254 lines
8.4 KiB
Diff
254 lines
8.4 KiB
Diff
Index: pam_krb5-2.3.1-1/src/Makefile.am
|
|
===================================================================
|
|
--- pam_krb5-2.3.1-1.orig/src/Makefile.am
|
|
+++ pam_krb5-2.3.1-1/src/Makefile.am
|
|
@@ -37,6 +37,8 @@ libpam_krb5_la_SOURCES = \
|
|
kuserok.c \
|
|
kuserok.h \
|
|
minikafs.h \
|
|
+ perms.c \
|
|
+ perms.h \
|
|
prompter.c \
|
|
prompter.h \
|
|
shmem.c \
|
|
@@ -112,6 +114,7 @@ harness_LDADD = \
|
|
map.lo \
|
|
initopts.lo \
|
|
options.lo \
|
|
+ perms.lo \
|
|
userinfo.lo \
|
|
sly.lo \
|
|
v4.lo \
|
|
@@ -125,6 +128,7 @@ harness_newpag_LDADD = \
|
|
pam_newpag.lo \
|
|
logstdio.lo \
|
|
options.lo \
|
|
+ perms.lo \
|
|
v4.lo \
|
|
v5.lo
|
|
harness_newpag_LDADD += libpam_krb5.la @PAM_LIBS@ @KRB5_LIBS@ @KRB4_LIBS@ @KEYUTILS_LIBS@
|
|
Index: pam_krb5-2.3.1-1/src/perms.c
|
|
===================================================================
|
|
--- /dev/null
|
|
+++ pam_krb5-2.3.1-1/src/perms.c
|
|
@@ -0,0 +1,89 @@
|
|
+/*
|
|
+ * Copyright 2008 Red Hat, Inc.
|
|
+ *
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
+ * modification, are permitted provided that the following conditions
|
|
+ * are met:
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
+ * notice, and the entire permission notice in its entirety,
|
|
+ * including the disclaimer of warranties.
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
+ * notice, this list of conditions and the following disclaimer in the
|
|
+ * documentation and/or other materials provided with the distribution.
|
|
+ * 3. The name of the author may not be used to endorse or promote
|
|
+ * products derived from this software without specific prior
|
|
+ * written permission.
|
|
+ *
|
|
+ * ALTERNATIVELY, this product may be distributed under the terms of the
|
|
+ * GNU Lesser General Public License, in which case the provisions of the
|
|
+ * LGPL are required INSTEAD OF the above restrictions.
|
|
+ *
|
|
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
|
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
|
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
|
|
+ * NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
|
|
+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
|
|
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
+ */
|
|
+
|
|
+#include "../config.h"
|
|
+
|
|
+#include <sys/types.h>
|
|
+#include <stdlib.h>
|
|
+#include <unistd.h>
|
|
+#include "perms.h"
|
|
+
|
|
+struct _pam_krb5_perms {
|
|
+ uid_t ruid, euid;
|
|
+ gid_t rgid, egid;
|
|
+};
|
|
+
|
|
+struct _pam_krb5_perms *
|
|
+_pam_krb5_switch_perms(void)
|
|
+{
|
|
+ struct _pam_krb5_perms *ret;
|
|
+ ret = malloc(sizeof(*ret));
|
|
+ if (ret != NULL) {
|
|
+ ret->ruid = getuid();
|
|
+ ret->euid = geteuid();
|
|
+ ret->rgid = getgid();
|
|
+ ret->egid = getegid();
|
|
+ if (ret->ruid == ret->euid) {
|
|
+ ret->ruid = -1;
|
|
+ ret->euid = -1;
|
|
+ }
|
|
+ if (ret->rgid == ret->egid) {
|
|
+ ret->rgid = -1;
|
|
+ ret->egid = -1;
|
|
+ }
|
|
+ if (setregid(ret->egid, ret->rgid) == -1) {
|
|
+ free(ret);
|
|
+ ret = NULL;
|
|
+ } else {
|
|
+ if (setreuid(ret->euid, ret->ruid) == -1) {
|
|
+ setregid(ret->rgid, ret->egid);
|
|
+ free(ret);
|
|
+ ret = NULL;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ return ret;
|
|
+}
|
|
+
|
|
+int
|
|
+_pam_krb5_restore_perms(struct _pam_krb5_perms *saved)
|
|
+{
|
|
+ int ret = -1;
|
|
+ if (saved != NULL) {
|
|
+ if ((setreuid(saved->ruid, saved->euid) == 0) &&
|
|
+ (setregid(saved->rgid, saved->egid) == 0)) {
|
|
+ ret = 0;
|
|
+ }
|
|
+ free(saved);
|
|
+ }
|
|
+ return ret;
|
|
+}
|
|
Index: pam_krb5-2.3.1-1/src/perms.h
|
|
===================================================================
|
|
--- /dev/null
|
|
+++ pam_krb5-2.3.1-1/src/perms.h
|
|
@@ -0,0 +1,40 @@
|
|
+/*
|
|
+ * Copyright 2008 Red Hat, Inc.
|
|
+ *
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
+ * modification, are permitted provided that the following conditions
|
|
+ * are met:
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
+ * notice, and the entire permission notice in its entirety,
|
|
+ * including the disclaimer of warranties.
