1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2008 Isilon Inc http://www.isilon.com/ 5 * Authors: Doug Rabson <dfr@rabson.org> 6 * Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org> 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30 #include <sys/cdefs.h> 31 __FBSDID("$FreeBSD$"); 32 33 #include <sys/param.h> 34 #include <sys/stat.h> 35 #include <sys/linker.h> 36 #include <sys/module.h> 37 #include <sys/queue.h> 38 #include <sys/syslog.h> 39 #include <ctype.h> 40 #include <dirent.h> 41 #include <err.h> 42 #include <errno.h> 43 #ifndef WITHOUT_KERBEROS 44 #include <krb5.h> 45 #endif 46 #include <pwd.h> 47 #include <signal.h> 48 #include <stdarg.h> 49 #include <stdio.h> 50 #include <stdlib.h> 51 #include <string.h> 52 #include <unistd.h> 53 #include <gssapi/gssapi.h> 54 #include <rpc/rpc.h> 55 #include <rpc/rpc_com.h> 56 57 #include "gssd.h" 58 59 #ifndef _PATH_GSS_MECH 60 #define _PATH_GSS_MECH "/etc/gss/mech" 61 #endif 62 #ifndef _PATH_GSSDSOCK 63 #define _PATH_GSSDSOCK "/var/run/gssd.sock" 64 #endif 65 #define GSSD_CREDENTIAL_CACHE_FILE "/tmp/krb5cc_gssd" 66 67 struct gss_resource { 68 LIST_ENTRY(gss_resource) gr_link; 69 uint64_t gr_id; /* identifier exported to kernel */ 70 void* gr_res; /* GSS-API resource pointer */ 71 }; 72 LIST_HEAD(gss_resource_list, gss_resource) gss_resources; 73 int gss_resource_count; 74 uint32_t gss_next_id; 75 uint32_t gss_start_time; 76 int debug_level; 77 static char ccfile_dirlist[PATH_MAX + 1], ccfile_substring[NAME_MAX + 1]; 78 static char pref_realm[1024]; 79 static int verbose; 80 static int hostbased_initiator_cred; 81 #ifndef WITHOUT_KERBEROS 82 /* 1.2.752.43.13.14 */ 83 static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc = 84 {6, (void *) "\x2a\x85\x70\x2b\x0d\x0e"}; 85 static gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X = 86 &gss_krb5_set_allowable_enctypes_x_desc; 87 static gss_OID_desc gss_krb5_mech_oid_x_desc = 88 {9, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" }; 89 static gss_OID GSS_KRB5_MECH_OID_X = 90 &gss_krb5_mech_oid_x_desc; 91 #endif 92 93 static void gssd_load_mech(void); 94 static int find_ccache_file(const char *, uid_t, char *); 95 static int is_a_valid_tgt_cache(const char *, uid_t, int *, time_t *); 96 static void gssd_verbose_out(const char *, ...); 97 #ifndef WITHOUT_KERBEROS 98 static krb5_error_code gssd_get_cc_from_keytab(const char *); 99 static OM_uint32 gssd_get_user_cred(OM_uint32 *, uid_t, gss_cred_id_t *); 100 #endif 101 void gssd_terminate(int); 102 103 extern void gssd_1(struct svc_req *rqstp, SVCXPRT *transp); 104 extern int gssd_syscall(char *path); 105 106 int 107 main(int argc, char **argv) 108 { 109 /* 110 * We provide an RPC service on a local-domain socket. The 111 * kernel's GSS-API code will pass what it can't handle 112 * directly to us. 113 */ 114 struct sockaddr_un sun; 115 int fd, oldmask, ch, debug; 116 SVCXPRT *xprt; 117 118 /* 119 * Initialize the credential cache file name substring and the 120 * search directory list. 121 */ 122 strlcpy(ccfile_substring, "krb5cc_", sizeof(ccfile_substring)); 123 ccfile_dirlist[0] = '\0'; 124 pref_realm[0] = '\0'; 125 debug = 0; 126 verbose = 0; 127 while ((ch = getopt(argc, argv, "dhvs:c:r:")) != -1) { 128 switch (ch) { 129 case 'd': 130 debug_level++; 131 break; 132 case 'h': 133 #ifndef WITHOUT_KERBEROS 134 /* 135 * Enable use of a host based initiator credential 136 * in the default keytab file. 137 */ 138 hostbased_initiator_cred = 1; 139 #else 140 errx(1, "This option not available when built" 141 " without MK_KERBEROS\n"); 142 #endif 143 break; 144 case 'v': 145 verbose = 1; 146 break; 147 case 's': 148 #ifndef WITHOUT_KERBEROS 149 /* 150 * Set the directory search list. This enables use of 151 * find_ccache_file() to search the directories for a 152 * suitable credentials cache file. 153 */ 154 strlcpy(ccfile_dirlist, optarg, sizeof(ccfile_dirlist)); 155 #else 156 errx(1, "This option not available when built" 157 " without MK_KERBEROS\n"); 158 #endif 159 break; 160 case 'c': 161 /* 162 * Specify a non-default credential cache file 163 * substring. 