
1.1     ! root        1: /*
        !             2:  * $Source: /usr/src/kerberosIV/krb/RCS/kuserok.c,v $
        !             3:  * $Author: kfall $
        !             4:  *
        !             5:  * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
        !             6:  *
        !             7:  * For copying and distribution information, please see the file
        !             8:  * <mit-copyright.h>.
        !             9:  *
        !            10:  * kuserok: check if a kerberos principal has
        !            11:  * access to a local account
        !            12:  */
        !            13: 
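#ifndef lint
/*
 * RCS identification string, embedded in the object file.  Omitted under
 * lint, which would otherwise report the unreferenced array.
 */
static char rcsid_kuserok_c[] =
"$Header: /usr/src/kerberosIV/krb/RCS/kuserok.c,v 4.7 90/06/23 03:11:11 kfall Exp $";
#endif /* lint */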
        !            18: 
        !            19: #include <mit-copyright.h>
        !            20: 
        !            21: #include <sys/param.h>
        !            22: #include <sys/socket.h>
        !            23: #include <sys/stat.h>
        !            24: #include <sys/file.h>
        !            25: #include <des.h>
        !            26: #include <krb.h>
        !            27: #include <stdio.h>
        !            28: #include <pwd.h>
        !            29: #include <strings.h>
        !            30: 
        !            31: #define OK 0
        !            32: #define NOTOK 1
        !            33: #define MAX_USERNAME 10
        !            34: 
        !            35: /*
        !            36:  * Given a Kerberos principal "kdata", and a local username "luser",
        !            37:  * determine whether user is authorized to login according to the
        !            38:  * authorization file ("~luser/.klogin" by default).  Returns OK
        !            39:  * if authorized, NOTOK if not authorized.
        !            40:  *
        !            41:  * If there is no account for "luser" on the local machine, returns
        !            42:  * NOTOK.  If there is no authorization file, and the given Kerberos
        !            43:  * name "kdata" translates to the same name as "luser" (using
        !            44:  * krb_kntoln()), returns OK.  Otherwise, if the authorization file
        !            45:  * can't be accessed, returns NOTOK.  Otherwise, the file is read for
        !            46:  * a matching principal name, instance, and realm.  If one is found,
        !            47:  * returns OK, if none is found, returns NOTOK.
        !            48:  *
        !            49:  * The file entries are in the format:
        !            50:  *
        !            51:  *     name.instance@realm
        !            52:  *
        !            53:  * one entry per line.
        !            54:  *
        !            55:  * The ATHENA_COMPAT code supports old-style Athena ~luser/.klogin
        !            56:  * file entries.  See the file "kparse.c".
        !            57:  */
        !            58: 
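/*
 * kuserok: decide whether the authenticated Kerberos principal in "kdata"
 * may log in as the local account "luser".
 *
 * kdata: authentication data for the principal; only the pname/pinst/prealm
 *        triple is read here.
 * luser: local account name being logged into.
 *
 * Returns OK (0) when access is granted, NOTOK (1) otherwise:
 *   - no local account for luser                     => NOTOK
 *   - no ~luser/.klogin and kdata maps to luser      => OK
 *   - ~luser/.klogin unreadable or not owned by luser => NOTOK
 *   - otherwise OK iff some name.instance@realm line matches kdata.
 *
 * NOTE(review): ownership is the only property of .klogin that is checked;
 * its mode (group/world write permission) and file type are not.
 */
int
kuserok(kdata, luser)
    AUTH_DAT *kdata;
    char   *luser;
{
    struct stat sbuf;
    struct passwd *pwd;
    char pbuf[MAXPATHLEN];
    int isok = NOTOK, rc;
    FILE *fp;
    /*
     * Sized to ANAME_SZ rather than MAX_USERNAME: krb_kntoln's output bound
     * is not visible in this file, and the name it is given is derived from
     * kdata, whose pname this function compares at ANAME_SZ below.  A larger
     * local buffer cannot change the result, only prevent an overrun.
     */
    char kuser[ANAME_SZ];
    char principal[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ];
    char linebuf[BUFSIZ];
    char *newline;
    int gobble, truncated;

    /* no account => no access */
    if ((pwd = getpwnam(luser)) == NULL) {
        return(NOTOK);
    }
    /*
     * Build "~luser/.klogin".  pw_dir comes from the password database and
     * is not guaranteed to fit in MAXPATHLEN; refuse rather than overrun
     * pbuf (sizeof "/.klogin" already counts the terminating NUL).
     */
    if (strlen(pwd->pw_dir) + sizeof("/.klogin") > sizeof pbuf) {
        return(NOTOK);
    }
    (void) strcpy(pbuf, pwd->pw_dir);
    (void) strcat(pbuf, "/.klogin");

    if (access(pbuf, F_OK)) {   /* not accessible */
        /*
         * No .klogin file: let the user in only if the principal translates
         * (via krb_kntoln) to exactly the account being requested.
         */
        if (!krb_kntoln(kdata, kuser) && (strcmp(kuser, luser) == 0)) {
            return(OK);
        }
    }
    /* open ~/.klogin; when access() failed above this fails too => NOTOK */
    if ((fp = fopen(pbuf, "r")) == NULL) {
        return(NOTOK);
    }
    /*
     * security:  if the user does not own his own .klogin file,
     * do not grant access
     */
    if (fstat(fileno(fp), &sbuf)) {
        fclose(fp);
        return(NOTOK);
    }
    if (sbuf.st_uid != pwd->pw_uid) {
        fclose(fp);
        return(NOTOK);
    }

    /* check each line, stopping at the first one that grants access */
    while ((isok != OK) && (fgets(linebuf, sizeof linebuf, fp) != NULL)) {
        /* null-terminate the input string */
        linebuf[sizeof linebuf - 1] = '\0';
        newline = index(linebuf, '\n');
        if (newline != NULL) {
            /* nuke the newline */
            *newline = '\0';
        } else {
            /*
             * No newline in the buffer: the line either ends at EOF, fills
             * the buffer exactly, or was too long to fit.  Discard whatever
             * remains of it.  A line that was cut off is never compared
             * against: its prefix could parse as a principal other than the
             * one actually written in the file.
             */
            truncated = 0;
            while (((gobble = getc(fp)) != EOF) && gobble != '\n')
                truncated = 1;
            if (truncated)
                continue;
        }
        rc = kname_parse(principal, inst, realm, linebuf);
        if (rc == KSUCCESS) {
            /*
             * Each compare is 0 on equality, so the || expression is 0 (OK)
             * only when name, instance and realm all match; otherwise it is
             * 1 (NOTOK).  Realm comparison is case-insensitive.
             */
            isok = (strncmp(kdata->pname, principal, ANAME_SZ) ||
                    strncmp(kdata->pinst, inst, INST_SZ) ||
                    strncasecmp(kdata->prealm, realm, REALM_SZ));
        }
    }
    fclose(fp);
    return(isok);
}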
