search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
third_party/heimdal: Import lorikeet-heimdal-202307040259 (commit 33d117b8a9c11714ef7...
[Samba.git] / third_party / heimdal / lib / krb5 / kuserok.c
blob7a7de452ae6fcf300c1b8a13c01d6e2119799252
1 /*
2 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "krb5_locl.h"
35 #include "kuserok_plugin.h"
36 #include <dirent.h>
37
38 #ifndef SYSTEM_K5LOGIN_DIR
39 /*
40 * System k5login location. File namess in this directory are expected
41 * to be usernames and to contain a list of principals allowed to login
42 * as the user named the same as the file.
43 */
44 #define SYSTEM_K5LOGIN_DIR SYSCONFDIR "/k5login.d"
45 #endif
46
47 /* Plugin framework bits */
48
49 struct plctx {
50 const char *rule;
51 const char *k5login_dir;
52 const char *luser;
53 krb5_const_principal principal;
54 unsigned int flags;
55 krb5_boolean result;
56 };
57
58 static krb5_error_code KRB5_LIB_CALL
59 plcallback(krb5_context context, const void *plug, void *plugctx, void *userctx)
60 {
61 const krb5plugin_kuserok_ftable *locate = plug;
62 struct plctx *plctx = userctx;
63
64 return locate->kuserok(plugctx, context, plctx->rule, plctx->flags,
65 plctx->k5login_dir, plctx->luser, plctx->principal,
66 &plctx->result);
67 }
68
69 static krb5_error_code plugin_reg_ret;
70 static const krb5plugin_kuserok_ftable kuserok_simple_plug;
71 static const krb5plugin_kuserok_ftable kuserok_sys_k5login_plug;
72 static const krb5plugin_kuserok_ftable kuserok_user_k5login_plug;
73 static const krb5plugin_kuserok_ftable kuserok_deny_plug;
74
75 static void
76 reg_def_plugins_once(void *ctx)
77 {
78 krb5_error_code ret;
79 krb5_context context = ctx;
80
81 plugin_reg_ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA,
82 KRB5_PLUGIN_KUSEROK,
83 &kuserok_simple_plug);
84 ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA,
85 KRB5_PLUGIN_KUSEROK, &kuserok_sys_k5login_plug);
86 if (!plugin_reg_ret)
87 plugin_reg_ret = ret;
88 ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA,
89 KRB5_PLUGIN_KUSEROK, &kuserok_user_k5login_plug);
90 if (!plugin_reg_ret)
91 plugin_reg_ret = ret;
92 ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA,
93 KRB5_PLUGIN_KUSEROK, &kuserok_deny_plug);
94 if (!plugin_reg_ret)
95 plugin_reg_ret = ret;
96 }
97
98 /**
99 * This function is designed to be portable for Win32 and POSIX. The
100 * design does lead to multiple getpwnam_r() calls, but this is probably
101 * not a big deal.
102 *
103 * Inputs:
104 *
105 * @param context A krb5_context
106 * @param filename Name of item to introspection
107 * @param is_system_location TRUE if the dir/file are system locations or
108 * FALSE if they are user home directory locations
109 * @param dir Directory (optional)
110 * @param dirlstat A pointer to struct stat for the directory (optional)
111 * @param file File (optional)
112 * @param owner Name of user that is expected to own the file
113 */
114
115 static krb5_error_code
116 check_owner_dir(krb5_context context,
117 const char *filename,
118 krb5_boolean is_system_location,
119 DIR *dir,
120 struct stat *dirlstat,
121 const char *owner)
122 {
123 #ifdef _WIN32
124 /*
125 * XXX Implement this!
126 *
127 * The thing to do is to call _get_osfhandle() on fileno(file) and
128 * dirfd(dir) to get HANDLEs to the same, then call
129 * GetSecurityInfo() on those HANDLEs to get the security descriptor
130 * (SD), then check the owner and DACL. Checking the DACL sounds
131 * like a lot of work (what, derive a mode from the ACL the way
132 * NFSv4 servers do?). Checking the owner means doing an LSARPC
133 * lookup at least (to get the user's SID).