164 */ 165 strlcpy(ccfile_substring, optarg, 166 sizeof(ccfile_substring)); 167 break; 168 case 'r': 169 /* 170 * Set the preferred realm for the credential cache tgt. 171 */ 172 strlcpy(pref_realm, optarg, sizeof(pref_realm)); 173 break; 174 default: 175 fprintf(stderr, 176 "usage: %s [-d] [-s dir-list] [-c file-substring]" 177 " [-r preferred-realm]\n", argv[0]); 178 exit(1); 179 break; 180 } 181 } 182 183 gssd_load_mech(); 184 185 if (!debug_level) { 186 if (daemon(0, 0) != 0) 187 err(1, "Can't daemonize"); 188 signal(SIGINT, SIG_IGN); 189 signal(SIGQUIT, SIG_IGN); 190 signal(SIGHUP, SIG_IGN); 191 } 192 signal(SIGTERM, gssd_terminate); 193 signal(SIGPIPE, gssd_terminate); 194 195 memset(&sun, 0, sizeof sun); 196 sun.sun_family = AF_LOCAL; 197 unlink(_PATH_GSSDSOCK); 198 strcpy(sun.sun_path, _PATH_GSSDSOCK); 199 sun.sun_len = SUN_LEN(&sun); 200 fd = socket(AF_LOCAL, SOCK_STREAM, 0); 201 if (fd < 0) { 202 if (debug_level == 0) { 203 syslog(LOG_ERR, "Can't create local gssd socket"); 204 exit(1); 205 } 206 err(1, "Can't create local gssd socket"); 207 } 208 oldmask = umask(S_IXUSR|S_IRWXG|S_IRWXO); 209 if (bind(fd, (struct sockaddr *) &sun, sun.sun_len) < 0) { 210 if (debug_level == 0) { 211 syslog(LOG_ERR, "Can't bind local gssd socket"); 212 exit(1); 213 } 214 err(1, "Can't bind local gssd socket"); 215 } 216 umask(oldmask); 217 if (listen(fd, SOMAXCONN) < 0) { 218 if (debug_level == 0) { 219 syslog(LOG_ERR, "Can't listen on local gssd socket"); 220 exit(1); 221 } 222 err(1, "Can't listen on local gssd socket"); 223 } 224 xprt = svc_vc_create(fd, RPC_MAXDATASIZE, RPC_MAXDATASIZE); 225 if (!xprt) { 226 if (debug_level == 0) { 227 syslog(LOG_ERR, 228 "Can't create transport for local gssd socket"); 229 exit(1); 230 } 231 err(1, "Can't create transport for local gssd socket"); 232 } 233 if (!svc_reg(xprt, GSSD, GSSDVERS, gssd_1, NULL)) { 234 if (debug_level == 0) { 235 syslog(LOG_ERR, 236 "Can't register service for local gssd socket"); 237 exit(1); 238 } 239 err(1, "Can't register service for local gssd socket"); 240 } 241 242 LIST_INIT(&gss_resources); 243 gss_next_id = 1; 244 gss_start_time = time(0); 245 246 gssd_syscall(_PATH_GSSDSOCK); 247 svc_run(); 248 gssd_syscall(""); 249 250 return (0); 251 } 252 253 static void 254 gssd_load_mech(void) 255 { 256 FILE *fp; 257 char buf[256]; 258 char *p; 259 char *name, *oid, *lib, *kobj; 260 261 fp = fopen(_PATH_GSS_MECH, "r"); 262 if (!fp) 263 return; 264 265 while (fgets(buf, sizeof(buf), fp)) { 266 if (*buf == '#') 267 continue; 268 p = buf; 269 name = strsep(&p, "\t\n "); 270 if (p) while (isspace(*p)) p++; 271 oid = strsep(&p, "\t\n "); 272 if (p) while (isspace(*p)) p++; 273 lib = strsep(&p, "\t\n "); 274 if (p) while (isspace(*p)) p++; 275 kobj = strsep(&p, "\t\n "); 276 if (!name || !oid || !lib || !kobj) 277 continue; 278 279 if (strcmp(kobj, "-")) { 280 /* 281 * Attempt to load the kernel module if its 282 * not already present. 283 */ 284 if (modfind(kobj) < 0) { 285 if (kldload(kobj) < 0) { 286 fprintf(stderr, 287 "%s: can't find or load kernel module %s for %s\n", 288 getprogname(), kobj, name); 289 } 290 } 291 } 292 } 293 fclose(fp); 294 } 295 296 static void * 297 gssd_find_resource(uint64_t id) 298 { 299 struct gss_resource *gr; 300 301 if (!id) 302 return (NULL); 303 304 LIST_FOREACH(gr, &gss_resources, gr_link) 305 if (gr->gr_id == id) 306 return (gr->gr_res); 307 308 return (NULL); 309 } 310 311 static uint64_t 312 gssd_make_resource(void *res) 313 { 314 struct gss_resource *gr; 315 316 if (!res) 317 return (0); 318 319 gr = malloc(sizeof(struct gss_resource)); 320 if (!gr) 321 return (0); 322 gr->gr_id = (gss_next_id++) + ((uint64_t) gss_start_time << 32); 323 gr->gr_res = res; 324 LIST_INSERT_HEAD(&gss_resources, gr, gr_link); 325 gss_resource_count++; 326 if (debug_level > 1) 327 printf("%d resources allocated\n", gss_resource_count); 328 329 return (gr->gr_id); 330 } 331 332 static void 333 gssd_delete_resource(uint64_t id) 334 { 335 struct gss_resource *gr; 336 337 LIST_FOREACH(gr, &gss_resources, gr_link) { 338 if (gr->gr_id == id) { 339 LIST_REMOVE(gr, gr_link); 340 free(gr); 341 gss_resource_count--; 342 if (debug_level > 1) 343 printf("%d resources allocated\n", 344 gss_resource_count); 345 return; 346 } 347 } 348 } 349 350 static void 351 gssd_verbose_out(const char *fmt, ...) 352 { 353 va_list ap; 354 355 if (verbose != 0) { 356 va_start(ap, fmt); 357 if (debug_level == 0) 358 vsyslog(LOG_INFO | LOG_DAEMON, fmt, ap); 359 else 360 vfprintf(stderr, fmt, ap); 361 va_end(ap); 362 } 363 } 364 365 bool_t 366 gssd_null_1_svc(void *argp, void *result, struct svc_req *rqstp) 367 { 368 369 gssd_verbose_out("gssd_null: done\n"); 370 return (TRUE); 371 } 372 373 bool_t 374 gssd_init_sec_context_1_svc(init_sec_context_args *argp, init_sec_context_res *result, struct svc_req *rqstp) 375 { 376 gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; 377 gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; 378 gss_name_t name = GSS_C_NO_NAME; 379 char ccname[PATH_MAX + 5 + 1], *cp, *cp2; 380 int gotone, gotcred; 381 OM_uint32 min_stat; 382 #ifndef WITHOUT_KERBEROS 383 gss_buffer_desc principal_desc; 384 char enctype[sizeof(uint32_t)]; 385 int key_enctype; 386 OM_uint32 maj_stat; 387 #endif 388 389 memset(result, 0, sizeof(*result)); 390 if (hostbased_initiator_cred != 0 && argp->cred != 0 && 391 argp->uid == 0) { 392 /* 393 * These credentials are for a host based initiator name 394 * in a keytab file, which should now have credentials 395 * in /tmp/krb5cc_gssd, because gss_acquire_cred() did 396 * the equivalent of "kinit -k". 