1 /*- 2 * Copyright (c) 2008 Isilon Inc http://www.isilon.com/ 3 * Authors: Doug Rabson <dfr@rabson.org> 4 * Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org> 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 __FBSDID("$FreeBSD$"); 30 31 #include <sys/param.h> 32 #include <sys/stat.h> 33 #include <sys/linker.h> 34 #include <sys/module.h> 35 #include <sys/queue.h> 36 #include <sys/syslog.h> 37 #include <ctype.h> 38 #include <dirent.h> 39 #include <err.h> 40 #include <errno.h> 41 #ifndef WITHOUT_KERBEROS 42 #include <krb5.h> 43 #endif 44 #include <pwd.h> 45 #include <signal.h> 46 #include <stdarg.h> 47 #include <stdio.h> 48 #include <stdlib.h> 49 #include <string.h> 50 #include <unistd.h> 51 #include <gssapi/gssapi.h> 52 #include <rpc/rpc.h> 53 #include <rpc/rpc_com.h> 54 55 #include "gssd.h" 56 57 #ifndef _PATH_GSS_MECH 58 #define _PATH_GSS_MECH "/etc/gss/mech" 59 #endif 60 #ifndef _PATH_GSSDSOCK 61 #define _PATH_GSSDSOCK "/var/run/gssd.sock" 62 #endif 63 #define GSSD_CREDENTIAL_CACHE_FILE "/tmp/krb5cc_gssd" 64 65 struct gss_resource { 66 LIST_ENTRY(gss_resource) gr_link; 67 uint64_t gr_id; /* indentifier exported to kernel */ 68 void* gr_res; /* GSS-API resource pointer */ 69 }; 70 LIST_HEAD(gss_resource_list, gss_resource) gss_resources; 71 int gss_resource_count; 72 uint32_t gss_next_id; 73 uint32_t gss_start_time; 74 int debug_level; 75 static char ccfile_dirlist[PATH_MAX + 1], ccfile_substring[NAME_MAX + 1]; 76 static char pref_realm[1024]; 77 static int verbose; 78 static int use_old_des; 79 static int hostbased_initiator_cred; 80 #ifndef WITHOUT_KERBEROS 81 /* 1.2.752.43.13.14 */ 82 static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc = 83 {6, (void *) "\x2a\x85\x70\x2b\x0d\x0e"}; 84 static gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X = 85 &gss_krb5_set_allowable_enctypes_x_desc; 86 static gss_OID_desc gss_krb5_mech_oid_x_desc = 87 {9, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" }; 88 static gss_OID GSS_KRB5_MECH_OID_X = 89 &gss_krb5_mech_oid_x_desc; 90 #endif 91 92 static void gssd_load_mech(void); 93 static int find_ccache_file(const char *, uid_t, char *); 94 static int is_a_valid_tgt_cache(const char *, uid_t, int *, time_t *); 95 static void gssd_verbose_out(const char *, ...); 96 #ifndef WITHOUT_KERBEROS 97 static krb5_error_code gssd_get_cc_from_keytab(const char *); 98 static OM_uint32 gssd_get_user_cred(OM_uint32 *, uid_t, gss_cred_id_t *); 99 #endif 100 void gssd_terminate(int); 101 102 extern void gssd_1(struct svc_req *rqstp, SVCXPRT *transp); 103 extern int gssd_syscall(char *path); 104 105 int 106 main(int argc, char **argv) 107 { 108 /* 109 * We provide an RPC service on a local-domain socket. The 110 * kernel's GSS-API code will pass what it can't handle 111 * directly to us. 112 */ 113 struct sockaddr_un sun; 114 int fd, oldmask, ch, debug; 115 SVCXPRT *xprt; 116 117 /* 118 * Initialize the credential cache file name substring and the 119 * search directory list. 120 */ 121 strlcpy(ccfile_substring, "krb5cc_", sizeof(ccfile_substring)); 122 ccfile_dirlist[0] = '\0'; 123 pref_realm[0] = '\0'; 124 debug = 0; 125 verbose = 0; 126 while ((ch = getopt(argc, argv, "dhovs:c:r:")) != -1) { 127 switch (ch) { 128 case 'd': 129 debug_level++; 130 break; 131 case 'h': 132 #ifndef WITHOUT_KERBEROS 133 /* 134 * Enable use of a host based initiator credential 135 * in the default keytab file. 136 */ 137 hostbased_initiator_cred = 1; 138 #else 139 errx(1, "This option not available when built" 140 " without MK_KERBEROS\n"); 141 #endif 142 break; 143 case 'o': 144 #ifndef WITHOUT_KERBEROS 145 /* 146 * Force use of DES and the old type of GSSAPI token. 147 */ 148 use_old_des = 1; 149 #else 150 errx(1, "This option not available when built" 151 " without MK_KERBEROS\n"); 152 #endif 153 break; 154 case 'v': 155 verbose = 1; 156 break; 157 case 's': 158 #ifndef WITHOUT_KERBEROS 159 /* 160 * Set the directory search list. This enables use of 161 * find_ccache_file() to search the directories for a 162 * suitable credentials cache file. 163 */ 164 strlcpy(ccfile_dirlist, optarg, sizeof(ccfile_dirlist)); 165 #else 166 errx(1, "This option not available when built" 167 " without MK_KERBEROS\n"); 168 #endif 169 break; 170 case 'c': 171 /* 172 * Specify a non-default credential cache file 173 * substring. 