diff options
| author | Hans Insulander <hin@cvs.openbsd.org> | 2000-12-02 22:44:50 +0000 |
|---|---|---|
| committer | Hans Insulander <hin@cvs.openbsd.org> | 2000-12-02 22:44:50 +0000 |
| commit | c066beacb2b726169179a9fb765496b319fc243e (patch) | |
| tree | 8ffd67fcd23a40a47627c1c81df5a8abe0e9c829 | |
| parent | d3f5b73d37e8d643ed68422293872a2715cd7fe9 (diff) | |
Check for symlinks before overwriting kerberos ticket files.
While i'm at it, make sure not to use Kerberos at all if there is no
local srvtab.
Based on patch from Todd Miller. Reported by <jouko@solutions.fi>.
| -rw-r--r-- | usr.bin/login/klogin.c | 34 | ||||
| -rw-r--r-- | usr.bin/su/su.c | 27 |
2 files changed, 49 insertions, 12 deletions
diff --git a/usr.bin/login/klogin.c b/usr.bin/login/klogin.c index 4f902b2e701..af273532e01 100644 --- a/usr.bin/login/klogin.c +++ b/usr.bin/login/klogin.c @@ -1,4 +1,4 @@ -/* $OpenBSD: klogin.c,v 1.10 2000/07/17 16:43:14 millert Exp $ */ +/* $OpenBSD: klogin.c,v 1.11 2000/12/02 22:44:36 hin Exp $ */ /* $NetBSD: klogin.c,v 1.7 1996/05/21 22:07:04 mrg Exp $ */ /*- @@ -38,7 +38,7 @@ #if 0 static char sccsid[] = "@(#)klogin.c 8.3 (Berkeley) 4/2/94"; #endif -static char rcsid[] = "$OpenBSD: klogin.c,v 1.10 2000/07/17 16:43:14 millert Exp $"; +static char rcsid[] = "$OpenBSD: klogin.c,v 1.11 2000/12/02 22:44:36 hin Exp $"; #endif /* not lint */ #ifdef KERBEROS @@ -80,7 +80,7 @@ klogin(pw, instance, localhost, password) struct passwd *pw; char *instance, *localhost, *password; { - int kerror; + int kerror, fd; AUTH_DAT authdata; KTEXT_ST ticket; struct hostent *hp; @@ -97,6 +97,15 @@ klogin(pw, instance, localhost, password) } #endif + /* If no srvtab file exists, fail immediatly. This will make + * login _much_ quicker on systems with sporadical contact with + * the outside world. + * We should really change the semantics for enabling kerberos. + */ + if((fd = open(KEYFILE, O_RDONLY, 0)) < 0) + return 1; + close(fd); + /* * Root logins don't use Kerberos (or at least shouldn't be * sending kerberos passwords around in cleartext), so don't @@ -119,8 +128,8 @@ klogin(pw, instance, localhost, password) */ if (strcmp(instance, "root") != 0) - snprintf(tkt_location, sizeof(tkt_location), "%s%d.%s", - TKT_ROOT, pw->pw_uid, tty); + snprintf(tkt_location, sizeof(tkt_location), "%s%d", + TKT_ROOT, pw->pw_uid); else snprintf(tkt_location, sizeof(tkt_location), "%s_root_%d.%s", TKT_ROOT, pw->pw_uid, tty); @@ -155,8 +164,19 @@ klogin(pw, instance, localhost, password) return (1); } - if (chown(TKT_FILE, pw->pw_uid, pw->pw_gid) < 0) - syslog(LOG_ERR, "chown tkfile (%s): %m", TKT_FILE); + /* + * Set the owner of the ticket file to root but bail if someone + * has nefariously swapped a link in place of the file. + */ + fd = open(TKT_FILE, O_RDWR|O_NOFOLLOW, 0); + if (fd == -1) { + syslog(LOG_ERR, "unable to open ticket file: %m"); + dest_tkt(); + return (1); + } + if (fchown(fd, pw->pw_uid, pw->pw_gid) < 0) + syslog(LOG_ERR, "fchown tkfile (%s): %m", TKT_FILE); + close(fd); (void)strlcpy(savehost, krb_get_phost(localhost), sizeof(savehost)); diff --git a/usr.bin/su/su.c b/usr.bin/su/su.c index 0a0f67e7604..c1cf55defaa 100644 --- a/usr.bin/su/su.c +++ b/usr.bin/su/su.c @@ -1,4 +1,4 @@ -/* $OpenBSD: su.c,v 1.34 2000/09/15 07:13:50 deraadt Exp $ */ +/* $OpenBSD: su.c,v 1.35 2000/12/02 22:44:49 hin Exp $ */ /* * Copyright (c) 1988 The Regents of the University of California. @@ -41,7 +41,7 @@ char copyright[] = #ifndef lint /*static char sccsid[] = "from: @(#)su.c 5.26 (Berkeley) 7/6/91";*/ -static char rcsid[] = "$OpenBSD: su.c,v 1.34 2000/09/15 07:13:50 deraadt Exp $"; +static char rcsid[] = "$OpenBSD: su.c,v 1.35 2000/12/02 22:44:49 hin Exp $"; #endif /* not lint */ #include <sys/param.h> @@ -59,6 +59,7 @@ static char rcsid[] = "$OpenBSD: su.c,v 1.34 2000/09/15 07:13:50 deraadt Exp $"; #include <string.h> #include <syslog.h> #include <unistd.h> +#include <fcntl.h> #ifdef SKEY #include <skey.h> @@ -358,11 +359,16 @@ kerberos(username, user, uid) KTEXT_ST ticket; AUTH_DAT authdata; struct hostent *hp; - int kerno; + int kerno, fd; in_addr_t faddr; char hostname[MAXHOSTNAMELEN], savehost[MAXHOSTNAMELEN]; char *ontty(), *krb_get_phost(); + /* Don't bother with Kerberos if there is no srvtab file */ + if ((fd = open(KEYFILE, O_RDONLY, 0)) < 0) + return (1); + close(fd); + if (koktologin(username, lrealm, user) && !uid) { (void)fprintf(stderr, "kerberos su: not in %s's ACL.\n", user); return (1); @@ -407,11 +413,22 @@ kerberos(username, user, uid) return (1); } - if (chown(krbtkfile, uid, -1) < 0) { - warn("chown"); + /* + * Set the owner of the ticket file to root but bail if someone + * has nefariously swapped a link in place of the file. + */ + fd = open(krbtkfile, O_RDWR|O_NOFOLLOW, 0); + if (fd == -1) { + warn("unable to open ticket file"); + (void)unlink(krbtkfile); + return (1); + } + if (fchown(fd, uid, -1) < 0) { + warn("fchown"); (void)unlink(krbtkfile); return (1); } + close(fd); (void)setpriority(PRIO_PROCESS, 0, -2); |