ROKEN_LIB_FUNCTION char * ROKEN_LIB_CALL
pid_file_write(const char *progname)
{
const char *pidfile_dir = NULL;
char *ret = NULL;
FILE *fp;
/*
* Maybe we could have a version of this function (and pidfile())
* where we get a directory from the caller. That would allow us to
* have command-line options for the daemons for this.
*
* For now we use an environment variable.
*/
if (!issuid())
pidfile_dir = getenv("HEIM_PIDFILE_DIR");
if (pidfile_dir == NULL)
pidfile_dir = _PATH_VARRUN;
if (asprintf(&ret, "%s%s.pid", pidfile_dir, progname) < 0 || ret == NULL)
return NULL;
fp = fopen(ret, "w");
if (fp == NULL) {
free(ret);
return NULL;
}
fprintf(fp, "%lu\n", (unsigned long)getpid());
fclose(fp);
return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_default_config_files(char ***pfilenames)
{
const char *files = NULL;
if (pfilenames == NULL)
return EINVAL;
if(!issuid())
files = getenv("KRB5_CONFIG");
#ifdef _WIN32
if (files == NULL) {
char * reg_files;
reg_files = _krb5_get_default_config_config_files_from_registry();
if (reg_files != NULL) {
krb5_error_code code;
code = krb5_prepend_config_files(reg_files, NULL, pfilenames);
free(reg_files);
return code;
}
}
#endif
if (files == NULL)
files = krb5_config_file;
return krb5_prepend_config_files(files, NULL, pfilenames);
}
static int
try_aix(void)
{
#ifdef STATIC_AFS_SYSCALLS
Pioctl = aix_pioctl;
Setpag = aix_setpag;
#else
void *ptr;
char path[MaxPathLen], *p;
/*
* If we are root or running setuid don't trust AFSLIBPATH!
*/
if (getuid() != 0 && !issuid() && (p = getenv("AFSLIBPATH")) != NULL)
strlcpy(path, p, sizeof(path));
else
snprintf(path, sizeof(path), "%s/afslib.so", LIBDIR);
ptr = dlopen(path, RTLD_NOW);
if(ptr == NULL) {
if(_kafs_debug) {
if(errno == ENOEXEC && (p = dlerror()) != NULL)
fprintf(stderr, "dlopen(%s): %s\n", path, p);
else if (errno != ENOENT)
fprintf(stderr, "dlopen(%s): %s\n", path, strerror(errno));
}
return 1;
}
Setpag = (int (*)(void))dlsym(ptr, "aix_setpag");
Pioctl = (int (*)(char*, int,
struct ViceIoctl*, int))dlsym(ptr, "aix_pioctl");
#endif
afs_entry_point = AIX_ENTRY_POINTS;
return 0;
}
const char *
RAND_file_name(char *filename, size_t size)
{
const char *e = NULL;
int pathp = 0, ret;
if (!issuid()) {
e = getenv("RANDFILE");
if (e == NULL)
e = getenv("HOME");
if (e)
pathp = 1;
}
#ifndef _WIN32
/*
* Here we really want to call getpwuid(getuid()) but this will
* cause recursive lookups if the nss library uses
* gssapi/krb5/hcrypto to authenticate to the ldap servers.
