2 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "krb5_locl.h"
35 #include "kuserok_plugin.h"
38 #ifndef SYSTEM_K5LOGIN_DIR
40 * System k5login location. File namess in this directory are expected
41 * to be usernames and to contain a list of principals allowed to login
42 * as the user named the same as the file.
44 #define SYSTEM_K5LOGIN_DIR SYSCONFDIR "/k5login.d"
47 /* Plugin framework bits */
51 const char *k5login_dir
;
53 krb5_const_principal principal
;
58 static krb5_error_code
59 plcallback(krb5_context context
, const void *plug
, void *plugctx
, void *userctx
)
61 const krb5plugin_kuserok_ftable
*locate
= plug
;
62 struct plctx
*plctx
= userctx
;
64 return locate
->kuserok(plugctx
, context
, plctx
->rule
, plctx
->flags
,
65 plctx
->k5login_dir
, plctx
->luser
, plctx
->principal
,
69 static krb5_error_code plugin_reg_ret
;
70 static krb5plugin_kuserok_ftable kuserok_simple_plug
;
71 static krb5plugin_kuserok_ftable kuserok_sys_k5login_plug
;
72 static krb5plugin_kuserok_ftable kuserok_user_k5login_plug
;
73 static krb5plugin_kuserok_ftable kuserok_deny_plug
;
76 reg_def_plugins_once(void *ctx
)
79 krb5_context context
= ctx
;
81 plugin_reg_ret
= krb5_plugin_register(context
, PLUGIN_TYPE_DATA
,
83 &kuserok_simple_plug
);
84 ret
= krb5_plugin_register(context
, PLUGIN_TYPE_DATA
,
85 KRB5_PLUGIN_KUSEROK
, &kuserok_sys_k5login_plug
);
88 ret
= krb5_plugin_register(context
, PLUGIN_TYPE_DATA
,
89 KRB5_PLUGIN_KUSEROK
, &kuserok_user_k5login_plug
);
92 ret
= krb5_plugin_register(context
, PLUGIN_TYPE_DATA
,
93 KRB5_PLUGIN_KUSEROK
, &kuserok_deny_plug
);
99 * This function is designed to be portable for Win32 and POSIX. The
100 * design does lead to multiple getpwnam_r() calls, but this is probably
105 * @param context A krb5_context
106 * @param filename Name of item to introspection
107 * @param is_system_location TRUE if the dir/file are system locations or
108 * FALSE if they are user home directory locations
109 * @param dir Directory (optional)
110 * @param dirlstat A pointer to struct stat for the directory (optional)
111 * @param file File (optional)
112 * @param owner Name of user that is expected to own the file
115 static krb5_error_code
116 check_owner_dir(krb5_context context
,
117 const char *filename
,
118 krb5_boolean is_system_location
,
120 struct stat
*dirlstat
,
125 * XXX Implement this!
127 * The thing to do is to call _get_osfhandle() on fileno(file) and
128 * dirfd(dir) to get HANDLEs to the same, then call
129 * GetSecurityInfo() on those HANDLEs to get the security descriptor
130 * (SD), then check the owner and DACL. Checking the DACL sounds
131 * like a lot of work (what, derive a mode from the ACL the way
132 * NFSv4 servers do?). Checking the owner means doing an LSARPC
133 * lookup at least (to get the user's SID).
