0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs/*
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs * CDDL HEADER START
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs *
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs * The contents of this file are subject to the terms of the
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs * Common Development and Distribution License (the "License").
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs * You may not use this file except in compliance with the License.
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs *
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs * or http://www.opensolaris.org/os/licensing.
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs * See the License for the specific language governing permissions
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs * and limitations under the License.
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs *
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs * When distributing Covered Code, include this CDDL HEADER in each
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs * If applicable, add the following below this CDDL HEADER, with the
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs * fields enclosed by brackets "[]" replaced with your own identifying
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs * information: Portions Copyright [yyyy] [name of copyright owner]
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs *
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs * CDDL HEADER END
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs */
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs/*
0c45178b5714d692c44817c2235320c3f2b030abwl * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs * Use is subject to license terms.
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs */
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs#pragma ident "%Z%%M% %I% %E% SMI"
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs#include <pwd.h>
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs#include <locale.h>
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs#include <syslog.h>
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs#include <errno.h>
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs#include <com_err.h>
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs#include <k5-int.h>
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphsextern uint_t kwarn_add_warning(char *, int);
b1a03ab1e63a57c5b968c229e2f36c79d2fdd222Victor Liextern uint_t kwarn_del_warning(char *);
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs
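/*
 * Store the forwarded credentials in the user's local credential cache
 * and register the ticket expiry with ktkt_warnd(1M).
 *
 * context	- library context used for the cache operations and for
 *		  krb5_set_error_message() on failure.
 * creds	- forwarded credentials to store; (*creds)->client is the
 *		  principal registered with ktkt_warnd(1M) and
 *		  (*creds)->times.endtime the expiry it is warned about.
 * ticket	- authenticating ticket; ticket->enc_part2->client becomes
 *		  the default principal of the new cache.  enc_part2 is
 *		  assumed to have been decrypted by the caller -- confirm.
 * lusername	- local account whose uid selects the cache file name and
 *		  under whose effective uid the cache is created.
 * ccache	- out: handle of the resolved cache.  Set to NULL on entry
 *		  and left NULL if the passwd lookup or the uid switch fails.
 *		  Otherwise it points at the resolved cache even after that
 *		  cache has been closed, or after a later step failed, so
 *		  callers must not perform cache I/O through it.
 *
 * Returns 0 on success, ENOENT if lusername has no passwd entry, -1 if
 * the effective uid could not be switched to the user, or the
 * krb5_error_code of the failing library call.  Failure to register with
 * ktkt_warnd(1M) is only logged; the credentials are already stored.
 */
krb5_error_code
store_forw_creds(krb5_context context,
    krb5_creds **creds,
    krb5_ticket *ticket,
    char *lusername,
    krb5_ccache *ccache)
{
	krb5_error_code retval;
	char ccname[MAXPATHLEN];
	struct passwd *pwd;
	uid_t saved_euid;
	char *client_name = NULL;

	*ccache = NULL;
	if ((pwd = getpwnam(lusername)) == NULL) {
		return (ENOENT);
	}

	/*
	 * Create the cache while running with the user's effective uid so
	 * the cache file is created with that user's ownership.  Save the
	 * current *effective* uid (not the real uid, which may differ in a
	 * set-id process) so the caller's privilege state is restored
	 * exactly on every exit path.
	 */
	saved_euid = geteuid();
	if (seteuid(pwd->pw_uid) != 0) {
		return (-1);
	}

	/* uid_t is not necessarily long; widen explicitly to match %ld. */
	(void) snprintf(ccname, sizeof (ccname), "FILE:/tmp/krb5cc_%ld",
	    (long)pwd->pw_uid);

	if ((retval = krb5_cc_resolve(context, ccname, ccache)) != 0) {
		krb5_set_error_message(context, retval,
		    gettext("failed to resolve cred cache %s"), ccname);
		goto cleanup;
	}

	if ((retval = krb5_cc_initialize(context, *ccache,
	    ticket->enc_part2->client)) != 0) {
		krb5_set_error_message(context, retval,
		    gettext("failed to initialize cred cache %s"), ccname);
		goto cleanup;
	}

	if ((retval = krb5_cc_store_cred(context, *ccache, *creds)) != 0) {
		krb5_set_error_message(context, retval,
		    gettext("failed to store cred in cache %s"), ccname);
		goto cleanup;
	}

	/* The handle in *ccache is closed from here on; see the header. */
	if ((retval = krb5_cc_close(context, *ccache)) != 0) {
		goto cleanup;
	}

	/* Register with ktkt_warnd(1M) */
	if ((retval = krb5_unparse_name(context, (*creds)->client,
	    &client_name)) != 0) {
		goto cleanup;
	}
	/* Drop any stale registration for this principal before adding. */
	(void) kwarn_del_warning(client_name);
	if (kwarn_add_warning(client_name, (*creds)->times.endtime) != 0) {
		syslog(LOG_AUTH|LOG_NOTICE,
		    "store_forw_creds: kwarn_add_warning"
		    " failed: ktkt_warnd(1M) down? ");
	}
	/* Release with the library's own free routine, matching the alloc. */
	krb5_free_unparsed_name(context, client_name);
	client_name = NULL;

cleanup:
	/*
	 * Regain the caller's effective uid.  A failure here cannot be
	 * recovered from inside this function and would leave the caller
	 * running as the user, so record it instead of silently ignoring
	 * it (the stored retval is still what is reported to the caller).
	 */
	if (seteuid(saved_euid) != 0) {
		syslog(LOG_AUTH|LOG_ERR,
		    "store_forw_creds: seteuid(%ld) failed: %m",
		    (long)saved_euid);
	}

	return (retval);
}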
0205780bc43902d17f94f07ceacb0cd8d5eab20frralphs