*
* So at least return the unix /dev/random if we have one
*/
if (e == NULL) {
int fd;
fd = _hc_unix_device_fd(O_RDONLY, &e);
if (fd >= 0)
close(fd);
}
#else /* Win32 */
if (e == NULL) {
char profile[MAX_PATH];
if (SHGetFolderPath(NULL, CSIDL_LOCAL_APPDATA, NULL,
SHGFP_TYPE_CURRENT, profile) == S_OK) {
ret = snprintf(filename, size, "%s\\.rnd", profile);
if (ret > 0 && ret < size)
return filename;
}
}
#endif
if (e == NULL)
return NULL;
if (pathp)
ret = snprintf(filename, size, "%s/.rnd", e);
else
ret = snprintf(filename, size, "%s", e);
if (ret <= 0 || ret >= size)
return NULL;
return filename;
}
/*
* Default ktname from context with possible environment
* override
*/
static const char *default_ktname(krb5_context context)
{
const char *tmp = NULL;
if(!issuid())
tmp = getenv("KRB5_KTNAME");
if(tmp != NULL)
return tmp;
return context->default_keytab;
}
static int
_expand_temp_folder(krb5_context context, PTYPE param, const char *postfix, char **ret)
{
const char *p = NULL;
if (issuid())
p = getenv("TEMP");
if (p)
*ret = strdup(p);
else
*ret = strdup("/tmp");
if (*ret == NULL)
return ENOMEM;
return 0;
}
static krb5_error_code
_expand_temp_folder(krb5_context context, PTYPE param, const char *postfix, char **ret)
{
const char *p = NULL;
if (issuid())
p = getenv("TEMP");
if (p)
*ret = strdup(p);
else
*ret = strdup("/tmp");
if (*ret == NULL)
return krb5_enomem(context);
return 0;
}
static int
get_user_file(const ntlm_name target_name,
char **username, struct ntlm_buf *key)
{
const char *fn;
if (issuid())
return ENOENT;
fn = getenv("NTLM_USER_FILE");
if (fn == NULL)
return ENOENT;
if (from_file(fn, target_name->domain, username, key) == 0)
return 0;
return ENOENT;
}
static krb5_error_code
get_krb4_cc_name(const char *tkfile, char **cc)
{
*cc = NULL;
if(tkfile == NULL) {
char *path;
if(!issuid()) {
path = getenv("KRBTKFILE");
if (path)
*cc = strdup(path);
}
if(*cc == NULL)
if (asprintf(cc, "%s%u", TKT_ROOT, (unsigned)getuid()) < 0)
return errno;
} else {
*cc = strdup(tkfile);
if (*cc == NULL)
return ENOMEM;
}
return 0;
}
static int
get_user_file(const ntlm_name target_name,
char **domainp, char **usernamep, struct ntlm_buf *key)
{
const char *domain;
const char *fn;
*domainp = NULL;
if (issuid())
return ENOENT;
domain = target_name != NULL ? target_name->domain : NULL;
fn = getenv("NTLM_USER_FILE");
if (fn == NULL)
return ENOENT;
if (from_file(fn, domain, domainp, usernamep, key) == 0)
return 0;
return ENOENT;
}
int
main(int argc, char **argv)
{
int i, optidx = 0;
char *su_user;
struct passwd *su_info;
struct passwd *login_info;
struct passwd *pwd;
char *shell;
int ok = 0;
setprogname (argv[0]);
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
for (i=0; i < optidx; i++)
if (strcmp(argv[i], "-") == 0) {
full_login = 1;
break;
}
if(help_flag)
usage(0);
if(version_flag) {
print_version(NULL);
exit(0);
}
if(optidx >= argc)
su_user = "******";
else
su_user = argv[optidx++];
if (!issuid() && getuid() != 0)
warnx("Not setuid and you are not root, expect this to fail");
pwd = k_getpwnam(su_user);
if(pwd == NULL)
errx (1, "unknown login %s", su_user);
if (pwd->pw_uid == 0 && strcmp ("root", su_user) != 0) {
syslog (LOG_ALERT, "NIS attack, user %s has uid 0", su_user);
errx (1, "unknown login %s", su_user);
}
su_info = dup_info(pwd);
if (su_info == NULL)
errx (1, "malloc: out of memory");
pwd = getpwuid(getuid());
if(pwd == NULL)
errx(1, "who are you?");
login_info = dup_info(pwd);