134 */
135 if (is_system_location || owner == NULL)
136 return 0;
137 krb5_set_error_message(context, EACCES,
138 "User k5login files not supported on Windows");
139 return EACCES;
140 #else
141 struct passwd pw, *pwd = NULL;
142 char pwbuf[2048];
143 struct stat st;
144
145 heim_assert(owner != NULL, "no directory owner ?");
146
147 if (getpwnam_r(owner, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) {
148 krb5_set_error_message(context, errno,
149 "User unknown %s (getpwnam_r())", owner);
150 return EACCES;
151 }
152 if (pwd == NULL) {
153 krb5_set_error_message(context, EACCES, "no user %s", owner);
154 return EACCES;
155 }
156
157 if (fstat(dirfd(dir), &st) == -1) {
158 krb5_set_error_message(context, EACCES,
159 "fstat(%s) of k5login.d failed",
160 filename);
161 return EACCES;
162 }
163 if (!S_ISDIR(st.st_mode)) {
164 krb5_set_error_message(context, ENOTDIR, "%s not a directory",
165 filename);
166 return ENOTDIR;
167 }
168 if (st.st_dev != dirlstat->st_dev || st.st_ino != dirlstat->st_ino) {
169 krb5_set_error_message(context, EACCES,
170 "%s was renamed during kuserok "
171 "operation", filename);
172 return EACCES;
173 }
174 if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
175 krb5_set_error_message(context, EACCES,
176 "%s has world and/or group write "
177 "permissions", filename);
178 return EACCES;
179 }
180 if (pwd->pw_uid != st.st_uid && st.st_uid != 0) {
181 krb5_set_error_message(context, EACCES,
182 "%s not owned by the user (%s) or root",
183 filename, owner);
184 return EACCES;
185 }
186
187 return 0;
188 #endif
189 }
190
191 static krb5_error_code
192 check_owner_file(krb5_context context,
193 const char *filename,
194 FILE *file, const char *owner)
195 {
196 #ifdef _WIN32
197 /*
198 * XXX Implement this!
199 *
200 * The thing to do is to call _get_osfhandle() on fileno(file) and
201 * dirfd(dir) to get HANDLEs to the same, then call
202 * GetSecurityInfo() on those HANDLEs to get the security descriptor
203 * (SD), then check the owner and DACL. Checking the DACL sounds
204 * like a lot of work (what, derive a mode from the ACL the way
205 * NFSv4 servers do?). Checking the owner means doing an LSARPC
206 * lookup at least (to get the user's SID).
207 */
208 if (owner == NULL)
209 return 0;
210
211 krb5_set_error_message(context, EACCES,
212 "User k5login files not supported on Windows");
213 return EACCES;
214 #else
215 struct passwd pw, *pwd = NULL;
216 char pwbuf[2048];
217 struct stat st;
218
219 if (owner == NULL)
220 return 0;
221
222 if (getpwnam_r(owner, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) {
223 krb5_set_error_message(context, errno,
224 "User unknown %s (getpwnam_r())", owner);
225 return EACCES;
226 }
227 if (pwd == NULL) {
228 krb5_set_error_message(context, EACCES, "no user %s", owner);
229 return EACCES;
230 }
231
232 if (fstat(fileno(file), &st) == -1) {
233 krb5_set_error_message(context, EACCES, "fstat(%s) of k5login failed",
234 filename);
235 return EACCES;
236 }
237 if (S_ISDIR(st.st_mode)) {
238 krb5_set_error_message(context, EISDIR, "k5login: %s is a directory",
239 filename);
240 return EISDIR;
241 }
242 if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
243 krb5_set_error_message(context, EISDIR,
244 "k5login %s has world and/or group write "
245 "permissions", filename);
246 return EACCES;
247 }
248 if (pwd->pw_uid != st.st_uid && st.st_uid != 0) {
249 krb5_set_error_message(context, EACCES,
250 "k5login %s not owned by the user or root",
251 filename);
252 return EACCES;
253 }
254
255 return 0;
256 #endif
257 }
258
259
260 /* see if principal is mentioned in the filename access file, return
261 TRUE (in result) if so, FALSE otherwise */
262
263 static krb5_error_code
264 check_one_file(krb5_context context,