397 */ 398 snprintf(ccname, sizeof(ccname), "FILE:%s", 399 GSSD_CREDENTIAL_CACHE_FILE); 400 } else if (ccfile_dirlist[0] != '\0' && argp->cred == 0) { 401 /* 402 * For the "-s" case and no credentials provided as an 403 * argument, search the directory list for an appropriate 404 * credential cache file. If the search fails, return failure. 405 */ 406 gotone = 0; 407 cp = ccfile_dirlist; 408 do { 409 cp2 = strchr(cp, ':'); 410 if (cp2 != NULL) 411 *cp2 = '\0'; 412 gotone = find_ccache_file(cp, argp->uid, ccname); 413 if (gotone != 0) 414 break; 415 if (cp2 != NULL) 416 *cp2++ = ':'; 417 cp = cp2; 418 } while (cp != NULL && *cp != '\0'); 419 if (gotone == 0) { 420 result->major_status = GSS_S_CREDENTIALS_EXPIRED; 421 gssd_verbose_out("gssd_init_sec_context: -s no" 422 " credential cache file found for uid=%d\n", 423 (int)argp->uid); 424 return (TRUE); 425 } 426 } else { 427 /* 428 * If there wasn't a "-s" option or the credentials have 429 * been provided as an argument, do it the old way. 430 * When credentials are provided, the uid should be root. 431 */ 432 if (argp->cred != 0 && argp->uid != 0) { 433 if (debug_level == 0) 434 syslog(LOG_ERR, "gss_init_sec_context:" 435 " cred for non-root"); 436 else 437 fprintf(stderr, "gss_init_sec_context:" 438 " cred for non-root\n"); 439 } 440 snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d", 441 (int) argp->uid); 442 } 443 setenv("KRB5CCNAME", ccname, TRUE); 444 445 if (argp->cred) { 446 cred = gssd_find_resource(argp->cred); 447 if (!cred) { 448 result->major_status = GSS_S_CREDENTIALS_EXPIRED; 449 gssd_verbose_out("gssd_init_sec_context: cred" 450 " resource not found\n"); 451 return (TRUE); 452 } 453 } 454 if (argp->ctx) { 455 ctx = gssd_find_resource(argp->ctx); 456 if (!ctx) { 457 result->major_status = GSS_S_CONTEXT_EXPIRED; 458 gssd_verbose_out("gssd_init_sec_context: context" 459 " resource not found\n"); 460 return (TRUE); 461 } 462 } 463 if (argp->name) { 464 name = gssd_find_resource(argp->name); 465 if (!name) { 466 result->major_status = GSS_S_BAD_NAME; 467 gssd_verbose_out("gssd_init_sec_context: name" 468 " resource not found\n"); 469 return (TRUE); 470 } 471 } 472 gotcred = 0; 473 474 result->major_status = gss_init_sec_context(&result->minor_status, 475 cred, &ctx, name, argp->mech_type, 476 argp->req_flags, argp->time_req, argp->input_chan_bindings, 477 &argp->input_token, &result->actual_mech_type, 478 &result->output_token, &result->ret_flags, &result->time_rec); 479 gssd_verbose_out("gssd_init_sec_context: done major=0x%x minor=%d" 480 " uid=%d\n", (unsigned int)result->major_status, 481 (int)result->minor_status, (int)argp->uid); 482 if (gotcred != 0) 483 gss_release_cred(&min_stat, &cred); 484 485 if (result->major_status == GSS_S_COMPLETE 486 || result->major_status == GSS_S_CONTINUE_NEEDED) { 487 if (argp->ctx) 488 result->ctx = argp->ctx; 489 else 490 result->ctx = gssd_make_resource(ctx); 491 } 492 493 return (TRUE); 494 } 495 496 bool_t 497 gssd_accept_sec_context_1_svc(accept_sec_context_args *argp, accept_sec_context_res *result, struct svc_req *rqstp) 498 { 499 gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; 500 gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; 501 gss_name_t src_name; 502 gss_cred_id_t delegated_cred_handle; 503 504 memset(result, 0, sizeof(*result)); 505 if (argp->ctx) { 506 ctx = gssd_find_resource(argp->ctx); 507 if (!ctx) { 508 result->major_status = GSS_S_CONTEXT_EXPIRED; 509 gssd_verbose_out("gssd_accept_sec_context: ctx" 510 " resource not found\n"); 511 return (TRUE); 512 } 513 } 514 if (argp->cred) { 515 cred = gssd_find_resource(argp->cred); 516 if (!cred) { 517 result->major_status = GSS_S_CREDENTIALS_EXPIRED; 518 gssd_verbose_out("gssd_accept_sec_context: cred" 519 " resource not found\n"); 520 return (TRUE); 521 } 522 } 523 524 memset(result, 0, sizeof(*result)); 525 result->major_status = gss_accept_sec_context(&result->minor_status, 