1.1 root 1: /*
2: * $Source: /usr/src/kerberosIV/krb/RCS/kuserok.c,v $
3: * $Author: kfall $
4: *
5: * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
6: *
7: * For copying and distribution information, please see the file
8: * <mit-copyright.h>.
9: *
10: * kuserok: check if a kerberos principal has
11: * access to a local account
12: */
13:
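#ifndef lint
/* RCS identification string; kept in the object file for version tracking. */
static char rcsid_kuserok_c[] =
"$Header: /usr/src/kerberosIV/krb/RCS/kuserok.c,v 4.7 90/06/23 03:11:11 kfall Exp $";
#endif /* lint */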
18:
19: #include <mit-copyright.h>
20:
21: #include <sys/param.h>
22: #include <sys/socket.h>
23: #include <sys/stat.h>
24: #include <sys/file.h>
25: #include <des.h>
26: #include <krb.h>
27: #include <stdio.h>
28: #include <pwd.h>
29: #include <strings.h>
30:
31: #define OK 0
32: #define NOTOK 1
33: #define MAX_USERNAME 10
34:
35: /*
36: * Given a Kerberos principal "kdata", and a local username "luser",
37: * determine whether user is authorized to login according to the
38: * authorization file ("~luser/.klogin" by default). Returns OK
39: * if authorized, NOTOK if not authorized.
40: *
41: * If there is no account for "luser" on the local machine, returns
42: * NOTOK. If there is no authorization file, and the given Kerberos
43: * name "kdata" translates to the same name as "luser" (using
44: * krb_kntoln()), returns OK. Otherwise, if the authorization file
45: * can't be accessed, returns NOTOK. Otherwise, the file is read for
46: * a matching principal name, instance, and realm. If one is found,
47: * returns OK, if none is found, returns NOTOK.
48: *
49: * The file entries are in the format:
50: *
51: * name.instance@realm
52: *
53: * one entry per line.
54: *
55: * The ATHENA_COMPAT code supports old-style Athena ~luser/.klogin
56: * file entries. See the file "kparse.c".
57: */
58:
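/*
 * entry_matches: compare one parsed ~luser/.klogin entry against the
 * authenticated principal in "kdata".  Returns OK when name and instance
 * match exactly and the realm matches case-insensitively, NOTOK otherwise.
 * Every comparison is bounded by the field size, so a field that is not
 * NUL-terminated is never read past its array.
 */
static int
entry_matches(kdata, principal, inst, realm)
AUTH_DAT *kdata;
char *principal, *inst, *realm;
{
	if (strncmp(kdata->pname, principal, ANAME_SZ) != 0) {
		return(NOTOK);
	}
	if (strncmp(kdata->pinst, inst, INST_SZ) != 0) {
		return(NOTOK);
	}
	if (strncasecmp(kdata->prealm, realm, REALM_SZ) != 0) {
		return(NOTOK);
	}
	return(OK);
}

/*
 * kuserok: decide whether the Kerberos principal "kdata" may log in to
 * the local account "luser".
 *
 * Returns exactly OK or NOTOK (earlier code returned the raw strncmp
 * result, which callers had to treat as "non-zero means denied").
 *
 * Rules, in order:
 *   - no local account            => NOTOK
 *   - no ~luser/.klogin and kdata maps (krb_kntoln) to "luser" => OK
 *   - ~luser/.klogin unreadable or not owned by luser => NOTOK
 *   - otherwise the first complete entry that parses and matches => OK,
 *     else NOTOK.
 */
int
kuserok(kdata, luser)
AUTH_DAT *kdata;
char *luser;
{
	struct stat sbuf;
	struct passwd *pwd;
	char pbuf[MAXPATHLEN];
	int isok = NOTOK;
	int plen;
	FILE *fp;
	/*
	 * krb_kntoln()'s output bound is not visible here; ANAME_SZ is the
	 * size of the principal name it derives the local name from, so it
	 * is the conservative size for the buffer it fills.
	 */
	char kuser[ANAME_SZ];
	char principal[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ];
	char linebuf[BUFSIZ];
	char *newline;
	int gobble, truncated;

	/* no account => no access */
	if ((pwd = getpwnam(luser)) == NULL) {
		return(NOTOK);
	}
	/*
	 * Build "~luser/.klogin" with a bounded write.  pw_dir comes from
	 * the password database and is not guaranteed to fit in MAXPATHLEN;
	 * a truncated path names the wrong file, so refuse rather than open it.
	 */
	plen = snprintf(pbuf, sizeof pbuf, "%s/.klogin", pwd->pw_dir);
	if (plen < 0 || plen >= (int)sizeof pbuf) {
		return(NOTOK);
	}

	if (access(pbuf, F_OK)) {	/* not accessible */
		/*
		 * if he's trying to log in as himself, and there is no .klogin file,
		 * let him. To find out, call
		 * krb_kntoln to convert the triple in kdata to a name which we can
		 * string compare.
		 */
		if (!krb_kntoln(kdata, kuser) && (strcmp(kuser, luser) == 0)) {
			return(OK);
		}
	}
	/* open ~/.klogin */
	if ((fp = fopen(pbuf, "r")) == NULL) {
		return(NOTOK);
	}
	/*
	 * security: if the user does not own his own .klogin file,
	 * do not grant access.  The check is made on the open descriptor
	 * (fstat, not stat on the path) so it applies to the file actually
	 * being read.  Note that the file's mode (group/world writability)
	 * is not examined here.
	 */
	if (fstat(fileno(fp), &sbuf) || sbuf.st_uid != pwd->pw_uid) {
		fclose(fp);
		return(NOTOK);
	}

	/* check each line; stop at the first match */
	while ((isok != OK) && (fgets(linebuf, sizeof linebuf, fp) != NULL)) {
		truncated = 0;
		/* nuke the newline if it exists */
		newline = strchr(linebuf, '\n');
		if (newline != NULL) {
			*newline = '\0';
		} else {
			/*
			 * No newline in the buffer: either the final line lacks
			 * one (fine) or the line did not fit.  Discard the rest
			 * of the line; if anything was pending, what we hold is
			 * only a prefix of the entry and must not be matched.
			 */
			while (((gobble = getc(fp)) != EOF) && gobble != '\n') {
				truncated = 1;
			}
		}
		if (truncated) {
			continue;
		}
		if (kname_parse(principal, inst, realm, linebuf) == KSUCCESS) {
			isok = entry_matches(kdata, principal, inst, realm);
		}
	}
	fclose(fp);
	return(isok);
}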