/* * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "krb5_locl.h" #include "kuserok_plugin.h" #include #ifndef SYSTEM_K5LOGIN_DIR /* * System k5login location. File namess in this directory are expected * to be usernames and to contain a list of principals allowed to login * as the user named the same as the file. */ #define SYSTEM_K5LOGIN_DIR SYSCONFDIR "/k5login.d" #endif /* Plugin framework bits */ struct plctx { const char *rule; const char *k5login_dir; const char *luser; krb5_const_principal principal; unsigned int flags; krb5_boolean result; }; static krb5_error_code KRB5_LIB_CALL plcallback(krb5_context context, const void *plug, void *plugctx, void *userctx) { const krb5plugin_kuserok_ftable *locate = plug; struct plctx *plctx = userctx; return locate->kuserok(plugctx, context, plctx->rule, plctx->flags, plctx->k5login_dir, plctx->luser, plctx->principal, &plctx->result); } static krb5_error_code plugin_reg_ret; static const krb5plugin_kuserok_ftable kuserok_simple_plug; static const krb5plugin_kuserok_ftable kuserok_sys_k5login_plug; static const krb5plugin_kuserok_ftable kuserok_user_k5login_plug; static const krb5plugin_kuserok_ftable kuserok_deny_plug; static void reg_def_plugins_once(void *ctx) { krb5_error_code ret; krb5_context context = ctx; plugin_reg_ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA, KRB5_PLUGIN_KUSEROK, &kuserok_simple_plug); ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA, KRB5_PLUGIN_KUSEROK, &kuserok_sys_k5login_plug); if (!plugin_reg_ret) plugin_reg_ret = ret; ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA, KRB5_PLUGIN_KUSEROK, &kuserok_user_k5login_plug); if (!plugin_reg_ret) plugin_reg_ret = ret; ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA, KRB5_PLUGIN_KUSEROK, &kuserok_deny_plug); if (!plugin_reg_ret) plugin_reg_ret = ret; } /** * This function is designed to be portable for Win32 and POSIX. The * design does lead to multiple getpwnam_r() calls, but this is probably * not a big deal. * * Inputs: * * @param context A krb5_context * @param filename Name of item to introspection * @param is_system_location TRUE if the dir/file are system locations or * FALSE if they are user home directory locations * @param dir Directory (optional) * @param dirlstat A pointer to struct stat for the directory (optional) * @param file File (optional) * @param owner Name of user that is expected to own the file */ static krb5_error_code check_owner_dir(krb5_context context, const char *filename, krb5_boolean is_system_location, DIR *dir, struct stat *dirlstat, const char *owner) { #ifdef _WIN32 /* * XXX Implement this! * * The thing to do is to call _get_osfhandle() on fileno(file) and * dirfd(dir) to get HANDLEs to the same, then call * GetSecurityInfo() on those HANDLEs to get the security descriptor * (SD), then check the owner and DACL. Checking the DACL sounds * like a lot of work (what, derive a mode from the ACL the way * NFSv4 servers do?). Checking the owner means doing an LSARPC * lookup at least (to get the user's SID). */ if (is_system_location || owner == NULL) return 0; krb5_set_error_message(context, EACCES, "User k5login files not supported on Windows"); return EACCES; #else struct passwd pw, *pwd = NULL; char pwbuf[2048]; struct stat st; heim_assert(owner != NULL, "no directory owner ?"); if (getpwnam_r(owner, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) { krb5_set_error_message(context, errno, "User unknown %s (getpwnam_r())", owner); return EACCES; } if (pwd == NULL) { krb5_set_error_message(context, EACCES, "no user %s", owner); return EACCES; } if (fstat(dirfd(dir), &st) == -1) { krb5_set_error_message(context, EACCES, "fstat(%s) of k5login.d failed", filename); return EACCES; } if (!S_ISDIR(st.st_mode)) { krb5_set_error_message(context, ENOTDIR, "%s not a directory", filename); return ENOTDIR; } if (st.st_dev != dirlstat->st_dev || st.st_ino != dirlstat->st_ino) { krb5_set_error_message(context, EACCES, "%s was renamed during kuserok " "operation", filename); return EACCES; } if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0) { krb5_set_error_message(context, EACCES, "%s has world and/or group write " "permissions", filename); return EACCES; } if (pwd->pw_uid != st.st_uid && st.st_uid != 0) { krb5_set_error_message(context, EACCES, "%s not owned by the user (%s) or root", filename, owner); return EACCES; } return 0; #endif } static krb5_error_code check_owner_file(krb5_context context, const char *filename, FILE *file, const char *owner) { #ifdef _WIN32 /* * XXX Implement this! * * The thing to do is to call _get_osfhandle() on fileno(file) and * dirfd(dir) to get HANDLEs to the same, then call * GetSecurityInfo() on those HANDLEs to get the security descriptor * (SD), then check the owner and DACL. Checking the DACL sounds * like a lot of work (what, derive a mode from the ACL the way * NFSv4 servers do?). Checking the owner means doing an LSARPC * lookup at least (to get the user's SID). */ if (owner == NULL) return 0; krb5_set_error_message(context, EACCES, "User k5login files not supported on Windows"); return EACCES; #else struct passwd pw, *pwd = NULL; char pwbuf[2048]; struct stat st; if (owner == NULL) return 0; if (getpwnam_r(owner, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) { krb5_set_error_message(context, errno, "User unknown %s (getpwnam_r())", owner); return EACCES; } if (pwd == NULL) { krb5_set_error_message(context, EACCES, "no user %s", owner); return EACCES; } if (fstat(fileno(file), &st) == -1) { krb5_set_error_message(context, EACCES, "fstat(%s) of k5login failed", filename); return EACCES; } if (S_ISDIR(st.st_mode)) { krb5_set_error_message(context, EISDIR, "k5login: %s is a directory", filename); return EISDIR; } if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0) { krb5_set_error_message(context, EISDIR, "k5login %s has world and/or group write " "permissions", filename); return EACCES; } if (pwd->pw_uid != st.st_uid && st.st_uid != 0) { krb5_set_error_message(context, EACCES, "k5login %s not owned by the user or root", filename); return EACCES; } return 0; #endif } /* see if principal is mentioned in the filename access file, return TRUE (in result) if so, FALSE otherwise */ static krb5_error_code check_one_file(krb5_context context, const char *filename, const char *owner, krb5_boolean is_system_location, krb5_const_principal principal, krb5_boolean *result) { FILE *f; char buf[BUFSIZ]; krb5_error_code ret; *result = FALSE; f = fopen(filename, "r"); if (f == NULL) return errno; rk_cloexec_file(f); ret = check_owner_file(context, filename, f, owner); if (ret) goto out; while (fgets(buf, sizeof(buf), f) != NULL) { krb5_principal tmp; char *newline = buf + strcspn(buf, "\n"); if (*newline != '\n') { int c; c = fgetc(f); if (c != EOF) { while (c != EOF && c != '\n') c = fgetc(f); /* line was too long, so ignore it */ continue; } } *newline = '\0'; ret = krb5_parse_name(context, buf, &tmp); if (ret) continue; *result = krb5_principal_compare(context, principal, tmp); krb5_free_principal(context, tmp); if (*result) { fclose (f); return 0; } } out: fclose(f); return 0; } static krb5_error_code check_directory(krb5_context context, const