526 &ctx, cred, &argp->input_token, argp->input_chan_bindings, 527 &src_name, &result->mech_type, &result->output_token, 528 &result->ret_flags, &result->time_rec, 529 &delegated_cred_handle); 530 gssd_verbose_out("gssd_accept_sec_context: done major=0x%x minor=%d\n", 531 (unsigned int)result->major_status, (int)result->minor_status); 532 533 if (result->major_status == GSS_S_COMPLETE 534 || result->major_status == GSS_S_CONTINUE_NEEDED) { 535 if (argp->ctx) 536 result->ctx = argp->ctx; 537 else 538 result->ctx = gssd_make_resource(ctx); 539 result->src_name = gssd_make_resource(src_name); 540 result->delegated_cred_handle = 541 gssd_make_resource(delegated_cred_handle); 542 } 543 544 return (TRUE); 545 } 546 547 bool_t 548 gssd_delete_sec_context_1_svc(delete_sec_context_args *argp, delete_sec_context_res *result, struct svc_req *rqstp) 549 { 550 gss_ctx_id_t ctx = gssd_find_resource(argp->ctx); 551 552 if (ctx) { 553 result->major_status = gss_delete_sec_context( 554 &result->minor_status, &ctx, &result->output_token); 555 gssd_delete_resource(argp->ctx); 556 } else { 557 result->major_status = GSS_S_COMPLETE; 558 result->minor_status = 0; 559 } 560 gssd_verbose_out("gssd_delete_sec_context: done major=0x%x minor=%d\n", 561 (unsigned int)result->major_status, (int)result->minor_status); 562 563 return (TRUE); 564 } 565 566 bool_t 567 gssd_export_sec_context_1_svc(export_sec_context_args *argp, export_sec_context_res *result, struct svc_req *rqstp) 568 { 569 gss_ctx_id_t ctx = gssd_find_resource(argp->ctx); 570 571 if (ctx) { 572 result->major_status = gss_export_sec_context( 573 &result->minor_status, &ctx, 574 &result->interprocess_token); 575 result->format = KGSS_HEIMDAL_1_1; 576 gssd_delete_resource(argp->ctx); 577 } else { 578 result->major_status = GSS_S_FAILURE; 579 result->minor_status = 0; 580 result->interprocess_token.length = 0; 581 result->interprocess_token.value = NULL; 582 } 583 gssd_verbose_out("gssd_export_sec_context: done major=0x%x minor=%d\n", 584 (unsigned int)result->major_status, (int)result->minor_status); 585 586 return (TRUE); 587 } 588 589 bool_t 590 gssd_import_name_1_svc(import_name_args *argp, import_name_res *result, struct svc_req *rqstp) 591 { 592 gss_name_t name; 593 594 result->major_status = gss_import_name(&result->minor_status, 595 &argp->input_name_buffer, argp->input_name_type, &name); 596 gssd_verbose_out("gssd_import_name: done major=0x%x minor=%d\n", 597 (unsigned int)result->major_status, (int)result->minor_status); 598 599 if (result->major_status == GSS_S_COMPLETE) 600 result->output_name = gssd_make_resource(name); 601 else 602 result->output_name = 0; 603 604 return (TRUE); 605 } 606 607 bool_t 608 gssd_canonicalize_name_1_svc(canonicalize_name_args *argp, canonicalize_name_res *result, struct svc_req *rqstp) 609 { 610 gss_name_t name = gssd_find_resource(argp->input_name); 611 gss_name_t output_name; 612 613 memset(result, 0, sizeof(*result)); 614 if (!name) { 615 result->major_status = GSS_S_BAD_NAME; 616 return (TRUE); 617 } 618 619 result->major_status = gss_canonicalize_name(&result->minor_status, 620 name, argp->mech_type, &output_name); 621 gssd_verbose_out("gssd_canonicalize_name: done major=0x%x minor=%d\n", 622 (unsigned int)result->major_status, (int)result->minor_status); 623 624 if (result->major_status == GSS_S_COMPLETE) 625 result->output_name = gssd_make_resource(output_name); 626 else 627 result->output_name = 0; 628 629 return (TRUE); 630 } 631 632 bool_t 633 gssd_export_name_1_svc(export_name_args *argp, export_name_res *result, struct svc_req *rqstp) 634 { 635 gss_name_t name = gssd_find_resource(argp->input_name); 636 637 memset(result, 0, sizeof(*result)); 638 if (!name) { 639 result->major_status = GSS_S_BAD_NAME; 640 gssd_verbose_out("gssd_export_name: name resource not found\n"); 641 return (TRUE); 642 } 643 644 result->major_status = gss_export_name(&result->minor_status, 645 name, &result->exported_name); 646 gssd_verbose_out("gssd_export_name: done major=0x%x minor=%d\n", 647 (unsigned int)result->major_status, (int)result->minor_status); 648 649 return (TRUE); 650 } 651 652 bool_t 653 gssd_release_name_1_svc(release_name_args *argp, release_name_res *result, struct svc_req *rqstp) 654 { 655 gss_name_t name = gssd_find_resource(argp->input_name); 656 657 if (name) { 658 result->major_status = gss_release_name(&result->minor_status, 659 &name); 660 gssd_delete_resource(argp->input_name); 661 } else { 662 result->major_status = GSS_S_COMPLETE; 663 result->minor_status = 