265 const char *filename,
266 const char *owner,
267 krb5_boolean is_system_location,
268 krb5_const_principal principal,
269 krb5_boolean *result)
270 {
271 FILE *f;
272 char buf[BUFSIZ];
273 krb5_error_code ret;
274
275 *result = FALSE;
276
277 f = fopen(filename, "r");
278 if (f == NULL)
279 return errno;
280 rk_cloexec_file(f);
281
282 ret = check_owner_file(context, filename, f, owner);
283 if (ret)
284 goto out;
285
286 while (fgets(buf, sizeof(buf), f) != NULL) {
287 krb5_principal tmp;
288 char *newline = buf + strcspn(buf, "\n");
289
290 if (*newline != '\n') {
291 int c;
292 c = fgetc(f);
293 if (c != EOF) {
294 while (c != EOF && c != '\n')
295 c = fgetc(f);
296 /* line was too long, so ignore it */
297 continue;
298 }
299 }
300 *newline = '\0';
301 ret = krb5_parse_name(context, buf, &tmp);
302 if (ret)
303 continue;
304 *result = krb5_principal_compare(context, principal, tmp);
305 krb5_free_principal(context, tmp);
306 if (*result) {
307 fclose (f);
308 return 0;
309 }
310 }
311
312 out:
313 fclose(f);
314 return 0;
315 }
316
317 static krb5_error_code
318 check_directory(krb5_context context,
319 const char *dirname,
320 const char *owner,
321 krb5_boolean is_system_location,
322 krb5_const_principal principal,
323 krb5_boolean *result)
324 {
325 DIR *d;
326 struct dirent *dent;
327 char filename[MAXPATHLEN];
328 size_t len;
329 krb5_error_code ret = 0;
330 struct stat st;
331
332 *result = FALSE;
333
334 if (lstat(dirname, &st) < 0)
335 return errno;
336
337 if (!S_ISDIR(st.st_mode)) {
338 krb5_set_error_message(context, ENOTDIR, "k5login.d not a directory");
339 return ENOTDIR;
340 }
341
342 if ((d = opendir(dirname)) == NULL) {
343 krb5_set_error_message(context, ENOTDIR, "Could not open k5login.d");
344 return errno;
345 }
346
347 ret = check_owner_dir(context, dirname, is_system_location, d, &st, owner);
348 if (ret)
349 goto out;
350
351 while ((dent = readdir(d)) != NULL) {
352 /*
353 * XXX: Should we also skip files whose names start with "."?
354 * Vim ".filename.swp" files are also good candidates to skip.
355 * Once we ignore "#*" and "*~", it is not clear what other
356 * heuristics to apply.
357 */
358 if (strcmp(dent->d_name, ".") == 0 ||
359 strcmp(dent->d_name, "..") == 0 ||
360 dent->d_name[0] == '#' || /* emacs autosave */
361 dent->d_name[strlen(dent->d_name) - 1] == '~') /* emacs backup */
362 continue;
363 len = snprintf(filename, sizeof(filename), "%s/%s", dirname, dent->d_name);
364 /* Skip too-long filenames that got truncated by snprintf() */
365 if (len < sizeof(filename)) {
366 ret = check_one_file(context, filename, owner, is_system_location,
367 principal, result);
368 if (ret == 0 && *result == TRUE)
369 break;
370 }
371 ret = 0; /* don't propagate errors upstream */
372 }
373
374 out:
375 closedir(d);
376 return ret;
377 }
378
379 static krb5_error_code
380 check_an2ln(krb5_context context,
381 krb5_const_principal principal,
382 const char *luser,
383 krb5_boolean *result)
384 {
385 krb5_error_code ret;
386 char *lname;
387
388 #if 0
389 /* XXX Should we make this an option? */
390 /* multi-component principals can never match */
391 if (krb5_principal_get_comp_string(context, principal, 1) != NULL) {
392 *result = FALSE;
393 return 0;
394 }
395 #endif
396
397 lname = malloc(strlen(luser) + 1);
398 if (lname == NULL)
399 return krb5_enomem(context);
400 ret = krb5_aname_to_localname(context, principal, strlen(luser)+1, lname);
401 if (ret)
402 goto out;
403 if (strcmp(lname, luser) == 0)
404 *result = TRUE;
405 else
406 *result = FALSE;
407
408 out:
409 free(lname);
410 return 0;
411
412 }
413
414 /**
415 * This function takes the name of a local user and checks if
416 * principal is allowed to log in as that user.
