1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 
29 #include <pwd.h>
30 #include <locale.h>
31 #include <syslog.h>
32 #include <errno.h>
33 #include <com_err.h>
34 #include <k5-int.h>
35 
36 extern uint_t kwarn_add_warning(char *, int);
37 extern uint_t kwarn_del_warning(char *);
38 
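/*
 * Store the forwarded creds in the user's local ccache and register
 * w/ktkt_warnd(1M).
 *
 * The cache is the file ccache FILE:/tmp/krb5cc_<uid> of the local account
 * named by lusername.  The effective uid is switched to that account while
 * the cache is resolved, initialized and written, and switched back before
 * returning.  The cache name is predictable and lives in a shared
 * directory, so the euid switch is what keeps the file operations from
 * being carried out with the caller's privileges.
 *
 * Arguments:
 *	context   - krb5 library context; receives the error message text
 *		    for the cache failures reported below.
 *	creds     - *creds is the forwarded credential to store; its client
 *		    and end time are what is registered with ktkt_warnd.
 *	ticket    - ticket whose enc_part2->client becomes the principal
 *		    of the initialized cache.
 *	lusername - local account name, looked up with getpwnam().
 *	ccache    - out parameter; set to NULL on entry, then to the handle
 *		    returned by krb5_cc_resolve().
 *
 * Returns 0 on success, EINVAL if a required argument is missing, ENOENT
 * if lusername has no passwd entry, -1 if the effective uid cannot be
 * switched to the user, otherwise the error code of the failing krb5 call.
 * A failure to register with ktkt_warnd is logged and not returned.
 *
 * NOTE(review): on the success path the cache is closed here, so *ccache
 * should not be treated as a usable handle afterwards; on a failure after
 * krb5_cc_resolve() it is left as resolved and is presumably the caller's
 * to release.  Confirm both against the callers.
 *
 * NOTE(review): only the effective uid is changed; the group ids stay the
 * caller's while the cache file is written.  Confirm that is intended.
 */
krb5_error_code
store_forw_creds(krb5_context context,
		    krb5_creds **creds,
		    krb5_ticket *ticket,
		    char *lusername,
		    krb5_ccache *ccache)
{
	krb5_error_code retval;
	char ccname[MAXPATHLEN];
	struct passwd *pwd;
	uid_t saved_euid;
	char *client_name = NULL;

	/*
	 * Every one of these is dereferenced below.  Reject a missing
	 * argument before any privilege change instead of faulting while
	 * running with the user's effective uid.
	 */
	if (ccache == NULL)
		return (EINVAL);
	*ccache = NULL;
	if (creds == NULL || *creds == NULL || ticket == NULL ||
	    ticket->enc_part2 == NULL || lusername == NULL)
		return (EINVAL);

	if (!(pwd = getpwnam(lusername)))
		return (ENOENT);

	/*
	 * Save the effective uid, not the real one: it is the effective
	 * uid that seteuid() changes, so it is the value that has to be
	 * put back at cleanup.  The two differ in a process that is not
	 * running with ruid == euid.
	 */
	saved_euid = geteuid();
	if (seteuid(pwd->pw_uid))
		return (-1);

	/* uid_t is not guaranteed to be long; cast to match "%ld". */
	(void) snprintf(ccname, sizeof (ccname), "FILE:/tmp/krb5cc_%ld",
	    (long)pwd->pw_uid);

	if ((retval = krb5_cc_resolve(context, ccname, ccache)) != 0) {
		krb5_set_error_message(context, retval,
		    gettext("failed to resolve cred cache %s"), ccname);
		goto cleanup;
	}

	if ((retval = krb5_cc_initialize(context, *ccache,
	    ticket->enc_part2->client)) != 0) {
		krb5_set_error_message(context, retval,
		    gettext("failed to initialize cred cache %s"), ccname);
		goto cleanup;
	}

	if ((retval = krb5_cc_store_cred(context, *ccache, *creds)) != 0) {
		krb5_set_error_message(context, retval,
		    gettext("failed to store cred in cache %s"), ccname);
		goto cleanup;
	}

	if ((retval = krb5_cc_close(context, *ccache)) != 0)
		goto cleanup;

	/* Register with ktkt_warnd(1M) */
	if ((retval = krb5_unparse_name(context, (*creds)->client,
	    &client_name)) != 0)
		goto cleanup;
	/* Drop any earlier warning for this principal before adding one. */
	(void) kwarn_del_warning(client_name);
	if (kwarn_add_warning(client_name, (*creds)->times.endtime) != 0) {
		/* Best effort: the creds are stored, so only log this. */
		syslog(LOG_AUTH|LOG_NOTICE,
		    "store_forw_creds: kwarn_add_warning"
		    " failed: ktkt_warnd(1M) down? ");
	}
	free(client_name);
	client_name = NULL;

cleanup:
	/*
	 * Put the effective uid back on every path taken after the switch.
	 * A failure here leaves the process running as the user; record it
	 * so the state is visible, but keep retval describing the cache
	 * operation.
	 */
	if (seteuid(saved_euid) != 0) {
		syslog(LOG_AUTH|LOG_ERR,
		    "store_forw_creds: failed to restore euid: %m");
	}

	return (retval);
}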