author | Greg Hudson <ghudson@mit.edu> | 2015-12-16 12:51:36 -0500 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2016-04-06 14:19:24 -0400 |
commit | e2d7a66f48bcf3da846faf39d6433a122ae0be3c (patch) | |
tree | 01ed3a38b7f4712f6cbcffde400627dbe38b4d3d /src/plugins | |
parent | 9a892a37611675d8eaec0a0c1d91fbc300eb1b69 (diff) | |
Fix kdb5_ldap_util stashsrvpw password file logic
kdb5_ldap_util stashsrvpw has several inconsistencies with the
password file determination in libkdb_ldap, and could try to fopen() a
NULL filename in some cases. Factor out the determination of the
configured password file and make it consistent with libkdb_ldap.
DEF_SERVICE_PASSWD_FILE is no longer used after these changes, as it
is not respected by libkdb_ldap.
Reported by Will Fiveash.
ticket: 8295
Diffstat (limited to 'src/plugins')
-rw-r--r-- | src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c | 74 | ||||
-rw-r--r-- | src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h | 2 |
2 files changed, 49 insertions, 27 deletions
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
index 64d0f91..022156a 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -40,6 +40,49 @@
 #include "kdb5_ldap_util.h"
 #include "kdb5_ldap_list.h"
 
+/* Get the configured LDAP service password file. The caller should free the
+ * result with profile_release_string(). */
+static krb5_error_code
+get_conf_service_file(profile_t profile, const char *realm, char **path_out)
+{
+    char *subsection, *path;
+    long ret;
+
+    *path_out = NULL;
+
+    /* Get the [dbmodules] subsection for realm. */
+    ret = profile_get_string(profile, KDB_REALM_SECTION, realm,
+                             KDB_MODULE_POINTER, realm, &subsection);
+    if (ret)
+        return ret;
+
+    /* Look up the password file in the [dbmodules] subsection. */
+    ret = profile_get_string(profile, KDB_MODULE_SECTION, subsection,
+                             KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE, NULL,
+                             &path);
+    profile_release_string(subsection);
+    if (ret)
+        return ret;
+
+    if (path == NULL) {
+        /* Look up the password file in [dbdefaults] as a fallback. */
+        ret = profile_get_string(profile, KDB_MODULE_DEF_SECTION,
+                                 KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE, NULL,
+                                 NULL, &path);
+        if (ret)
+            return ret;
+    }
+
+    if (path == NULL) {
+        k5_setmsg(util_context, ENOENT,
+                  _("ldap_service_password_file not configured"));
+        return ENOENT;
+    }
+
+    *path_out = path;
+    return 0;
+}
+
 /*
  * Convert the user supplied password into hexadecimal and stash it. Only a
  * little more secure than storing plain password in the file ...
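Review bot: The text set with k5_setmsg() in the ENOENT branch of get_conf_service_file() is only retrievable through krb5_get_error_message(util_context, ...), but the caller in the next hunk reports the failure with a plain com_err(me, ret, ...), which formats the generic ENOENT string, so unless kdb5_ldap_util installs a com_err hook that consults util_context the "ldap_service_password_file not configured" message is never shown to the operator. Either have the caller fetch the extended message with krb5_get_error_message() and release it with krb5_free_error_message() before printing, or drop the k5_setmsg() and put that wording directly into the caller's com_err() call. The function also takes profile as a parameter yet reaches for the global util_context for the message; a comment such as `/* util_context is needed only to attach the error message. */` above the k5_setmsg() call would make that coupling explicit. Minor: ret is declared long but the function returns krb5_error_code; using krb5_error_code for ret would match the rest of the file's convention.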
@@ -97,37 +140,19 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
             goto cleanup;
         }
     } else { /* argc == 2 */
-        char *section;
-
         service_object = strdup (argv[1]);
         if (service_object == NULL) {
             com_err(me, ENOMEM, _("while setting service object password"));
             goto cleanup;
         }
 
-        /* Pick up the stash-file name from krb5.conf */
-        profile_get_string(util_context->profile, KDB_REALM_SECTION,
-                           util_context->default_realm, KDB_MODULE_POINTER, NULL, §ion);
-
-        if (section == NULL) {
-            profile_get_string(util_context->profile, KDB_MODULE_DEF_SECTION,
-                               KDB_MODULE_POINTER, NULL, NULL, §ion);
-            if (section == NULL) {
-                /* Stash file path neither in krb5.conf nor on command line */
-                file_name = strdup(DEF_SERVICE_PASSWD_FILE);
-                if (file_name == NULL) {
-                    com_err(me, ENOMEM,
-                            _("while setting service object password"));
-                    goto cleanup;
-                }
-                goto done;
-            }
+        ret = get_conf_service_file(util_context->profile,
+                                    util_context->default_realm, &file_name);
+        if (ret) {
+            com_err(me, ret, _("while getting service password filename"));
+            goto cleanup;
         }
-
-        profile_get_string (util_context->profile, KDB_MODULE_SECTION, section,
-                            "ldap_service_password_file", NULL, &file_name);
     }
-done:
 
     /* Get password from user */
     {
@@ -296,8 +321,7 @@ cleanup:
 
     if (service_object)
         free(service_object);
 
-    if (file_name)
-        free(file_name);
+    profile_release_string(file_name);
 
     if (tmp_file)
         free(tmp_file);
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h
index 0f1a1ea..cf652c5 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h
@@ -32,8 +32,6 @@
 #define MAX_LEN 1024
 #define MAX_SERVICE_PASSWD_LEN 256
 
-#define DEF_SERVICE_PASSWD_FILE "/usr/local/var/service_passwd"
-
 extern int tohex(krb5_data, krb5_data *);
 extern void kdb5_ldap_stash_service_password(int argc, char **argv);
 
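Review bot: The cleanup label now releases file_name with profile_release_string() on every exit path, but if the argc == 3 branch (above this hunk, not visible here) still fills file_name from strdup() of the command-line argument, as the removed unconditional free() suggests, then one pointer is handed to two different release functions depending on which branch ran. That is only correct while profile_release_string() is free() underneath, and nothing at the release site records that assumption; a comment such as `/* file_name is from strdup() or profile_get_string(); both release with free(). */` above the call, or making the argc == 3 branch obtain the name the same way, would keep a later change to the profile library from turning this into a mismatched free. The enclosing function kdb5_ldap_stash_service_password() starts and ends outside this hunk.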