/*
 * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "ftpd_locl.h"
#include <gssapi.h>
#include <krb5.h>

RCSID("$Id: gss_userok.c,v 1.10 2003/03/18 13:56:35 lha Exp $");

/* XXX a bit too much of krb5 dependency here...
   What is the correct way to do this?
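*/

/* Owned by gssapi.c; NULL until the krb5 GSS mechanism has been set up. */
extern krb5_context gssapi_krb5_context;

/* XXX sync with gssapi.c -- layout must stay identical to the definition there. */
struct gss_data {
    gss_ctx_id_t context_hdl;
    char *client_name;
    gss_cred_id_t delegated_cred_handle;
};

int gss_userok(void*, char*); /* to keep gcc happy */

/*
 * Prefix krb5_cc_resolve() understands for file-based caches.  chown()
 * needs the bare path, so the prefix is stripped before that call (the
 * previous code hard-coded the offset as ticketfile+5).
 */
#define FTPD_CC_FILE_PREFIX "FILE:"

/*
 * gss_userok -- decide whether the GSS-API client recorded in app_data may
 * log in as the local account `username', and if so hand over the
 * delegated Kerberos credentials.
 *
 * app_data  struct gss_data filled in by gssapi.c; client_name is the
 *           display form of the authenticated client principal.
 * username  local account requested by the client's USER command.
 *
 * Returns 0 when the login is allowed, non-zero otherwise.  Every error
 * path denies: no krb5 context, unparsable client name, krb5_kuserok()
 * refusing, unknown local account, or any failure while materialising the
 * delegated credentials into the user's cache.
 *
 * Side effects when delegated credentials are present: the cache named
 * <KRB5_DEFAULT_CCROOT><uid> is (re)written from the delegated ccache,
 * chown'd to the user, used to obtain an AFS token if AFS is running,
 * KRB5CCNAME is set to it, and the delegated ccache held in app_data is
 * destroyed and cleared -- on failure as well, so it is never left behind.
 */
int
gss_userok(void *app_data, char *username)
{
    struct gss_data *data = app_data;
    krb5_principal client;
    krb5_error_code ret;

    /* No krb5 context means nothing to authorise against: fail closed. */
    if (gssapi_krb5_context == NULL)
        return 1;

    ret = krb5_parse_name(gssapi_krb5_context, data->client_name, &client);
    if (ret)
        return 1;

    /* krb5_kuserok() is TRUE when `client' is allowed to act as `username'. */
    if (!krb5_kuserok(gssapi_krb5_context, client, username)) {
        krb5_free_principal(gssapi_krb5_context, client);
        return 1;
    }

    ret = 0;

    /* more of krb-depend stuff :-( */
    /* gss_add_cred() ? */
    if (data->delegated_cred_handle &&
        data->delegated_cred_handle->ccache) {

        krb5_ccache ccache = NULL;
        char *ticketfile = NULL;     /* must start NULL: freed on every path to fail: */
        const char *ticketpath;
        struct passwd *pw;
        OM_uint32 minor_status;

        pw = getpwnam(username);
        if (pw == NULL) {
            ret = 1;
            goto fail;
        }

        /* asprintf() leaves the pointer unspecified on failure; never free that. */
        if (asprintf(&ticketfile, "%s%u", KRB5_DEFAULT_CCROOT,
                     (unsigned)pw->pw_uid) < 0) {
            ticketfile = NULL;
            ret = 1;
            goto fail;
        }

        ret = krb5_cc_resolve(gssapi_krb5_context, ticketfile, &ccache);
        if (ret)
            goto fail;

        ret = gss_krb5_copy_ccache(&minor_status,
                                   data->delegated_cred_handle,
                                   ccache);
        if (ret)
            goto fail;

        /* Strip the "FILE:" prefix only if KRB5_DEFAULT_CCROOT actually has it. */
        ticketpath = ticketfile;
        if (strncmp(ticketpath, FTPD_CC_FILE_PREFIX,
                    sizeof(FTPD_CC_FILE_PREFIX) - 1) == 0)
            ticketpath += sizeof(FTPD_CC_FILE_PREFIX) - 1;

        /*
         * The cache was written by root.  If the chown fails the user
         * cannot read their own tickets, so treat it like a failed copy
         * rather than continuing with an unusable cache.  chown() follows
         * symlinks; this relies on the krb5 file-cache code having created
         * the file under KRB5_DEFAULT_CCROOT safely -- confirm when changing
         * the cache location.
         */
        if (chown(ticketpath, pw->pw_uid, pw->pw_gid) != 0) {
            ret = 1;
            goto fail;
        }

        if (k_hasafs())
            krb5_afslog(gssapi_krb5_context, ccache, 0, 0);  /* best effort */
        esetenv("KRB5CCNAME", ticketfile, 1);

    fail:
        if (ccache)
            krb5_cc_close(gssapi_krb5_context, ccache);
        /* The delegated copy is consumed whether or not we succeeded. */
        krb5_cc_destroy(gssapi_krb5_context,
                        data->delegated_cred_handle->ccache);
        data->delegated_cred_handle->ccache = NULL;
        free(ticketfile);
    }

    krb5_free_principal(gssapi_krb5_context, client);
    return ret;
}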