174 */ 175 strlcpy(ccfile_substring, optarg, 176 sizeof(ccfile_substring)); 177 break; 178 case 'r': 179 /* 180 * Set the preferred realm for the credential cache tgt. 181 */ 182 strlcpy(pref_realm, optarg, sizeof(pref_realm)); 183 break; 184 default: 185 fprintf(stderr, 186 "usage: %s [-d] [-s dir-list] [-c file-substring]" 187 " [-r preferred-realm]\n", argv[0]); 188 exit(1); 189 break; 190 } 191 } 192 193 gssd_load_mech(); 194 195 if (!debug_level) { 196 daemon(0, 0); 197 signal(SIGINT, SIG_IGN); 198 signal(SIGQUIT, SIG_IGN); 199 signal(SIGHUP, SIG_IGN); 200 } 201 signal(SIGTERM, gssd_terminate); 202 203 memset(&sun, 0, sizeof sun); 204 sun.sun_family = AF_LOCAL; 205 unlink(_PATH_GSSDSOCK); 206 strcpy(sun.sun_path, _PATH_GSSDSOCK); 207 sun.sun_len = SUN_LEN(&sun); 208 fd = socket(AF_LOCAL, SOCK_STREAM, 0); 209 if (!fd) { 210 if (debug_level == 0) { 211 syslog(LOG_ERR, "Can't create local gssd socket"); 212 exit(1); 213 } 214 err(1, "Can't create local gssd socket"); 215 } 216 oldmask = umask(S_IXUSR|S_IRWXG|S_IRWXO); 217 if (bind(fd, (struct sockaddr *) &sun, sun.sun_len) < 0) { 218 if (debug_level == 0) { 219 syslog(LOG_ERR, "Can't bind local gssd socket"); 220 exit(1); 221 } 222 err(1, "Can't bind local gssd socket"); 223 } 224 umask(oldmask); 225 if (listen(fd, SOMAXCONN) < 0) { 226 if (debug_level == 0) { 227 syslog(LOG_ERR, "Can't listen on local gssd socket"); 228 exit(1); 229 } 230 err(1, "Can't listen on local gssd socket"); 231 } 232 xprt = svc_vc_create(fd, RPC_MAXDATASIZE, RPC_MAXDATASIZE); 233 if (!xprt) { 234 if (debug_level == 0) { 235 syslog(LOG_ERR, 236 "Can't create transport for local gssd socket"); 237 exit(1); 238 } 239 err(1, "Can't create transport for local gssd socket"); 240 } 241 if (!svc_reg(xprt, GSSD, GSSDVERS, gssd_1, NULL)) { 242 if (debug_level == 0) { 243 syslog(LOG_ERR, 244 "Can't register service for local gssd socket"); 245 exit(1); 246 } 247 err(1, "Can't register service for local gssd socket"); 248 } 249 250 LIST_INIT(&gss_resources); 251 gss_next_id = 1; 252 gss_start_time = time(0); 253 254 gssd_syscall(_PATH_GSSDSOCK); 255 svc_run(); 256 257 return (0); 258 } 259 260 static void 261 gssd_load_mech(void) 262 { 263 FILE *fp; 264 char buf[256]; 265 char *p; 266 char *name, *oid, *lib, *kobj; 267 268 fp = fopen(_PATH_GSS_MECH, "r"); 269 if (!fp) 270 return; 271 272 while (fgets(buf, sizeof(buf), fp)) { 273 if (*buf == '#') 274 continue; 275 p = buf; 276 name = strsep(&p, "\t\n "); 277 if (p) while (isspace(*p)) p++; 278 oid = strsep(&p, "\t\n "); 279 if (p) while (isspace(*p)) p++; 280 lib = strsep(&p, "\t\n "); 281 if (p) while (isspace(*p)) p++; 282 kobj = strsep(&p, "\t\n "); 283 if (!name || !oid || !lib || !kobj) 284 continue; 285 286 if (strcmp(kobj, "-")) { 287 /* 288 * Attempt to load the kernel module if its 289 * not already present. 290 */ 291 if (modfind(kobj) < 0) { 292 if (kldload(kobj) < 0) { 293 fprintf(stderr, 294 "%s: can't find or load kernel module %s for %s\n", 295 getprogname(), kobj, name); 296 } 297 } 298 } 299 } 300 fclose(fp); 301 } 302 303 static void * 304 gssd_find_resource(uint64_t id) 305 { 306 struct gss_resource *gr; 307 308 if (!id) 309 return (NULL); 310 311 LIST_FOREACH(gr, &gss_resources, gr_link) 312 if (gr->gr_id == id) 313 return (gr->gr_res); 314 315 return (NULL); 316 } 317 318 static uint64_t 319 gssd_make_resource(void *res) 320 { 321 struct gss_resource *gr; 322 323 if (!res) 324 return (0); 325 326 gr = malloc(sizeof(struct gss_resource)); 327 if (!gr) 328 return (0); 329 gr->gr_id = (gss_next_id++) + ((uint64_t) gss_start_time << 32); 330 gr->gr_res = res; 331 LIST_INSERT_HEAD(&gss_resources, gr, gr_link); 332 gss_resource_count++; 333 if (debug_level > 1) 334 printf("%d resources allocated\n", gss_resource_count); 335 336 return (gr->gr_id); 337 } 338 339 static void 340 gssd_delete_resource(uint64_t id) 341 { 342 struct gss_resource *gr; 343 344 LIST_FOREACH(gr, &gss_resources, gr_link) { 345 if (gr->gr_id == id) { 346 LIST_REMOVE(gr, gr_link); 347 free(gr); 348 gss_resource_count--; 349 if (debug_level > 1) 350 printf("%d resources allocated\n", 351 gss_resource_count); 352 return; 353 } 354 } 355 } 356 357 static void 358 gssd_verbose_out(const char *fmt, ...) 359 { 360 va_list ap; 361 362 if (verbose != 0) { 363 va_start(ap, fmt); 364 if (debug_level == 0) 365 vsyslog(LOG_INFO | LOG_DAEMON, fmt, ap); 366 else 367 vfprintf(stderr, fmt, ap); 368 va_end(ap); 369 } 370 } 371 372 bool_t 373 gssd_null_1_svc(void *argp, void *result, struct svc_req *rqstp) 374 { 375 376 gssd_verbose_out("gssd_null: done\n"); 377 return (TRUE); 378 } 379 380 bool_t 381 gssd_init_sec_context_1_svc(init_sec_context_args *argp, init_sec_context_res *result, struct svc_req *rqstp) 382 { 383 gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; 384 gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; 385 gss_name_t name = GSS_C_NO_NAME; 386 char ccname[PATH_MAX + 5 + 1], *cp, *cp2; 387 int gotone, gotcred; 388 OM_uint32 min_stat; 389 #ifndef WITHOUT_KERBEROS 390 gss_buffer_desc principal_desc; 391 char enctype[sizeof(uint32_t)]; 392 int key_enctype; 393 OM_uint32 maj_stat; 394 #endif 395 396 memset(result, 0, sizeof(*result)); 397 if (hostbased_initiator_cred != 0 && argp->cred != 0 && 398 argp->uid == 0) { 399 /* 400 * These credentials are for a host based initiator name 401 * in a keytab file, which should now have credentials 402 * in /tmp/krb5cc_gssd, because gss_acquire_cred() did 403 * the equivalent of "kinit -k". 