135 if (is_system_location
|| owner
== NULL
)
137 krb5_set_error_message(context
, EACCES
,
138 "User k5login files not supported on Windows");
141 struct passwd pw
, *pwd
= NULL
;
145 heim_assert(owner
!= NULL
, "no directory owner ?");
147 if (rk_getpwnam_r(owner
, &pw
, pwbuf
, sizeof(pwbuf
), &pwd
) != 0) {
148 krb5_set_error_message(context
, errno
,
149 "User unknown %s (getpwnam_r())", owner
);
153 krb5_set_error_message(context
, EACCES
, "no user %s", owner
);
157 if (fstat(dirfd(dir
), &st
) == -1) {
158 krb5_set_error_message(context
, EACCES
,
159 "fstat(%s) of k5login.d failed",
163 if (!S_ISDIR(st
.st_mode
)) {
164 krb5_set_error_message(context
, ENOTDIR
, "%s not a directory",
168 if (st
.st_dev
!= dirlstat
->st_dev
|| st
.st_ino
!= dirlstat
->st_ino
) {
169 krb5_set_error_message(context
, EACCES
,
170 "%s was renamed during kuserok "
171 "operation", filename
);
174 if ((st
.st_mode
& (S_IWGRP
| S_IWOTH
)) != 0) {
175 krb5_set_error_message(context
, EACCES
,
176 "%s has world and/or group write "
177 "permissions", filename
);
180 if (pwd
->pw_uid
!= st
.st_uid
&& st
.st_uid
!= 0) {
181 krb5_set_error_message(context
, EACCES
,
182 "%s not owned by the user (%s) or root",
191 static krb5_error_code
192 check_owner_file(krb5_context context
,
193 const char *filename
,
194 FILE *file
, const char *owner
)
198 * XXX Implement this!
200 * The thing to do is to call _get_osfhandle() on fileno(file) and
201 * dirfd(dir) to get HANDLEs to the same, then call
202 * GetSecurityInfo() on those HANDLEs to get the security descriptor
203 * (SD), then check the owner and DACL. Checking the DACL sounds
204 * like a lot of work (what, derive a mode from the ACL the way
205 * NFSv4 servers do?). Checking the owner means doing an LSARPC
206 * lookup at least (to get the user's SID).
208 if (is_system_location
|| owner
== NULL
)
211 krb5_set_error_message(context
, EACCES
,
212 "User k5login files not supported on Windows");
215 struct passwd pw
, *pwd
= NULL
;
219 heim_assert(owner
!= NULL
, "no file owner ?");
221 if (rk_getpwnam_r(owner
, &pw
, pwbuf
, sizeof(pwbuf
), &pwd
) != 0) {
222 krb5_set_error_message(context
, errno
,
223 "User unknown %s (getpwnam_r())", owner
);
227 krb5_set_error_message(context
, EACCES
, "no user %s", owner
);
231 if (fstat(fileno(file
), &st
) == -1) {
232 krb5_set_error_message(context
, EACCES
, "fstat(%s) of k5login failed",
236 if (S_ISDIR(st
.st_mode
)) {
237 krb5_set_error_message(context
, EISDIR
, "k5login: %s is a directory",
241 if ((st
.st_mode
& (S_IWGRP
| S_IWOTH
)) != 0) {
242 krb5_set_error_message(context
, EISDIR
,
243 "k5login %s has world and/or group write "
244 "permissions", filename
);
247 if (pwd
->pw_uid
!= st
.st_uid
|| st
.st_uid
!= 0) {
248 krb5_set_error_message(context
, EACCES
,
249 "k5login %s not owned by the user or root",
259 /* see if principal is mentioned in the filename access file, return
260 TRUE (in result) if so, FALSE otherwise */
262 static krb5_error_code
263 check_one_file(krb5_context context
,
264 const char *filename
,
266 krb5_boolean is_system_location
,
267 krb5_const_principal principal
,
268 krb5_boolean
*result
)
276 f
= fopen(filename
, "r");
281 ret
= check_owner_file(context
, filename
, f
, owner
);
285 while (fgets(buf
, sizeof(buf
), f
) != NULL
) {
287 char *newline
= buf
+ strcspn(buf
, "\n");
289 if (*newline
!= '\n') {
293 while (c
!= EOF
&& c
!= '\n')
295 /* line was too long, so ignore it */
300 ret
= krb5_parse_name(context
, buf
, &tmp
);
303 *result
= krb5_principal_compare(context
, principal
, tmp
);
304 krb5_free_principal(context
, tmp
);
316 static krb5_error_code