if (login_info == NULL)
errx (1, "malloc: out of memory");
if(env_flag)
shell = login_info->pw_shell;
else
shell = su_info->pw_shell;
if(shell == NULL || *shell == '\0')
shell = _PATH_BSHELL;
#ifdef KRB5
if(kerberos_flag && ok == 0 &&
krb5_verify(login_info, su_info, kerberos_instance) == 0)
ok = 5;
#endif
if(ok == 0 && login_info->pw_uid && verify_unix(login_info, su_info) != 0) {
printf("Sorry!\n");
exit(1);
}
#ifdef HAVE_GETSPNAM
{ struct spwd *sp;
long today;
sp = getspnam(su_info->pw_name);
if (sp != NULL) {
today = time(0)/(24L * 60 * 60);
if (sp->sp_expire > 0) {
if (today >= sp->sp_expire) {
if (login_info->pw_uid)
errx(1,"Your account has expired.");
else
printf("Your account has expired.");
}
else if (sp->sp_expire - today < 14)
printf("Your account will expire in %d days.\n",
(int)(sp->sp_expire - today));
}
if (sp->sp_max > 0) {
if (today >= sp->sp_lstchg + sp->sp_max) {
if (login_info->pw_uid)
errx(1,"Your password has expired. Choose a new one.");
else
printf("Your password has expired. Choose a new one.");
}
else if (today >= sp->sp_lstchg + sp->sp_max - sp->sp_warn)
printf("Your account will expire in %d days.\n",
(int)(sp->sp_lstchg + sp->sp_max -today));
}
}
}
#endif
{
char *tty = ttyname (STDERR_FILENO);
if (tty)
syslog (LOG_NOTICE | LOG_AUTH, "%s to %s on %s",
login_info->pw_name, su_info->pw_name, tty);
else
syslog (LOG_NOTICE | LOG_AUTH, "%s to %s",
login_info->pw_name, su_info->pw_name);
}
if(!env_flag) {
if(full_login) {
char *t = getenv ("TERM");
char **newenv = NULL;
int j;
i = read_environment(_PATH_ETC_ENVIRONMENT, &newenv);
environ = malloc ((10 + i) * sizeof (char *));
if (environ == NULL)
err (1, "malloc");
environ[0] = NULL;
for (j = 0; j < i; j++) {
char *p = strchr(newenv[j], '=');
if (p == NULL)
errx(1, "environment '%s' missing '='", newenv[j]);
*p++ = 0;
esetenv (newenv[j], p, 1);
}
free(newenv);
esetenv ("PATH", _PATH_DEFPATH, 1);
if (t)
esetenv ("TERM", t, 1);
if (chdir (su_info->pw_dir) < 0)
errx (1, "no directory");
}
if (full_login || su_info->pw_uid)
esetenv ("USER", su_info->pw_name, 1);
esetenv("HOME", su_info->pw_dir, 1);
esetenv("SHELL", shell, 1);
}
{
char **new_argv;
char *p;
p = strrchr(shell, '/');
if(p)
p++;
else
p = shell;
if (strcmp(p, "csh") != 0)
csh_f_flag = 0;
new_argv = malloc(((cmd ? 2 : 0) + 1 + argc - optidx + 1 + csh_f_flag)
* sizeof(*new_argv));
if (new_argv == NULL)
err (1, "malloc");
i = 0;
if(full_login) {
if (asprintf(&new_argv[i++], "-%s", p) == -1)
errx (1, "malloc");
} else
new_argv[i++] = p;
if (cmd) {
new_argv[i++] = "-c";
new_argv[i++] = cmd;
}
if (csh_f_flag)
new_argv[i++] = "-f";
for (argv += optidx; *argv; ++argv)
new_argv[i++] = *argv;
new_argv[i] = NULL;
if(setgid(su_info->pw_gid) < 0)
err(1, "setgid");
if (initgroups (su_info->pw_name, su_info->pw_gid) < 0)
err (1, "initgroups");
if(setuid(su_info->pw_uid) < 0
|| (su_info->pw_uid != 0 && setuid(0) == 0))
err(1, "setuid");
#ifdef KRB5
if (ok == 5)
krb5_start_session();
#endif
execve(shell, new_argv, environ);
}
exit(1);
}
krb5_error_code KRB5_LIB_FUNCTION
krb5_config_parse_file_multi (krb5_context context,
const char *fname,
krb5_config_section **res)
{
const char *str;
char *newfname = NULL;
unsigned lineno = 0;
krb5_error_code ret;
struct fileptr f;
/**
* If the fname starts with "~/" parse configuration file in the
* current users home directory. The behavior can be disabled and
* enabled by calling krb5_set_home_dir_access().
