2 * Copyright (c) 2005, PADL Software Pty Ltd.
5 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of PADL Software nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 kcm_access(krb5_context context,
48 KCM_ASSERT_VALID(ccache);
51 case KCM_OP_INITIALIZE:
54 case KCM_OP_REMOVE_CRED:
55 case KCM_OP_SET_FLAGS:
58 case KCM_OP_GET_INITIAL_TICKET:
59 case KCM_OP_GET_TICKET:
60 case KCM_OP_MOVE_CACHE:
61 case KCM_OP_SET_DEFAULT_CACHE:
62 case KCM_OP_SET_KDC_OFFSET:
71 case KCM_OP_GET_PRINCIPAL:
72 case KCM_OP_GET_CRED_UUID_LIST:
73 case KCM_OP_GET_CRED_BY_UUID:
74 case KCM_OP_GET_CACHE_UUID_LIST:
75 case KCM_OP_GET_CACHE_BY_UUID:
76 case KCM_OP_GET_DEFAULT_CACHE:
77 case KCM_OP_GET_KDC_OFFSET:
86 if (ccache->flags & KCM_FLAGS_OWNER_IS_SYSTEM) {
87 /* System caches cannot be reinitialized or destroyed by users */
88 if (opcode == KCM_OP_INITIALIZE ||
89 opcode == KCM_OP_DESTROY ||
90 opcode == KCM_OP_REMOVE_CRED ||
91 opcode == KCM_OP_MOVE_CACHE) {
96 /* Let root always read system caches */
97 if (CLIENT_IS_ROOT(client)) {
103 /* start out with "other" mask */
104 mask = S_IROTH|S_IWOTH;
106 /* root can do anything */
107 if (CLIENT_IS_ROOT(client)) {
109 mask |= S_IRUSR|S_IRGRP|S_IROTH;
111 mask |= S_IWUSR|S_IWGRP|S_IWOTH;
113 /* same session same as owner */
114 if (kcm_is_same_session(client, ccache->uid, ccache->session)) {
121 if (client->uid == ccache->uid) {
128 if (client->gid == ccache->gid) {
135 ret = (ccache->mode & mask) ? 0 : KRB5_FCC_PERM;
139 kcm_log(2, "Process %d is not permitted to call %s on cache %s",
140 client->pid, kcm_op2string(opcode), ccache->name);
147 kcm_chmod(krb5_context context,
152 KCM_ASSERT_VALID(ccache);
154 /* System cache mode can only be set at startup */
155 if (ccache->flags & KCM_FLAGS_OWNER_IS_SYSTEM)
156 return KRB5_FCC_PERM;
158 if (ccache->uid != client->uid)
159 return KRB5_FCC_PERM;
161 if (ccache->gid != client->gid)
162 return KRB5_FCC_PERM;
164 HEIMDAL_MUTEX_lock(&ccache->mutex);
168 HEIMDAL_MUTEX_unlock(&ccache->mutex);
174 kcm_chown(krb5_context context,
180 KCM_ASSERT_VALID(ccache);
182 /* System cache owner can only be set at startup */
183 if (ccache->flags & KCM_FLAGS_OWNER_IS_SYSTEM)
184 return KRB5_FCC_PERM;
186 if (ccache->uid != client->uid)
187 return KRB5_FCC_PERM;
189 if (ccache->gid != client->gid)
190 return KRB5_FCC_PERM;
192 HEIMDAL_MUTEX_lock(&ccache->mutex);
197 HEIMDAL_MUTEX_unlock(&ccache->mutex);
projects / FreeBSD / releng / 10.2.git / blob