404 */ 405 snprintf(ccname, sizeof(ccname), "FILE:%s", 406 GSSD_CREDENTIAL_CACHE_FILE); 407 } else if (ccfile_dirlist[0] != '\0' && argp->cred == 0) { 408 /* 409 * For the "-s" case and no credentials provided as an 410 * argument, search the directory list for an appropriate 411 * credential cache file. If the search fails, return failure. 412 */ 413 gotone = 0; 414 cp = ccfile_dirlist; 415 do { 416 cp2 = strchr(cp, ':'); 417 if (cp2 != NULL) 418 *cp2 = '\0'; 419 gotone = find_ccache_file(cp, argp->uid, ccname); 420 if (gotone != 0) 421 break; 422 if (cp2 != NULL) 423 *cp2++ = ':'; 424 cp = cp2; 425 } while (cp != NULL && *cp != '\0'); 426 if (gotone == 0) { 427 result->major_status = GSS_S_CREDENTIALS_EXPIRED; 428 gssd_verbose_out("gssd_init_sec_context: -s no" 429 " credential cache file found for uid=%d\n", 430 (int)argp->uid); 431 return (TRUE); 432 } 433 } else { 434 /* 435 * If there wasn't a "-s" option or the credentials have 436 * been provided as an argument, do it the old way. 437 * When credentials are provided, the uid should be root. 438 */ 439 if (argp->cred != 0 && argp->uid != 0) { 440 if (debug_level == 0) 441 syslog(LOG_ERR, "gss_init_sec_context:" 442 " cred for non-root"); 443 else 444 fprintf(stderr, "gss_init_sec_context:" 445 " cred for non-root\n"); 446 } 447 snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d", 448 (int) argp->uid); 449 } 450 setenv("KRB5CCNAME", ccname, TRUE); 451 452 if (argp->cred) { 453 cred = gssd_find_resource(argp->cred); 454 if (!cred) { 455 result->major_status = GSS_S_CREDENTIALS_EXPIRED; 456 gssd_verbose_out("gssd_init_sec_context: cred" 457 " resource not found\n"); 458 return (TRUE); 459 } 460 } 461 if (argp->ctx) { 462 ctx = gssd_find_resource(argp->ctx); 463 if (!ctx) { 464 result->major_status = GSS_S_CONTEXT_EXPIRED; 465 gssd_verbose_out("gssd_init_sec_context: context" 466 " resource not found\n"); 467 return (TRUE); 468 } 469 } 470 if (argp->name) { 471 name = gssd_find_resource(argp->name); 472 if (!name) { 473 result->major_status = GSS_S_BAD_NAME; 474 gssd_verbose_out("gssd_init_sec_context: name" 475 " resource not found\n"); 476 return (TRUE); 477 } 478 } 479 gotcred = 0; 480 481 #ifndef WITHOUT_KERBEROS 482 if (use_old_des != 0) { 483 if (cred == GSS_C_NO_CREDENTIAL) { 484 /* Acquire a credential for the uid. */ 485 maj_stat = gssd_get_user_cred(&min_stat, argp->uid, 486 &cred); 487 if (maj_stat == GSS_S_COMPLETE) 488 gotcred = 1; 489 else 490 gssd_verbose_out("gssd_init_sec_context: " 491 "get user cred failed uid=%d major=0x%x " 492 "minor=%d\n", (int)argp->uid, 493 (unsigned int)maj_stat, (int)min_stat); 494 } 495 if (cred != GSS_C_NO_CREDENTIAL) { 496 key_enctype = ETYPE_DES_CBC_CRC; 497 enctype[0] = (key_enctype >> 24) & 0xff; 498 enctype[1] = (key_enctype >> 16) & 0xff; 499 enctype[2] = (key_enctype >> 8) & 0xff; 500 enctype[3] = key_enctype & 0xff; 501 principal_desc.length = sizeof(enctype); 502 principal_desc.value = enctype; 503 result->major_status = gss_set_cred_option( 504 &result->minor_status, &cred, 505 GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X, 506 &principal_desc); 507 gssd_verbose_out("gssd_init_sec_context: set allowable " 508 "enctype major=0x%x minor=%d\n", 509 (unsigned int)result->major_status, 510 (int)result->minor_status); 511 if (result->major_status != GSS_S_COMPLETE) { 512 if (gotcred != 0) 513 gss_release_cred(&min_stat, &cred); 514 return (TRUE); 515 } 516 } 517 } 518 #endif 519 result->major_status = gss_init_sec_context(&result->minor_status, 520 cred, &ctx, name, argp->mech_type, 521 argp->req_flags, argp->time_req, argp->input_chan_bindings, 522 &argp->input_token, &result->actual_mech_type, 523 &result->output_token, &result->ret_flags, &result->time_rec); 524 gssd_verbose_out("gssd_init_sec_context: done major=0x%x minor=%d" 525 " uid=%d\n", (unsigned int)result->major_status, 526 (int)result->minor_status, (int)argp->uid); 527 if (gotcred != 0) 528 gss_release_cred(&min_stat, &cred); 529 530 if (result->major_status == GSS_S_COMPLETE 531 || result->major_status == GSS_S_CONTINUE_NEEDED) { 532 if (argp->ctx) 533 result->ctx = argp->ctx; 534 else 535 result->ctx = gssd_make_resource(ctx); 536 } 537 538 return (TRUE); 539 } 540 541 bool_t 542 gssd_accept_sec_context_1_svc(accept_sec_context_args *argp, accept_sec_context_res *result, struct svc_req *rqstp) 543 { 544 gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; 545 gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; 546 gss_name_t src_name; 547 gss_cred_id_t delegated_cred_handle; 548 549 memset(result, 0, sizeof(*result)); 550 if (argp->ctx) { 551 ctx = gssd_find_resource(argp->ctx); 552 if (!ctx) { 553 result->major_status = GSS_S_CONTEXT_EXPIRED; 554 gssd_verbose_out("gssd_accept_sec_context: ctx" 555 " resource not found\n"); 556 return (TRUE); 557 } 558 } 559 if (argp->cred) { 560 cred = gssd_find_resource(argp->cred); 561 if (!cred) { 562 result->major_status = GSS_S_CREDENTIALS_EXPIRED; 563 gssd_verbose_out("gssd_accept_sec_context: cred" 564 " resource not found\n"); 565 return (TRUE); 566 } 567 } 568 569 memset(result, 0, sizeof(*result)); 570 result->major_status = gss_accept_sec_context(&result->minor_status, 571 &ctx, cred, &argp->input_token, argp->input_chan_bindings, 572 &src_name, &result->mech_type, &result->output_token, 573 &result->ret_flags, &result->time_rec, 574 &delegated_cred_handle); 575 gssd_verbose_out("gssd_accept_sec_context: done major=0x%x minor=%d\n", 576 (unsigned int)result->major_status, (int)result->minor_status); 577 578 if (result->major_status == GSS_S_COMPLETE 579 || result->major_status == GSS_S_CONTINUE_NEEDED) { 580 if (argp->ctx) 581 result->ctx = argp->ctx; 582 else 583 result->ctx = gssd_make_resource(ctx); 584 result->src_name = gssd_make_resource(src_name); 585 result->delegated_cred_handle = 586 gssd_make_resource(delegated_cred_handle); 587 } 588 589 return (TRUE); 590 } 591 592 bool_t 593 gssd_delete_sec_context_1_svc(delete_sec_context_args *argp, delete_sec_context_res *result, struct svc_req *rqstp) 594 { 595 gss_ctx_id_t ctx = gssd_find_resource(argp->ctx); 596 597 if (ctx) { 598 result->major_status = gss_delete_sec_context( 599 &result->minor_status, &ctx, &result->output_token); 600 gssd_delete_resource(argp->ctx); 601 } else { 602 result->major_status = GSS_S_COMPLETE; 603 result->minor_status = 0; 604 } 605 gssd_verbose_out("gssd_delete_sec_context: done major=0x%x minor=%d\n", 606 (unsigned int)result->major_status, (int)result->minor_status); 607 608 return (TRUE); 609 } 610 611 bool_t 612 gssd_export_sec_context_1_svc(export_sec_context_args *argp, export_sec_context_res *result, struct svc_req *rqstp) 613 { 614 gss_ctx_id_t ctx = gssd_find_resource(argp->ctx); 615 616 if (ctx) { 617 result->major_status = gss_export_sec_context( 618 &result->minor_status, &ctx, 619 &result->interprocess_token); 620 result->format = KGSS_HEIMDAL_1_1; 621 gssd_delete_resource(argp->ctx); 622 } else { 623 result->major_status = GSS_S_FAILURE; 624 result->minor_status = 0; 625 result->interprocess_token.length = 0; 626 result->interprocess_token.value = NULL; 627 } 628 gssd_verbose_out("gssd_export_sec_context: done major=0x%x minor=%d\n", 629 (unsigned int)result->major_status, (int)result->minor_status); 630 631 return (TRUE); 632 } 633 634 bool_t 635 gssd_import_name_1_svc(import_name_args *argp, import_name_res *result, struct svc_req *rqstp) 636 { 637 gss_name_t name; 638 639 result->major_status = gss_import_name(&result->minor_status, 640 &argp->input_name_buffer, argp->input_name_type, &name); 641 gssd_verbose_out("gssd_import_name: done major=0x%x minor=%d\n", 642 (unsigned int)result->major_status, (int)result->minor_status); 643 644 if (result->major_status == GSS_S_COMPLETE) 645 result->output_name = gssd_make_resource(name); 646 else 647 result->output_name = 0; 648 649 return (TRUE); 650 } 651 652 bool_t 653 gssd_canonicalize_name_1_svc(canonicalize_name_args *argp, canonicalize_name_res *result, struct svc_req *rqstp) 654 { 655 gss_name_t name = gssd_find_resource(argp->input_name); 656 gss_name_t output_name; 657 658 memset(result, 0, sizeof(*result)); 659 if (!name) { 660 result->major_status = GSS_S_BAD_NAME; 661 return (TRUE); 662 } 663 664 result->major_status = gss_canonicalize_name(&result->minor_status, 665 name, argp->mech_type, &output_name); 666 gssd_verbose_out("gssd_canonicalize_name: done major=0x%x minor=%d\n", 667 (unsigned int)result->major_status, (int)result->minor_status); 668 669 if (result->major_status == GSS_S_COMPLETE) 670 result->output_name = gssd_make_resource(output_name); 671 else 672 result->output_name = 0; 673 674 return (TRUE); 675 } 676 677 bool_t 678 gssd_export_name_1_svc(export_name_args *argp, export_name_res *result, struct svc_req *rqstp) 679 { 680 gss_name_t name = gssd_find_resource(argp->input_name); 681 682 memset(result, 0, sizeof(*result)); 683 if (!name) { 684 result->major_status = GSS_S_BAD_NAME; 685 gssd_verbose_out("gssd_export_name: name resource not found\n"); 686 return (TRUE); 