search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Free ticket earlier [CID-108]
[heimdal.git] / appl / kf / kfd.c
blob087a9f481361656e385d9c23e58d08d8ad51da9f
1 /*
2 * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kf_locl.h"
35 RCSID("$Id$");
36
37 krb5_context context;
38 char krb5_tkfile[MAXPATHLEN];
39
40 static int help_flag;
41 static int version_flag;
42 static char *port_str;
43 char *service = KF_SERVICE;
44 int do_inetd = 0;
45 static char *regpag_str=NULL;
46
47 static struct getargs args[] = {
48 { "port", 'p', arg_string, &port_str, "port to listen to", "port" },
49 { "inetd",'i',arg_flag, &do_inetd,
50 "Not started from inetd", NULL },
51 { "regpag",'R',arg_string,&regpag_str,"path to regpag binary","regpag"},
52 { "help", 'h', arg_flag, &help_flag },
53 { "version", 0, arg_flag, &version_flag }
54 };
55
56 static int num_args = sizeof(args) / sizeof(args[0]);
57
58 static void
59 usage(int code, struct getargs *args, int num_args)
60 {
61 arg_printusage(args, num_args, NULL, "");
62 exit(code);
63 }
64
65 static int
66 server_setup(krb5_context *context, int argc, char **argv)
67 {
68 int port = 0;
69 int local_argc;
70
71 local_argc = krb5_program_setup(context, argc, argv, args, num_args, usage);
72
73 if(help_flag)
74 (*usage)(0, args, num_args);
75 if(version_flag) {
76 print_version(NULL);
77 exit(0);
78 }
79
80 if(port_str){
81 struct servent *s = roken_getservbyname(port_str, "tcp");
82 if(s)
83 port = s->s_port;
84 else {
85 char *ptr;
86
87 port = strtol (port_str, &ptr, 10);
88 if (port == 0 && ptr == port_str)
89 errx (1, "Bad port `%s'", port_str);
90 port = htons(port);
91 }
92 }
93
94 if (port == 0)
95 port = krb5_getportbyname (*context, KF_PORT_NAME, "tcp", KF_PORT_NUM);
96
97 if(argv[local_argc] != NULL)
98 usage(1, args, num_args);
99
100 return port;
101 }
102
103 static int protocol_version;
104
105 static krb5_boolean
106 kfd_match_version(const void *arg, const char *version)
107 {
108 if(strcmp(version, KF_VERSION_1) == 0) {
109 protocol_version = 1;
110 return TRUE;
111 } else if (strlen(version) == 4 &&
112 version[0] == '0' &&
113 version[1] == '.' &&
114 (version[2] == '4' || version[2] == '3') &&
115 islower((unsigned char)version[3])) {
116 protocol_version = 0;
117 return TRUE;
118 }
119 return FALSE;
120 }
121
122 static int
123 proto (int sock, const char *service)
124 {
125 krb5_auth_context auth_context;
126 krb5_error_code status;
127 krb5_principal server;
128 krb5_ticket *ticket;
129 char *name;
130 char ret_string[10];
131 char hostname[MAXHOSTNAMELEN];
132 krb5_data data;
133 krb5_data remotename;
134 krb5_data tk_file;
135 krb5_ccache ccache;
136 char ccname[MAXPATHLEN];
137 struct passwd *pwd;
138
139 status = krb5_auth_con_init (context, &auth_context);
140 if (status)
141 krb5_err(context, 1, status, "krb5_auth_con_init");
142
143 status = krb5_auth_con_setaddrs_from_fd (context,
144 auth_context,
145 &sock);
146 if (status)
147 krb5_err(context, 1, status, "krb5_auth_con_setaddr");
148
149 if(gethostname (hostname, sizeof(hostname)) < 0)
150 krb5_err(context, 1, errno, "gethostname");
151
152 status = krb5_sname_to_principal (context,
153 hostname,
154 service,
155 KRB5_NT_SRV_HST,
156 &server);
157 if (status)
158 krb5_err(context, 1, status, "krb5_sname_to_principal");
159
160 status = krb5_recvauth_match_version (context,
161 &auth_context,
162 &sock,
163 kfd_match_version,
164 NULL,
165 server,
166 0,
167 NULL,
168 &ticket);
169 if (status)
170 krb5_err(context, 1, status, "krb5_recvauth");
171
172 status = krb5_unparse_name (context,
173 ticket->client,
174 &name);
175 if (status)
176 krb5_err(context, 1, status, "krb5_unparse_name");
177
178 if(protocol_version == 0) {