417 *
418 * The user may have a ~/.k5login file listing principals that are
419 * allowed to login as that user. If that file does not exist, all
420 * principals with a only one component that is identical to the
421 * username, and a realm considered local, are allowed access.
422 *
423 * The .k5login file must contain one principal per line, be owned by
424 * user and not be writable by group or other (but must be readable by
425 * anyone).
426 *
427 * Note that if the file exists, no implicit access rights are given
428 * to user@@LOCALREALM.
429 *
430 * Optionally, a set of files may be put in ~/.k5login.d (a
431 * directory), in which case they will all be checked in the same
432 * manner as .k5login. The files may be called anything, but files
433 * starting with a hash (#) , or ending with a tilde (~) are
434 * ignored. Subdirectories are not traversed. Note that this directory
435 * may not be checked by other Kerberos implementations.
436 *
437 * If no configuration file exists, match user against local domains,
438 * ie luser@@LOCAL-REALMS-IN-CONFIGURATION-FILES.
439 *
440 * @param context Kerberos 5 context.
441 * @param principal principal to check if allowed to login
442 * @param luser local user id
443 *
444 * @return returns TRUE if access should be granted, FALSE otherwise.
445 *
446 * @ingroup krb5_support
447 */
448
449 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
450 krb5_kuserok(krb5_context context,
451 krb5_principal principal,
452 const char *luser)
453 {
454 return _krb5_kuserok(context, principal, luser, TRUE);
455 }
456
457
458 static const char *const kuserok_plugin_deps[] = { "krb5", NULL };
459
460 static const struct heim_plugin_data
461 kuserok_plugin_data = {
462 "krb5",
463 KRB5_PLUGIN_KUSEROK,
464 KRB5_PLUGIN_KUSEROK_VERSION_0,
465 kuserok_plugin_deps,
466 krb5_get_instance
467 };
468
469 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
470 _krb5_kuserok(krb5_context context,
471 krb5_principal principal,
472 const char *luser,
473 krb5_boolean an2ln_ok)
474 {
475 static heim_base_once_t reg_def_plugins = HEIM_BASE_ONCE_INIT;
476 krb5_error_code ret;
477 struct plctx ctx;
478 char **rules;
479
480 /*
481 * XXX we should have a struct with a krb5_context field and a
482 * krb5_error_code fied and pass the address of that as the ctx
483 * argument of heim_base_once_f(). For now we use a static to
484 * communicate failures. Actually, we ignore failures anyways,
485 * since we can't return them.
486 */
487 heim_base_once_f(&reg_def_plugins, context, reg_def_plugins_once);
488
489 ctx.flags = 0;
490 ctx.luser = luser;
491 ctx.principal = principal;
492 ctx.result = FALSE;
493
494 ctx.k5login_dir = krb5_config_get_string(context, NULL, "libdefaults",
495 "k5login_directory", NULL);
496
497 if (an2ln_ok)
498 ctx.flags |= KUSEROK_ANAME_TO_LNAME_OK;
499
500 if (krb5_config_get_bool_default(context, NULL, FALSE, "libdefaults",
501 "k5login_authoritative", NULL))
502 ctx.flags |= KUSEROK_K5LOGIN_IS_AUTHORITATIVE;
503
504 if ((ctx.flags & KUSEROK_K5LOGIN_IS_AUTHORITATIVE) && plugin_reg_ret)
505 return plugin_reg_ret; /* fail safe */
506
507 rules = krb5_config_get_strings(context, NULL, "libdefaults",
508 "kuserok", NULL);
509 if (rules == NULL) {
510 /* Default: check ~/.k5login */
511 ctx.rule = "USER-K5LOGIN";
512
513 ret = plcallback(context, &kuserok_user_k5login_plug, NULL, &ctx);
514 if (ret == 0)
515 goto out;
516
517 ctx.rule = "SIMPLE";
518 ret = plcallback(context, &kuserok_simple_plug, NULL, &ctx);
519 if (ret == 0)
520 goto out;
521
522 ctx.result = FALSE;
523 } else {
524 size_t n;
525
526 for (n = 0; rules[n]; n++) {
527 ctx.rule = rules[n];
528
529 ret = _krb5_plugin_run_f(context, &kuserok_plugin_data,
530 0, &ctx, plcallback);
531 if (ret != KRB5_PLUGIN_NO_HANDLE)
532 goto out;
533 }
534 }
535
536 out:
537 krb5_config_free_strings(rules);
538
539 return ctx.result;
540 }
541
542 /*
543 * Simple kuserok: check that the lname for the aname matches luser.