*/
if (_krb5_homedir_access(context) && fname[0] == '~' && fname[1] == '/') {
const char *home = NULL;
if(!issuid())
home = getenv("HOME");
if (home == NULL) {
struct passwd *pw = getpwuid(getuid());
if(pw != NULL)
home = pw->pw_dir;
}
if (home) {
asprintf(&newfname, "%s%s", home, &fname[1]);
if (newfname == NULL) {
krb5_set_error_message(context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
}
fname = newfname;
}
}
f.f = fopen(fname, "r");
f.s = NULL;
if(f.f == NULL) {
ret = errno;
krb5_set_error_message (context, ret, "open %s: %s",
fname, strerror(ret));
if (newfname)
free(newfname);
return ret;
}
ret = krb5_config_parse_debug (&f, res, &lineno, &str);
fclose(f.f);
if (ret) {
krb5_set_error_message (context, ret, "%s:%u: %s", fname, lineno, str);
if (newfname)
free(newfname);
return ret;
}
if (newfname)
free(newfname);
return 0;
}
static krb5_error_code
get_ccache(krb5_context context, int *destroy, krb5_ccache *id)
{
krb5_principal principal = NULL;
krb5_error_code ret;
krb5_keytab kt = NULL;
*id = NULL;
if (!issuid()) {
const char *cache;
cache = getenv("NTLM_ACCEPTOR_CCACHE");
if (cache) {
ret = krb5_cc_resolve(context, cache, id);
if (ret)
goto out;
return 0;
}
}
ret = krb5_sname_to_principal(context, NULL, "host",
KRB5_NT_SRV_HST, &principal);
if (ret)
goto out;
ret = krb5_cc_cache_match(context, principal, id);
if (ret == 0)
return 0;
/* did not find in default credcache, lets try default keytab */
ret = krb5_kt_default(context, &kt);
if (ret)
goto out;
/* XXX check in keytab */
{
krb5_get_init_creds_opt *opt;
krb5_creds cred;
memset(&cred, 0, sizeof(cred));
ret = krb5_cc_new_unique(context, "MEMORY", NULL, id);
if (ret)
goto out;
*destroy = 1;
ret = krb5_get_init_creds_opt_alloc(context, &opt);
if (ret)
goto out;
ret = krb5_get_init_creds_keytab (context,
&cred,
principal,
kt,
0,
NULL,
opt);
krb5_get_init_creds_opt_free(context, opt);
if (ret)
goto out;
ret = krb5_cc_initialize (context, *id, cred.client);
if (ret) {
krb5_free_cred_contents (context, &cred);
goto out;
}
ret = krb5_cc_store_cred (context, *id, &cred);
krb5_free_cred_contents (context, &cred);
if (ret)
goto out;
}
krb5_kt_close(context, kt);
return 0;
out:
if (*id) {
if (*destroy)
krb5_cc_destroy(context, *id);
else
krb5_cc_close(context, *id);
*id = NULL;
}
if (kt)
krb5_kt_close(context, kt);
if (principal)
krb5_free_principal(context, principal);
return ret;
}
static krb5_error_code
init_context_from_config_file(krb5_context context)
{
krb5_error_code ret;
const char * tmp;
char **s;
krb5_enctype *tmptypes;
INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
INIT_FIELD(context, time, kdc_timeout, 30, "kdc_timeout");
INIT_FIELD(context, time, host_timeout, 3, "host_timeout");
INIT_FIELD(context, int, max_retries, 3, "max_retries");
INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
ret = krb5_config_get_bool_default(context, NULL, FALSE,
"libdefaults",
"allow_weak_crypto", NULL);
if (ret) {
krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
}
ret = set_etypes (context, "default_etypes", &tmptypes);
if(ret)
return ret;