179 data.data = "old clnt"; /* XXX old clients only had room for
180 10 bytes of message, and also
181 didn't show it to the user */
182 data.length = strlen(data.data) + 1;
183 krb5_write_message(context, &sock, &data);
184 sleep(2); /* XXX give client time to finish */
185 krb5_errx(context, 1, "old client; exiting");
186 }
187
188 status=krb5_read_priv_message (context, auth_context,
189 &sock, &remotename);
190 if (status)
191 krb5_err(context, 1, status, "krb5_read_message");
192 status=krb5_read_priv_message (context, auth_context,
193 &sock, &tk_file);
194 if (status)
195 krb5_err(context, 1, status, "krb5_read_message");
196
197 krb5_data_zero (&data);
198
199 if(((char*)remotename.data)[remotename.length-1] != '\0')
200 krb5_errx(context, 1, "unterminated received");
201 if(((char*)tk_file.data)[tk_file.length-1] != '\0')
202 krb5_errx(context, 1, "unterminated received");
203
204 status = krb5_read_priv_message(context, auth_context, &sock, &data);
205
206 if (status) {
207 krb5_err(context, 1, errno, "krb5_read_priv_message");
208 goto out;
209 }
210
211 pwd = getpwnam ((char *)(remotename.data));
212 if (pwd == NULL) {
213 status=1;
214 krb5_warnx(context, "getpwnam: %s failed",(char *)(remotename.data));
215 goto out;
216 }
217
218 if(!krb5_kuserok (context,
219 ticket->client,
220 (char *)(remotename.data))) {
221 status=1;
222 krb5_warnx(context, "krb5_kuserok: permission denied");
223 goto out;
224 }
225
226 if (setgid(pwd->pw_gid) < 0) {
227 krb5_warn(context, errno, "setgid");
228 goto out;
229 }
230 if (setuid(pwd->pw_uid) < 0) {
231 krb5_warn(context, errno, "setuid");
232 goto out;
233 }
234
235 if (tk_file.length != 1)
236 snprintf (ccname, sizeof(ccname), "%s", (char *)(tk_file.data));
237 else
238 snprintf (ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%lu",
239 (unsigned long)pwd->pw_uid);
240
241 status = krb5_cc_resolve (context, ccname, &ccache);
242 if (status) {
243 krb5_warn(context, status, "krb5_cc_resolve");
244 goto out;
245 }
246 status = krb5_cc_initialize (context, ccache, ticket->client);
247 if (status) {
248 krb5_warn(context, status, "krb5_cc_initialize");
249 goto out;
250 }
251 status = krb5_rd_cred2 (context, auth_context, ccache, &data);
252 krb5_cc_close (context, ccache);
253 if (status) {
254 krb5_warn(context, status, "krb5_rd_cred");
255 goto out;
256
257 }
258 strlcpy(krb5_tkfile,ccname,sizeof(krb5_tkfile));
259 krb5_warnx(context, "%s forwarded ticket to %s,%s",
260 name,
261 (char *)(remotename.data),ccname);
262 out:
263 if (status) {
264 strlcpy(ret_string, "no", sizeof(ret_string));
265 krb5_warnx(context, "failed");
266 } else {
267 strlcpy(ret_string, "ok", sizeof(ret_string));
268 }
269
270 krb5_data_free (&tk_file);
271 krb5_data_free (&remotename);
272 krb5_data_free (&data);
273 free(name);
274
275 data.data = ret_string;
276 data.length = strlen(ret_string) + 1;
277 return krb5_write_priv_message(context, auth_context, &sock, &data);
278 }
279
280 static int
281 doit (int port, const char *service)
282 {
283 if (do_inetd)
284 mini_inetd(port);
285 return proto (STDIN_FILENO, service);
286 }
287
288 int
289 main(int argc, char **argv)
290 {
291 int port;
292 int ret;
293 krb5_log_facility *fac;
294
295 setprogname (argv[0]);
296 roken_openlog (argv[0], LOG_ODELAY | LOG_PID,LOG_AUTH);
297 port = server_setup(&context, argc, argv);
298 ret = krb5_openlog(context, "kfd", &fac);
299 if(ret) krb5_err(context, 1, ret, "krb5_openlog");
300 ret = krb5_set_warn_dest(context, fac);
301 if(ret) krb5_err(context, 1, ret, "krb5_set_warn_dest");
302
303 ret = doit (port, service);
304 closelog();
305 if (ret == 0 && regpag_str != NULL)
306 ret = execl(regpag_str, "regpag", "-t", krb5_tkfile, "-r", NULL);
307 return ret;
308 }
Heimdal