From 2cd43e5cc511f183bda6582c8c3a822e4b28d806 Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Thu, 13 Nov 1997 00:07:05 +0000
Subject: [PATCH] * forward.c (rd_and_store_for_creds): Don't do the chown. Avoids a security hole. [krb5-appl/494] * krshd.c (recvauth): chown the ccache explicitly, as rd_and_store_for_creds no longer does so. [krb5-appl/494] git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10277 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/appl/bsd/ChangeLog | 8 ++++++++
 src/appl/bsd/forward.c | 20 +-------------------
 src/appl/bsd/krshd.c | 17 ++++++++++++++++-
 3 files changed, 25 insertions(+), 20 deletions(-)
diff --git a/src/appl/bsd/ChangeLog b/src/appl/bsd/ChangeLog
index af90149bd..a0972b2eb 100644
--- a/src/appl/bsd/ChangeLog
+++ b/src/appl/bsd/ChangeLog
@@ -1,3 +1,11 @@
+Wed Nov 12 19:03:02 1997 Tom Yu
+
+ * forward.c (rd_and_store_for_creds): Don't do the chown. Avoids
+ a security hole. [krb5-appl/494]
+
+ * krshd.c (recvauth): chown the ccache explicitly, as
+ rd_and_store_for_creds no longer does so. [krb5-appl/494]
+
 Thu Nov 6 22:04:26 1997 Theodore Y. Ts'o
 * v4rcp.c: Use error_message(errno) instead of using
diff --git a/src/appl/bsd/forward.c b/src/appl/bsd/forward.c
index 54594b9b9..e22fc1d98 100644
--- a/src/appl/bsd/forward.c
+++ b/src/appl/bsd/forward.c
@@ -21,7 +21,6 @@
 #if defined(KERBEROS) || defined(KRB5)
 #include
-#include
 #include
 #include
 #include
@@ -30,22 +29,18 @@
 /* Decode, decrypt and store the forwarded creds in the local ccache. */
 krb5_error_code
-rd_and_store_for_creds(context, auth_context, inbuf, ticket, lusername, ccache)
+rd_and_store_for_creds(context, auth_context, inbuf, ticket, ccache)
 krb5_context context;
 krb5_auth_context auth_context;
 krb5_data *inbuf;
 krb5_ticket *ticket;
- char *lusername;
 krb5_ccache *ccache;
 {
 krb5_creds ** creds;
 krb5_error_code retval;
 char ccname[35];
- struct passwd *pwd;
 *ccache = NULL;
- if (!(pwd = (struct passwd *) getpwnam(lusername)))
- return ENOENT;
 if (retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL))
 return(retval);
@@ -67,19 +62,6 @@ rd_and_store_for_creds(context, auth_context, inbuf, ticket, lusername, ccache)
 if (retval = krb5_cc_store_cred(context, *ccache, *creds))
 goto cleanup;
- if (retval = chown(ccname+5, pwd->pw_uid, -1)) {
- /*
- * If the file owner is the same as the user id then return ok.
- * This is for testing only --proven
- */
- struct stat statbuf;
-
- if (stat(ccname + 5, & statbuf) == 0) {
- if (statbuf.st_uid == pwd->pw_uid)
- retval = 0;
- }
- }
-
 cleanup:
 krb5_free_creds(context, *creds);
 return retval;
diff --git a/src/appl/bsd/krshd.c b/src/appl/bsd/krshd.c
index e999a2806..ef8766d0b 100644
--- a/src/appl/bsd/krshd.c
+++ b/src/appl/bsd/krshd.c
@@ -1720,6 +1720,9 @@ recvauth(netf, peersin, valid_checksum)
 krb5_authenticator *authenticator;
 krb5_ticket *ticket;
 krb5_rcache rcache;
+ struct passwd *pwd;
+ uid_t uid;
+ gid_t gid;
 *valid_checksum = 0;
 len = sizeof(laddr);
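Review bot: The header comment `/* Decode, decrypt and store the forwarded creds in the local ccache. */` no longer states the ownership contract: with the chown gone, the cache this function creates is left owned by whatever uid the calling process runs under, and the caller must hand it to the target user (krshd.c now does this after the call), so I would extend it to `/* ... The new ccache is owned by the calling process; the caller must chown it to the target user. */`. `char ccname[35]` stays declared here while every `pwd`/`lusername` use is removed; its remaining uses are outside the hunk, so I can't confirm it is still needed once the later `ccname+5` block is dropped. `if (retval = krb5_rd_cred(...))` is an assignment used directly as a condition, unlike the `if ((status = ...))` form krshd.c uses; the extra parentheses would make the intent explicit and keep -Wparentheses quiet. The function body continues beyond the hunk.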
@@ -1875,12 +1878,24 @@ recvauth(netf, peersin, valid_checksum)
 }
 if (inbuf.length) { /* Forwarding being done, read creds */
+ pwd = getpwnam(locuser);
+ if (!pwd) {
+ error("Login incorrect.\n");
+ exit(1);
+ }
+ uid = pwd->pw_uid;
+ gid = pwd->pw_gid;
 if ((status = rd_and_store_for_creds(bsd_context, auth_context, &inbuf,
- ticket, locuser, &ccache))) {
+ ticket, &ccache))) {
 error("Can't get forwarded credentials: %s\n", error_message(status));
 exit(1);
 }
+ if (chown(krb5_cc_get_name(bsd_context, ccache), uid, gid) == -1) {
+ error("Can't chown forwarded credentials: %s\n",
+ error_message(errno));
+ exit(1);
+ }
 }
 krb5_free_ticket(bsd_context, ticket);
 return 0;
-- 
2.26.2
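Review bot: When `chown` fails the new branch exits, but the cache that `rd_and_store_for_creds` just populated stays on disk, still owned by the uid the daemon runs under; it should be removed first, `krb5_cc_destroy(bsd_context, ccache);` ahead of the `exit(1);` in that branch. `krb5_cc_get_name` returns the cache residual, which is a filesystem path only for a FILE-type cache — I cannot see how forward.c resolves the cache (the removed `ccname+5` only suggests a `FILE:` prefix), so a comment such as `/* ccache is a FILE: cache; its residual is the path we hand to the user */` would record the assumption the chown depends on. Chowning by name also operates on whatever the name refers to at call time; if the cache directory is shared, validating the path with lstat (or opening it with O_NOFOLLOW and using fchown) is the more robust way to transfer ownership. recvauth's closing brace lies outside the hunk.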