char *dirname, const char *owner, krb5_boolean is_system_location, krb5_const_principal principal, krb5_boolean *result) { DIR *d; struct dirent *dent; char filename[MAXPATHLEN]; size_t len; krb5_error_code ret = 0; struct stat st; *result = FALSE; if (lstat(dirname, &st) < 0) return errno; if (!S_ISDIR(st.st_mode)) { krb5_set_error_message(context, ENOTDIR, "k5login.d not a directory"); return ENOTDIR; } if ((d = opendir(dirname)) == NULL) { krb5_set_error_message(context, ENOTDIR, "Could not open k5login.d"); return errno; } ret = check_owner_dir(context, dirname, is_system_location, d, &st, owner); if (ret) goto out; while ((dent = readdir(d)) != NULL) { /* * XXX: Should we also skip files whose names start with "."? * Vim ".filename.swp" files are also good candidates to skip. * Once we ignore "#*" and "*~", it is not clear what other * heuristics to apply. */ if (strcmp(dent->d_name, ".") == 0 || strcmp(dent->d_name, "..") == 0 || dent->d_name[0] == '#' || /* emacs autosave */ dent->d_name[strlen(dent->d_name) - 1] == '~') /* emacs backup */ continue; len = snprintf(filename, sizeof(filename), "%s/%s", dirname, dent->d_name); /* Skip too-long filenames that got truncated by snprintf() */ if (len < sizeof(filename)) { ret = check_one_file(context, filename, owner, is_system_location, principal, result); if (ret == 0 && *result == TRUE) break; } ret = 0; /* don't propagate errors upstream */ } out: closedir(d); return ret; } static krb5_error_code check_an2ln(krb5_context context, krb5_const_principal principal, const char *luser, krb5_boolean *result) { krb5_error_code ret; char *lname; #if 0 /* XXX Should we make this an option? */ /* multi-component principals can never match */ if (krb5_principal_get_comp_string(context, principal, 1) != NULL) { *result = FALSE; return 0; } #endif lname = malloc(strlen(luser) + 1); if (lname == NULL) return krb5_enomem(context); ret = krb5_aname_to_localname(context, principal, strlen(luser)+1, lname); if (ret) goto out; if (strcmp(lname, luser) == 0) *result = TRUE; else *result = FALSE; out: free(lname); return 0; } /** * This function takes the name of a local user and checks if * principal is allowed to log in as that user. * * The user may have a ~/.k5login file listing principals that are * allowed to login as that user. If that file does not exist, all * principals with a only one component that is identical to the * username, and a realm considered local, are allowed access. * * The .k5login file must contain one principal per line, be owned by * user and not be writable by group or other (but must be readable by * anyone). * * Note that if the file exists, no implicit access rights are given * to user@@LOCALREALM. * * Optionally, a set of files may be put in ~/.k5login.d (a * directory), in which case they will all be checked in the same * manner as .k5login. The files may be called anything, but files * starting with a hash (#) , or ending with a tilde (~) are * ignored. Subdirectories are not traversed. Note that this directory * may not be checked by other Kerberos implementations. * * If no configuration file exists, match user against local domains, * ie luser@@LOCAL-REALMS-IN-CONFIGURATION-FILES. * * @param context Kerberos 5 context. * @param principal principal to check if allowed to login * @param luser local user id * * @return returns TRUE if access should be granted, FALSE otherwise. * * @ingroup krb5_support */ KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL krb5_kuserok(krb5_context context, krb5_principal principal, const char *luser) { return _krb5_kuserok(context, principal, luser, TRUE); } static const char *const kuserok_plugin_deps[] = { "krb5", NULL }; static const struct heim_plugin_data kuserok_plugin_data = { "krb5", KRB5_PLUGIN_KUSEROK, KRB5_PLUGIN_KUSEROK_VERSION_0, kuserok_plugin_deps, krb5_get_instance }; KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL _krb5_kuserok(krb5_context context, krb5_principal principal, const char *luser, krb5_boolean an2ln_ok) { static heim_base_once_t reg_def_plugins = HEIM_BASE_ONCE_INIT; krb5_error_code ret; struct plctx ctx; char **rules; /* * XXX we should have a struct with a krb5_context field and a * krb5_error_code fied and pass the address of that as the ctx * argument of heim_base_once_f(). For now we use a static to * communicate failures. Actually, we ignore failures anyways, * since we can't return them. */ heim_base_once_f(®_def_plugins, context, reg_def_plugins_once); ctx.flags = 0; ctx.luser = luser; ctx.principal = principal; ctx.result = FALSE; ctx.k5login_dir = krb5_config_get_string(context, NULL, "libdefaults", "k5login_directory", NULL); if (an2ln_ok) ctx.flags |= KUSEROK_ANAME_TO_LNAME_OK; if (krb5_config_get_bool_default(context, NULL, FALSE, "libdefaults", "k5login_authoritative", NULL)) ctx.flags |= KUSEROK_K5LOGIN_IS_AUTHORITATIVE; if ((ctx.flags & KUSEROK_K5LOGIN_IS_AUTHORITATIVE) && plugin_reg_ret) return plugin_reg_ret; /* fail safe */ rules = krb5_config_get_strings(context, NULL, "libdefaults", "kuserok", NULL); if (rules == NULL) { /* Default: check ~/.k5login */ ctx.rule = "USER-K5LOGIN"; ret = plcallback(context, &kuserok_user_k5login_plug, NULL, &ctx); if (ret == 0) goto out; ctx.rule = "SIMPLE"; ret = plcallback(context, &kuserok_simple_plug, NULL, &ctx); if (ret == 0) goto out; ctx.result = FALSE; } else { size_t n; for (n = 0; rules[n]; n++) { ctx.rule = rules[n]; ret = _krb5_plugin_run_f(context, &kuserok_plugin_data, 0, &ctx, plcallback); if (ret != KRB5_PLUGIN_NO_HANDLE) goto out; } } out: krb5_config_free_strings(rules); return ctx.result; } /* * Simple kuserok: check that the lname for the aname matches luser. */ static krb5_error_code KRB5_LIB_CALL kuserok_simple_plug_f(void *plug_ctx, krb5_context context, const char *rule, unsigned int flags, const char *k5login_dir, const char *luser, krb5_const_principal principal, krb5_boolean *result) { krb5_error_code ret; if (strcmp(rule, "SIMPLE") != 0 || (flags & KUSEROK_ANAME_TO_LNAME_OK) == 0) return KRB5_PLUGIN_NO_HANDLE; ret = check_an2ln(context, principal, luser, result); if (ret == 0 && *result == FALSE) return KRB5_PLUGIN_NO_HANDLE; return 0; } /* * Check k5login files in a system location, rather than in home * directories. */ static krb5_error_code KRB5_LIB_CALL kuserok_sys_k5login_plug_f(void *plug_ctx, krb5_context context, const char *rule, unsigned int flags, const char *k5login_dir, const char *luser, krb5_const_principal principal, krb5_boolean *result) { char filename[MAXPATHLEN]; size_t len; const char *profile_dir = NULL; krb5_error_code ret; *result = FALSE; if (strcmp(rule, "SYSTEM-K5LOGIN") != 0 && strncmp(rule, "SYSTEM-K5LOGIN:", strlen("SYSTEM-K5LOGIN:")) != 0) return KRB5_PLUGIN_NO_HANDLE; profile_dir = strchr(rule, ':'); if (profile_dir == NULL) profile_dir = k5login_dir ? k5login_dir : SYSTEM_K5LOGIN_DIR; else profile_dir++; len = snprintf(filename, sizeof(filename), "%s/%s", profile_dir, luser); if (len < sizeof(filename)) { ret = check_one_file(context, filename, NULL, TRUE, principal, result); if (ret == 0 && ((flags & KUSEROK_K5LOGIN_IS_AUTHORITATIVE) || *result == TRUE)) return 0; } *result = FALSE; return