
        }
 
-return result;
+       result = strcmp (temp_fcmd, cmd);
+       if (result == 0){
+           break;
+       }
+       i++;
+    }
+
+    return result;
 
 
 }
 
 /**********************************************
-cmd_arr_cmp - checks if cmd matches any      
-              of the fcmd entries. 
+cmd_arr_cmp - checks if cmd matches any
+              of the fcmd entries.
 
 **********************************************/
 
@@ -478,17 +471,17 @@ int cmd_arr_cmp (fcmd_arr, cmd)
     char **fcmd_arr;
     char *cmd;
 {
-int result =1;  
-int i = 0;
+    int result =1;
+    int i = 0;
 
-       while(fcmd_arr[i]){     
-               result = strcmp (fcmd_arr[i], cmd);
-               if (result == 0){               
-                       break;                          
-               }
-               i++;
+    while(fcmd_arr[i]){
+       result = strcmp (fcmd_arr[i], cmd);
+       if (result == 0){
+           break;
        }
-return result;
+       i++;
+    }
+    return result;
 }
 
 
@@ -497,37 +490,37 @@ krb5_boolean find_first_cmd_that_exists(fcmd_arr, cmd_out, err_out)
     char **cmd_out;
     char **err_out;
 {
-struct stat st_temp;  
-int i = 0;
-krb5_boolean retbool= FALSE;  
-int j =0;
-char * err;
-int max_ln=0; 
-int tln=0; 
-
-       while(fcmd_arr[i]){     
-               tln = strlen(fcmd_arr[i]);  
-               if ( tln > max_ln) max_ln = tln;                                            
-               if (!stat (fcmd_arr[i], &st_temp )){ 
-                       *cmd_out = strdup(fcmd_arr[i]); 
-                       retbool = TRUE;
-                       break;  
-               }
-               i++;
+    struct stat st_temp;
+    int i = 0;
+    krb5_boolean retbool= FALSE;
+    int j =0;
+    char * err;
+    int max_ln=0;
+    int tln=0;
+
+    while(fcmd_arr[i]){
+       tln = strlen(fcmd_arr[i]);
+       if ( tln > max_ln) max_ln = tln;
+       if (!stat (fcmd_arr[i], &st_temp )){
+           *cmd_out = strdup(fcmd_arr[i]);
+           retbool = TRUE;
+           break;
        }
+       i++;
+    }
 
-if (retbool == FALSE ){ 
+    if (retbool == FALSE ){
        err = (char *) calloc((80 +max_ln*i) ,sizeof(char));
        sprintf(err,"Error: not found -> ");
-       for(j= 0; j < i; j ++){ 
-               sprintf(err,"%s %s ", err, fcmd_arr[j]);
-       }       
+       for(j= 0; j < i; j ++){
+           sprintf(err,"%s %s ", err, fcmd_arr[j]);
+       }
        sprintf(err,"%s\n", err);
-       *err_out = err; 
-}
+       *err_out = err;
+    }
+
 
-       
-return retbool;  
+    return retbool;
 }
 
 /***************************************************************
@@ -542,46 +535,46 @@ int match_commands (fcmd, cmd, match, cmd_out, err_out)
     char **cmd_out;
     char **err_out;
 {
-char ** fcmd_arr; 
-char * err;  
-char * cmd_temp; 
+    char ** fcmd_arr;
+    char * err;
+    char * cmd_temp;
 
-if(fcmd_resolve(fcmd, &fcmd_arr, &err )== FALSE ){
-       *err_out = err; 
-       return 1;       
-}
+    if(fcmd_resolve(fcmd, &fcmd_arr, &err )== FALSE ){
+       *err_out = err;
+       return 1;
+    }
 
-if (cmd_single( cmd ) == TRUE){ 
+    if (cmd_single( cmd ) == TRUE){
        if (!cmd_arr_cmp_postfix(fcmd_arr, cmd)){ /* found */
 
-               if(find_first_cmd_that_exists( fcmd_arr,&cmd_temp,&err)== TRUE){  
-                       *match = TRUE;
-                       *cmd_out = cmd_temp; 
-                       return 0;
-               }else{
-                       *err_out = err; 
-                       return 1;
-               }
-       }else{
-               *match = FALSE;
-               return 0;
-       }       
-}else{
-       if (!cmd_arr_cmp(fcmd_arr, cmd)){  /* found */ 
+           if(find_first_cmd_that_exists( fcmd_arr,&cmd_temp,&err)== TRUE){
                *match = TRUE;
-               *cmd_out = strdup(cmd); 
+               *cmd_out = cmd_temp;
                return 0;
+           }else{
+               *err_out = err;
+               return 1;
+           }
+       }else{
+           *match = FALSE;
+           return 0;
+       }
+    }else{
+       if (!cmd_arr_cmp(fcmd_arr, cmd)){  /* found */
+           *match = TRUE;
+           *cmd_out = strdup(cmd);
+           return 0;
        } else{
-               *match = FALSE;
-               return 0;
+           *match = FALSE;
+           return 0;
        }
-}
+    }
 
 }
 
 /*********************************************************
    get_line - returns a line of any length.  out_line
-             is set to null if eof.  
+             is set to null if eof.
 *********************************************************/
 
 krb5_error_code get_line (fp, out_line)
@@ -590,109 +583,108 @@ krb5_error_code get_line (fp, out_line)
     /* OUT */
     char **out_line;
 {
-char * line, *r, *newline , *line_ptr;         
-int chunk_count = 1; 
-
-       line = (char *) calloc (BUFSIZ, sizeof (char ));  
-       line_ptr = line;
-       line[0] = '\0';
-
-       while (( r = fgets(line_ptr, BUFSIZ , fp)) != NULL){
-               if (newline = strchr(line_ptr, '\n')){
-                       *newline = '\0';
-                       break;
-               }       
-               else {
-                      chunk_count ++;  
-                      if(!( line = (char *) realloc( line,  
-                               chunk_count * sizeof(char) * BUFSIZ))){
-                                       return  ENOMEM; 
-                       }
+    char * line, *r, *newline , *line_ptr;
+    int chunk_count = 1;
 
-                       line_ptr = line + (BUFSIZ -1) *( chunk_count -1) ;
-               }
-       }
+    line = (char *) calloc (BUFSIZ, sizeof (char ));
+    line_ptr = line;
+    line[0] = '\0';
 
-       if ((r == NULL) && (strlen(line) == 0)) {
-                *out_line = NULL;
-       } 
-       else{ 
-                *out_line = line;
+    while (( r = fgets(line_ptr, BUFSIZ , fp)) != NULL){
+       if (newline = strchr(line_ptr, '\n')){
+           *newline = '\0';
+           break;
        }
+       else {
+           chunk_count ++;
+           if(!( line = (char *) realloc( line,
+                                          chunk_count * sizeof(char) * BUFSIZ))){
+               return  ENOMEM;
+           }
+
+           line_ptr = line + (BUFSIZ -1) *( chunk_count -1) ;
+       }
+    }
+
+    if ((r == NULL) && (strlen(line) == 0)) {
+       *out_line = NULL;
+    }
+    else{
+       *out_line = line;
+    }
 
-return 0;
+    return 0;
 }
 
-/*******************************************************  
-get_first_token - 
-Expects a '\0' terminated input line . 
-If there are any spaces before the first token, they    
-will be returned as part of the first token.        
+/*******************************************************
+get_first_token -
+Expects a '\0' terminated input line .
+If there are any spaces before the first token, they
+will be returned as part of the first token.
 
-Note: this routine reuses the space pointed to by line 
+Note: this routine reuses the space pointed to by line
 ******************************************************/
 
 char *  get_first_token (line, lnext)
     char *line;
     char **lnext;
 {
-       
-char * lptr, * out_ptr;
 
-       
-       out_ptr = line;    
-       lptr = line;    
-       
-       while (( *lptr == ' ') || (*lptr == '\t')) lptr ++;  
-
-       if (strlen(lptr) == 0) return NULL;
-
-       while (( *lptr != ' ') && (*lptr != '\t') && (*lptr != '\0')) lptr ++;  
-
-       if (*lptr == '\0'){
-                *lnext = lptr; 
-       } else{
-               *lptr = '\0';   
-               *lnext = lptr + 1; 
-       }
-
-return out_ptr;
+    char * lptr, * out_ptr;
+
+
+    out_ptr = line;
+    lptr = line;
+    
+    while (( *lptr == ' ') || (*lptr == '\t')) lptr ++;
+    
+    if (strlen(lptr) == 0) return NULL;
+    
+    while (( *lptr != ' ') && (*lptr != '\t') && (*lptr != '\0')) lptr ++;
+    
+    if (*lptr == '\0'){
+       *lnext = lptr;
+    } else{
+       *lptr = '\0';
+       *lnext = lptr + 1;
+    }
+    
+    return out_ptr;
 }
 /**********************************************************
-get_next_token - 
-returns the next token pointed to by *lnext.             
-returns NULL if there is no more tokens.           
-Note: that this function modifies the stream        
+get_next_token -
+returns the next token pointed to by *lnext.
+returns NULL if there is no more tokens.
+Note: that this function modifies the stream
       pointed to by *lnext and does not allocate
       space for the returned tocken. It also advances
-      lnext to the next tocken.                        
+      lnext to the next tocken.
 **********************************************************/
 
 char *  get_next_token (lnext)
     char **lnext;
 {
-       
-char * lptr, * out_ptr;
+    char * lptr, * out_ptr;
 
-       
-       lptr = *lnext;    
-       
-       while (( *lptr == ' ') || (*lptr == '\t')) lptr ++;  
 
-       if (strlen(lptr) == 0) return NULL;
+    lptr = *lnext;
 
-       out_ptr = lptr;    
+    while (( *lptr == ' ') || (*lptr == '\t')) lptr ++;
 
-       while (( *lptr != ' ') && (*lptr != '\t') && (*lptr != '\0')) lptr ++;  
+    if (strlen(lptr) == 0) return NULL;
 
-       if (*lptr == '\0'){
-                *lnext = lptr; 
-       } else{
-               *lptr = '\0';   
-               *lnext = lptr + 1; 
-       }
+    out_ptr = lptr;
+
+    while (( *lptr != ' ') && (*lptr != '\t') && (*lptr != '\0')) lptr ++;
+
+    if (*lptr == '\0'){
+       *lnext = lptr;
+    } else{
+       *lptr = '\0';
+       *lnext = lptr + 1;
+    }
 
-return out_ptr;
+    return out_ptr;
 }
 
 static void auth_cleanup(k5users_flag, users_fp, k5login_flag,
@@ -704,21 +696,19 @@ static void auth_cleanup(k5users_flag, users_fp, k5login_flag,
     char *princname;
 {
 
-       free (princname);
-        if (!k5users_flag) fclose(users_fp);
-        if (!k5login_flag) fclose(login_fp);
-
+    free (princname);
+    if (!k5users_flag) fclose(users_fp);
+    if (!k5login_flag) fclose(login_fp);
 }
 
 void init_auth_names(pw_dir)
     char *pw_dir;
 {
-
-        if ((strlen(pw_dir) == 1) && (*pw_dir == '/')){
-                sprintf(k5login_path,"%s%s", pw_dir, KRB5_LOGIN_NAME);
-                sprintf(k5users_path,"%s%s", pw_dir, KRB5_USERS_NAME);
-        }else{
-                sprintf(k5login_path,"%s/%s", pw_dir, KRB5_LOGIN_NAME);
-                sprintf(k5users_path,"%s/%s", pw_dir, KRB5_USERS_NAME);
-        }
+    if ((strlen(pw_dir) == 1) && (*pw_dir == '/')){
+       sprintf(k5login_path,"%s%s", pw_dir, KRB5_LOGIN_NAME);
+       sprintf(k5users_path,"%s%s", pw_dir, KRB5_USERS_NAME);
+    }else{
+       sprintf(k5login_path,"%s/%s", pw_dir, KRB5_LOGIN_NAME);
+       sprintf(k5users_path,"%s/%s", pw_dir, KRB5_USERS_NAME);
+    }
 }
index 646a415515051bd500a13372ff1013707b9e9d7f..c626f488f72a33de446234bb696b324ae7f42326 100644 (file)
@@ -4,7 +4,8 @@ AC_PROG_INSTALL
 AC_CHECK_LIB(ndbm,main)
 AC_CHECK_LIB(dbm,main)
 AC_HEADER_STDARG
-AC_CHECK_FUNCS(getusershell)
+AC_CHECK_FUNCS(getusershell seteuid setreuid setresuid)
+AC_CHECK_HEADERS(unistd.h)
 KRB5_LIBRARIES
 V5_USE_SHARED_LIB
 V5_AC_OUTPUT_MAKEFILE
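Review bot: None of the three new function checks is required, and the `#if` chain they feed in heuristic.c's get_best_princ_for_target (later in this diff) has no branch for the case where seteuid, setresuid and setreuid are all missing: the source ccache is then read with the effective uid still 0, which is the situation the commit is meant to close. Either fail configure when none of the three is found, or terminate the C chain with `#  else` / `#   error "need seteuid, setresuid or setreuid"` so the build cannot silently produce that binary. A short comment that `AC_CHECK_HEADERS(unistd.h)` is there (presumably) so that `_POSIX_SAVED_IDS` becomes visible to heuristic.c would help the next reader.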
index 47306ba8641b238bac438ed66de2dc4f55ae9292..d1a0b4473de5fbc5c1e32b7793f8f094160861c6 100644 (file)
@@ -1,4 +1,4 @@
-/* 
+/*
  * Copyright (c) 1994 by the University of Southern California
  *
  * EXPORT OF THIS SOFTWARE from the United States of America may
@@ -10,7 +10,7 @@
  *     this software and its documentation in source and binary forms is
  *     hereby granted, provided that any documentation or other materials
  *     related to such distribution or use acknowledge that the software
- *     was developed by the University of Southern California. 
+ *     was developed by the University of Southern California.
  *
  * DISCLAIMER OF WARRANTY.  THIS SOFTWARE IS PROVIDED "AS IS".  The
  *     University of Southern California MAKES NO REPRESENTATIONS OR
  * KSU was writen by:  Ari Medvinsky, ari@isi.edu
  */
 
-#include "ksu.h" 
+#include "ksu.h"
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
 
 /*******************************************************************
 get_all_princ_from_file - retrieves all principal names
-                       from file pointed to by fp.                  
+                       from file pointed to by fp.
 
 *******************************************************************/
 static void close_time PROTOTYPE((int, FILE *, int, FILE *));
@@ -40,52 +45,47 @@ krb5_error_code get_all_princ_from_file (fp, plist)
     char ***plist;
 {
 
-       krb5_error_code retval;
-       char * line, * fprinc, * lp, ** temp_list = NULL; 
-       int count = 0, chunk_count = 1; 
-
-       if (!(temp_list = (char **) malloc( CHUNK * sizeof(char *)))){
-                return errno;
-       }
+    krb5_error_code retval;
+    char * line, * fprinc, * lp, ** temp_list = NULL;
+    int count = 0, chunk_count = 1;
 
-       if (retval = get_line(fp, &line )){
-               return retval;  
-       }
+    if (!(temp_list = (char **) malloc( CHUNK * sizeof(char *))))
+       return errno;
 
+    if (retval = get_line(fp, &line ))
+       return retval;  
 
-       while (line){ 
-               fprinc = get_first_token (line, &lp);
-                       
+    while (line){
+       fprinc = get_first_token (line, &lp);
                
-               if (fprinc ){
-                       temp_list[count] = strdup(fprinc);
-                       count ++;
-               }
-
-               if(count == (chunk_count * CHUNK -1)){
-                               chunk_count ++;
-                       if (!(temp_list = (char **) realloc(temp_list,
-                                     chunk_count * CHUNK * sizeof(char *)))){
-                              return errno;
-                       }
-               }
-
+       if (fprinc ){
+           temp_list[count] = strdup(fprinc);
+           count ++;
+       }
 
-               free (line);
-               if (retval = get_line(fp, &line )){ return retval;}
+       if(count == (chunk_count * CHUNK -1)){
+           chunk_count ++;
+           if (!(temp_list = (char **) realloc(temp_list,
+                                               chunk_count * CHUNK * sizeof(char *)))){
+               return errno;
+           }
        }
 
-       temp_list[count] = NULL;
 
+       free (line);
+       if (retval = get_line(fp, &line )){ return retval;}
+    }
 
-       *plist = temp_list;  
-       return 0;
+    temp_list[count] = NULL;
+
+    *plist = temp_list;
+    return 0;
 }
 
 /*************************************************************
-list_union - combines list1 and list2 into combined_list.                
-            the  space for list1 and list2 is either freed                     
-            or used by combined_list.     
+list_union - combines list1 and list2 into combined_list.
+            the  space for list1 and list2 is either freed
+            or used by combined_list.
 **************************************************************/
 
 krb5_error_code list_union(list1, list2, combined_list)
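Review bot: `temp_list = (char **) realloc(temp_list, ...)` in the reindented growth step overwrites the only pointer to the list when realloc fails, so the `return errno` that follows leaks the array and every strdup'd principal; assign to a temporary first, `char **grown = realloc(temp_list, chunk_count * CHUNK * sizeof(char *)); if (!grown) { /* free line, the entries and temp_list */ return errno; } temp_list = grown;`. The `return retval` after the second `get_line` call leaks the same memory, and the `strdup(fprinc)` result is stored unchecked, so an allocation failure there would silently terminate the principal list at that entry. Since fewer principals means fewer authorizations this fails closed, but the early returns deserve a common cleanup label rather than three separate leaks. get_all_princ_from_file's signature is outside the hunk.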
@@ -94,51 +94,49 @@ krb5_error_code list_union(list1, list2, combined_list)
     char ***combined_list;
 {
 
-int c1 =0, c2 = 0, i=0, j=0; 
-char ** tlist;
+    int c1 =0, c2 = 0, i=0, j=0;
+    char ** tlist;
 
-       if (! list1){           
-               *combined_list = list2;         
-               return 0; 
-       }
+    if (! list1){      
+       *combined_list = list2;         
+       return 0;
+    }
 
-       if (! list2){           
-               *combined_list = list1;         
-               return 0; 
-       }
+    if (! list2){      
+       *combined_list = list1;         
+       return 0;
+    }
 
-       while (list1[c1]) c1++;
-       while (list2[c2]) c2++;
+    while (list1[c1]) c1++;
+    while (list2[c2]) c2++;
        
-       if (!(tlist = (char **) calloc( c1 + c2 + 1, sizeof ( char *)))){       
-               return errno;
-       }
+    if (!(tlist = (char **) calloc( c1 + c2 + 1, sizeof ( char *))))
+       return errno;
 
-       i = 0;
-       while(list1[i]){  
-               tlist[i] = list1[i];   
-               i++;
-       }
-       j = 0;
-       while(list2[j]){  
-               if(find_str_in_list(list1, list2[j])==FALSE){           
-                       tlist[i] = list2[j];   
-                       i++;
-               }
-               j++;
+    i = 0;
+    while(list1[i]) {
+       tlist[i] = list1[i];
+       i++;
+    }
+    j = 0;
+    while(list2[j]){
+       if(find_str_in_list(list1, list2[j])==FALSE){           
+           tlist[i] = list2[j];
+           i++;
        }
+       j++;
+    }
 
-       free (list1);   
-       free (list2);   
+    free (list1);      
+    free (list2);      
        
-       tlist[i]= NULL; 
-
+    tlist[i]= NULL;
 
-       *combined_list = tlist;   
-       return 0;
+    *combined_list = tlist;
+    return 0;
 }
 
-krb5_error_code 
+krb5_error_code
 filter(fp, cmd, k5users_list, k5users_filt_list)
     FILE *fp;
     char *cmd;
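Review bot: In the second `while` loop a `list2[j]` that `find_str_in_list` already finds in list1 is neither moved into `tlist` nor freed, so each duplicate principal string (strdup'd by get_all_princ_from_file) leaks when the two arrays are freed below; `else free(list2[j]);` after the inner `if` fixes it. It is also worth stating in the header comment that both input arrays are consumed whenever both are non-NULL: the comment says the space "is either freed or used", but a caller that keeps a pointer to list1 or list2 after the call holds a freed array. list_union's signature is outside the hunk.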
@@ -146,53 +144,49 @@ filter(fp, cmd, k5users_list, k5users_filt_list)
     char ***k5users_filt_list;
 {
 
-krb5_error_code retval =0;
-krb5_boolean found = FALSE;
-char * out_cmd = NULL;
-int i=0, j=0, found_count = 0, k=0;    
-char ** temp_filt_list;
+    krb5_error_code retval =0;
+    krb5_boolean found = FALSE;
+    char * out_cmd = NULL;
+    int i=0, j=0, found_count = 0, k=0;        
+    char ** temp_filt_list;
 
-       *k5users_filt_list = NULL;
+    *k5users_filt_list = NULL;
 
-       if (! k5users_list){            
-               return 0;
-       }
+    if (! k5users_list){               
+       return 0;
+    }
 
-       while(k5users_list[i]){ 
+    while(k5users_list[i]){    
 
-               if (retval= k5users_lookup(fp, k5users_list[i],
-                                      cmd, &found, &out_cmd)){
-                       return retval;
-               }
+       if (retval= k5users_lookup(fp, k5users_list[i], cmd, &found, &out_cmd))
+           return retval;
 
-               if (found == FALSE){            
-                       free (k5users_list[i]);
-                       k5users_list[i] = NULL;
-                       if (out_cmd) gb_err = out_cmd;
-               }else{
-                       found_count ++; 
-               }
-               i++;
-       }
+       if (found == FALSE){            
+           free (k5users_list[i]);
+           k5users_list[i] = NULL;
+           if (out_cmd) gb_err = out_cmd;
+       } else
+           found_count ++;     
 
-       if (! (temp_filt_list = (char **) calloc ( found_count +1, 
-                                                  sizeof (char*)))){           
-               return errno;
-       }
+       i++;
+    }
 
-       for(j= 0, k=0; j < i; j ++   ){ 
-               if (k5users_list[j]){
-                       temp_filt_list[k] = k5users_list[j];            
-                       k++;
-               }
+    if (! (temp_filt_list = (char **) calloc(found_count +1, sizeof (char*))))
+       return errno;
+
+    for(j= 0, k=0; j < i; j++ ) {      
+       if (k5users_list[j]){
+           temp_filt_list[k] = k5users_list[j];                
+           k++;
        }
+    }
 
-       temp_filt_list[k] = NULL;
+    temp_filt_list[k] = NULL;
 
-       free (k5users_list);    
+    free (k5users_list);       
 
-       *k5users_filt_list = temp_filt_list;  
-       return 0; 
+    *k5users_filt_list = temp_filt_list;
+    return 0;
 }
 
 krb5_error_code
@@ -207,7 +201,7 @@ get_authorized_princ_names(luser, cmd, princ_list)
     int k5users_flag =0;
     FILE * login_fp, * users_fp;
     char **  k5login_list = NULL, ** k5users_list = NULL;
-    char ** k5users_filt_list = NULL;  
+    char ** k5users_filt_list = NULL;
     char ** combined_list = NULL;
     struct stat tb;
     krb5_error_code retval;    
@@ -216,66 +210,63 @@ get_authorized_princ_names(luser, cmd, princ_list)
 
     /* no account => no access */
 
-    if ((pwd = getpwnam(luser)) == NULL) {
+    if ((pwd = getpwnam(luser)) == NULL)
        return 0;
-    }
 
     k5login_flag = stat(k5login_path, &tb);
     k5users_flag = stat(k5users_path, &tb);
 
-    if (!k5login_flag){ 
-        if ((login_fp = fopen(k5login_path, "r")) == NULL) {
-                return 0;
-        }
+    if (!k5login_flag){
+        if ((login_fp = fopen(k5login_path, "r")) == NULL)
+           return 0;
         if ( fowner(login_fp, pwd->pw_uid) == FALSE){
-               close_time(k5users_flag,users_fp, k5login_flag,login_fp);
-                return 0;
+           close_time(k5users_flag,users_fp, k5login_flag,login_fp);
+           return 0;
         }
     }
     if (!k5users_flag){
-        if ((users_fp = fopen(k5users_path, "r")) == NULL) {
-                return 0;
-        }
+        if ((users_fp = fopen(k5users_path, "r")) == NULL)
+           return 0;
+
         if ( fowner(users_fp, pwd->pw_uid) == FALSE){
-               close_time(k5users_flag,users_fp, k5login_flag,login_fp);
-                return 0;
+           close_time(k5users_flag,users_fp, k5login_flag,login_fp);
+           return 0;
         }
 
-       if(retval = get_all_princ_from_file (users_fp, &k5users_list)){  
-               close_time(k5users_flag,users_fp, k5login_flag,login_fp);
-                        return retval;
+       if(retval = get_all_princ_from_file (users_fp, &k5users_list)){
+           close_time(k5users_flag,users_fp, k5login_flag,login_fp);
+           return retval;
        }
 
        rewind(users_fp);       
        
        if(retval = filter(users_fp,cmd, k5users_list, &k5users_filt_list)){
-               close_time(k5users_flag,users_fp, k5login_flag, login_fp);
-               return retval;
+           close_time(k5users_flag,users_fp, k5login_flag, login_fp);
+           return retval;
        }
-
     }
        
-    if (cmd){  
-       *princ_list = k5users_filt_list;        
-       close_time(k5users_flag,users_fp, k5login_flag, login_fp);
-       return 0;
-    }
-
-    if (!k5login_flag){ 
-       if(retval = get_all_princ_from_file (login_fp, &k5login_list)){  
-               close_time(k5users_flag,users_fp, k5login_flag,login_fp);
-                       return retval;
+    if (!k5login_flag){
+       if(retval = get_all_princ_from_file (login_fp, &k5login_list)){
+           close_time(k5users_flag,users_fp, k5login_flag,login_fp);
+           return retval;
        }
     }  
-  
-    if(retval = list_union(k5login_list, k5users_filt_list, & combined_list)){  
-               close_time(k5users_flag,users_fp, k5login_flag,login_fp);
-                       return retval;
+
+    if(retval = list_union(k5login_list, k5users_filt_list, &combined_list)){
+       close_time(k5users_flag,users_fp, k5login_flag,login_fp);
+       return retval;
     }
 
-    *princ_list = combined_list ;      
-    close_time(k5users_flag,users_fp, k5login_flag,login_fp);
-    return 0;
+    close_time(k5users_flag,users_fp, k5login_flag, login_fp);
+
+    if (cmd) {
+       *princ_list = combined_list;
+       return 0;
+    } else {
+       *princ_list = k5login_list;
+       return 0;
+    }
 }
 
 static void close_time(k5users_flag, users_fp, k5login_flag, login_fp)
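Review bot: The new `else` branch that returns `k5login_list` when cmd is NULL runs after `list_union`, and list_union (earlier in this diff) frees both input arrays whenever both are non-NULL, so a plain ksu against a target that has both a .k5login and a .k5users hands the caller a freed array and leaks `combined_list`. Decide the result before the union: only the -e path needs it, and the no-cmd path then owns `k5users_filt_list` and has to release it (see below). Whether the no-cmd path is meant to drop the .k5users principals at all is not stated in the ChangeLog; the old code returned the union there, so if that was intended only the `if (cmd)` branch needed to change. Separately, when .k5users exists the `fowner` failure in the .k5login block calls close_time before `users_fp` has been opened, so `fclose` runs on an indeterminate pointer; initialising both FILE pointers to NULL and making close_time skip NULL covers this pre-existing path. get_authorized_princ_names's declarations are outside this hunk.
```c
    /* … unchanged: open and owner-check .k5login/.k5users, read both lists … */
    close_time(k5users_flag, users_fp, k5login_flag, login_fp);

    if (cmd) {
        /* -e cmd: every .k5login principal plus the .k5users principals
         * permitted for cmd.  list_union consumes both input arrays. */
        if (retval = list_union(k5login_list, k5users_filt_list, &combined_list))
            return retval;
        *princ_list = combined_list;
    } else {
        *princ_list = k5login_list;
        /* k5users_filt_list is not handed to the caller on this path:
         * free its entries and the array here (no list-free helper is
         * visible in this hunk). */
    }
    return 0;
```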
@@ -285,8 +276,8 @@ static void close_time(k5users_flag, users_fp, k5login_flag, login_fp)
     FILE *login_fp;
 {
 
-        if (!k5users_flag) fclose(users_fp);
-        if (!k5login_flag) fclose(login_fp);
+    if (!k5users_flag) fclose(users_fp);
+    if (!k5login_flag) fclose(login_fp);
 
 }
 
@@ -295,28 +286,27 @@ static krb5_boolean find_str_in_list(list , elm)
     char *elm;
 {
 
-int i=0;
-krb5_boolean found = FALSE;
+    int i=0;
+    krb5_boolean found = FALSE;
 
-if (!list) return found;
+    if (!list) return found;
 
-while (list[i] ){
+    while (list[i] ){
         if (!strcmp(list[i], elm)){
-                found = TRUE;
-                break;
+           found = TRUE;
+           break;
         }
         i++;
-}
-
-return found;
+    }
 
+    return found;
 }
 
 /**********************************************************************
-returns the principal that is closes to client (can be the the client  
+returns the principal that is closes to client (can be the the client
 himself). plist contains
-a principal list obtained from .k5login and .k5users file.   
-A principal is picked that has the best chance of getting in.          
+a principal list obtained from .k5login and .k5users file.
+A principal is picked that has the best chance of getting in.
 
 **********************************************************************/
 
@@ -327,77 +317,73 @@ krb5_error_code get_closest_principal(context, plist, client, found)
     krb5_principal *client;
     krb5_boolean *found;
 {
-krb5_error_code retval =0; 
-krb5_principal temp_client, best_client = NULL;
-int i = 0, j=0, cnelem, pnelem;
-krb5_boolean got_one; 
+    krb5_error_code retval =0;
+    krb5_principal temp_client, best_client = NULL;
+    int i = 0, j=0, cnelem, pnelem;
+    krb5_boolean got_one;
        
-       *found = FALSE; 
+    *found = FALSE;
 
-       if (! plist ) return 0;
+    if (! plist ) return 0;
 
-       cnelem = krb5_princ_size(context, *client);
+    cnelem = krb5_princ_size(context, *client);
 
+    while(plist[i]){
 
-        while(plist[i]){
+       if (retval = krb5_parse_name(context, plist[i], &temp_client))
+           return retval;
 
-               if (retval = krb5_parse_name(context, plist[i], &temp_client)){
-                         return retval;
-                }
+       pnelem = krb5_princ_size(context, temp_client);
 
-               pnelem = krb5_princ_size(context, temp_client);
+       if ( cnelem > pnelem){  
+           i++;
+           continue;
+       }
 
-                if ( cnelem > pnelem){ 
-                       i++;
-                       continue;
+       if (krb5_princ_realm(context, *client)->length ==
+           krb5_princ_realm(context, temp_client)->length
+           && (!memcmp (krb5_princ_realm(context, *client)->data,
+                        krb5_princ_realm(context, temp_client)->data,
+                        krb5_princ_realm(context, temp_client)->length))){
+
+           got_one = TRUE;
+           for(j =0; j < cnelem; j ++){
+               krb5_data *p1 =
+                   krb5_princ_component(context, *client, j);
+               krb5_data *p2 =
+                   krb5_princ_component(context, temp_client, j);
+
+               if ((p1->length != p2->length) ||
+                   memcmp(p1->data,p2->data,p1->length)){
+                   got_one = FALSE;
+                   break;
                }
+           }
+           if (got_one == TRUE){               
+               if(best_client){
+                   if(krb5_princ_size(context, best_client) >
+                      krb5_princ_size(context, temp_client)){
+                       best_client = temp_client;
+                   }
+               }else
+                   best_client = temp_client;
+           }
+       }
+       i++;
+    }
 
-               if (krb5_princ_realm(context, *client)->length ==
-                   krb5_princ_realm(context, temp_client)->length  
-                                && (!memcmp (krb5_princ_realm(context, *client)->data,
-                                     krb5_princ_realm(context, temp_client)->data,
-                                     krb5_princ_realm(context, temp_client)->length))){
-
-                       got_one = TRUE;
-                       for(j =0; j < cnelem; j ++){ 
-
-                               krb5_data *p1 =
-                                        krb5_princ_component(context, *client, j);
-                               krb5_data *p2 = 
-                                       krb5_princ_component(context, temp_client, j);
-
-                               if ((p1->length != p2->length) || 
-                                   memcmp(p1->data,p2->data,p1->length)){
-                                       got_one = FALSE;
-                                       break;
-                               }
-                        }
-                        if (got_one == TRUE){          
-                               if(best_client){
-                                       if(krb5_princ_size(context, best_client) >
-                                                   krb5_princ_size(context, temp_client)){
-                                               best_client = temp_client;
-                                       }
-                               }else{
-                                       best_client = temp_client;
-                               }
-                       }
-                }
-                i++;
-         }
-
-        if (best_client) {
-                *found = TRUE;
-                *client = best_client;
-        }
-
-        return 0;
+    if (best_client) {
+       *found = TRUE;
+       *client = best_client;
+    }
+
+    return 0;
 }
 
-/**************************************************************** 
+/****************************************************************
 find_either_ticket checks to see whether there is a ticket for the
    end server or tgt, if neither is there the return FALSE,
-*****************************************************************/                
+*****************************************************************/
 
 krb5_error_code find_either_ticket (context, cc, client, end_server, found)
     krb5_context context;
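Review bot: Each `krb5_parse_name` result is kept only if it ends up in `best_client`: candidates rejected by the `cnelem > pnelem` test or by the realm/component comparison, and the previous `best_client` when a shorter match replaces it, are never passed to krb5_free_principal, so one parsed principal leaks per rejected .k5login/.k5users entry. Free `temp_client` on every path that does not store it and free the displaced `best_client` before overwriting it; the principal finally stored through `*client` is handed to the caller, which the header comment above the function should say. The same pattern repeats in find_either_ticket (`kdc_server` from krb5_tgtname is never released), find_ticket (the `*found = TRUE; return 0;` branch returns before the two `free()` calls, those calls release a krb5_principal with plain `free()` instead of krb5_free_principal, and the `tgt` filled by krb5_cc_retrieve_cred is never released) and find_princ_in_list (`princname` from krb5_unparse_name is not freed). get_closest_principal's signature is outside the hunk.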
@@ -407,43 +393,37 @@ krb5_error_code find_either_ticket (context, cc, client, end_server, found)
     krb5_boolean *found;
 {
 
-krb5_principal kdc_server; 
-krb5_error_code retval;
-krb5_boolean temp_found = FALSE;   
-char * cc_source_name;
-struct stat st_temp;
+    krb5_principal kdc_server;
+    krb5_error_code retval;
+    krb5_boolean temp_found = FALSE;
+    char * cc_source_name;
+    struct stat st_temp;
 
-cc_source_name = krb5_cc_get_name(context, cc);
+    cc_source_name = krb5_cc_get_name(context, cc);
 
-if ( ! stat(cc_source_name, &st_temp)){
+    if ( ! stat(cc_source_name, &st_temp)){
 
-       if (retval = find_ticket (context, cc, client, end_server, &temp_found)) {
-               return retval;
-       }
+       if (retval = find_ticket(context, cc, client, end_server, &temp_found))
+           return retval;
        
        if (temp_found == FALSE){
-               
-               if (retval = krb5_tgtname(context, 
-                                         krb5_princ_realm(context, client),
-                                                 krb5_princ_realm(context, client), 
-                                         &kdc_server)){
-                                  return retval ;
-               }
-
-               if(retval = find_ticket (context, cc,client, kdc_server, &temp_found)) {
-                       return retval;
-               }
-       }
-       else {
-               if (auth_debug)
-                        printf("find_either_ticket: found end server ticket\n");
+           if (retval = krb5_tgtname(context,
+                                     krb5_princ_realm(context, client),
+                                     krb5_princ_realm(context, client),
+                                     &kdc_server)){
+               return retval ;
+           }
+
+           if(retval = find_ticket(context, cc,client, kdc_server, &temp_found))
+               return retval;
        }
+       else if (auth_debug)
+           printf("find_either_ticket: found end server ticket\n");
+    }
 
-}
-
-       *found = temp_found;
+    *found = temp_found;
 
-       return 0;
+    return 0;
 }
 
 
@@ -455,41 +435,39 @@ krb5_error_code find_ticket (context, cc, client, server, found)
     krb5_boolean *found;
 {
 
-krb5_creds tgt, tgtq;
-krb5_error_code retval;
+    krb5_creds tgt, tgtq;
+    krb5_error_code retval;
        
-       *found = FALSE;
+    *found = FALSE;
 
-       memset((char *) &tgtq, 0, sizeof(tgtq)); 
-       memset((char *) &tgt, 0, sizeof(tgt)); 
+    memset((char *) &tgtq, 0, sizeof(tgtq));
+    memset((char *) &tgt, 0, sizeof(tgt));
 
-       if (retval= krb5_copy_principal(context,  client, &tgtq.client)){
-               return retval;  
-       }
+    if (retval= krb5_copy_principal(context,  client, &tgtq.client))
+       return retval;  
 
-       if (retval= krb5_copy_principal(context,  server, &tgtq.server)){
-               return retval ;         
-       }
+    if (retval= krb5_copy_principal(context,  server, &tgtq.server))
+       return retval ;         
 
-       retval = krb5_cc_retrieve_cred(context, cc, KRB5_TC_MATCH_SRV_NAMEONLY,
-                                       &tgtq, &tgt);
+    retval = krb5_cc_retrieve_cred(context, cc, KRB5_TC_MATCH_SRV_NAMEONLY,
+                                  &tgtq, &tgt);
 
-       if (! retval) retval = krb5_check_exp(context, tgt.times);
+    if (! retval) retval = krb5_check_exp(context, tgt.times);
 
-       if (retval){
-                       if ((retval != KRB5_CC_NOTFOUND) &&
-                          (retval != KRB5KRB_AP_ERR_TKT_EXPIRED)){
-                        return retval ;
-                }
-        } else{
-               *found = TRUE;    
-               return 0;       
-        }
+    if (retval){
+       if ((retval != KRB5_CC_NOTFOUND) &&
+           (retval != KRB5KRB_AP_ERR_TKT_EXPIRED)){
+           return retval ;
+       }
+    } else{
+       *found = TRUE;
+       return 0;       
+    }
 
-       free(tgtq.server);
-       free(tgtq.client);
+    free(tgtq.server);
+    free(tgtq.client);
 
-       return 0;
+    return 0;
 }
 
 
@@ -501,40 +479,39 @@ krb5_error_code find_princ_in_list (context, princ, plist, found)
     krb5_boolean *found;
 {
 
-int i=0;
-char * princname; 
-krb5_error_code retval;
+    int i=0;
+    char * princname;
+    krb5_error_code retval;
 
-*found = FALSE;
+    *found = FALSE;
 
-if (!plist) return 0;  
+    if (!plist) return 0;
 
-if (retval = krb5_unparse_name(context, princ, &princname)){
+    if (retval = krb5_unparse_name(context, princ, &princname))
        return retval;
-}
 
-while (plist[i] ){ 
+    while (plist[i] ){
        if (!strcmp(plist[i], princname)){
-               *found = TRUE;
-               break;
+           *found = TRUE;
+           break;
        }
        i++;
-}
-return 0;
+    }
+
+    return 0;
 
 }
 
 typedef struct princ_info {
-       krb5_principal p;       
-       krb5_boolean found;   
+       krb5_principal p;
+       krb5_boolean found;
 }princ_info;
 
 /**********************************************************************
 get_best_princ_for_target -
 
-sets the client name, path_out gets set, if authorization is not possible 
-path_out gets set to ...           
+sets the client name, path_out gets set, if authorization is not possible
+path_out gets set to ...
 
 ***********************************************************************/
 
@@ -555,239 +532,245 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
     int *path_out;
 {
 
-princ_info princ_trials[10]; 
-char * cc_source_name;
-krb5_principal cc_def_princ = NULL; 
-krb5_principal temp_client;  
-krb5_principal target_client;
-krb5_principal source_client;
-krb5_principal end_server; 
-krb5_error_code retval; 
-char ** aplist =NULL; 
-krb5_boolean found = FALSE;
-struct stat tb;
-int count =0; 
-int i;
-struct stat st_temp;
-
-*path_out = 0;
-
-/* -n option was specified client is set we are done */       
-if (options->princ){
-       return 0; 
-}
-
-cc_source_name = krb5_cc_get_name(context, cc_source);
-
-if ( ! stat(cc_source_name, &st_temp)){
-        if (retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ)){
-                return retval;
-        }
-}
+    princ_info princ_trials[10];
+    char * cc_source_name;
+    krb5_principal cc_def_princ = NULL;
+    krb5_principal temp_client;
+    krb5_principal target_client;
+    krb5_principal source_client;
+    krb5_principal end_server;
+    krb5_error_code retval;
+    char ** aplist =NULL;
+    krb5_boolean found = FALSE;
+    struct stat tb;
+    int count =0;
+    int i;
+    struct stat st_temp;
 
-if (retval=krb5_parse_name(context, target_user, &target_client)){
-               return retval; 
-}
+    *path_out = 0;
 
-if (retval=krb5_parse_name(context, source_user, &source_client)){
-               return retval; 
-}
+    /* -n option was specified client is set we are done */
+    if (options->princ)
+       return 0;
 
+    cc_source_name = krb5_cc_get_name(context, cc_source);
 
+       /* Reset the euid while we open the source ccache */
+#if defined(_POSIX_SAVED_IDS) && defined(HAVE_SETEUID)
+    if (seteuid(source_uid)) {
+       com_err(prog_name, errno, "while setting the effective uid");
+       exit(1);
+    }
+#else
+# if defined(HAVE_SETRESUID)
+    if (setresuid(-1, source_uid, -1)) {
+       com_err(prog_name, errno, "while setting the effective uid");
+       exit(1);
+    }
+# else
+#  if defined(HAVE_SETREUID)
+    if (setreuid(0, source_uid)) {
+       com_err(prog_name, errno, "while setting the real/effective uid");
+       exit(1);
+    }
+#  endif /* HAVE_SETREUID */
+# endif /* HAVE_SETRESUID */
+#endif /* _POSIX_SAVED_IDS */
+       
+    if (! stat(cc_source_name, &st_temp))
+       if (retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ))
+           return retval;
+
+#if defined(_POSIX_SAVED_IDS) && defined(HAVE_SETEUID)
+    if (seteuid(0)) {
+       com_err(prog_name, errno, "while setting the effective uid");
+       exit(1);
+    }
+#else
+# if defined(HAVE_SETRESUID)
+    if (setresuid(-1, 0, -1)) {
+       com_err(prog_name, errno, "while setting the effective uid");
+       exit(1);
+    }
+# else
+#  if defined(HAVE_SETREUID)
+    if (setreuid(source_uid, 0)) {
+       com_err(prog_name, errno, "while setting the real/effective uid");
+       exit(1);
+    }
+#  endif /* HAVE_SETREUID */
+# endif /* HAVE_SETRESUID */
+#endif /* _POSIX_SAVED_IDS */
+       
+    if (retval=krb5_parse_name(context, target_user, &target_client))
+       return retval;
+    if (retval=krb5_parse_name(context, source_user, &source_client))
+       return retval;
 
-if (source_uid == 0){ 
-       if (target_uid != 0){
-               *client = target_client; /* this will be used to restrict       
-                                           the cache copty */          
-       }else{
-               if(cc_def_princ){
-                       *client = cc_def_princ;
-               }else{
-                       *client = target_client;
-               }
+    if (source_uid == 0){
+       if (target_uid != 0)
+           *client = target_client; /* this will be used to restrict
+                                       the cache copty */      
+       else {
+           if(cc_def_princ)
+               *client = cc_def_princ;
+           else
+               *client = target_client;
        }
 
-       if (auth_debug){
-               printf(" GET_best_princ_for_target: via source_uid == 0\n");
-       }
+       if (auth_debug)
+           printf(" GET_best_princ_for_target: via source_uid == 0\n");
 
        return 0;
-}
+    }
 
-/* from here on, the code is for source_uid !=  0 */           
+    /* from here on, the code is for source_uid !=  0 */
 
-if (source_uid && (source_uid == target_uid)){
-       if(cc_def_princ){
-               *client = cc_def_princ;
-       }else{ 
-               *client = target_client; 
-       }
-       if (auth_debug){
+    if (source_uid && (source_uid == target_uid)){
+       if(cc_def_princ)
+           *client = cc_def_princ;
+       else
+           *client = target_client;
+       if (auth_debug)
            printf("GET_best_princ_for_target: via source_uid == target_uid\n");
-       }
-
        return 0;
-}
+    }
 
-   /* if .k5users and .k5login do not exist */         
-if ( stat(k5login_path, &tb) && stat(k5users_path, &tb) ){
+    /* if .k5users and .k5login do not exist */        
+    if (stat(k5login_path, &tb) && stat(k5users_path, &tb) ){
        *client = target_client;
 
-       if ( cmd){      
-               *path_out = NOT_AUTHORIZED;
-       }
+       if (cmd)
+           *path_out = NOT_AUTHORIZED;
 
-       if (auth_debug){
-               printf(" GET_best_princ_for_target: via no auth files path\n");
-       }
+       if (auth_debug)
+           printf(" GET_best_princ_for_target: via no auth files path\n");
 
        return 0;       
-}else{
-       if (retval = get_authorized_princ_names(target_user, cmd, & aplist)){
-               return retval;
+    }else{
+       if (retval = get_authorized_princ_names(target_user, cmd, &aplist))
+           return retval;
+
+       /* .k5users or .k5login exist, but no authorization */
+       if ((!aplist) || (!aplist[0])) {
+           *path_out = NOT_AUTHORIZED;
+           if (auth_debug)
+               printf("GET_best_princ_for_target: via empty auth files path\n");
+           return 0;   
        }
+    }
 
-       /* .k5users or .k5login exist, but no authorization */   
-       if ((!aplist) || (!aplist[0])){ 
-               *path_out = NOT_AUTHORIZED;  
-               if (auth_debug){
-                printf(
-                    "GET_best_princ_for_target: via empty auth files path\n");
-               }
-               return 0;       
-       }
-}
-
-if (retval = krb5_sname_to_principal(context, hostname, NULL,
-                                      KRB5_NT_SRV_HST, &end_server)){
+    if (retval = krb5_sname_to_principal(context, hostname, NULL,
+                                        KRB5_NT_SRV_HST, &end_server))
        return retval;
-}
 
 
-/* first see if default principal of the source cache
-   can get us in, then the target_user@realm, then the                          
-   source_user@realm. If all of them fail, try any 
-   other ticket in the cache.
-*/
+    /* first see if default principal of the source cache
+     * can get us in, then the target_user@realm, then the
+     * source_user@realm. If all of them fail, try any
+     * other ticket in the cache. */
 
-if (cc_def_princ){
+    if (cc_def_princ)
        princ_trials[count ++].p = cc_def_princ;
-}else{
+    else
        princ_trials[count ++].p = NULL;
-}
-princ_trials[count ++].p = target_client;   
-princ_trials[count ++].p = source_client;  
 
-for (i= 0; i < count; i ++){      
-       princ_trials[i].found = FALSE; 
-}
+    princ_trials[count ++].p = target_client;
+    princ_trials[count ++].p = source_client;
+
+    for (i= 0; i < count; i ++)
+       princ_trials[i].found = FALSE;
 
-for (i= 0; i < count; i ++){      
-   if(princ_trials[i].p){      
-       if (retval= find_princ_in_list(context, princ_trials[i].p, aplist, &found)){
+    for (i= 0; i < count; i ++){
+       if(princ_trials[i].p) { 
+           if (retval= find_princ_in_list(context, princ_trials[i].p, aplist, &found))
                return retval;  
-       }
        
-       if ( found == TRUE){     
-               princ_trials[i].found = TRUE; 
+           if (found == TRUE){
+               princ_trials[i].found = TRUE;
 
-               if (retval = find_either_ticket (context, cc_source, princ_trials[i].p,
-                                        end_server, &found)){ 
-                       return retval;
-               }
+               if (retval = find_either_ticket (context, cc_source,
+                                                princ_trials[i].p,
+                                                end_server, &found))
+                   return retval;
                if (found == TRUE){
-                       *client = princ_trials[i].p; 
-                       if (auth_debug){
-                               printf("GET_best_princ_for_target: via ticket file, choice #%d\n", i);
-                       }
-                       return 0;       
+                   *client = princ_trials[i].p;
+                   if (auth_debug)
+                       printf("GET_best_princ_for_target: via ticket file, choice #%d\n", i);
+                   return 0;   
                }
-       }       
-   }
-}
+           }   
+       }
+    }
 
-/* out of preferred principals, see if there is any ticket that will
-   get us in */               
+    /* out of preferred principals, see if there is any ticket that will
+       get us in */
 
-i=0;
-while (aplist[i]){ 
+    i=0;
+    while (aplist[i]){
 
-       if (retval = krb5_parse_name(context, aplist[i], &temp_client)){
-               return retval;
-        }  
+       if (retval = krb5_parse_name(context, aplist[i], &temp_client))
+           return retval;
 
        if (retval = find_either_ticket (context, cc_source, temp_client,
-                                end_server, &found)){ 
-               return retval;
-       }
+                                        end_server, &found))
+           return retval;
+
        if (found == TRUE){
-                       if (auth_debug){
-                               printf("GET_best_princ_for_target: via ticket file, choice: any ok ticket \n" );
-                       }
-               *client = temp_client; 
-               return 0;       
+           if (auth_debug)
+               printf("GET_best_princ_for_target: via ticket file, choice: any ok ticket \n" );
+           *client = temp_client;
+           return 0;   
        }
 
        krb5_free_principal(context, temp_client);
 
        i++;
-}
+    }
 
-/* no tickets qualified, select a principal, that may be used
-   for password promting */                 
+    /* no tickets qualified, select a principal, that may be used
+       for password promting */
 
 
-for (i=0; i < count; i ++){ 
-       if (princ_trials[i].found == TRUE){ 
-               *client = princ_trials[i].p;
+    for (i=0; i < count; i ++){
+       if (princ_trials[i].found == TRUE){
+           *client = princ_trials[i].p;
 
-               if (auth_debug){
-                       printf(
-                           "GET_best_princ_for_target: via prompt passwd list choice #%d \n",i);
-               }
-               return  0;      
+           if (auth_debug)
+               printf("GET_best_princ_for_target: via prompt passwd list choice #%d \n",i);
+           return  0;  
        }
-}
+    }
 
 #ifdef PRINC_LOOK_AHEAD
-
-
-for (i=0; i < count; i ++){ 
+    for (i=0; i < count; i ++){
        if (princ_trials[i].p){
-               if(retval=krb5_copy_principal(context, princ_trials[i].p, 
-                                             &temp_client)){
-                       return retval;  
-               }
+           if(retval=krb5_copy_principal(context, princ_trials[i].p,
+                                         &temp_client))
+               return retval;  
 
-               /* get the client name that is the closest
-                 to the three princ in trials */
+           /* get the client name that is the closest
+              to the three princ in trials */
 
-               if(retval=get_closest_principal(context, aplist, &temp_client, & found)){
-                       return retval;  
-               }
+           if(retval=get_closest_principal(context, aplist, &temp_client, & found))
+               return retval;  
 
-               if (found == TRUE){  
-                       *client = temp_client;  
-                       if (auth_debug){
-                               printf(
-                                   "GET_best_princ_for_target: via prompt passwd list choice: approximation of princ in trials # %d \n",i);
-                       }
-                       return 0;
-               }
-               krb5_free_principal(context, temp_client);
+           if (found == TRUE){
+               *client = temp_client;  
+               if (auth_debug)
+                   printf("GET_best_princ_for_target: via prompt passwd list choice: approximation of princ in trials # %d \n",i);
+               return 0;
+           }
+           krb5_free_principal(context, temp_client);
        }
-}
-
-
-#endif /* PRINC_LOOK_AHEAD */ 
+    }
 
+#endif /* PRINC_LOOK_AHEAD */
 
 
-if(auth_debug){
+    if(auth_debug)
        printf( "GET_best_princ_for_target: out of luck, can't get appropriate default principal\n");
-}
-
-*path_out = NOT_AUTHORIZED;
-return 0;
 
+    *path_out = NOT_AUTHORIZED;
+    return 0;
 }