687 } 688 689 result->major_status = gss_export_name(&result->minor_status, 690 name, &result->exported_name); 691 gssd_verbose_out("gssd_export_name: done major=0x%x minor=%d\n", 692 (unsigned int)result->major_status, (int)result->minor_status); 693 694 return (TRUE); 695 } 696 697 bool_t 698 gssd_release_name_1_svc(release_name_args *argp, release_name_res *result, struct svc_req *rqstp) 699 { 700 gss_name_t name = gssd_find_resource(argp->input_name); 701 702 if (name) { 703 result->major_status = gss_release_name(&result->minor_status, 704 &name); 705 gssd_delete_resource(argp->input_name); 706 } else { 707 result->major_status = GSS_S_COMPLETE; 708 result->minor_status = 0; 709 } 710 gssd_verbose_out("gssd_release_name: done major=0x%x minor=%d\n", 711 (unsigned int)result->major_status, (int)result->minor_status); 712 713 return (TRUE); 714 } 715 716 bool_t 717 gssd_pname_to_uid_1_svc(pname_to_uid_args *argp, pname_to_uid_res *result, struct svc_req *rqstp) 718 { 719 gss_name_t name = gssd_find_resource(argp->pname); 720 uid_t uid; 721 char buf[1024], *bufp; 722 struct passwd pwd, *pw; 723 size_t buflen; 724 int error; 725 static size_t buflen_hint = 1024; 726 727 memset(result, 0, sizeof(*result)); 728 if (name) { 729 result->major_status = 730 gss_pname_to_uid(&result->minor_status, 731 name, argp->mech, &uid); 732 if (result->major_status == GSS_S_COMPLETE) { 733 result->uid = uid; 734 buflen = buflen_hint; 735 for (;;) { 736 pw = NULL; 737 bufp = buf; 738 if (buflen > sizeof(buf)) 739 bufp = malloc(buflen); 740 if (bufp == NULL) 741 break; 742 error = getpwuid_r(uid, &pwd, bufp, buflen, 743 &pw); 744 if (error != ERANGE) 745 break; 746 if (buflen > sizeof(buf)) 747 free(bufp); 748 buflen += 1024; 749 if (buflen > buflen_hint) 750 buflen_hint = buflen; 751 } 752 if (pw) { 753 int len = NGRPS; 754 int groups[NGRPS]; 755 result->gid = pw->pw_gid; 756 getgrouplist(pw->pw_name, pw->pw_gid, 757 groups, &len); 758 result->gidlist.gidlist_len = len; 759 result->gidlist.gidlist_val = 760 mem_alloc(len * sizeof(int)); 761 memcpy(result->gidlist.gidlist_val, groups, 762 len * sizeof(int)); 763 gssd_verbose_out("gssd_pname_to_uid: mapped" 764 " to uid=%d, gid=%d\n", (int)result->uid, 765 (int)result->gid); 766 } else { 767 result->gid = 65534; 768 result->gidlist.gidlist_len = 0; 769 result->gidlist.gidlist_val = NULL; 770 gssd_verbose_out("gssd_pname_to_uid: mapped" 771 " to uid=%d, but no groups\n", 772 (int)result->uid); 773 } 774 if (bufp != NULL && buflen > sizeof(buf)) 775 free(bufp); 776 } else 777 gssd_verbose_out("gssd_pname_to_uid: failed major=0x%x" 778 " minor=%d\n", (unsigned int)result->major_status, 779 (int)result->minor_status); 780 } else { 781 result->major_status = GSS_S_BAD_NAME; 782 result->minor_status = 0; 783 gssd_verbose_out("gssd_pname_to_uid: no name\n"); 784 } 785 786 return (TRUE); 787 } 788 789 bool_t 790 gssd_acquire_cred_1_svc(acquire_cred_args *argp, acquire_cred_res *result, struct svc_req *rqstp) 791 { 792 gss_name_t desired_name = GSS_C_NO_NAME; 793 gss_cred_id_t cred; 794 char ccname[PATH_MAX + 5 + 1], *cp, *cp2; 795 int gotone; 796 #ifndef WITHOUT_KERBEROS 797 gss_buffer_desc namebuf; 798 uint32_t minstat; 799 krb5_error_code kret; 800 #endif 801 802 memset(result, 0, sizeof(*result)); 803 if (argp->desired_name) { 804 desired_name = gssd_find_resource(argp->desired_name); 805 if (!desired_name) { 806 result->major_status = GSS_S_BAD_NAME; 807 gssd_verbose_out("gssd_acquire_cred: no desired name" 808 " found\n"); 809 return (TRUE); 810 } 811 } 812 813 #ifndef WITHOUT_KERBEROS 814 if (hostbased_initiator_cred != 0 && argp->desired_name != 0 && 815 argp->uid == 0 && argp->cred_usage == GSS_C_INITIATE) { 816 /* This is a host based initiator name in the keytab file. */ 817 snprintf(ccname, sizeof(ccname), "FILE:%s", 818 GSSD_CREDENTIAL_CACHE_FILE); 819 setenv("KRB5CCNAME", ccname, TRUE); 820 result->major_status = gss_display_name(&result->minor_status, 821 desired_name, &namebuf, NULL); 822 gssd_verbose_out("gssd_acquire_cred: desired name for host " 823 "based initiator cred major=0x%x minor=%d\n", 824 (unsigned int)result->major_status, 825 (int)result->minor_status); 826 if (result->major_status != GSS_S_COMPLETE) 827 return (TRUE); 828 if (namebuf.length > PATH_MAX + 5) { 829 result->minor_status = 0; 830 result->major_status = GSS_S_FAILURE; 831 return (TRUE); 832 } 833 memcpy(ccname, namebuf.value, namebuf.length); 834 ccname[namebuf.length] = '\0'; 835 if ((cp = strchr(ccname, '@')) != NULL) 836 *cp = '/'; 837 kret = gssd_get_cc_from_keytab(ccname); 838 gssd_verbose_out("gssd_acquire_cred: using keytab entry for " 839 "%s, kerberos ret=%d\n", ccname, (int)kret); 840 gss_release_buffer(&minstat, &namebuf); 841 if (kret != 0) { 842 result->minor_status = kret; 843 result->major_status = GSS_S_FAILURE; 844 return (TRUE); 845 } 846 } else 847 #endif /* !WITHOUT_KERBEROS */ 848 if (ccfile_dirlist[0] != '\0' && argp->desired_name == 0) { 849 /* 850 * For the "-s" case and no name provided as an 851 * argument, search the directory list for an appropriate 852 * credential cache file. If the search fails, return failure. 