free(context->etypes);
context->etypes = tmptypes;
ret = set_etypes (context, "default_etypes_des", &tmptypes);
if(ret)
return ret;
free(context->etypes_des);
context->etypes_des = tmptypes;
ret = set_etypes (context, "default_as_etypes", &tmptypes);
if(ret)
return ret;
free(context->as_etypes);
context->as_etypes = tmptypes;
ret = set_etypes (context, "default_tgs_etypes", &tmptypes);
if(ret)
return ret;
free(context->tgs_etypes);
context->tgs_etypes = tmptypes;
ret = set_etypes (context, "permitted_enctypes", &tmptypes);
if(ret)
return ret;
free(context->permitted_enctypes);
context->permitted_enctypes = tmptypes;
/* default keytab name */
tmp = NULL;
if(!issuid())
tmp = getenv("KRB5_KTNAME");
if(tmp != NULL)
context->default_keytab = tmp;
else
INIT_FIELD(context, string, default_keytab,
KEYTAB_DEFAULT, "default_keytab_name");
INIT_FIELD(context, string, default_keytab_modify,
NULL, "default_keytab_modify_name");
INIT_FIELD(context, string, time_fmt,
"%Y-%m-%dT%H:%M:%S", "time_format");
INIT_FIELD(context, string, date_fmt,
"%Y-%m-%d", "date_format");
INIT_FIELD(context, bool, log_utc,
FALSE, "log_utc");
/* init dns-proxy slime */
tmp = krb5_config_get_string(context, NULL, "libdefaults",
"dns_proxy", NULL);
if(tmp)
roken_gethostby_setup(context->http_proxy, tmp);
krb5_free_host_realm (context, context->default_realms);
context->default_realms = NULL;
{
krb5_addresses addresses;
char **adr, **a;
krb5_set_extra_addresses(context, NULL);
adr = krb5_config_get_strings(context, NULL,
"libdefaults",
"extra_addresses",
NULL);
memset(&addresses, 0, sizeof(addresses));
for(a = adr; a && *a; a++) {
ret = krb5_parse_address(context, *a, &addresses);
if (ret == 0) {
krb5_add_extra_addresses(context, &addresses);
krb5_free_addresses(context, &addresses);
}
}
krb5_config_free_strings(adr);
krb5_set_ignore_addresses(context, NULL);
adr = krb5_config_get_strings(context, NULL,
"libdefaults",
"ignore_addresses",
NULL);
memset(&addresses, 0, sizeof(addresses));
for(a = adr; a && *a; a++) {
ret = krb5_parse_address(context, *a, &addresses);
if (ret == 0) {
krb5_add_ignore_addresses(context, &addresses);
krb5_free_addresses(context, &addresses);
}
}
krb5_config_free_strings(adr);
}
INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces");
INIT_FIELD(context, int, fcache_vno, 0, "fcache_version");
/* prefer dns_lookup_kdc over srv_lookup. */
INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc");
INIT_FIELD(context, int, large_msg_size, 1400, "large_message_size");
INIT_FIELD(context, int, max_msg_size, 1000 * 1024, "maximum_message_size");
INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname");
INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
if (context->default_cc_name)
free(context->default_cc_name);
context->default_cc_name = NULL;
context->default_cc_name_set = 0;
s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
if(s) {
char **p;
if (context->debug_dest)
krb5_closelog(context, context->debug_dest);
krb5_initlog(context, "libkrb5", &context->debug_dest);
for(p = s; *p; p++)