317 check_directory(krb5_context context
,
320 krb5_boolean is_system_location
,
321 krb5_const_principal principal
,
322 krb5_boolean
*result
)
326 char filename
[MAXPATHLEN
];
327 krb5_error_code ret
= 0;
332 if (lstat(dirname
, &st
) < 0)
335 if (!S_ISDIR(st
.st_mode
)) {
336 krb5_set_error_message(context
, ENOTDIR
, "k5login.d not a directory");
340 if ((d
= opendir(dirname
)) == NULL
) {
341 krb5_set_error_message(context
, ENOTDIR
, "Could not open k5login.d");
345 ret
= check_owner_dir(context
, dirname
, is_system_location
, d
, &st
, owner
);
349 while ((dent
= readdir(d
)) != NULL
) {
350 if (strcmp(dent
->d_name
, ".") == 0 ||
351 strcmp(dent
->d_name
, "..") == 0 ||
352 dent
->d_name
[0] == '#' || /* emacs autosave */
353 dent
->d_name
[strlen(dent
->d_name
) - 1] == '~') /* emacs backup */
355 snprintf(filename
, sizeof(filename
), "%s/%s", dirname
, dent
->d_name
);
356 ret
= check_one_file(context
, filename
, owner
, is_system_location
,
358 if (ret
== 0 && *result
== TRUE
)
360 ret
= 0; /* don't propagate errors upstream */
368 static krb5_error_code
369 check_an2ln(krb5_context context
,
370 krb5_const_principal principal
,
372 krb5_boolean
*result
)
378 /* XXX Should we make this an option? */
379 /* multi-component principals can never match */
380 if (krb5_principal_get_comp_string(context
, principal
, 1) != NULL
) {
386 lname
= malloc(strlen(luser
) + 1);
388 return krb5_enomem(context
);
389 ret
= krb5_aname_to_localname(context
, principal
, strlen(luser
)+1, lname
);
392 if (strcmp(lname
, luser
) == 0)
404 * This function takes the name of a local user and checks if
405 * principal is allowed to log in as that user.
407 * The user may have a ~/.k5login file listing principals that are
408 * allowed to login as that user. If that file does not exist, all
409 * principals with a only one component that is identical to the
410 * username, and a realm considered local, are allowed access.
412 * The .k5login file must contain one principal per line, be owned by
413 * user and not be writable by group or other (but must be readable by
416 * Note that if the file exists, no implicit access rights are given
417 * to user@@LOCALREALM.
419 * Optionally, a set of files may be put in ~/.k5login.d (a
420 * directory), in which case they will all be checked in the same
421 * manner as .k5login. The files may be called anything, but files
422 * starting with a hash (#) , or ending with a tilde (~) are
423 * ignored. Subdirectories are not traversed. Note that this directory
424 * may not be checked by other Kerberos implementations.
426 * If no configuration file exists, match user against local domains,
427 * ie luser@@LOCAL-REALMS-IN-CONFIGURATION-FILES.
429 * @param context Kerberos 5 context.
430 * @param principal principal to check if allowed to login
431 * @param luser local user id
433 * @return returns TRUE if access should be granted, FALSE otherwise.
435 * @ingroup krb5_support
438 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
439 krb5_kuserok(krb5_context context
,
440 krb5_principal principal
,
443 return _krb5_kuserok(context
, principal
, luser
, TRUE
);
447 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
448 _krb5_kuserok(krb5_context context
,
449 krb5_principal principal
,
451 krb5_boolean an2ln_ok
)
453 static heim_base_once_t reg_def_plugins
= HEIM_BASE_ONCE_INIT
;
459 * XXX we should have a struct with a krb5_context field and a
460 * krb5_error_code fied and pass the address of that as the ctx
461 * argument of heim_base_once_f(). For now we use a static to
462 * communicate failures. Actually, we ignore failures anyways,
463 * since we can't return them.