KRB5_PLUGIN_NO_HANDLE; } /* * Check ~luser/.k5login and/or ~/luser/.k5login.d */ static krb5_error_code KRB5_LIB_CALL kuserok_user_k5login_plug_f(void *plug_ctx, krb5_context context, const char *rule, unsigned int flags, const char *k5login_dir, const char *luser, krb5_const_principal principal, krb5_boolean *result) { #ifdef _WIN32 return KRB5_PLUGIN_NO_HANDLE; #else char *path; char *path_exp; const char *profile_dir = NULL; krb5_error_code ret; krb5_boolean found_file = FALSE; struct passwd pw, *pwd = NULL; char pwbuf[2048]; if (strcmp(rule, "USER-K5LOGIN") != 0) return KRB5_PLUGIN_NO_HANDLE; profile_dir = k5login_dir; if (profile_dir == NULL) { /* Don't deadlock with gssd or anything of the sort */ if (!_krb5_homedir_access(context)) return KRB5_PLUGIN_NO_HANDLE; if (getpwnam_r(luser, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) { krb5_set_error_message(context, errno, "User unknown (getpwnam_r())"); return KRB5_PLUGIN_NO_HANDLE; } if (pwd == NULL) { krb5_set_error_message(context, errno, "User unknown (getpwnam())"); return KRB5_PLUGIN_NO_HANDLE; } profile_dir = pwd->pw_dir; } #define KLOGIN "/.k5login" if (asprintf(&path, "%s/.k5login.d", profile_dir) == -1) return krb5_enomem(context); ret = _krb5_expand_path_tokensv(context, path, 1, &path_exp, "luser", luser, NULL); free(path); if (ret) return ret; path = path_exp; /* check user's ~/.k5login */ path[strlen(path) - strlen(".d")] = '\0'; ret = check_one_file(context, path, luser, FALSE, principal, result); /* * A match in ~/.k5login is sufficient. A non-match, falls through to the * .k5login.d code below. */ if (ret == 0 && *result == TRUE) { free(path); return 0; } if (ret != ENOENT) found_file = TRUE; /* * A match in ~/.k5login.d/somefile is sufficient. A non-match, falls * through to the code below that handles negative results. * * XXX: put back the .d; clever|hackish? you decide */ path[strlen(path)] = '.'; ret = check_directory(context, path, luser, FALSE, principal, result); free(path); if (ret == 0 && *result == TRUE) return 0; if (ret != ENOENT && ret != ENOTDIR) found_file = TRUE; /* * When either ~/.k5login or ~/.k5login.d/ exists, but neither matches * and we're authoritative, we're done. Otherwise, give other plugins * a chance. */ *result = FALSE; if (found_file && (flags & KUSEROK_K5LOGIN_IS_AUTHORITATIVE)) return 0; return KRB5_PLUGIN_NO_HANDLE; #endif } static krb5_error_code KRB5_LIB_CALL kuserok_deny_plug_f(void *plug_ctx, krb5_context context, const char *rule, unsigned int flags, const char *k5login_dir, const char *luser, krb5_const_principal principal, krb5_boolean *result) { if (strcmp(rule, "DENY") != 0) return KRB5_PLUGIN_NO_HANDLE; *result = FALSE; return 0; } static krb5_error_code KRB5_LIB_CALL kuser_ok_null_plugin_init(krb5_context context, void **ctx) { *ctx = NULL; return 0; } static void KRB5_LIB_CALL kuser_ok_null_plugin_fini(void *ctx) { return; } static const krb5plugin_kuserok_ftable kuserok_simple_plug = { KRB5_PLUGIN_KUSEROK_VERSION_0, kuser_ok_null_plugin_init, kuser_ok_null_plugin_fini, kuserok_simple_plug_f, }; static const krb5plugin_kuserok_ftable kuserok_sys_k5login_plug = { KRB5_PLUGIN_KUSEROK_VERSION_0, kuser_ok_null_plugin_init, kuser_ok_null_plugin_fini, kuserok_sys_k5login_plug_f, }; static const krb5plugin_kuserok_ftable kuserok_user_k5login_plug = { KRB5_PLUGIN_KUSEROK_VERSION_0, kuser_ok_null_plugin_init, kuser_ok_null_plugin_fini, kuserok_user_k5login_plug_f, }; static const krb5plugin_kuserok_ftable kuserok_deny_plug = { KRB5_PLUGIN_KUSEROK_VERSION_0, kuser_ok_null_plugin_init, kuser_ok_null_plugin_fini, kuserok_deny_plug_f, };