544 */
545
546 static krb5_error_code KRB5_LIB_CALL
547 kuserok_simple_plug_f(void *plug_ctx, krb5_context context, const char *rule,
548 unsigned int flags, const char *k5login_dir,
549 const char *luser, krb5_const_principal principal,
550 krb5_boolean *result)
551 {
552 krb5_error_code ret;
553
554 if (strcmp(rule, "SIMPLE") != 0 || (flags & KUSEROK_ANAME_TO_LNAME_OK) == 0)
555 return KRB5_PLUGIN_NO_HANDLE;
556
557 ret = check_an2ln(context, principal, luser, result);
558 if (ret == 0 && *result == FALSE)
559 return KRB5_PLUGIN_NO_HANDLE;
560
561 return 0;
562 }
563
564 /*
565 * Check k5login files in a system location, rather than in home
566 * directories.
567 */
568
569 static krb5_error_code KRB5_LIB_CALL
570 kuserok_sys_k5login_plug_f(void *plug_ctx, krb5_context context,
571 const char *rule, unsigned int flags,
572 const char *k5login_dir, const char *luser,
573 krb5_const_principal principal, krb5_boolean *result)
574 {
575 char filename[MAXPATHLEN];
576 size_t len;
577 const char *profile_dir = NULL;
578 krb5_error_code ret;
579
580 *result = FALSE;
581
582 if (strcmp(rule, "SYSTEM-K5LOGIN") != 0 &&
583 strncmp(rule, "SYSTEM-K5LOGIN:", strlen("SYSTEM-K5LOGIN:")) != 0)
584 return KRB5_PLUGIN_NO_HANDLE;
585
586 profile_dir = strchr(rule, ':');
587 if (profile_dir == NULL)
588 profile_dir = k5login_dir ? k5login_dir : SYSTEM_K5LOGIN_DIR;
589 else
590 profile_dir++;
591
592 len = snprintf(filename, sizeof(filename), "%s/%s", profile_dir, luser);
593 if (len < sizeof(filename)) {
594 ret = check_one_file(context, filename, NULL, TRUE, principal, result);
595
596 if (ret == 0 &&
597 ((flags & KUSEROK_K5LOGIN_IS_AUTHORITATIVE) || *result == TRUE))
598 return 0;
599 }
600
601 *result = FALSE;
602 return KRB5_PLUGIN_NO_HANDLE;
603 }
604
605 /*
606 * Check ~luser/.k5login and/or ~/luser/.k5login.d
607 */
608
609 static krb5_error_code KRB5_LIB_CALL
610 kuserok_user_k5login_plug_f(void *plug_ctx, krb5_context context,
611 const char *rule, unsigned int flags,
612 const char *k5login_dir, const char *luser,
613 krb5_const_principal principal,
614 krb5_boolean *result)
615 {
616 #ifdef _WIN32
617 return KRB5_PLUGIN_NO_HANDLE;
618 #else
619 char *path;
620 char *path_exp;
621 const char *profile_dir = NULL;
622 krb5_error_code ret;
623 krb5_boolean found_file = FALSE;
624 struct passwd pw, *pwd = NULL;
625 char pwbuf[2048];
626
627 if (strcmp(rule, "USER-K5LOGIN") != 0)
628 return KRB5_PLUGIN_NO_HANDLE;
629
630 profile_dir = k5login_dir;
631 if (profile_dir == NULL) {
632 /* Don't deadlock with gssd or anything of the sort */
633 if (!_krb5_homedir_access(context))
634 return KRB5_PLUGIN_NO_HANDLE;
635
636 if (getpwnam_r(luser, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) {
637 krb5_set_error_message(context, errno, "User unknown (getpwnam_r())");
638 return KRB5_PLUGIN_NO_HANDLE;
639 }
640 if (pwd == NULL) {
641 krb5_set_error_message(context, errno, "User unknown (getpwnam())");
642 return KRB5_PLUGIN_NO_HANDLE;
643 }
644 profile_dir = pwd->pw_dir;
645 }
646
647 #define KLOGIN "/.k5login"
648
649 if (asprintf(&path, "%s/.k5login.d", profile_dir) == -1)
650 return krb5_enomem(context);
651
652 ret = _krb5_expand_path_tokensv(context, path, 1, &path_exp,
653 "luser", luser, NULL);
654 free(path);
655 if (ret)
656 return ret;
657 path = path_exp;
658
659 /* check user's ~/.k5login */
660 path[strlen(path) - strlen(".d")] = '\0';
661 ret = check_one_file(context, path, luser, FALSE, principal, result);
662
663 /*
664 * A match in ~/.k5login is sufficient. A non-match, falls through to the
665 * .k5login.d code below.