465 heim_base_once_f(®_def_plugins
, context
, reg_def_plugins_once
);
469 ctx
.principal
= principal
;
472 ctx
.k5login_dir
= krb5_config_get_string(context
, NULL
, "libdefaults",
473 "k5login_directory", NULL
);
476 ctx
.flags
|= KUSEROK_ANAME_TO_LNAME_OK
;
478 if (krb5_config_get_bool_default(context
, NULL
, FALSE
, "libdefaults",
479 "k5login_authoritative", NULL
))
480 ctx
.flags
|= KUSEROK_K5LOGIN_IS_AUTHORITATIVE
;
482 if ((ctx
.flags
& KUSEROK_K5LOGIN_IS_AUTHORITATIVE
) && plugin_reg_ret
)
483 return plugin_reg_ret
; /* fail safe */
485 rules
= krb5_config_get_strings(context
, NULL
, "libdefaults",
488 /* Default: check ~/.k5login */
489 ctx
.rule
= "USER-K5LOGIN";
491 ret
= plcallback(context
, &kuserok_user_k5login_plug
, NULL
, &ctx
);
496 ret
= plcallback(context
, &kuserok_simple_plug
, NULL
, &ctx
);
504 for (n
= 0; rules
[n
]; n
++) {
507 ret
= _krb5_plugin_run_f(context
, "krb5", KRB5_PLUGIN_KUSEROK
,
508 KRB5_PLUGIN_KUSEROK_VERSION_0
, 0,
510 if (ret
!= KRB5_PLUGIN_NO_HANDLE
)
516 krb5_config_free_strings(rules
);
522 * Simple kuserok: check that the lname for the aname matches luser.
525 static krb5_error_code
526 kuserok_simple_plug_f(void *plug_ctx
, krb5_context context
, const char *rule
,
527 unsigned int flags
, const char *k5login_dir
,
528 const char *luser
, krb5_const_principal principal
,
529 krb5_boolean
*result
)
533 if (strcmp(rule
, "SIMPLE") != 0 || (flags
& KUSEROK_ANAME_TO_LNAME_OK
) == 0)
534 return KRB5_PLUGIN_NO_HANDLE
;
536 ret
= check_an2ln(context
, principal
, luser
, result
);
537 if (ret
== 0 && *result
== FALSE
)
538 return KRB5_PLUGIN_NO_HANDLE
;
544 * Check k5login files in a system location, rather than in home
548 static krb5_error_code
549 kuserok_sys_k5login_plug_f(void *plug_ctx
, krb5_context context
,
550 const char *rule
, unsigned int flags
,
551 const char *k5login_dir
, const char *luser
,
552 krb5_const_principal principal
, krb5_boolean
*result
)
555 const char *profile_dir
= NULL
;
560 if (strcmp(rule
, "SYSTEM-K5LOGIN") != 0 &&
561 strncmp(rule
, "SYSTEM-K5LOGIN:", strlen("SYSTEM-K5LOGIN:")) != 0)
562 return KRB5_PLUGIN_NO_HANDLE
;
564 profile_dir
= strchr(rule
, ':');
565 if (profile_dir
== NULL
)
566 profile_dir
= k5login_dir
? k5login_dir
: SYSTEM_K5LOGIN_DIR
;
570 ret
= _krb5_expand_path_tokensv(context
, profile_dir
, &path
,
571 "luser", luser
, NULL
);
575 ret
= check_one_file(context
, path
, NULL
, TRUE
, principal
, result
);
579 ((flags
& KUSEROK_K5LOGIN_IS_AUTHORITATIVE
) || *result
== TRUE
))
583 return KRB5_PLUGIN_NO_HANDLE
;
587 * Check ~luser/.k5login and/or ~/luser/.k5login.d
590 static krb5_error_code
591 kuserok_user_k5login_plug_f(void *plug_ctx
, krb5_context context
,
592 const char *rule
, unsigned int flags
,
593 const char *k5login_dir
, const char *luser
,
