xref: /freebsd/crypto/heimdal/appl/ftp/ftpd/gss_userok.c (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1 /*
2  * Copyright (c) 1998 - 2001 Kungliga Tekniska H�gskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "ftpd_locl.h"
35 #include <gssapi.h>
36 #include <krb5.h>
37 
38 RCSID("$Id: gss_userok.c,v 1.10 2003/03/18 13:56:35 lha Exp $");
39 
40 /* XXX a bit too much of krb5 dependency here...
41    What is the correct way to do this?
42    */
43 
44 extern krb5_context gssapi_krb5_context;
45 
46 /* XXX sync with gssapi.c */
47 struct gss_data {
48     gss_ctx_id_t context_hdl;
49     char *client_name;
50     gss_cred_id_t delegated_cred_handle;
51 };
52 
53 int gss_userok(void*, char*); /* to keep gcc happy */
54 
55 int
56 gss_userok(void *app_data, char *username)
57 {
58     struct gss_data *data = app_data;
59     if(gssapi_krb5_context) {
60 	krb5_principal client;
61 	krb5_error_code ret;
62 
63 	ret = krb5_parse_name(gssapi_krb5_context, data->client_name, &client);
64 	if(ret)
65 	    return 1;
66 	ret = krb5_kuserok(gssapi_krb5_context, client, username);
67         if (!ret) {
68            krb5_free_principal(gssapi_krb5_context, client);
69            return 1;
70         }
71 
72         ret = 0;
73 
74         /* more of krb-depend stuff :-( */
75 	/* gss_add_cred() ? */
76         if (data->delegated_cred_handle &&
77             data->delegated_cred_handle->ccache ) {
78 
79            krb5_ccache ccache = NULL;
80            char* ticketfile;
81            struct passwd *pw;
82 	   OM_uint32 minor_status;
83 
84            pw = getpwnam(username);
85 
86 	   if (pw == NULL) {
87 	       ret = 1;
88 	       goto fail;
89 	   }
90 
91            asprintf (&ticketfile, "%s%u", KRB5_DEFAULT_CCROOT,
92 		     (unsigned)pw->pw_uid);
93 
94            ret = krb5_cc_resolve(gssapi_krb5_context, ticketfile, &ccache);
95            if (ret)
96               goto fail;
97 
98            ret = gss_krb5_copy_ccache(&minor_status,
99 				      data->delegated_cred_handle,
100 				      ccache);
101            if (ret)
102               goto fail;
103 
104            chown (ticketfile+5, pw->pw_uid, pw->pw_gid);
105 
106            if (k_hasafs()) {
107 	       krb5_afslog(gssapi_krb5_context, ccache, 0, 0);
108            }
109            esetenv ("KRB5CCNAME", ticketfile, 1);
110 
111 fail:
112            if (ccache)
113               krb5_cc_close(gssapi_krb5_context, ccache);
114            krb5_cc_destroy(gssapi_krb5_context,
115                            data->delegated_cred_handle->ccache);
116            data->delegated_cred_handle->ccache = NULL;
117            free(ticketfile);
118         }
119 
120 	krb5_free_principal(gssapi_krb5_context, client);
121         return ret;
122     }
123     return 1;
124 }
125