853 */ 854 gotone = 0; 855 cp = ccfile_dirlist; 856 do { 857 cp2 = strchr(cp, ':'); 858 if (cp2 != NULL) 859 *cp2 = '\0'; 860 gotone = find_ccache_file(cp, argp->uid, ccname); 861 if (gotone != 0) 862 break; 863 if (cp2 != NULL) 864 *cp2++ = ':'; 865 cp = cp2; 866 } while (cp != NULL && *cp != '\0'); 867 if (gotone == 0) { 868 result->major_status = GSS_S_CREDENTIALS_EXPIRED; 869 gssd_verbose_out("gssd_acquire_cred: no cred cache" 870 " file found\n"); 871 return (TRUE); 872 } 873 setenv("KRB5CCNAME", ccname, TRUE); 874 } else { 875 /* 876 * If there wasn't a "-s" option or the name has 877 * been provided as an argument, do it the old way. 878 * When a name is provided, it will normally exist in the 879 * default keytab file and the uid will be root. 880 */ 881 if (argp->desired_name != 0 && argp->uid != 0) { 882 if (debug_level == 0) 883 syslog(LOG_ERR, "gss_acquire_cred:" 884 " principal_name for non-root"); 885 else 886 fprintf(stderr, "gss_acquire_cred:" 887 " principal_name for non-root\n"); 888 } 889 snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d", 890 (int) argp->uid); 891 setenv("KRB5CCNAME", ccname, TRUE); 892 } 893 894 result->major_status = gss_acquire_cred(&result->minor_status, 895 desired_name, argp->time_req, argp->desired_mechs, 896 argp->cred_usage, &cred, &result->actual_mechs, &result->time_rec); 897 gssd_verbose_out("gssd_acquire_cred: done major=0x%x minor=%d\n", 898 (unsigned int)result->major_status, (int)result->minor_status); 899 900 if (result->major_status == GSS_S_COMPLETE) 901 result->output_cred = gssd_make_resource(cred); 902 else 903 result->output_cred = 0; 904 905 return (TRUE); 906 } 907 908 bool_t 909 gssd_set_cred_option_1_svc(set_cred_option_args *argp, set_cred_option_res *result, struct svc_req *rqstp) 910 { 911 gss_cred_id_t cred = gssd_find_resource(argp->cred); 912 913 memset(result, 0, sizeof(*result)); 914 if (!cred) { 915 result->major_status = GSS_S_CREDENTIALS_EXPIRED; 916 gssd_verbose_out("gssd_set_cred: no credentials\n"); 917 return (TRUE); 918 } 919 920 result->major_status = gss_set_cred_option(&result->minor_status, 921 &cred, argp->option_name, &argp->option_value); 922 gssd_verbose_out("gssd_set_cred: done major=0x%x minor=%d\n", 923 (unsigned int)result->major_status, (int)result->minor_status); 924 925 return (TRUE); 926 } 927 928 bool_t 929 gssd_release_cred_1_svc(release_cred_args *argp, release_cred_res *result, struct svc_req *rqstp) 930 { 931 gss_cred_id_t cred = gssd_find_resource(argp->cred); 932 933 if (cred) { 934 result->major_status = gss_release_cred(&result->minor_status, 935 &cred); 936 gssd_delete_resource(argp->cred); 937 } else { 938 result->major_status = GSS_S_COMPLETE; 939 result->minor_status = 0; 940 } 941 gssd_verbose_out("gssd_release_cred: done major=0x%x minor=%d\n", 942 (unsigned int)result->major_status, (int)result->minor_status); 943 944 return (TRUE); 945 } 946 947 bool_t 948 gssd_display_status_1_svc(display_status_args *argp, display_status_res *result, struct svc_req *rqstp) 949 { 950 951 result->message_context = argp->message_context; 952 result->major_status = gss_display_status(&result->minor_status, 953 argp->status_value, argp->status_type, argp->mech_type, 954 &result->message_context, &result->status_string); 955 gssd_verbose_out("gssd_display_status: done major=0x%x minor=%d\n", 956 (unsigned int)result->major_status, (int)result->minor_status); 957 958 return (TRUE); 959 } 960 961 int 962 gssd_1_freeresult(SVCXPRT *transp, xdrproc_t xdr_result, caddr_t result) 963 { 964 /* 965 * We don't use XDR to free the results - anything which was 966 * allocated came from GSS-API. We use xdr_result to figure 967 * out what to do. 968 */ 969 OM_uint32 junk; 970 971 if (xdr_result == (xdrproc_t) xdr_init_sec_context_res) { 972 init_sec_context_res *p = (init_sec_context_res *) result; 973 gss_release_buffer(&junk, &p->output_token); 974 } else if (xdr_result == (xdrproc_t) xdr_accept_sec_context_res) { 975 accept_sec_context_res *p = (accept_sec_context_res *) result; 976 gss_release_buffer(&junk, &p->output_token); 977 } else if (xdr_result == (xdrproc_t) xdr_delete_sec_context_res) { 978 delete_sec_context_res *p = (delete_sec_context_res *) result; 979 gss_release_buffer(&junk, &p->output_token); 980 } else if (xdr_result == (xdrproc_t) xdr_export_sec_context_res) { 981 export_sec_context_res *p = (export_sec_context_res *) result; 982 if (p->interprocess_token.length) 983 memset(p->interprocess_token.value, 0, 984 p->interprocess_token.length); 985 gss_release_buffer(&junk, &p->interprocess_token); 986 } else if (xdr_result == (xdrproc_t) xdr_export_name_res) { 987 export_name_res *p = (export_name_res *) result; 988 gss_release_buffer(&junk, &p->exported_name); 989 } else if (xdr_result == (xdrproc_t) xdr_acquire_cred_res) { 990 acquire_cred_res *p = (acquire_cred_res *) result; 991 gss_release_oid_set(&junk, &p->actual_mechs); 992 } else if (xdr_result == (xdrproc_t) xdr_pname_to_uid_res) { 993 pname_to_uid_res *p = (pname_to_uid_res *) result; 994 if (p->gidlist.gidlist_val) 995 free(p->gidlist.gidlist_val); 996 } else if (xdr_result == (xdrproc_t) xdr_display_status_res) { 997 display_status_res *p = (display_status_res *) result; 998 gss_release_buffer(&junk, &p->status_string); 999 } 1000 1001 return (TRUE); 1002 } 1003 1004 /* 1005 * Search a directory for the most likely candidate to be used as the 1006 * credential cache for a uid. If successful, return 1 and fill the 1007 * file's path id into "rpath". Otherwise, return 0. 1008 */ 1009 static int 1010 find_ccache_file(const char *dirpath, uid_t uid, char *rpath) 1011 { 1012 DIR *dirp; 1013 struct dirent *dp; 1014 struct stat sb; 1015 time_t exptime, oexptime; 1016 int gotone, len, rating, orating; 1017 char namepath[PATH_MAX + 5 + 1]; 1018 char retpath[PATH_MAX + 5 + 1]; 1019 1020 dirp = opendir(dirpath); 1021 if (dirp == NULL) 1022 return (0); 1023 gotone = 0; 1024 orating = 0; 1025 oexptime = 0; 1026 while ((dp = readdir(dirp)) != NULL) { 1027 len = snprintf(namepath, sizeof(namepath), "%s/%s", dirpath, 1028 dp->d_name); 1029 if (len < sizeof(namepath) && 1030 (hostbased_initiator_cred == 0 || strcmp(namepath, 1031 GSSD_CREDENTIAL_CACHE_FILE) != 0) && 1032 strstr(dp->d_name, ccfile_substring) != NULL && 1033 lstat(namepath, &sb) >= 0 && 1034 sb.st_uid == uid && 1035 S_ISREG(sb.st_mode)) { 1036 len = snprintf(namepath, sizeof(namepath), "FILE:%s/%s", 1037 dirpath, dp->d_name); 1038 if (len < sizeof(namepath) && 1039 is_a_valid_tgt_cache(namepath, uid, &rating, 1040 &exptime) != 0) { 1041 if (gotone == 0 || rating > orating || 1042 (rating == orating && exptime > oexptime)) { 1043 orating = rating; 1044 oexptime = exptime; 1045 strcpy(retpath, namepath); 1046 gotone = 1; 1047 } 1048 } 1049 } 1050 } 1051 closedir(dirp); 1052 if (gotone != 0) { 1053 strcpy(rpath, retpath); 1054 return (1); 1055 } 1056 return (0); 1057 } 1058 1059 /* 1060 * Try to determine if the file is a valid tgt cache file. 1061 * Check that the file has a valid tgt for a principal. 1062 * If it does, return 1, otherwise return 0. 1063 * It also returns a "rating" and the expiry time for the TGT, when found. 1064 * This "rating" is higher based on heuristics that make it more 1065 * likely to be the correct credential cache file to use. It can 1066 * be used by the caller, along with expiry time, to select from 1067 * multiple credential cache files. 1068 */ 1069 static int 1070 is_a_valid_tgt_cache(const char *filepath, uid_t uid, int *retrating, 1071 time_t *retexptime) 1072 { 1073 #ifndef WITHOUT_KERBEROS 1074 krb5_context context; 1075 krb5_principal princ; 1076 krb5_ccache ccache; 1077 krb5_error_code retval; 1078 krb5_cc_cursor curse; 1079 krb5_creds krbcred; 1080 int gotone, orating, rating, ret; 1081 struct passwd *pw; 1082 char *cp, *cp2, *pname; 1083 time_t exptime; 1084 1085 /* Find a likely name for the uid principal. */ 1086 pw = getpwuid(uid); 1087 1088 /* 1089 * Do a bunch of krb5 library stuff to try and determine if 1090 * this file is a credentials cache with an appropriate TGT 1091 * in it. 1092 */ 1093 retval = krb5_init_context(&context); 1094 if (retval != 0) 1095 return (0); 1096 retval = krb5_cc_resolve(context, filepath, &ccache); 1097 if (retval != 0) { 1098 krb5_free_context(context); 1099 return (0); 1100 } 1101 ret = 0; 1102 orating = 0; 1103 exptime = 0; 1104 retval = krb5_cc_start_seq_get(context, ccache, &curse); 1105 if (retval == 0) { 1106 while ((retval = krb5_cc_next_cred(context, ccache, &curse, 1107 &krbcred)) == 0) { 1108 gotone = 0; 1109 rating = 0; 1110 retval = krb5_unparse_name(context, krbcred.server, 1111 &pname); 1112 if (retval == 0) { 1113 cp = strchr(pname, '/'); 1114 if (cp != NULL) { 1115 *cp++ = '\0'; 1116 if (strcmp(pname, "krbtgt") == 0 && 1117 krbcred.times.endtime > time(NULL) 1118 ) { 1119 gotone = 1; 1120 /* 1121 * Test to see if this is a 1122 * tgt for cross-realm auth. 1123 * Rate it higher, if it is not. 1124 */ 1125 cp2 = strchr(cp, '@'); 