0; 664 } 665 gssd_verbose_out("gssd_release_name: done major=0x%x minor=%d\n", 666 (unsigned int)result->major_status, (int)result->minor_status); 667 668 return (TRUE); 669 } 670 671 bool_t 672 gssd_pname_to_uid_1_svc(pname_to_uid_args *argp, pname_to_uid_res *result, struct svc_req *rqstp) 673 { 674 gss_name_t name = gssd_find_resource(argp->pname); 675 uid_t uid; 676 char buf[1024], *bufp; 677 struct passwd pwd, *pw; 678 size_t buflen; 679 int error; 680 static size_t buflen_hint = 1024; 681 682 memset(result, 0, sizeof(*result)); 683 if (name) { 684 result->major_status = 685 gss_pname_to_uid(&result->minor_status, 686 name, argp->mech, &uid); 687 if (result->major_status == GSS_S_COMPLETE) { 688 result->uid = uid; 689 buflen = buflen_hint; 690 for (;;) { 691 pw = NULL; 692 bufp = buf; 693 if (buflen > sizeof(buf)) 694 bufp = malloc(buflen); 695 if (bufp == NULL) 696 break; 697 error = getpwuid_r(uid, &pwd, bufp, buflen, 698 &pw); 699 if (error != ERANGE) 700 break; 701 if (buflen > sizeof(buf)) 702 free(bufp); 703 buflen += 1024; 704 if (buflen > buflen_hint) 705 buflen_hint = buflen; 706 } 707 if (pw) { 708 int len = NGROUPS; 709 int groups[NGROUPS]; 710 result->gid = pw->pw_gid; 711 getgrouplist(pw->pw_name, pw->pw_gid, 712 groups, &len); 713 result->gidlist.gidlist_len = len; 714 result->gidlist.gidlist_val = 715 mem_alloc(len * sizeof(int)); 716 memcpy(result->gidlist.gidlist_val, groups, 717 len * sizeof(int)); 718 gssd_verbose_out("gssd_pname_to_uid: mapped" 719 " to uid=%d, gid=%d\n", (int)result->uid, 720 (int)result->gid); 721 } else { 722 result->gid = 65534; 723 result->gidlist.gidlist_len = 0; 724 result->gidlist.gidlist_val = NULL; 725 gssd_verbose_out("gssd_pname_to_uid: mapped" 726 " to uid=%d, but no groups\n", 727 (int)result->uid); 728 } 729 if (bufp != NULL && buflen > sizeof(buf)) 730 free(bufp); 731 } else 732 gssd_verbose_out("gssd_pname_to_uid: failed major=0x%x" 733 " minor=%d\n", (unsigned int)result->major_status, 734 (int)result->minor_status); 735 } else { 736 result->major_status = GSS_S_BAD_NAME; 737 result->minor_status = 0; 738 gssd_verbose_out("gssd_pname_to_uid: no name\n"); 739 } 740 741 return (TRUE); 742 } 743 744 bool_t 745 gssd_acquire_cred_1_svc(acquire_cred_args *argp, acquire_cred_res *result, struct svc_req *rqstp) 746 { 747 gss_name_t desired_name = GSS_C_NO_NAME; 748 gss_cred_id_t cred; 749 char ccname[PATH_MAX + 5 + 1], *cp, *cp2; 750 int gotone; 751 #ifndef WITHOUT_KERBEROS 752 gss_buffer_desc namebuf; 753 uint32_t minstat; 754 krb5_error_code kret; 755 #endif 756 757 memset(result, 0, sizeof(*result)); 758 if (argp->desired_name) { 759 desired_name = gssd_find_resource(argp->desired_name); 760 if (!desired_name) { 761 result->major_status = GSS_S_BAD_NAME; 762 gssd_verbose_out("gssd_acquire_cred: no desired name" 763 " found\n"); 764 return (TRUE); 765 } 766 } 767 768 #ifndef WITHOUT_KERBEROS 769 if (hostbased_initiator_cred != 0 && argp->desired_name != 0 && 770 argp->uid == 0 && argp->cred_usage == GSS_C_INITIATE) { 771 /* This is a host based initiator name in the keytab file. */ 772 snprintf(ccname, sizeof(ccname), "FILE:%s", 773 GSSD_CREDENTIAL_CACHE_FILE); 774 setenv("KRB5CCNAME", ccname, TRUE); 775 result->major_status = gss_display_name(&result->minor_status, 776 desired_name, &namebuf, NULL); 777 gssd_verbose_out("gssd_acquire_cred: desired name for host " 778 "based initiator cred major=0x%x minor=%d\n", 779 (unsigned int)result->major_status, 780 (int)result->minor_status); 781 if (result->major_status != GSS_S_COMPLETE) 782 return (TRUE); 783 if (namebuf.length > PATH_MAX + 5) { 784 result->minor_status = 0; 785 result->major_status = GSS_S_FAILURE; 786 return (TRUE); 787 } 788 memcpy(ccname, namebuf.value, namebuf.length); 789 ccname[namebuf.length] = '\0'; 790 if ((cp = strchr(ccname, '@')) != NULL) 791 *cp = '/'; 792 kret = gssd_get_cc_from_keytab(ccname); 793 gssd_verbose_out("gssd_acquire_cred: using keytab entry for " 794 "%s, kerberos ret=%d\n", ccname, (int)kret); 795 gss_release_buffer(&minstat, &namebuf); 796 if (kret != 0) { 797 result->minor_status = kret; 798 result->major_status = GSS_S_FAILURE; 799 return (TRUE); 800 } 801 } else 802 #endif /* !WITHOUT_KERBEROS */ 803 if (ccfile_dirlist[0] != '\0' && argp->desired_name == 0) { 804 /* 805 * For the "-s" case and no name provided as an 806 * argument, search the directory list for an appropriate 807 * credential cache file. If the search fails, return failure. 