krb5_addlog_dest(context, context->debug_dest, *p);
krb5_config_free_strings(s);
}
tmp = krb5_config_get_string(context, NULL, "libdefaults",
"check-rd-req-server", NULL);
if (tmp == NULL && !issuid())
tmp = getenv("KRB5_CHECK_RD_REQ_SERVER");
if(tmp) {
if (strcasecmp(tmp, "ignore") == 0)
context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
}
ret = krb5_config_get_bool_default(context, NULL, TRUE,
"libdefaults",
"fcache_strict_checking", NULL);
if (ret)
context->flags |= KRB5_CTX_F_FCACHE_STRICT_CHECKING;
return 0;
}
int
main(void)
{
char buf[MAX_PATH * 2];
#ifndef WIN32
char buf2[MAX_PATH * 2];
int ret = 0;
if (!issuid() && getuid() != 0) {
if (getenv("USER") != NULL && strlen(getenv("USER")) != 0 &&
strcmp(getenv("USER"),
roken_get_username(buf, sizeof(buf))) != 0) {
warnx("roken_get_username() != getenv(\"USER\")");
ret++;
}
if (getenv("HOME") != NULL && strlen(getenv("HOME")) != 0 &&
strcmp(getenv("HOME"), roken_get_homedir(buf, sizeof(buf))) != 0) {
warnx("roken_get_homedir() != getenv(\"HOME\")");
ret++;
}
if (getenv("HOME") != NULL && strlen(getenv("HOME")) != 0 &&
strcmp(roken_get_appdatadir(buf, sizeof(buf)),
roken_get_homedir(buf2, sizeof(buf2))) != 0) {
warnx("roken_get_homedir() != roken_get_appdatadir()");
ret++;
}
if (getenv("SHELL") != NULL && strlen(getenv("SHELL")) != 0 &&
strcmp(getenv("SHELL"), roken_get_shell(buf, sizeof(buf))) != 0) {
warnx("roken_get_shell() != getenv(\"SHELL\")");
ret++;
}
}
#endif
printf("Username:\t%s\n", roken_get_username(buf, sizeof(buf)));
printf("Home:\t\t%s\n", roken_get_homedir(buf, sizeof(buf)));
printf("Appdatadir:\t%s\n", roken_get_appdatadir(buf, sizeof(buf)));
printf("Shell:\t\t%s\n", roken_get_shell(buf, sizeof(buf)));
#ifndef WIN32
if (!issuid() && getuid() != 0) {
putenv("USER=h5lfoouser");
putenv("HOME=/no/such/dir/h5lfoouser");
putenv("SHELL=/no/such/shell");
if (strcmp("h5lfoouser", roken_get_username(buf, sizeof(buf))) != 0) {
warnx("roken_get_username() (%s) did not honor $USER",
roken_get_username(buf, sizeof(buf)));
ret++;
}
if (strcmp("/no/such/dir/h5lfoouser",
roken_get_homedir(buf, sizeof(buf))) != 0) {
warnx("roken_get_homedir() (%s) did not honor $HOME",
roken_get_homedir(buf, sizeof(buf)));
ret++;
}
if (strcmp(roken_get_appdatadir(buf, sizeof(buf)),
roken_get_homedir(buf2, sizeof(buf2))) != 0) {
warnx("roken_get_homedir() != roken_get_appdatadir() (%s)",
roken_get_appdatadir(buf, sizeof(buf)));
ret++;
}
if (strcmp("/no/such/shell", roken_get_shell(buf, sizeof(buf))) != 0) {
warnx("roken_get_shell() (%s) did not honor $SHELL",
roken_get_shell(buf, sizeof(buf)));
ret++;
}
}
return ret;
#endif
return 0;
}
int
k_hasafs(void)
{
#if !defined(NO_AFS) && defined(SIGSYS)
RETSIGTYPE (*saved_func)(int);
#endif
int saved_errno, ret;
char *env = NULL;
if (!issuid())
env = getenv ("AFS_SYSCALL");
/*
* Already checked presence of AFS syscalls?
*/
if (afs_entry_point != UNKNOWN_ENTRY_POINT)
return afs_entry_point != NO_ENTRY_POINT;
/*
* Probe kernel for AFS specific syscalls,
* they (currently) come in two flavors.
* If the syscall is absent we recive a SIGSYS.
