krb5_error_code
kcm_ccache_new_client(krb5_context context,
kcm_client *client,
const char *name,
kcm_ccache *ccache_p)
{
krb5_error_code ret;
kcm_ccache ccache;
/* We insist the ccache name starts with UID or UID: */
if (name_constraints != 0) {
char prefix[64];
size_t prefix_len;
int bad = 1;
snprintf(prefix, sizeof(prefix), "%ld:", (long)client->uid);
prefix_len = strlen(prefix);
if (strncmp(name, prefix, prefix_len) == 0)
bad = 0;
else {
prefix[prefix_len - 1] = '\0';
if (strcmp(name, prefix) == 0)
bad = 0;
}
/* Allow root to create badly-named ccaches */
if (bad && !CLIENT_IS_ROOT(client))
return KRB5_CC_BADNAME;
}
ret = kcm_ccache_resolve(context, name, &ccache);
if (ret == 0) {
if ((ccache->uid != client->uid ||
ccache->gid != client->gid) && !CLIENT_IS_ROOT(client))
return KRB5_FCC_PERM;
} else if (ret != KRB5_FCC_NOFILE && !(CLIENT_IS_ROOT(client) && ret == KRB5_FCC_PERM)) {
return ret;
}
if (ret == KRB5_FCC_NOFILE) {
ret = kcm_ccache_new(context, name, &ccache);
if (ret) {
kcm_log(1, "Failed to initialize cache %s: %s",
name, krb5_get_err_text(context, ret));
return ret;
}
/* bind to current client */
ccache->uid = client->uid;
ccache->gid = client->gid;
ccache->session = client->session;
} else {
ret = kcm_zero_ccache_data(context, ccache);
if (ret) {
kcm_log(1, "Failed to empty cache %s: %s",
name, krb5_get_err_text(context, ret));
kcm_release_ccache(context, ccache);
return ret;
}
kcm_cleanup_events(context, ccache);
}
ret = kcm_access(context, client, KCM_OP_INITIALIZE, ccache);
if (ret) {
kcm_release_ccache(context, ccache);
kcm_ccache_destroy(context, name);
return ret;
}
/*
* Finally, if the user is root and the cache was created under
* another user's name, chown the cache to that user and their
* default gid.
*/
if (CLIENT_IS_ROOT(client)) {
unsigned long uid;
int matches = sscanf(name,"%ld:",&uid);
if (matches == 0)
matches = sscanf(name,"%ld",&uid);
if (matches == 1) {
struct passwd *pwd = getpwuid(uid);
if (pwd != NULL) {
gid_t gid = pwd->pw_gid;
kcm_chown(context, client, ccache, uid, gid);
}
}
}
*ccache_p = ccache;
return 0;
}
krb5_error_code
kcm_access(krb5_context context,
kcm_client *client,
kcm_operation opcode,
kcm_ccache ccache)
{
int read_p = 0;
int write_p = 0;
uint16_t mask;
krb5_error_code ret;
KCM_ASSERT_VALID(ccache);
switch (opcode) {
case KCM_OP_INITIALIZE:
case KCM_OP_DESTROY:
case KCM_OP_STORE:
case KCM_OP_REMOVE_CRED:
case KCM_OP_SET_FLAGS:
case KCM_OP_CHOWN:
case KCM_OP_CHMOD:
case KCM_OP_GET_INITIAL_TICKET:
case KCM_OP_GET_TICKET:
write_p = 1;
read_p = 0;
break;
case KCM_OP_NOOP:
case KCM_OP_GET_NAME:
case KCM_OP_RESOLVE:
case KCM_OP_GEN_NEW:
case KCM_OP_RETRIEVE:
case KCM_OP_GET_PRINCIPAL:
case KCM_OP_GET_FIRST:
case KCM_OP_GET_NEXT:
case KCM_OP_END_GET:
case KCM_OP_MAX:
write_p = 0;
read_p = 1;
break;
}
if (ccache->flags & KCM_FLAGS_OWNER_IS_SYSTEM) {
/* System caches cannot be reinitialized or destroyed by users */
if (opcode == KCM_OP_INITIALIZE ||
opcode == KCM_OP_DESTROY ||
opcode == KCM_OP_REMOVE_CRED) {
ret = KRB5_FCC_PERM;
goto out;
}
/* Let root always read system caches */
if (client->uid == 0) {
ret = 0;
goto out;
}
}
mask = 0;
/* Root may do whatever they like */
if (client->uid == ccache->uid || CLIENT_IS_ROOT(client)) {
if (read_p)
mask |= S_IRUSR;
if (write_p)
mask |= S_IWUSR;
} else if (client->gid == ccache->gid || CLIENT_IS_ROOT(client)) {
if (read_p)
mask |= S_IRGRP;
if (write_p)
mask |= S_IWGRP;
} else {
if (read_p)
mask |= S_IROTH;
if (write_p)
mask |= S_IWOTH;
}
ret = ((ccache->mode & mask) == mask) ? 0 : KRB5_FCC_PERM;
out:
if (ret) {
kcm_log(2, "Process %d is not permitted to call %s on cache %s",
client->pid, kcm_op2string(opcode), ccache->name);