808 */ 809 gotone = 0; 810 cp = ccfile_dirlist; 811 do { 812 cp2 = strchr(cp, ':'); 813 if (cp2 != NULL) 814 *cp2 = '\0'; 815 gotone = find_ccache_file(cp, argp->uid, ccname); 816 if (gotone != 0) 817 break; 818 if (cp2 != NULL) 819 *cp2++ = ':'; 820 cp = cp2; 821 } while (cp != NULL && *cp != '\0'); 822 if (gotone == 0) { 823 result->major_status = GSS_S_CREDENTIALS_EXPIRED; 824 gssd_verbose_out("gssd_acquire_cred: no cred cache" 825 " file found\n"); 826 return (TRUE); 827 } 828 setenv("KRB5CCNAME", ccname, TRUE); 829 } else { 830 /* 831 * If there wasn't a "-s" option or the name has 832 * been provided as an argument, do it the old way. 833 * When a name is provided, it will normally exist in the 834 * default keytab file and the uid will be root. 835 */ 836 if (argp->desired_name != 0 && argp->uid != 0) { 837 if (debug_level == 0) 838 syslog(LOG_ERR, "gss_acquire_cred:" 839 " principal_name for non-root"); 840 else 841 fprintf(stderr, "gss_acquire_cred:" 842 " principal_name for non-root\n"); 843 } 844 snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d", 845 (int) argp->uid); 846 setenv("KRB5CCNAME", ccname, TRUE); 847 } 848 849 result->major_status = gss_acquire_cred(&result->minor_status, 850 desired_name, argp->time_req, argp->desired_mechs, 851 argp->cred_usage, &cred, &result->actual_mechs, &result->time_rec); 852 gssd_verbose_out("gssd_acquire_cred: done major=0x%x minor=%d\n", 853 (unsigned int)result->major_status, (int)result->minor_status); 854 855 if (result->major_status == GSS_S_COMPLETE) 856 result->output_cred = gssd_make_resource(cred); 857 else 858 result->output_cred = 0; 859 860 return (TRUE); 861 } 862 863 bool_t 864 gssd_set_cred_option_1_svc(set_cred_option_args *argp, set_cred_option_res *result, struct svc_req *rqstp) 865 { 866 gss_cred_id_t cred = gssd_find_resource(argp->cred); 867 868 memset(result, 0, sizeof(*result)); 869 if (!cred) { 870 result->major_status = GSS_S_CREDENTIALS_EXPIRED; 871 gssd_verbose_out("gssd_set_cred: no credentials\n"); 872 return (TRUE); 873 } 874 875 result->major_status = gss_set_cred_option(&result->minor_status, 876 &cred, argp->option_name, &argp->option_value); 877 gssd_verbose_out("gssd_set_cred: done major=0x%x minor=%d\n", 878 (unsigned int)result->major_status, (int)result->minor_status); 879 880 return (TRUE); 881 } 882 883 bool_t 884 gssd_release_cred_1_svc(release_cred_args *argp, release_cred_res *result, struct svc_req *rqstp) 885 { 886 gss_cred_id_t cred = gssd_find_resource(argp->cred); 887 888 if (cred) { 889 result->major_status = gss_release_cred(&result->minor_status, 890 &cred); 891 gssd_delete_resource(argp->cred); 892 } else { 893 result->major_status = GSS_S_COMPLETE; 894 result->minor_status = 0; 895 } 896 gssd_verbose_out("gssd_release_cred: done major=0x%x minor=%d\n", 897 (unsigned int)result->major_status, (int)result->minor_status); 898 899 return (TRUE); 900 } 901 902 bool_t 903 gssd_display_status_1_svc(display_status_args *argp, display_status_res *result, struct svc_req *rqstp) 904 { 905 906 result->message_context = argp->message_context; 907 result->major_status = gss_display_status(&result->minor_status, 908 argp->status_value, argp->status_type, argp->mech_type, 909 &result->message_context, &result->status_string); 910 gssd_verbose_out("gssd_display_status: done major=0x%x minor=%d\n", 911 (unsigned int)result->major_status, (int)result->minor_status); 912 913 return (TRUE); 914 } 915 916 int 917 gssd_1_freeresult(SVCXPRT *transp, xdrproc_t xdr_result, caddr_t result) 918 { 919 /* 920 * We don't use XDR to free the results - anything which was 921 * allocated came from GSS-API. We use xdr_result to figure 922 * out what to do. 923 */ 924 OM_uint32 junk; 925 926 if (xdr_result == (xdrproc_t) xdr_init_sec_context_res) { 927 init_sec_context_res *p = (init_sec_context_res *) result; 928 gss_release_buffer(&junk, &p->output_token); 929 } else if (xdr_result == (xdrproc_t) xdr_accept_sec_context_res) { 930 accept_sec_context_res *p = (accept_sec_context_res *) result; 931 gss_release_buffer(&junk, &p->output_token); 932 } else if (xdr_result == (xdrproc_t) xdr_delete_sec_context_res) { 933 delete_sec_context_res *p = (delete_sec_context_res *) result; 934 gss_release_buffer(&junk, &p->output_token); 935 } else if (xdr_result == (xdrproc_t) xdr_export_sec_context_res) { 936 export_sec_context_res *p = (export_sec_context_res *) result; 937 if (p->interprocess_token.length) 938 memset(p->interprocess_token.value, 0, 939 p->interprocess_token.length); 940 gss_release_buffer(&junk, &p->interprocess_token); 941 } else if (xdr_result == (xdrproc_t) xdr_export_name_res) { 942 export_name_res *p = (export_name_res *) result; 943 gss_release_buffer(&junk, &p->exported_name); 944 } else if (xdr_result == (xdrproc_t) xdr_acquire_cred_res) { 945 acquire_cred_res *p = (acquire_cred_res *) result; 946 gss_release_oid_set(&junk, &p->actual_mechs); 947 } else if (xdr_result == (xdrproc_t) xdr_pname_to_uid_res) { 948 pname_to_uid_res *p = (pname_to_uid_res *) result; 949 if (p->gidlist.gidlist_val) 950 free(p->gidlist.gidlist_val); 951 } else if (xdr_result == (xdrproc_t) xdr_display_status_res) { 952 display_status_res *p = (display_status_res *) result; 953 gss_release_buffer(&junk, &p->status_string); 954 } 955 956 return (TRUE); 957 } 958 959 /* 960 * Search a directory for the most likely candidate to be used as the 961 * credential cache for a uid. If successful, return 1 and fill the 962 * file's path id into "rpath". Otherwise, return 0. 963 */ 964 static int 965 find_ccache_file(const char *dirpath, uid_t uid, char *rpath) 966 { 967 DIR *dirp; 968 struct dirent *dp; 969 struct stat sb; 970 time_t exptime, oexptime; 971 int gotone, len, rating, orating; 972 char namepath[PATH_MAX + 5 + 1]; 973 char retpath[PATH_MAX + 5 + 1]; 974 975 dirp = opendir(dirpath); 976 if (dirp == NULL) 977 return (0); 978 gotone = 0; 979 orating = 0; 980 oexptime = 0; 981 while ((dp = readdir(dirp)) != NULL) { 982 len = snprintf(namepath, sizeof(namepath), "%s/%s", dirpath, 983 dp->d_name); 984 if (len < sizeof(namepath) && 985 (hostbased_initiator_cred == 0 || strcmp(namepath, 986 GSSD_CREDENTIAL_CACHE_FILE) != 0) && 987 strstr(dp->d_name, ccfile_substring) != NULL && 988 lstat(namepath, &sb) >= 0 && 989 sb.st_uid == uid && 990 S_ISREG(sb.st_mode)) { 991 len = snprintf(namepath, sizeof(namepath), "FILE:%s/%s", 992 dirpath, dp->d_name); 993 if (len < sizeof(namepath) && 994 is_a_valid_tgt_cache(namepath, uid, &rating, 995 &exptime) != 0) { 996 if (gotone == 0 || rating > orating || 997 (rating == orating && exptime > oexptime)) { 998 orating = rating; 999 oexptime = exptime; 1000 strcpy(retpath, namepath); 1001 gotone = 1; 1002 } 1003 } 1004 } 1005 } 1006 closedir(dirp); 1007 if (gotone != 0) { 1008 strcpy(rpath, retpath); 1009 return (1); 1010 } 1011 return (0); 1012 } 1013 1014 /* 1015 * Try to determine if the file is a valid tgt cache file. 1016 * Check that the file has a valid tgt for a principal. 1017 * If it does, return 1, otherwise return 0. 1018 * It also returns a "rating" and the expiry time for the TGT, when found. 1019 * This "rating" is higher based on heuristics that make it more 1020 * likely to be the correct credential cache file to use. It can 1021 * be used by the caller, along with expiry time, to select from 1022 * multiple credential cache files. 1023 */ 1024 static int 1025 is_a_valid_tgt_cache(const char *filepath, uid_t uid, int *retrating, 1026 time_t *retexptime) 1027 { 1028 #ifndef WITHOUT_KERBEROS 1029 krb5_context context; 1030 krb5_principal princ; 1031 krb5_ccache ccache; 1032 krb5_error_code retval; 1033 krb5_cc_cursor curse; 1034 krb5_creds krbcred; 1035 int gotone, orating, rating, ret; 1036 struct passwd *pw; 1037 char *cp, *cp2, *pname; 1038 time_t exptime; 1039 1040 /* Find a likely name for the uid principal. */ 1041 pw = getpwuid(uid); 1042 1043 /* 1044 * Do a bunch of krb5 library stuff to try and determine if 1045 * this file is a credentials cache with an appropriate TGT 1046 * in it. 1047 */ 1048 retval = krb5_init_context(&context); 1049 if (retval != 0) 1050 return (0); 1051 retval = krb5_cc_resolve(context, filepath, &ccache); 1052 if (retval != 0) { 1053 krb5_free_context(context); 1054 return (0); 1055 } 1056 ret = 0; 1057 orating = 0; 1058 exptime = 0; 1059 retval = krb5_cc_start_seq_get(context, ccache, &curse); 1060 if (retval == 0) { 1061 while ((retval = krb5_cc_next_cred(context, ccache, &curse, 1062 &krbcred)) == 0) { 1063 gotone = 0; 1064 rating = 0; 1065 retval = krb5_unparse_name(context, krbcred.server, 1066 &pname); 1067 if (retval == 0) { 1068 cp = strchr(pname, '/'); 1069 if (cp != NULL) { 1070 *cp++ = '\0'; 1071 if (strcmp(pname, "krbtgt") == 0 && 1072 krbcred.times.endtime > time(NULL) 1073 ) { 1074 gotone = 1; 1075 /* 1076 * Test to see if this is a 1077 * tgt for cross-realm auth. 1078 * Rate it higher, if it is not. 1079 */ 1080 cp2 = strchr(cp, '@'); 1081 if (cp2 != NULL) { 1082 *cp2++ = '\0'; 1083 if (strcmp(cp, cp2) == 1084 0) 1085 rating++; 1086 } 1087 } 1088 } 1089 free(pname); 1090 } 1091 if (gotone != 0) { 1092 retval = krb5_unparse_name(context, 1093 krbcred.client, &pname); 1094 if (retval == 0) { 1095 cp = strchr(pname, '@'); 1096 if (cp != NULL) { 1097 *cp++ = '\0'; 1098 if (pw != NULL && strcmp(pname, 1099 pw->pw_name) == 0) 1100 rating++; 1101 if (strchr(pname, '/') == NULL) 1102 rating++; 1103 if (pref_realm[0] != '\0' && 1104 strcmp(cp, pref_realm) == 0) 1105 rating++; 1106 } 1107 } 1108 free(pname); 1109 if (rating > orating) { 1110 orating = rating; 1111 exptime = krbcred.times.endtime; 1112 } else if (rating == orating && 1113 krbcred.times.endtime > exptime) 1114 exptime = krbcred.times.endtime; 1115 ret = 1; 1116 } 1117 krb5_free_cred_contents(context, &krbcred); 1118 } 1119 krb5_cc_end_seq_get(context, ccache, &curse); 1120 } 1121 krb5_cc_close(context, ccache); 1122 krb5_free_context(context); 1123 if (ret != 0) { 1124 *retrating = orating; 1125 *retexptime = exptime; 1126 } 1127 return (ret); 1128 #else /* WITHOUT_KERBEROS */ 1129 return (0); 1130 #endif /* !WITHOUT_KERBEROS */ 1131 } 1132 1133 #ifndef WITHOUT_KERBEROS 1134 /* 1135 * This function attempts to do essentially a "kinit -k" for the principal 1136 * name provided as the argument, so that there will be a TGT in the 1137 * credential cache. 1138 */ 1139 static krb5_error_code 1140 gssd_get_cc_from_keytab(const char *name) 1141 { 1142 krb5_error_code ret, opt_ret, princ_ret, cc_ret, kt_ret, cred_ret; 1143 krb5_context context; 1144 krb5_principal principal; 1145 krb5_keytab kt; 1146 krb5_creds cred; 1147 krb5_get_init_creds_opt *opt; 1148 krb5_deltat start_time = 0; 1149 krb5_ccache ccache; 1150 1151 ret = krb5_init_context(&context); 1152 if (ret != 0) 1153 return (ret); 1154 opt_ret = cc_ret = kt_ret = cred_ret = 1; /* anything non-zero */ 1155 princ_ret = ret = krb5_parse_name(context, name, &principal); 1156 if (ret == 0) 1157 opt_ret = ret = krb5_get_init_creds_opt_alloc(context, &opt); 1158 if (ret == 0) 1159 cc_ret = ret = krb5_cc_default(context, &ccache); 1160 if (ret == 0) 1161 ret = krb5_cc_initialize(context, ccache, principal); 1162 if (ret == 0) { 1163 krb5_get_init_creds_opt_set_default_flags(context, "gssd", 1164 krb5_principal_get_realm(context, principal), opt); 1165 kt_ret = ret = krb5_kt_default(context, &kt); 1166 } 1167 if (ret == 0) 1168 cred_ret = ret = krb5_get_init_creds_keytab(context, &cred, 1169 principal, kt, start_time, NULL, opt); 1170 if (ret == 0) 1171 ret = krb5_cc_store_cred(context, ccache, &cred); 1172 if (kt_ret == 0) 1173 krb5_kt_close(context, kt); 1174 if (cc_ret == 0) 1175 krb5_cc_close(context, ccache); 1176 if (opt_ret == 0) 1177 krb5_get_init_creds_opt_free(context, opt); 1178 if (princ_ret == 0) 1179 krb5_free_principal(context, principal); 1180 if (cred_ret == 0) 1181 krb5_free_cred_contents(context, &cred); 1182 krb5_free_context(context); 1183 return (ret); 1184 } 1185 1186 /* 1187 * Acquire a gss credential for a uid. 1188 */ 1189 static OM_uint32 1190 gssd_get_user_cred(OM_uint32 *min_statp, uid_t uid, gss_cred_id_t *credp) 1191 { 1192 gss_buffer_desc principal_desc; 1193 gss_name_t name; 1194 OM_uint32 maj_stat, min_stat; 1195 gss_OID_set mechlist; 1196 struct passwd *pw; 1197 1198 pw = getpwuid(uid); 1199 if (pw == NULL) { 1200 *min_statp = 0; 1201 return (GSS_S_FAILURE); 1202 } 1203 1204 /* 1205 * The mechanism must be set to KerberosV for acquisition 1206 * of credentials to work reliably. 1207 */ 1208 maj_stat = gss_create_empty_oid_set(min_statp, &mechlist); 1209 if (maj_stat != GSS_S_COMPLETE) 1210 return (maj_stat); 1211 maj_stat = gss_add_oid_set_member(min_statp, GSS_KRB5_MECH_OID_X, 1212 &mechlist); 1213 if (maj_stat != GSS_S_COMPLETE) { 1214 gss_release_oid_set(&min_stat, &mechlist); 1215 return (maj_stat); 1216 } 1217 1218 principal_desc.value = (void *)pw->pw_name; 1219 principal_desc.length = strlen(pw->pw_name); 1220 maj_stat = gss_import_name(min_statp, &principal_desc, 1221 GSS_C_NT_USER_NAME, &name); 1222 if (maj_stat != GSS_S_COMPLETE) { 1223 gss_release_oid_set(&min_stat, &mechlist); 1224 return (maj_stat); 1225 } 1226 /* Acquire the credentials. */ 1227 maj_stat = gss_acquire_cred(min_statp, name, 0, mechlist, 1228 GSS_C_INITIATE, credp, NULL, NULL); 1229 gss_release_name(&min_stat, &name); 1230 gss_release_oid_set(&min_stat, &mechlist); 1231 return (maj_stat); 1232 } 1233 #endif /* !WITHOUT_KERBEROS */ 1234 1235 void gssd_terminate(int sig __unused) 1236 { 1237 1238 #ifndef WITHOUT_KERBEROS 1239 if (hostbased_initiator_cred != 0) 1240 unlink(GSSD_CREDENTIAL_CACHE_FILE); 1241 #endif 1242 gssd_syscall(""); 1243 exit(0); 1244 } 1245 1246