*/
afs_entry_point = NO_ENTRY_POINT;
saved_errno = errno;
#ifndef NO_AFS
#ifdef SIGSYS
saved_func = signal(SIGSYS, SIGSYS_handler);
#endif
if (env && strstr(env, "..") == NULL) {
if (strncmp("/proc/", env, 6) == 0) {
if (try_ioctlpath(env, VIOC_SYSCALL_PROC, LINUX_PROC_POINT) == 0)
goto done;
}
if (strncmp("/dev/", env, 5) == 0) {
#ifdef VIOC_SYSCALL_DEV
if (try_ioctlpath(env, VIOC_SYSCALL_DEV, MACOS_DEV_POINT) == 0)
goto done;
#endif
#ifdef VIOC_SYSCALL_DEV_OPENAFS
if (try_ioctlpath(env,VIOC_SYSCALL_DEV_OPENAFS,MACOS_DEV_POINT) ==0)
goto done;
#endif
}
}
ret = try_ioctlpath("/proc/fs/openafs/afs_ioctl",
VIOC_SYSCALL_PROC, LINUX_PROC_POINT);
if (ret == 0)
goto done;
ret = try_ioctlpath("/proc/fs/nnpfs/afs_ioctl",
VIOC_SYSCALL_PROC, LINUX_PROC_POINT);
if (ret == 0)
goto done;
#ifdef VIOC_SYSCALL_DEV_OPENAFS
ret = try_ioctlpath("/dev/openafs_ioctl",
VIOC_SYSCALL_DEV_OPENAFS, MACOS_DEV_POINT);
if (ret == 0)
goto done;
#endif
#ifdef VIOC_SYSCALL_DEV
ret = try_ioctlpath("/dev/nnpfs_ioctl", VIOC_SYSCALL_DEV, MACOS_DEV_POINT);
if (ret == 0)
goto done;
#endif
#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3)
{
int tmp;
if (env != NULL) {
if (sscanf (env, "%d", &tmp) == 1) {
if (try_one (tmp) == 0)
goto done;
} else {
char *end = NULL;
char *p;
char *s = strdup (env);
if (s != NULL) {
for (p = strtok_r (s, ",", &end);
p != NULL;
p = strtok_r (NULL, ",", &end)) {
if (map_syscall_name_to_number (p, &tmp) == 0)
if (try_one (tmp) == 0) {
free (s);
goto done;
}
}
free (s);
}
}
}
}
#endif /* AFS_SYSCALL || AFS_SYSCALL2 || AFS_SYSCALL3 */
#ifdef AFS_SYSCALL
if (try_one (AFS_SYSCALL) == 0)
goto done;
#endif /* AFS_SYSCALL */
#ifdef AFS_PIOCTL
{
int tmp[2];
if (env != NULL && sscanf (env, "%d%d", &tmp[0], &tmp[1]) == 2)
if (try_two (tmp[0], tmp[1]) == 2)
goto done;
}
#endif /* AFS_PIOCTL */
#ifdef AFS_PIOCTL
if (try_two (AFS_PIOCTL, AFS_SETPAG) == 0)
goto done;
#endif /* AFS_PIOCTL */
#ifdef AFS_SYSCALL2
if (try_one (AFS_SYSCALL2) == 0)
goto done;
#endif /* AFS_SYSCALL2 */
#ifdef AFS_SYSCALL3
if (try_one (AFS_SYSCALL3) == 0)
goto done;
#endif /* AFS_SYSCALL3 */
#ifdef _AIX
#if 0
if (env != NULL) {
char *pos = NULL;
char *pioctl_name;
char *setpag_name;
pioctl_name = strtok_r (env, ", \t", &pos);
if (pioctl_name != NULL) {
setpag_name = strtok_r (NULL, ", \t", &pos);
if (setpag_name != NULL)
if (try_aix (pioctl_name, setpag_name) == 0)
goto done;
}
}
#endif
if(try_aix() == 0)
goto done;
#endif
done:
#ifdef SIGSYS
signal(SIGSYS, saved_func);
#endif
#endif /* NO_AFS */
errno = saved_errno;
return afs_entry_point != NO_ENTRY_POINT;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_config_parse_file_multi (krb5_context context,
const char *fname,
krb5_config_section **res)
{
const char *str;
char *newfname = NULL;
unsigned lineno = 0;
krb5_error_code ret;
struct fileptr f;
/**
* If the fname starts with "~/" parse configuration file in the
* current users home directory. The behavior can be disabled and
* enabled by calling krb5_set_home_dir_access().