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
+ * notice, this list of conditions and the following disclaimer in the
|
|
+ * documentation and/or other materials provided with the distribution.
|
|
+ * 3. The name of the author may not be used to endorse or promote
|
|
+ * products derived from this software without specific prior
|
|
+ * written permission.
|
|
+ *
|
|
+ * ALTERNATIVELY, this product may be distributed under the terms of the
|
|
+ * GNU Lesser General Public License, in which case the provisions of the
|
|
+ * LGPL are required INSTEAD OF the above restrictions.
|
|
+ *
|
|
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
|
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
|
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
|
|
+ * NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
|
|
+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
|
|
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
+ */
|
|
+
|
|
+#ifndef pam_krb5_perms_h
|
|
+#define pam_krb5_perms_h
|
|
+
|
|
+struct _pam_krb5_perms;
|
|
+struct _pam_krb5_perms *_pam_krb5_switch_perms(void);
|
|
+int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved);
|
|
+
|
|
+#endif
|
|
Index: pam_krb5-2.3.1-1/src/v5.c
|
|
===================================================================
|
|
--- pam_krb5-2.3.1-1.orig/src/v5.c
|
|
+++ pam_krb5-2.3.1-1/src/v5.c
|
|
@@ -1,5 +1,5 @@
|
|
/*
|
|
- * Copyright 2003,2004,2005,2006,2007,2008 Red Hat, Inc.
|
|
+ * Copyright 2003,2004,2005,2006,2007 Red Hat, Inc.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
@@ -66,6 +66,7 @@
|
|
|
|
#include "conv.h"
|
|
#include "log.h"
|
|
+#include "perms.h"
|
|
#include "prompter.h"
|
|
#include "stash.h"
|
|
#include "userinfo.h"
|
|
@@ -833,6 +834,7 @@ v5_get_creds(krb5_context ctx,
|
|
const char *realm;
|
|
struct pam_message message;
|
|
struct _pam_krb5_prompter_data prompter_data;
|
|
+ struct _pam_krb5_perms *saved_perms;
|
|
krb5_principal service_principal;
|
|
krb5_creds tmpcreds;
|
|
krb5_ccache ccache;
|
|
@@ -884,28 +886,46 @@ v5_get_creds(krb5_context ctx,
|
|
"from %s", krb5_cc_default_name(ctx));
|
|
}
|
|
memset(&ccache, 0, sizeof(ccache));
|
|
- if (krb5_cc_default(ctx, &ccache) == 0) {
|
|
+ /* In case we're setuid/setgid, switch to the caller's
|
|
+ * permissions. */
|
|
+ saved_perms = _pam_krb5_switch_perms();
|
|
+ if ((saved_perms != NULL) &&
|
|
+ (krb5_cc_default(ctx, &ccache) == 0)) {
|
|
tmpcreds.client = userinfo->principal_name;
|
|
tmpcreds.server = service_principal;
|
|
i = krb5_cc_retrieve_cred(ctx, ccache, 0,
|
|
&tmpcreds, creds);
|
|
+ /* FIXME: check if the creds are expired?
|
|
+ * What's the right error code if we check, and
|
|
+ * they are? */
|
|
memset(&tmpcreds, 0, sizeof(tmpcreds));
|
|
krb5_cc_close(ctx, ccache);
|
|
- switch (v5_validate(ctx, creds, options)) {
|
|
- case 0:
|
|
- /* we're fine */
|
|
- break;
|
|
- default:
|
|
- /* something (anything) went wrong --
|
|
- * discard them */
|
|
- krb5_free_cred_contents(ctx, creds);
|
|
- i = KRB5KRB_ERR_GENERIC;
|
|
- break;
|
|
+ /* In case we're setuid/setgid, restore the
|
|
+ * previous permissions. */
|
|
+ if (saved_perms != NULL) {
|
|
+ if (_pam_krb5_restore_perms(saved_perms) != 0) {
|
|
+ krb5_free_cred_contents(ctx, creds);
|
|
+ memset(creds, 0, sizeof(*creds));
|
|
+ krb5_free_principal(ctx, service_principal);
|
|
+ return PAM_SYSTEM_ERR;
|
|
+ }
|
|
+ saved_perms = NULL;
|
|
}
|
|
} else {
|
|
warn("error opening default ccache");
|
|
i = KRB5_CC_NOTFOUND;
|
|
}
|
|
+ /* In case we're setuid/setgid, switch back to the
|
|
+ * previous permissions if we didn't already. */
|
|
+ if (saved_perms != NULL) {
|
|
+ if (_pam_krb5_restore_perms(saved_perms) != 0) {
|
|
+ krb5_free_cred_contents(ctx, creds);
|
|
+ memset(creds, 0, sizeof(*creds));
|
|
+ krb5_free_principal(ctx, service_principal);
|
|
+ return PAM_SYSTEM_ERR;
|
|
+ }
|
|
+ saved_perms = NULL;
|
|
+ }
|
|
krb5_free_principal(ctx, service_principal);
|
|
} else {
|
|
warn("error parsing TGT principal name (%s) "
|