X-Git-Url: http://git.hungrycats.org/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=driver%2Fpasswd-kerberos.c;h=202e0eb10982395a2f1c1186545c55e7ec4da38e;hb=de460e831dc8578acfa8b72251ab9346c99c1f96;hp=1fbe2af9576930004241b858b0a850f60a05e4a9;hpb=2c902d6065f9856adf31e8540a94f1e42e68e905;p=xscreensaver diff --git a/driver/passwd-kerberos.c b/driver/passwd-kerberos.c index 1fbe2af9..202e0eb1 100644 --- a/driver/passwd-kerberos.c +++ b/driver/passwd-kerberos.c @@ -1,7 +1,6 @@ /* kpasswd.c --- verify kerberos passwords. * written by Nat Lanza (magus@cs.cmu.edu) for - * xscreensaver, Copyright (c) 1993-1997, 1998, 2000, 2003 - * Jamie Zawinski + * xscreensaver, Copyright (c) 1993-2004 Jamie Zawinski * * Permission to use, copy, modify, distribute, and sell this software and its * documentation for any purpose is hereby granted without fee, provided that @@ -26,12 +25,13 @@ #include #include #include +#include /* I'm not sure if this is exactly the right test... Might __APPLE__ be defined if this is apple hardware, but not an Apple OS? - Thanks to Jan Kujawa for the MacOS X code. + Thanks to Alexei Kosut for the MacOS X code. */ #ifdef __APPLE__ # define HAVE_DARWIN @@ -75,9 +75,13 @@ static char realm[REALM_SZ]; static char name[ANAME_SZ]; static char inst[INST_SZ]; - static char *tk_file; + static const char *tk_file; #endif /* !HAVE_DARWIN */ +/* warning suppression: duplicated in passwd.c */ +extern Bool kerberos_lock_init (int argc, char **argv, Bool verbose_p); +extern Bool kerberos_passwd_valid_p (const char *typed_passwd, Bool verbose_p); + /* Called at startup to grab user, instance, and realm information from the user's ticketfile (remember, name.inst@realm). Since we're @@ -161,12 +165,14 @@ kerberos_lock_init (int argc, char **argv, Bool verbose_p) we are. Calling it ive_got_your_local_function_right_here_buddy() would have been rude. */ +#ifndef HAVE_DARWIN static int key_to_key(char *user, char *instance, char *realm, char *passwd, C_Block key) { memcpy(key, passwd, sizeof(des_cblock)); return (0); } +#endif /* !HAVE_DARWIN */ /* Called to see if the user's typed password is valid. We do this by asking the kerberos server for a ticket and checking to see if it gave us one. @@ -190,6 +196,7 @@ kerberos_passwd_valid_p (const char *typed_passwd, Bool verbose_p) C_Block mitkey; Bool success; char *newtkfile; + int fh = -1; /* temporarily switch to a new ticketfile. I'm not using tmpnam() because it isn't entirely portable. @@ -197,7 +204,19 @@ kerberos_passwd_valid_p (const char *typed_passwd, Bool verbose_p) newtkfile = malloc(80 * sizeof(char)); memset(newtkfile, 0, sizeof(newtkfile)); - sprintf(newtkfile, "/tmp/xscrn-%i", getpid()); + sprintf(newtkfile, "/tmp/xscrn-%i.XXXXXX", getpid()); + + if( (fh = mkstemp(newtkfile)) < 0) + { + free(newtkfile); + return(False); + } + if( fchmod(fh, 0600) < 0) + { + free(newtkfile); + return(False); + } + krb_set_tkt_string(newtkfile); @@ -207,7 +226,7 @@ kerberos_passwd_valid_p (const char *typed_passwd, Bool verbose_p) des_string_to_key(typed_passwd, mitkey); if (krb_get_in_tkt(name, inst, realm, "krbtgt", realm, DEFAULT_TKT_LIFE, - key_to_key, NULL, mitkey) != 0) { + key_to_key, NULL, (char *) mitkey) != 0) { success = False; } else { success = True; @@ -220,6 +239,7 @@ kerberos_passwd_valid_p (const char *typed_passwd, Bool verbose_p) krb_set_tkt_string(tk_file); free(newtkfile); memset(mitkey, 0, sizeof(mitkey)); + close(fh); /* #### tom: should the file be removed? */ /* Did we verify successfully? */