594 krb5_const_principal principal
,
595 krb5_boolean
*result
)
598 return KRB5_PLUGIN_NO_HANDLE
;
602 const char *profile_dir
= NULL
;
604 krb5_boolean found_file
= FALSE
;
605 struct passwd pw
, *pwd
= NULL
;
608 if (strcmp(rule
, "USER-K5LOGIN") != 0)
609 return KRB5_PLUGIN_NO_HANDLE
;
611 profile_dir
= k5login_dir
;
612 if (profile_dir
== NULL
) {
613 /* Don't deadlock with gssd or anything of the sort */
614 if (!_krb5_homedir_access(context
))
615 return KRB5_PLUGIN_NO_HANDLE
;
617 if (getpwnam_r(luser
, &pw
, pwbuf
, sizeof(pwbuf
), &pwd
) != 0) {
618 krb5_set_error_message(context
, errno
, "User unknown (getpwnam_r())");
619 return KRB5_PLUGIN_NO_HANDLE
;
622 krb5_set_error_message(context
, errno
, "User unknown (getpwnam())");
623 return KRB5_PLUGIN_NO_HANDLE
;
625 profile_dir
= pwd
->pw_dir
;
628 #define KLOGIN "/.k5login"
630 if (asprintf(&path
, "%s/.k5login.d", profile_dir
) == -1)
631 return krb5_enomem(context
);
633 ret
= _krb5_expand_path_tokensv(context
, path
, &path_exp
,
634 "luser", luser
, NULL
);
640 /* check user's ~/.k5login */
641 path
[strlen(path
) - strlen(".d")] = '\0';
642 ret
= check_one_file(context
, path
, luser
, FALSE
, principal
, result
);
645 ((flags
& KUSEROK_K5LOGIN_IS_AUTHORITATIVE
) || *result
== TRUE
)) {
653 path
[strlen(path
)] = '.'; /* put back the .d; clever|hackish? you decide */
654 ret
= check_directory(context
, path
, luser
, FALSE
, principal
, result
);
657 ((flags
& KUSEROK_K5LOGIN_IS_AUTHORITATIVE
) || *result
== TRUE
))
660 if (ret
!= ENOENT
&& ret
!= ENOTDIR
)
664 if (found_file
== FALSE
)
665 return KRB5_PLUGIN_NO_HANDLE
;
671 static krb5_error_code
672 kuserok_deny_plug_f(void *plug_ctx
, krb5_context context
, const char *rule
,
673 unsigned int flags
, const char *k5login_dir
,
674 const char *luser
, krb5_const_principal principal
,
675 krb5_boolean
*result
)
677 if (strcmp(rule
, "DENY") != 0)
678 return KRB5_PLUGIN_NO_HANDLE
;
684 static krb5_error_code
685 kuser_ok_null_plugin_init(krb5_context context
, void **ctx
)
692 kuser_ok_null_plugin_fini(void *ctx
)
697 static krb5plugin_kuserok_ftable kuserok_simple_plug
= {
698 KRB5_PLUGIN_KUSEROK_VERSION_0
,
699 kuser_ok_null_plugin_init
,
700 kuser_ok_null_plugin_fini
,
701 kuserok_simple_plug_f
,
704 static krb5plugin_kuserok_ftable kuserok_sys_k5login_plug
= {
705 KRB5_PLUGIN_KUSEROK_VERSION_0
,
706 kuser_ok_null_plugin_init
,
707 kuser_ok_null_plugin_fini
,
708 kuserok_sys_k5login_plug_f
,
711 static krb5plugin_kuserok_ftable kuserok_user_k5login_plug
= {
712 KRB5_PLUGIN_KUSEROK_VERSION_0
,
713 kuser_ok_null_plugin_init
,
714 kuser_ok_null_plugin_fini
,
715 kuserok_user_k5login_plug_f
,
718 static krb5plugin_kuserok_ftable kuserok_deny_plug
= {
719 KRB5_PLUGIN_KUSEROK_VERSION_0
,
720 kuser_ok_null_plugin_init
,
721 kuser_ok_null_plugin_fini
,