666 */
667 if (ret == 0 && *result == TRUE) {
668 free(path);
669 return 0;
670 }
671 if (ret != ENOENT)
672 found_file = TRUE;
673
674 /*
675 * A match in ~/.k5login.d/somefile is sufficient. A non-match, falls
676 * through to the code below that handles negative results.
677 *
678 * XXX: put back the .d; clever|hackish? you decide
679 */
680 path[strlen(path)] = '.';
681 ret = check_directory(context, path, luser, FALSE, principal, result);
682 free(path);
683 if (ret == 0 && *result == TRUE)
684 return 0;
685 if (ret != ENOENT && ret != ENOTDIR)
686 found_file = TRUE;
687
688 /*
689 * When either ~/.k5login or ~/.k5login.d/ exists, but neither matches
690 * and we're authoritative, we're done. Otherwise, give other plugins
691 * a chance.
692 */
693 *result = FALSE;
694 if (found_file && (flags & KUSEROK_K5LOGIN_IS_AUTHORITATIVE))
695 return 0;
696 return KRB5_PLUGIN_NO_HANDLE;
697 #endif
698 }
699
700 static krb5_error_code KRB5_LIB_CALL
701 kuserok_deny_plug_f(void *plug_ctx, krb5_context context, const char *rule,
702 unsigned int flags, const char *k5login_dir,
703 const char *luser, krb5_const_principal principal,
704 krb5_boolean *result)
705 {
706 if (strcmp(rule, "DENY") != 0)
707 return KRB5_PLUGIN_NO_HANDLE;
708
709 *result = FALSE;
710 return 0;
711 }
712
713 static krb5_error_code KRB5_LIB_CALL
714 kuser_ok_null_plugin_init(krb5_context context, void **ctx)
715 {
716 *ctx = NULL;
717 return 0;
718 }
719
720 static void KRB5_LIB_CALL
721 kuser_ok_null_plugin_fini(void *ctx)
722 {
723 return;
724 }
725
726 static const krb5plugin_kuserok_ftable kuserok_simple_plug = {
727 KRB5_PLUGIN_KUSEROK_VERSION_0,
728 kuser_ok_null_plugin_init,
729 kuser_ok_null_plugin_fini,
730 kuserok_simple_plug_f,
731 };
732
733 static const krb5plugin_kuserok_ftable kuserok_sys_k5login_plug = {
734 KRB5_PLUGIN_KUSEROK_VERSION_0,
735 kuser_ok_null_plugin_init,
736 kuser_ok_null_plugin_fini,
737 kuserok_sys_k5login_plug_f,
738 };
739
740 static const krb5plugin_kuserok_ftable kuserok_user_k5login_plug = {
741 KRB5_PLUGIN_KUSEROK_VERSION_0,
742 kuser_ok_null_plugin_init,
743 kuser_ok_null_plugin_fini,
744 kuserok_user_k5login_plug_f,
745 };
746
747 static const krb5plugin_kuserok_ftable kuserok_deny_plug = {
748 KRB5_PLUGIN_KUSEROK_VERSION_0,
749 kuser_ok_null_plugin_init,
750 kuser_ok_null_plugin_fini,
751 kuserok_deny_plug_f,
752 };
753
Samba GIT mirror