}
return ret;
}
krb5_error_code
kcm_access(krb5_context context,
kcm_client *client,
kcm_operation opcode,
kcm_ccache ccache)
{
int read_p = 0;
int write_p = 0;
uint16_t mask;
krb5_error_code ret;
KCM_ASSERT_VALID(ccache);
switch (opcode) {
case KCM_OP_INITIALIZE:
case KCM_OP_DESTROY:
case KCM_OP_STORE:
case KCM_OP_REMOVE_CRED:
case KCM_OP_SET_FLAGS:
case KCM_OP_CHOWN:
case KCM_OP_CHMOD:
case KCM_OP_GET_INITIAL_TICKET:
case KCM_OP_GET_TICKET:
case KCM_OP_MOVE_CACHE:
case KCM_OP_SET_DEFAULT_CACHE:
case KCM_OP_SET_KDC_OFFSET:
write_p = 1;
read_p = 0;
break;
case KCM_OP_NOOP:
case KCM_OP_GET_NAME:
case KCM_OP_RESOLVE:
case KCM_OP_GEN_NEW:
case KCM_OP_RETRIEVE:
case KCM_OP_GET_PRINCIPAL:
case KCM_OP_GET_CRED_UUID_LIST:
case KCM_OP_GET_CRED_BY_UUID:
case KCM_OP_GET_CACHE_UUID_LIST:
case KCM_OP_GET_CACHE_BY_UUID:
case KCM_OP_GET_DEFAULT_CACHE:
case KCM_OP_GET_KDC_OFFSET:
write_p = 0;
read_p = 1;
break;
default:
ret = KRB5_FCC_PERM;
goto out;
}
if (ccache->flags & KCM_FLAGS_OWNER_IS_SYSTEM) {
/* System caches cannot be reinitialized or destroyed by users */
if (opcode == KCM_OP_INITIALIZE ||
opcode == KCM_OP_DESTROY ||
opcode == KCM_OP_REMOVE_CRED ||
opcode == KCM_OP_MOVE_CACHE) {
ret = KRB5_FCC_PERM;
goto out;
}
/* Let root always read system caches */
if (CLIENT_IS_ROOT(client)) {
ret = 0;
goto out;
}
}
/* start out with "other" mask */
mask = S_IROTH|S_IWOTH;
/* root can do anything */
if (CLIENT_IS_ROOT(client)) {
if (read_p)
mask |= S_IRUSR|S_IRGRP|S_IROTH;
if (write_p)
mask |= S_IWUSR|S_IWGRP|S_IWOTH;
}
/* same session same as owner */
if (kcm_is_same_session(client, ccache->uid, ccache->session)) {
if (read_p)
mask |= S_IROTH;
if (write_p)
mask |= S_IWOTH;
}
/* owner */
if (client->uid == ccache->uid) {
if (read_p)
mask |= S_IRUSR;
if (write_p)
mask |= S_IWUSR;
}
/* group */
if (client->gid == ccache->gid) {
if (read_p)
mask |= S_IRGRP;
if (write_p)
mask |= S_IWGRP;
}
ret = (ccache->mode & mask) ? 0 : KRB5_FCC_PERM;
out:
if (ret) {
kcm_log(2, "Process %d is not permitted to call %s on cache %s",
client->pid, kcm_op2string(opcode), ccache->name);
}
return ret;
}
krb5_error_code
kcm_ccache_new_client(krb5_context context,
kcm_client *client,
const char *name,
kcm_ccache *ccache_p)
{
krb5_error_code ret;
kcm_ccache ccache;
ret = kcm_ccache_resolve_by_name(context, name, &ccache);
if (ret == 0) {
if ((ccache->uid != client->uid) && !CLIENT_IS_ROOT(client))
return KRB5_FCC_PERM;
} else if (ret != KRB5_FCC_NOFILE && !(CLIENT_IS_ROOT(client) && ret == KRB5_FCC_PERM)) {
return ret;
}
if (ret == KRB5_FCC_NOFILE) {
ret = kcm_ccache_new(context, name, &ccache);
if (ret) {
kcm_log(1, "Failed to initialize cache %s", name);
return ret;
}
/* bind to current client */
ccache->uid = client->uid;
ccache->session = client->session;
/*
* add notification when the session goes away, so we can
* remove the credential
*/
kcm_session_add(client->session);
} else {
ret = kcm_zero_ccache_data(context, ccache);
if (ret) {
kcm_log(1, "Failed to empty cache %s", name);
kcm_release_ccache(context, ccache);
return ret;
}
heim_ipc_event_cancel(ccache->renew_event);
heim_ipc_event_cancel(ccache->expire_event);
}
ret = kcm_access(context, client, KCM_OP_INITIALIZE, ccache);
if (ret) {
kcm_release_ccache(context, ccache);
kcm_ccache_destroy(context, name);
return ret;
}
/*
* Finally, if the user is root and the cache was created under
* another user's name, chown the cache to that user.
*/
if (CLIENT_IS_ROOT(client)) {
unsigned long uid;
int matches = sscanf(name,"%ld:",&uid);
if (matches == 0)
matches = sscanf(name,"%ld",&uid);
if (matches == 1) {
kcm_chown(context, client, ccache, (uid_t)uid);
}
}
*ccache_p = ccache;
return 0;
}