IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-01-16 19:31:55 -06:00
Code Issues Packages Projects Releases Wiki Activity
6390db3502
freeipa/ipa-server/ipa-keytab-util/ipa-keytab-util.c
Karl MacMillan edc7af1446 Add xml-rpc interface for getting keytabs. 
Warning: this lacks any sort of authorization.
0001-01-01 00:00:00 +00:00

305 lines
5.4 KiB
C
Raw Blame History

/*
* Authors:
* Karl MacMillan <kmacmill@redhat.com>
*
* Copyright (C) 2007 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#define _GNU_SOURCE /* for asprintf */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/capability.h>
#include <sys/prctl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#define KADMIN_PATH "/usr/kerberos/sbin/kadmin.local"
struct options
{
char *princ_name;
char *realm;
int kstdin, kstdout, kstderr;
};
void *xmalloc(size_t size)
{
void *foo = malloc(size);
if (!foo) {
fprintf(stderr, "malloc error of size %jd\n", size);
exit(1);
}
memset(foo, 0, size);
return foo;
}
void usage(void)
{
printf("ipa-keytab-util princ-name realm-name\n");
}
struct options *process_args(int argc, char **argv)
{
struct options* opts;
opts = xmalloc(sizeof(struct options));
if (argc != 3) {
usage();
exit(1);
}
opts->princ_name = argv[1];
opts->realm = argv[2];
return opts;
}
void drop_caps(void)
{
cap_t caps;
int ret;
if (geteuid() != 0)
return;
if (getuid() != 0)
return;
caps = cap_init();
if (!caps) {
perror("error initializing caps");
exit(1);
}
ret = cap_clear(caps);
if (ret != 0) {
perror("could not clear capps");
exit(1);
}
ret = cap_set_proc(caps);
if (ret != 0) {
perror("could not drop caps");
exit(1);
}
cap_free(caps);
}
pid_t exec_kadmin_local(struct options *opts)
{
int stdin_pipes[2];
int stdout_pipes[2];
int stderr_pipes[2];
int ret;
pid_t chpid;
char *princ;
/* create a pair of pipes for stdin / stdout
of the child process.
*/
if (pipe(stdin_pipes) == -1) {
perror("creating stdin");
exit(1);
}
if (pipe(stdout_pipes) == -1) {
perror("creating stdin");
exit(1);
}
if (pipe(stderr_pipes) == -1) {
perror("creating stdin");
exit(1);
}
chpid = fork();
if (chpid == -1) {
perror("fork");
exit(1);
}
/* CHILD */
if (chpid == 0) {
/* stdin */
close(stdin_pipes[1]);
dup2(stdin_pipes[0], 0);
/* stdout */
close(stdout_pipes[0]);
dup2(stdout_pipes[1], 1);
/* stderr */
close(stderr_pipes[0]);
dup2(stdout_pipes[1], 2);
/* now exec kadmin.local */
ret = asprintf(&princ, "admin@%s", opts->realm);
if (!princ) {
perror("creating bind princ");
exit(1);
}
ret = execl(KADMIN_PATH, "kadmin.local", "-p", princ, NULL);
free(princ);
if (ret == -1) {
perror("exec");
exit(1);
}
} else {
close(stdin_pipes[0]);
close(stdout_pipes[1]);
close(stderr_pipes[1]);
opts->kstdin = stdin_pipes[1];
opts->kstdout = stdout_pipes[0];
opts->kstderr = stdout_pipes[0];
}
return chpid;
}
void write_to_kadmin(struct options *opts, char *buf, int len)
{
int ret;
ret = write(opts->kstdin, buf, len);
if (ret != len) {
perror("write");
fprintf(stderr, "write is short %d:%d\n", len, ret);
exit(1);
}
fsync(opts->kstdin);
}
char *get_temp_filename(void)
{
char *fname;
/* ok - we have to use mktemp here even w/ the race
* because kadmin.local barfs if the file exists. The
* risk is pretty low and we will try to protect the files
* with selinux.
*
* TODO: generate these files in a safer place than /tmp
*/
fname = strdup("/tmp/ipa-keytab-util-XXXXXX");
if (!fname) {
fprintf(stderr, "could not allocate temporary file name");
exit(1);
}
fname = mktemp(fname);
return fname;
}
char *create_keytab(struct options *opts)
{
char *buf, *fname;
int ret;
fname = get_temp_filename();
ret = asprintf(&buf, "ktadd -k %s %s\n", fname, opts->princ_name);
if (ret == -1) {
perror("asprintf");
exit(1);
}
write_to_kadmin(opts, buf, ret);
free(buf);
write_to_kadmin(opts, "quit\n", sizeof("quit\n"));
return fname;
}
void read_keytab(char *fname)
{
FILE *fd;
char *data;
long flen, ret;
fd = fopen(fname, "r");
if (!fd) {
fprintf(stderr, "could not open file %s: ", fname);
perror(NULL);
exit(1);
}
fseek(fd, 0, SEEK_END);
flen = ftell(fd);
rewind(fd);
data = xmalloc(flen);
/* TODO: handle short reads */
ret = fread(data, 1, flen, fd);
if (ret != flen) {
fprintf(stderr, "short read");
exit(1);
}
fclose(fd);
/* write to stdout */
ret = fwrite(data, 1, flen, stdout);
if (ret != flen) {
fprintf(stderr, "short write");
exit(1);
}
}
void remove_keytab(char *filename)
{
unlink(filename);
}
/* TODO: add significantly better authorization */
int main(int argc, char **argv)
{
struct options *opts;
pid_t chpid;
int status, ret;
char *fname;
opts = process_args(argc, argv);
/* must really be root */
setuid(0);
drop_caps();
chpid = exec_kadmin_local(opts);
fname = create_keytab(opts);
ret = waitpid(-1, &status, 0);
if (WEXITSTATUS(status)) {
fprintf(stderr, "error creating keytab\n");
exit(1);
}
read_keytab(fname);
remove_keytab(fname);
return 0;
}
Reference in New Issue View Git Blame Copy Permalink