*/
if (fname[0] == '~' && fname[1] == '/') {
#ifndef KRB5_USE_PATH_TOKENS
const char *home = NULL;
if (!_krb5_homedir_access(context)) {
krb5_set_error_message(context, EPERM,
"Access to home directory not allowed");
return EPERM;
}
if(!issuid())
home = getenv("HOME");
if (home == NULL) {
struct passwd *pw = getpwuid(getuid());
if(pw != NULL)
home = pw->pw_dir;
}
if (home) {
asprintf(&newfname, "%s%s", home, &fname[1]);
if (newfname == NULL) {
krb5_set_error_message(context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
}
fname = newfname;
}
#else /* KRB5_USE_PATH_TOKENS */
if (asprintf(&newfname, "%%{USERCONFIG}%s", &fname[1]) < 0 ||
newfname == NULL)
{
krb5_set_error_message(context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
}
fname = newfname;
#endif
}
if (is_plist_file(fname)) {
#ifdef __APPLE__
ret = parse_plist_config(context, fname, res);
if (ret) {
krb5_set_error_message(context, ret,
"Failed to parse plist %s", fname);
if (newfname)
free(newfname);
return ret;
}
#else
krb5_set_error_message(context, ENOENT,
"no support for plist configuration files");
return ENOENT;
#endif
} else {
#ifdef KRB5_USE_PATH_TOKENS
char * exp_fname = NULL;
ret = _krb5_expand_path_tokens(context, fname, &exp_fname);
if (ret) {
if (newfname)
free(newfname);
return ret;
}
if (newfname)
free(newfname);
fname = newfname = exp_fname;
#endif
f.f = fopen(fname, "r");
f.s = NULL;
if(f.f == NULL) {
ret = errno;
krb5_set_error_message (context, ret, "open %s: %s",
fname, strerror(ret));
if (newfname)
free(newfname);
return ret;
}
ret = krb5_config_parse_debug (&f, res, &lineno, &str);
fclose(f.f);
if (ret) {
krb5_set_error_message (context, ret, "%s:%u: %s",
fname, lineno, str);
if (newfname)
free(newfname);
return ret;
}
}
return 0;
}
static OM_uint32
select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p,
gss_OID *mech_p)
{
char mechbuf[64];
size_t mech_len;
gss_OID_desc oid;
gss_OID oidp;
gss_OID_set mechs;
int i;
OM_uint32 ret, junk;
ret = der_put_oid ((unsigned char *)mechbuf + sizeof(mechbuf) - 1,
sizeof(mechbuf),
mechType,
&mech_len);
if (ret) {
return GSS_S_DEFECTIVE_TOKEN;
}
oid.length = mech_len;
oid.elements = mechbuf + sizeof(mechbuf) - mech_len;
if (gss_oid_equal(&oid, GSS_SPNEGO_MECHANISM)) {
return GSS_S_BAD_MECH;
}
*minor_status = 0;
/* Translate broken MS Kebreros OID */
if (gss_oid_equal(&oid, &_gss_spnego_mskrb_mechanism_oid_desc))
oidp = &_gss_spnego_krb5_mechanism_oid_desc;
else
oidp = &oid;
ret = gss_indicate_mechs(&junk, &mechs);
if (ret)
return (ret);
for (i = 0; i < mechs->count; i++)
if (gss_oid_equal(&mechs->elements[i], oidp))
break;
if (i == mechs->count) {
gss_release_oid_set(&junk, &mechs);
return GSS_S_BAD_MECH;
}
gss_release_oid_set(&junk, &mechs);
ret = gss_duplicate_oid(minor_status,
&oid, /* possibly this should be oidp */
mech_p);
if (verify_p) {
gss_name_t name = GSS_C_NO_NAME;
gss_buffer_desc namebuf;
char *str = NULL, *host, hostname[MAXHOSTNAMELEN];
host = getenv("GSSAPI_SPNEGO_NAME");
if (host == NULL || issuid()) {
if (gethostname(hostname, sizeof(hostname)) != 0) {
*minor_status = errno;
return GSS_S_FAILURE;
}
i = asprintf(&str, "host@%s", hostname);
if (i < 0 || str == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
host = str;
}
namebuf.length = strlen(host);
namebuf.value = host;
ret = gss_import_name(minor_status, &namebuf,
GSS_C_NT_HOSTBASED_SERVICE, &name);
if (str)
free(str);
if (ret != GSS_S_COMPLETE)
return ret;
ret = acceptor_approved(name, *mech_p);
gss_release_name(&junk, &name);
}
return ret;
}
