Red Hat Bugzilla – Attachment 298301 Details for
Bug 436747
Login succeded even when host not validated
[patch]
Patch to split validation of credentials into a suid helper application
pam_krb5-2.3.0-helper-0.patch (text/plain), 21.58 KB, created by
W. Michael Petullo
on 2008-03-17 20:06:57 UTC
Description:
Patch to split validation of credentials into a suid helper application
Filename:
MIME Type:
Creator:
W. Michael Petullo
Created:
2008-03-17 20:06:57 UTC
Size:
21.58 KB
patch
obsolete
>diff -u --new-file --recursive pam_krb5-2.3.0-1-vanilla/src/auth.c pam_krb5-2.3.0-1/src/auth.c
>--- pam_krb5-2.3.0-1-vanilla/src/auth.c 2008-03-15 09:58:10.000000000 +0430
>+++ pam_krb5-2.3.0-1/src/auth.c 2008-03-17 17:39:11.000000000 +0430
>@@ -460,6 +460,22 @@
> }
> }
>
>+ /* Flat-out success. Validate the TGT if it's actually a TGT,
>+ * and if we can. */
>+ if (PAM_SUCCESS == retval && 1 == options->validate) {
>+ if (options->debug) {
>+ debug("validating credentials");
>+ }
>+warn("%d", stash->v5creds.is_skey);
>+ switch (v5_validate(stash->v5shm, options)) {
>+ case PAM_AUTH_ERR:
>+ retval = PAM_AUTH_ERR;
>+ break;
>+ default:
>+ break;
>+ }
>+ }
>+
> /* Clean up. */
> if (options->debug) {
> debug("pam_authenticate returning %d (%s)", retval,
>diff -u --new-file --recursive pam_krb5-2.3.0-1-vanilla/src/Makefile.am pam_krb5-2.3.0-1/src/Makefile.am
>--- pam_krb5-2.3.0-1-vanilla/src/Makefile.am 2008-03-15 09:58:10.000000000 +0430
>+++ pam_krb5-2.3.0-1/src/Makefile.am 2008-03-17 01:03:19.000000000 +0430
>@@ -4,7 +4,7 @@
> security_LTLIBRARIES = pam_krb5.la
> noinst_LTLIBRARIES = libpam_krb5.la
> pkgsecuritydir = $(libdir)/security/$(PACKAGE)
>-pkgsecurity_PROGRAMS = pam_krb5_storetmp
>+pkgsecurity_PROGRAMS = pam_krb5_storetmp pam_krb5_validate
> EXTRA_DIST = afs5log.1 pam_krb5.5 pam_krb5.8 pam_krb5_storetmp.8 pam_newpag.5 pam_newpag.8
> noinst_PROGRAMS = harness harness-newpag shmcat
> man_MANS = pam_krb5.5 pam_krb5.8 pam_krb5_storetmp.8
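Review bot: The new validation block in auth.c leaves a stray, unindented `warn("%d", stash->v5creds.is_skey);` that logs at warning level on every successful authentication; drop it before this lands. The comment still says "if it's actually a TGT", but the `strcmp(service, KRB5_TGS_NAME) == 0` guard that the later v5.c hunk deletes is not re-established here, so the helper is asked to verify whatever credential happens to be in the stash; re-add the service check if the credential type is reachable at this point. The key handed to `v5_validate` is `stash->v5shm`, which appears to be populated only on the shared-memory path, so `validate` configured without `use_shmem` would presumably pass -1 to the helper and fail every login — confirm against the stash setup code outside this hunk. The enclosing function starts and ends outside the hunk.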
>@@ -82,6 +82,11 @@
> pam_krb5_storetmp_LIBS =
> pam_krb5_storetmp_LDADD = xstr.lo
>
>+pam_krb5_validate_SOURCES = \
>+ pam_krb5_validate.c
>+pam_krb5_validate_LIBS =
>+pam_krb5_validate_LDADD = @PAM_LIBS@ logstdio.lo libpam_krb5.la @KRB5_LIBS@ @KRB4_LIBS@
>+
> afs5log_SOURCES = \
> afs5log.c \
> logstdio.c \
>diff -u --new-file --recursive pam_krb5-2.3.0-1-vanilla/src/pam_krb5_validate.c pam_krb5-2.3.0-1/src/pam_krb5_validate.c
>--- pam_krb5-2.3.0-1-vanilla/src/pam_krb5_validate.c 1970-01-01 04:30:00.000000000 +0430
>+++ pam_krb5-2.3.0-1/src/pam_krb5_validate.c 2008-03-17 17:41:59.000000000 +0430
>@@ -0,0 +1,181 @@
>+/* FILE: pam_krb5_validate.c -- A helper application that validates
>+ * a Kerberos credential vs. a local keytab. If this helper is
>+ * suid root, then non-root applications may validate
>+ * crendentials, even if the keytab is only readable by root.
>+ *
>+ * AUTHOR: W. Michael Petullo <mike[@]flyn.org>
>+ * DATE: 16 March 2008
>+ *
>+ * Copyright (c) 2008 W. Michael Petullo <mike[@]flyn.org>
>+ * All rights reserved.
>+ *
>+ * Redistribution and use in source and binary forms, with or without
>+ * modification, are permitted provided that the following conditions
>+ * are met:
>+ * 1. Redistributions of source code must retain the above copyright
>+ * notice, and the entire permission notice in its entirety,
>+ * including the disclaimer of warranties.
>+ * 2. Redistributions in binary form must reproduce the above copyright
>+ * notice, this list of conditions and the following disclaimer in the
>+ * documentation and/or other materials provided with the distribution.
>+ * 3. The name of the author may not be used to endorse or promote
>+ * products derived from this software without specific prior
>+ * written permission.
>+ *
>+ * ALTERNATIVELY, this product may be distributed under the terms of the
>+ * GNU Lesser General Public License, in which case the provisions of the
>+ * LGPL are required INSTEAD OF the above restrictions.
>+ *
>+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
>+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
>+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
>+ * NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
>+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
>+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
>+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
>+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
>+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
>+
>+#include "../config.h"
>+
>+#include <stdlib.h>
>+#include <unistd.h>
>+#include <stdio.h>
>+#include <string.h>
>+#include <sys/types.h>
>+#include <sys/ipc.h>
>+#include <sys/shm.h>
>+
>+#ifdef HAVE_SECURITY_PAM_APPL_H
>+#include <security/pam_appl.h>
>+#endif
>+
>+#ifdef HAVE_SECURITY_PAM_MODULES_H
>+#include <security/pam_modules.h>
>+#endif
>+
>+#include KRB5_H
>+#ifdef USE_KRB4
>+#include KRB4_DES_H
>+#include KRB4_KRB_H
>+#ifdef KRB4_KRB_ERR_H
>+#include KRB4_KRB_ERR_H
>+#endif
>+#endif
>+
>+#include <stash.h>
>+#include <log.h>
>+#include <shmem.h>
>+
>+int main (int argc, char *argv[]) {
>+ int i;
>+ int pargc = 0;
>+ char *pargv[] = { NULL };
>+ char *principal;
>+ key_t key;
>+ const char *keytab_path;
>+ const char *ccache_dir;
>+ size_t size;
>+ struct _pam_krb5_stash *stash;
>+ krb5_context ctx;
>+ krb5_keytab keytab;
>+ krb5_kt_cursor cursor;
>+ krb5_keytab_entry entry;
>+ krb5_verify_init_creds_opt opt;
>+
>+ if (argc != 3) {
>+ warn("usage: pam_krb5_validate path ccache_dir");
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ keytab_path = argv[1];
>+ ccache_dir = argv[2];
>+
>+ /* Read the shared memory segment key */
>+ if (sizeof(key) != read(STDIN_FILENO, &key, sizeof(key))) {
>+ warn("error reading shared memory segment key");
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ stash = malloc(sizeof(struct _pam_krb5_stash));
>+ if (stash == NULL) {
>+ warn("error reading allocating memory for stash");
>+ exit(EXIT_FAILURE);
>+ }
>+ memset(stash, 0, sizeof(struct _pam_krb5_stash));
>+
>+ _pam_krb5_stash_shm_read(-1, key, -1, -1, stash, ccache_dir, 1);
>+
>+ warn("attached to shared memory segment %d", key);
>+
>+ if (_pam_krb5_init_ctx(&ctx, pargc, pargv) != 0) {
>+ warn("error initializing Kerberos");
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ /* Open the keytab. */
>+ memset(&keytab, 0, sizeof(keytab));
>+ i = krb5_kt_resolve(ctx, keytab_path, &keytab);
>+ if (i != 0) {
>+ warn("error resolving keytab '%s', TGT not verified",
>+ keytab_path);
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ /* Read the first key from the file. */
>+ memset(&cursor, 0, sizeof(cursor));
>+ i = krb5_kt_start_seq_get(ctx, keytab, &cursor);
>+ if (i != 0) {
>+ warn("error reading keytab, TGT not verified");
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ memset(&entry, 0, sizeof(entry));
>+ i = krb5_kt_next_entry(ctx, keytab, &entry, &cursor);
>+ if (i != 0) {
>+ warn("error reading keytab, TGT not verified");
>+ krb5_kt_end_seq_get(ctx, keytab, &cursor);
>+ krb5_kt_close(ctx, keytab);
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ /* Get the principal to which the key belongs, for logging purposes. */
>+ principal = NULL;
>+ i = krb5_unparse_name(ctx, entry.principal, &principal);
>+ if (i != 0) {
>+ warn("internal error parsing principal name, "
>+ "not verifying TGT");
>+ krb5_kt_end_seq_get(ctx, keytab, &cursor);
>+ krb5_kt_close(ctx, keytab);
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ /* Close the keytab here. Even though we're using cursors, the file
>+ * handle is stored in the krb5_keytab structure, and it gets
>+ * overwritten when the verify_init_creds() call below creates its own
>+ * cursor, creating a leak. */
>+ krb5_kt_end_seq_get(ctx, keytab, &cursor);
>+
>+ /* Perform the verification checks using the service key. */
>+ krb5_verify_init_creds_opt_init(&opt);
>+ i = krb5_verify_init_creds(ctx, &stash->v5creds,
>+ entry.principal, keytab,
>+ NULL, &opt);
>+
>+ krb5_kt_close(ctx, keytab);
>+ /* FIXME: remove shared memory? */
>+
>+ /* Log success or failure. */
>+ if (i == 0) {
>+ notice("TGT verified using key for '%s'", principal);
>+ v5_free_unparsed_name(ctx, principal);
>+ exit(EXIT_SUCCESS);
>+ } else {
>+ crit("TGT failed verification using key for '%s'",
>+ principal);
>+ v5_free_unparsed_name(ctx, principal);
>+ exit(EXIT_FAILURE);
>+ }
>+ exit(EXIT_SUCCESS);
>+}
>diff -u --new-file --recursive pam_krb5-2.3.0-1-vanilla/src/shmem.c pam_krb5-2.3.0-1/src/shmem.c
>--- pam_krb5-2.3.0-1-vanilla/src/shmem.c 2008-03-15 09:58:10.000000000 +0430
>+++ pam_krb5-2.3.0-1/src/shmem.c 2008-03-17 17:37:07.000000000 +0430
>@@ -319,12 +319,14 @@
> *block_size = 0;
>
> /* Attach to the segment and make sure that "we" own it. */
>+ /* FIXME: helper validate app will be executed by root, even
>+ * if application calling PAM is not (e.g., su). */
> address = _pam_krb5_shm_attach(key, NULL);
> if (address != NULL) {
> if ((shmctl(key, IPC_STAT, &ds) == -1) ||
>- (ds.shm_segsz < 16)|| (ds.shm_segsz > 0xffff) ||
>+ (ds.shm_segsz < 16)|| (ds.shm_segsz > 0xffff) /*||
> (ds.shm_perm.cuid != getuid()) ||
>- (ds.shm_perm.cuid != geteuid())) {
>+ (ds.shm_perm.cuid != geteuid())*/) {
> address = _pam_krb5_shm_detach(address);
> if (block_size != NULL) {
> *block_size = 0;
>diff -u --new-file --recursive pam_krb5-2.3.0-1-vanilla/src/stash.c pam_krb5-2.3.0-1/src/stash.c
>--- pam_krb5-2.3.0-1-vanilla/src/stash.c 2008-03-15 09:58:10.000000000 +0430
>+++ pam_krb5-2.3.0-1/src/stash.c 2008-03-17 17:28:31.000000000 +0430
>@@ -112,9 +112,8 @@
>
> /* Read v5 state from the shared memory segment. */
> static void
>-_pam_krb5_stash_shm_read_v5(pam_handle_t *pamh, struct _pam_krb5_stash *stash,
>- struct _pam_krb5_options *options, int key,
>- void *blob, size_t blob_size)
>+_pam_krb5_stash_shm_read_v5(struct _pam_krb5_stash *stash, char *ccache_dir,
>+ int key, void *blob, size_t blob_size, int dodebug)
> {
> char tktfile[PATH_MAX + 6];
> unsigned char *blob_creds;
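Review bot: main() in pam_krb5_validate.c takes the keytab path and ccache directory from argv and the segment id from stdin, yet the file header says it is meant to run set-uid root, so every file it opens and every segment it attaches is chosen by an unprivileged caller and acted on with root privileges — including the temporary ccache that `_pam_krb5_stash_shm_read` materialises under `ccache_dir` as `FILE:%s/pam_krb5_tmp_XXXXXX`. Take the keytab path from the compiled-in configuration (or refuse anything other than the configured default), check that the segment's creator uid matches `getuid()` before reading it, and do the segment attach and ccache write with the effective uid lowered to the real uid (`seteuid(getuid())`, restored before the keytab is read) so root is used only for the keytab. Unless libkrb5 is known to ignore the environment in set-uid processes, also clear or sanitise the environment before `_pam_krb5_init_ctx` so `KRB5_CONFIG`-style variables cannot redirect a root-privileged context — confirm against the krb5 version targeted. Smaller points: `size` is unused, the trailing `exit(EXIT_SUCCESS)` is unreachable, `warn("attached to shared memory segment %d", key)` logs unconditionally at warning level, and the message `"error reading allocating memory for stash"` has a stray word.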
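Review bot: Commenting out the `shm_perm.cuid` tests in the shmem.c attach path removes the ownership check for every caller, not just the new helper, so the module and the helper now accept any segment of plausible size whose id they are handed. The FIXME correctly observes that real and effective uid differ in the set-uid cases, but the answer is to accept a match against either rather than neither: replace the commented span with `(ds.shm_segsz < 16)|| (ds.shm_segsz > 0xffff) ||` / `((ds.shm_perm.cuid != getuid()) && (ds.shm_perm.cuid != geteuid()))) {`. With a set-uid-root helper this still accepts any root-created segment for any invoker, so the module should additionally pass the expected creator to the helper (alongside the key it already writes to the pipe) and have the helper compare against that. The enclosing function starts and ends outside the hunk.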
>@@ -142,7 +141,7 @@
>
> /* Create a temporary ccache file. */
> snprintf(tktfile, sizeof(tktfile),
>- "FILE:%s/pam_krb5_tmp_XXXXXX", options->ccache_dir);
>+ "FILE:%s/pam_krb5_tmp_XXXXXX", ccache_dir);
> fd = mkstemp(tktfile + 5);
> if (fd == -1) {
> warn("error creating temporary file \"%s\": %s",
>@@ -198,7 +197,7 @@
> /* Read other variables. */
> stash->v5attempted = ((int*)blob)[1];
> stash->v5result = ((int*)blob)[2];
>- if (options->debug) {
>+ if (dodebug) {
> debug("recovered v5 credentials from shared memory "
> "segment %d", key);
> }
>@@ -330,9 +329,9 @@
> #ifdef USE_KRB4
> /* Read v4 state from the shared memory segment. */
> static void
>-_pam_krb5_stash_shm_read_v4(pam_handle_t *pamh, struct _pam_krb5_stash *stash,
>- struct _pam_krb5_options *options, int key,
>- void *blob, size_t blob_size)
>+_pam_krb5_stash_shm_read_v4(struct _pam_krb5_stash *stash,
>+ int key, void *blob, size_t blob_size,
>+ int dodebug)
> {
> int *intblob;
> unsigned char *p;
>@@ -344,7 +343,7 @@
> p = blob;
> p += sizeof(int) * 2;
> memcpy(&stash->v4creds, p, sizeof(stash->v4creds));
>- if (options->debug) {
>+ if (dodebug) {
> debug("recovered v4 credential state from "
> "shared memory segment %d", key);
> }
>@@ -403,109 +402,94 @@
> }
> #endif
>
>-/* Retrieve credentials from the shared memory segments named by the PAM
>- * environment variables which begin with partial_key. */
>-void
>-_pam_krb5_stash_shm_read(pam_handle_t *pamh, const char *partial_key,
>- struct _pam_krb5_stash *stash,
>- struct _pam_krb5_options *options)
>+int
>+_pam_krb5_stash_shm_get_key_owner(pam_handle_t *pamh, const char *suffix,
>+ const char *partial_key, int *key, pid_t *owner)
> {
>- int key;
>- pid_t owner;
>+#if 0
> long l;
>- char *variable, *p, *q;
> const char *value;
>- void *blob;
>- size_t blob_size;
>+ char *variable, *p, *q;
>
> /* Construct the name of a variable. */
> variable = malloc(strlen(partial_key) + 10);
> if (variable == NULL) {
>- return;
>+ return 0;
> }
>- sprintf(variable, "%s" PAM_KRB5_STASH_SHM5_SUFFIX, partial_key);
>+ sprintf(variable, "%s%s", partial_key, suffix);
>
> /* Read the variable and extract a shared memory identifier. */
> value = pam_getenv(pamh, variable);
>- key = -1;
>- owner = -1;
>+ *key = -1;
>+ *owner = -1;
> if (value != NULL) {
> l = strtol(value, &p, 0);
> if ((p != NULL) && (*p == '/')) {
> if ((l < INT_MAX) && (l > INT_MIN)) {
>- key = l;
>+ *key = l;
> }
> q = NULL;
> l = strtol(p + 1, &q, 0);
> if ((q != NULL) && (*q == '\0') && (q > p + 1)) {
>- owner = l;
>+ *owner = l;
> }
> }
> }
>
>+ free(variable);
>+#endif
>+ return 1;
>+}
>+
>+/* Retrieve credentials from the shared memory segments named by the PAM
>+ * environment variables which begin with partial_key. */
>+void
>+_pam_krb5_stash_shm_read(int v4key, int v5key, pid_t v4owner, pid_t v5owner,
>+ struct _pam_krb5_stash *stash, char *ccache_dir,
>+ int dodebug)
>+{
>+ void *blob;
>+ size_t blob_size;
>+
> /* Get a copy of the contents of the shared memory segment. */
>- if ((stash->v5shm == -1) && (owner != -1)) {
>- stash->v5shm = key;
>- stash->v5shm_owner = owner;
>+ if ((stash->v5shm == -1) && (v5owner != -1)) {
>+ stash->v5shm = v5key;
>+ stash->v5shm_owner = v5owner;
> }
>- if (key != -1) {
>- _pam_krb5_blob_from_shm(key, &blob, &blob_size);
>+ if (v5key != -1) {
>+ _pam_krb5_blob_from_shm(v5key, &blob, &blob_size);
> if ((blob == NULL) || (blob_size == 0)) {
>- warn("no segment with specified identifier %d", key);
>+ warn("no segment with specified identifier %d", v5key);
> } else {
> /* Pull credentials from the blob, which contains a
> * ccache file. Cross our fingers and hope it's
> * useful. */
>- _pam_krb5_stash_shm_read_v5(pamh, stash,
>- options, key,
>- blob, blob_size);
>+ _pam_krb5_stash_shm_read_v5(stash, ccache_dir, v5key,
>+ blob, blob_size, dodebug);
> free(blob);
> }
> }
>
> #ifdef USE_KRB4
>- /* Construct the name of a variable. */
>- sprintf(variable, "%s" PAM_KRB5_STASH_SHM4_SUFFIX, partial_key);
>-
>- /* Read the variable and extract a shared memory identifier. */
>- value = pam_getenv(pamh, variable);
>- key = -1;
>- owner = -1;
>- if (value != NULL) {
>- l = strtol(value, &p, 0);
>- if ((p != NULL) && (*p == '/')) {
>- if ((l < INT_MAX) && (l > INT_MIN)) {
>- key = l;
>- }
>- q = NULL;
>- l = strtol(p + 1, &q, 0);
>- if ((q != NULL) && (*q == '\0') && (q > p + 1)) {
>- owner = l;
>- }
>- }
>- }
>-
> /* Get a copy of the contents of the shared memory segment. */
>- if ((stash->v4shm == -1) && (owner != -1)) {
>- stash->v4shm = key;
>- stash->v4shm_owner = owner;
>+ if ((stash->v4shm == -1) && (v4owner != -1)) {
>+ stash->v4shm = v4key;
>+ stash->v4shm_owner = v4owner;
> }
>- if (key != -1) {
>- _pam_krb5_blob_from_shm(key, &blob, &blob_size);
>+ if (v4key != -1) {
>+ _pam_krb5_blob_from_shm(v4key, &blob, &blob_size);
> if ((blob == NULL) || (blob_size == 0)) {
>- warn("no segment with specified identifier %d", key);
>+ warn("no segment with specified identifier %d", v4key);
> } else {
> /* Pull credentials from the blob, which contains a
> * credentials structure. Cross our fingers and hope
> * it's useful. */
>- _pam_krb5_stash_shm_read_v4(pamh, stash, options,
>- key, blob, blob_size);
>+ _pam_krb5_stash_shm_read_v4(stash, v4key, blob, blob_size,
>+ dodebug);
> free(blob);
> }
> }
> #endif
>-
>- free(variable);
> }
>
> /* Store credentials in new shared memory segments and set PAM environment
>@@ -755,7 +739,14 @@
> #endif
> stash->afspag = 0;
> if (options->use_shmem) {
>- _pam_krb5_stash_shm_read(pamh, key, stash, options);
>+ int v4shmkey, v5shmkey;
>+ pid_t v4shmowner, v5shmowner;
>+ _pam_krb5_stash_shm_get_key_owner(pamh, key, PAM_KRB5_STASH_SHM4_SUFFIX,
>+ &v4shmkey, &v4shmowner);
>+ _pam_krb5_stash_shm_get_key_owner(pamh, key, PAM_KRB5_STASH_SHM5_SUFFIX,
>+ &v5shmkey, &v5shmowner);
>+ _pam_krb5_stash_shm_read(v4shmkey, v5shmkey, v4shmowner, v5shmowner, stash,
>+ options->ccache_dir, options->debug);
> }
> if (options->external && (stash->v5attempted == 0)) {
> _pam_krb5_stash_external_read(pamh, stash, info, options);
>diff -u --new-file --recursive pam_krb5-2.3.0-1-vanilla/src/stash.h pam_krb5-2.3.0-1/src/stash.h
>--- pam_krb5-2.3.0-1-vanilla/src/stash.h 2008-03-15 09:58:09.000000000 +0430
>+++ pam_krb5-2.3.0-1/src/stash.h 2008-03-17 16:49:55.000000000 +0430
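Review bot: `_pam_krb5_stash_shm_get_key_owner` has its entire body under `#if 0`, so it never writes `*key` or `*owner` and always returns 1; the caller added in the @@ -755 hunk then hands the uninitialised `v4shmkey`, `v5shmkey`, `v4shmowner` and `v5shmowner` to `_pam_krb5_stash_shm_read`, whose `v5key != -1` / `v4key != -1` tests read indeterminate values (undefined behaviour) and can attach to an arbitrary segment id. Either re-enable the body or make the disabled path explicit: `*key = -1; *owner = -1; return 0;`. The caller also passes `(pamh, key, PAM_KRB5_STASH_SHM4_SUFFIX, …)` while the prototype here and in stash.h is `(pamh, const char *suffix, const char *partial_key, …)`, so once enabled the variable name would be built as suffix followed by partial_key; and `malloc(strlen(partial_key) + 10)` was sized for a literal suffix, so it should become `malloc(strlen(partial_key) + strlen(suffix) + 1)` with the return value checked at the call site. The function enclosing the @@ -755 hunk starts and ends outside it.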
>@@ -80,10 +80,12 @@
> int _pam_krb5_stash_push_v4(krb5_context ctx, struct _pam_krb5_stash *stash,
> const char *tktfile);
> int _pam_krb5_stash_pop_v4(krb5_context ctx, struct _pam_krb5_stash *stash);
>-void _pam_krb5_stash_shm_read(pam_handle_t *pamh,
>- const char *partial_key,
>- struct _pam_krb5_stash *stash,
>- struct _pam_krb5_options *options);
>+int _pam_krb5_stash_shm_get_key_owner(pam_handle_t *pamh, const char *suffix,
>+ const char *partial_key, int *key,
>+ pid_t *owner);
>+void _pam_krb5_stash_shm_read(int v4key, int v5key, pid_t v4owner,
>+ pid_t v5owner, struct _pam_krb5_stash *stash,
>+ char *ccache_dir, int dodebug);
> void _pam_krb5_stash_shm_write(pam_handle_t *pamh,
> struct _pam_krb5_stash *stash,
> struct _pam_krb5_options *options,
>diff -u --new-file --recursive pam_krb5-2.3.0-1-vanilla/src/v5.c pam_krb5-2.3.0-1/src/v5.c
>--- pam_krb5-2.3.0-1-vanilla/src/v5.c 2008-03-15 09:58:10.000000000 +0430
>+++ pam_krb5-2.3.0-1/src/v5.c 2008-03-17 17:18:58.000000000 +0430
>@@ -38,6 +38,9 @@
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
>+#include <signal.h>
>+#include <sys/types.h>
>+#include <sys/wait.h>
>
> #ifdef HAVE_SECURITY_PAM_APPL_H
> #include <security/pam_appl.h>
>@@ -735,78 +738,58 @@
> #endif
>
> static int
>-v5_validate(krb5_context ctx, krb5_creds *creds,
>- const struct _pam_krb5_options *options)
>+v5_run_validate_helper(const key_t shmkey, struct _pam_krb5_options *options)
> {
>- int i;
>- char *principal;
>- krb5_keytab keytab;
>- krb5_kt_cursor cursor;
>- krb5_keytab_entry entry;
>- krb5_verify_init_creds_opt opt;
>-
>- /* Open the keytab. */
>- memset(&keytab, 0, sizeof(keytab));
>- i = krb5_kt_resolve(ctx, options->keytab, &keytab);
>- if (i != 0) {
>- warn("error resolving keytab '%s', not verifying TGT",
>- options->keytab);
>- return PAM_SERVICE_ERR;
>+ int retval, child, fds[2], rc;
>+ void (*sighandler)(int) = NULL;
>+ const void *service, *user;
>+
>+ /* create a pipe for the shmem key */
>+ if (pipe(fds) != 0) {
>+ warn("failed to create pipe");
>+ return PAM_AUTH_ERR;
> }
>
>- /* Read the first key from the file. */
>- memset(&cursor, 0, sizeof(cursor));
>- i = krb5_kt_start_seq_get(ctx, keytab, &cursor);
>- if (i != 0) {
>- warn("error reading keytab, not verifying TGT");
>- return PAM_IGNORE;
>- }
>+ sighandler = signal(SIGCHLD, SIG_DFL);
>
>- memset(&entry, 0, sizeof(entry));
>- i = krb5_kt_next_entry(ctx, keytab, &entry, &cursor);
>- if (i != 0) {
>- warn("error reading keytab, not verifying TGT");
>- krb5_kt_end_seq_get(ctx, keytab, &cursor);
>- krb5_kt_close(ctx, keytab);
>- return PAM_IGNORE;
>+ switch (child = fork()) {
>+ case -1:
>+ warn("pam_ccreds: fork failed");
>+ close(fds[0]);
>+ close(fds[1]);
>+ retval = PAM_AUTH_ERR;
>+ break;
>+ case 0:
>+ /* reopen stdin as pipe */
>+ close(fds[1]);
>+ dup2(fds[0], STDIN_FILENO);
>+
>+ execl(PKGSECURITYDIR "/pam_krb5_validate", "pam_krb5_validate",
>+ options->keytab, options->ccache_dir, NULL);
>+
>+ /* should not get here: exit with error */
>+ warn("helper binary %s is not available", PKGSECURITYDIR "/pam_krb5_validate");
>+ exit(PAM_AUTHINFO_UNAVAIL);
>+ break;
>+ default:
>+ write(fds[1], &shmkey, sizeof(shmkey));
>+ close(fds[0]); /* close here to avoid possible SIGPIPE above */
>+ close(fds[1]);
>+ (void) waitpid(child, &retval, 0); /* wait for helper to complete */
>+ retval = (retval == 0) ? PAM_SUCCESS:PAM_AUTH_ERR;
>+ break;
>+ }
>+ if (sighandler != NULL) {
>+ (void) signal(SIGCHLD, sighandler); /* restore old signal handler */
> }
>
>- /* Get the principal to which the key belongs, for logging purposes. */
>- principal = NULL;
>- i = krb5_unparse_name(ctx, entry.principal, &principal);
>- if (i != 0) {
>- warn("internal error parsing principal name, "
>- "not verifying TGT");
>- krb5_kt_end_seq_get(ctx, keytab, &cursor);
>- krb5_kt_close(ctx, keytab);
>- return PAM_SERVICE_ERR;
>- }
>+ return retval;
>+}
>
>- /* Close the keytab here. Even though we're using cursors, the file
>- * handle is stored in the krb5_keytab structure, and it gets
>- * overwritten when the verify_init_creds() call below creates its own
>- * cursor, creating a leak. */
>- krb5_kt_end_seq_get(ctx, keytab, &cursor);
>-
>- /* Perform the verification checks using the service key. */
>- krb5_verify_init_creds_opt_init(&opt);
>- i = krb5_verify_init_creds(ctx, creds,
>- entry.principal, keytab,
>- NULL, &opt);
>-
>- krb5_kt_close(ctx, keytab);
>-
>- /* Log success or failure. */
>- if (i == 0) {
>- notice("TGT verified using key for '%s'", principal);
>- v5_free_unparsed_name(ctx, principal);
>- return PAM_SUCCESS;
>- } else {
>- crit("TGT failed verification using key for '%s'",
>- principal);
>- v5_free_unparsed_name(ctx, principal);
>- return PAM_AUTH_ERR;
>- }
>+int
>+v5_validate(const key_t shmkey, struct _pam_krb5_options *options)
>+{
>+ return v5_run_validate_helper(shmkey, options);
> }
>
> int
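Review bot: In the parent branch of `v5_run_validate_helper`, `retval` is passed to `waitpid` uninitialised and the call's return value is discarded, so if `waitpid` fails (for example when interrupted by a signal) the following `retval == 0 ? PAM_SUCCESS : PAM_AUTH_ERR` can report success without the helper having verified anything; the raw status should also be decoded with `WIFEXITED`/`WEXITSTATUS` rather than compared to 0. The rewritten branch below fails closed, checks the `write` of the key and reuses the declared-but-unused `rc`; `service` and `user` are unused and can go, and the declaration line becomes `int retval, child, fds[2], rc, status;`. In the child, use `_exit(PAM_AUTHINFO_UNAVAIL)` after a failed `execl` so the PAM application's stdio buffers and atexit handlers are not run a second time, close `fds[0]` after the `dup2`, and note that the log text `"pam_ccreds: fork failed"` names a different module.
```c
	default:
		if (write(fds[1], &shmkey, sizeof(shmkey)) != (ssize_t) sizeof(shmkey)) {
			warn("error passing shared memory key to helper");
		}
		close(fds[0]); /* close here to avoid possible SIGPIPE above */
		close(fds[1]);
		/* Fail closed: only a clean exit with status 0 counts as verified;
		 * a waitpid() error or a signalled child must not read as success. */
		status = 0;
		rc = waitpid(child, &status, 0);
		if (rc == child && WIFEXITED(status) && WEXITSTATUS(status) == 0) {
			retval = PAM_SUCCESS;
		} else {
			retval = PAM_AUTH_ERR;
		}
		break;
```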
>@@ -1004,21 +987,7 @@
> /* Interpret the return code. */
> switch (i) {
> case 0:
>- /* Flat-out success. Validate the TGT if it's actually a TGT,
>- * and if we can. */
>- if ((options->validate == 1) &&
>- (strcmp(service, KRB5_TGS_NAME) == 0)) {
>- if (options->debug) {
>- debug("validating credentials");
>- }
>- switch (v5_validate(ctx, creds, options)) {
>- case PAM_AUTH_ERR:
>- return PAM_AUTH_ERR;
>- break;
>- default:
>- break;
>- }
>- }
>+ /* Flat-out success. */
> return PAM_SUCCESS;
> break;
> case KRB5KDC_ERR_CLIENT_REVOKED:
>diff -u --new-file --recursive pam_krb5-2.3.0-1-vanilla/src/v5.h pam_krb5-2.3.0-1/src/v5.h
>--- pam_krb5-2.3.0-1-vanilla/src/v5.h 2008-03-15 09:58:09.000000000 +0430
>+++ pam_krb5-2.3.0-1/src/v5.h 2008-03-17 17:20:16.000000000 +0430
>@@ -37,6 +37,9 @@
> #include "stash.h"
> #include "userinfo.h"
>
>+#include <sys/ipc.h>
>+#include <sys/shm.h>
>+
> #define PAM_KRB5_PRINCIPAL_COMPONENT_SEPARATORS ",/@"
>
> int v5_get_creds(krb5_context ctx,
>@@ -56,6 +59,8 @@
> krb5_prompt[]),
> int *result);
>
>+int v5_validate(const key_t shmkey, struct _pam_krb5_options *options);
>+
> int v5_get_creds_etype(krb5_context ctx,
> struct _pam_krb5_user_info *userinfo,
> struct _pam_krb5_options *options,