1126 if (cp2 != NULL) { 1127 *cp2++ = '\0'; 1128 if (strcmp(cp, cp2) == 1129 0) 1130 rating++; 1131 } 1132 } 1133 } 1134 free(pname); 1135 } 1136 if (gotone != 0) { 1137 retval = krb5_unparse_name(context, 1138 krbcred.client, &pname); 1139 if (retval == 0) { 1140 cp = strchr(pname, '@'); 1141 if (cp != NULL) { 1142 *cp++ = '\0'; 1143 if (pw != NULL && strcmp(pname, 1144 pw->pw_name) == 0) 1145 rating++; 1146 if (strchr(pname, '/') == NULL) 1147 rating++; 1148 if (pref_realm[0] != '\0' && 1149 strcmp(cp, pref_realm) == 0) 1150 rating++; 1151 } 1152 } 1153 free(pname); 1154 if (rating > orating) { 1155 orating = rating; 1156 exptime = krbcred.times.endtime; 1157 } else if (rating == orating && 1158 krbcred.times.endtime > exptime) 1159 exptime = krbcred.times.endtime; 1160 ret = 1; 1161 } 1162 krb5_free_cred_contents(context, &krbcred); 1163 } 1164 krb5_cc_end_seq_get(context, ccache, &curse); 1165 } 1166 krb5_cc_close(context, ccache); 1167 krb5_free_context(context); 1168 if (ret != 0) { 1169 *retrating = orating; 1170 *retexptime = exptime; 1171 } 1172 return (ret); 1173 #else /* WITHOUT_KERBEROS */ 1174 return (0); 1175 #endif /* !WITHOUT_KERBEROS */ 1176 } 1177 1178 #ifndef WITHOUT_KERBEROS 1179 /* 1180 * This function attempts to do essentially a "kinit -k" for the principal 1181 * name provided as the argument, so that there will be a TGT in the 1182 * credential cache. 1183 */ 1184 static krb5_error_code 1185 gssd_get_cc_from_keytab(const char *name) 1186 { 1187 krb5_error_code ret, opt_ret, princ_ret, cc_ret, kt_ret, cred_ret; 1188 krb5_context context; 1189 krb5_principal principal; 1190 krb5_keytab kt; 1191 krb5_creds cred; 1192 krb5_get_init_creds_opt *opt; 1193 krb5_deltat start_time = 0; 1194 krb5_ccache ccache; 1195 1196 ret = krb5_init_context(&context); 1197 if (ret != 0) 1198 return (ret); 1199 opt_ret = cc_ret = kt_ret = cred_ret = 1; /* anything non-zero */ 1200 princ_ret = ret = krb5_parse_name(context, name, &principal); 1201 if (ret == 0) 1202 opt_ret = ret = krb5_get_init_creds_opt_alloc(context, &opt); 1203 if (ret == 0) 1204 cc_ret = ret = krb5_cc_default(context, &ccache); 1205 if (ret == 0) 1206 ret = krb5_cc_initialize(context, ccache, principal); 1207 if (ret == 0) { 1208 krb5_get_init_creds_opt_set_default_flags(context, "gssd", 1209 krb5_principal_get_realm(context, principal), opt); 1210 kt_ret = ret = krb5_kt_default(context, &kt); 1211 } 1212 if (ret == 0) 1213 cred_ret = ret = krb5_get_init_creds_keytab(context, &cred, 1214 principal, kt, start_time, NULL, opt); 1215 if (ret == 0) 1216 ret = krb5_cc_store_cred(context, ccache, &cred); 1217 if (kt_ret == 0) 1218 krb5_kt_close(context, kt); 1219 if (cc_ret == 0) 1220 krb5_cc_close(context, ccache); 1221 if (opt_ret == 0) 1222 krb5_get_init_creds_opt_free(context, opt); 1223 if (princ_ret == 0) 1224 krb5_free_principal(context, principal); 1225 if (cred_ret == 0) 1226 krb5_free_cred_contents(context, &cred); 1227 krb5_free_context(context); 1228 return (ret); 1229 } 1230 1231 /* 1232 * Acquire a gss credential for a uid. 1233 */ 1234 static OM_uint32 1235 gssd_get_user_cred(OM_uint32 *min_statp, uid_t uid, gss_cred_id_t *credp) 1236 { 1237 gss_buffer_desc principal_desc; 1238 gss_name_t name; 1239 OM_uint32 maj_stat, min_stat; 1240 gss_OID_set mechlist; 1241 struct passwd *pw; 1242 1243 pw = getpwuid(uid); 1244 if (pw == NULL) { 1245 *min_statp = 0; 1246 return (GSS_S_FAILURE); 1247 } 1248 1249 /* 1250 * The mechanism must be set to KerberosV for acquisition 1251 * of credentials to work reliably. 1252 */ 1253 maj_stat = gss_create_empty_oid_set(min_statp, &mechlist); 1254 if (maj_stat != GSS_S_COMPLETE) 1255 return (maj_stat); 1256 maj_stat = gss_add_oid_set_member(min_statp, GSS_KRB5_MECH_OID_X, 1257 &mechlist); 1258 if (maj_stat != GSS_S_COMPLETE) { 1259 gss_release_oid_set(&min_stat, &mechlist); 1260 return (maj_stat); 1261 } 1262 1263 principal_desc.value = (void *)pw->pw_name; 1264 principal_desc.length = strlen(pw->pw_name); 1265 maj_stat = gss_import_name(min_statp, &principal_desc, 1266 GSS_C_NT_USER_NAME, &name); 1267 if (maj_stat != GSS_S_COMPLETE) { 1268 gss_release_oid_set(&min_stat, &mechlist); 1269 return (maj_stat); 1270 } 1271 /* Acquire the credentials. */ 1272 maj_stat = gss_acquire_cred(min_statp, name, 0, mechlist, 1273 GSS_C_INITIATE, credp, NULL, NULL); 1274 gss_release_name(&min_stat, &name); 1275 gss_release_oid_set(&min_stat, &mechlist); 1276 return (maj_stat); 1277 } 1278 #endif /* !WITHOUT_KERBEROS */ 1279 1280 void gssd_terminate(int sig __unused) 1281 { 1282 1283 #ifndef WITHOUT_KERBEROS 1284 if (hostbased_initiator_cred != 0) 1285 unlink(GSSD_CREDENTIAL_CACHE_FILE); 1286 #endif 1287 exit(0); 1288 } 1289 1290