#include "kcm_locl.h"
krb5_error_code
kcm_access(krb5_context context,
kcm_client *client,
kcm_operation opcode,
kcm_ccache ccache)
{
krb5_error_code ret;
KCM_ASSERT_VALID(ccache);
if (ccache->flags & KCM_FLAGS_OWNER_IS_SYSTEM) {
if (CLIENT_IS_ROOT(client)) {
ret = 0;
} else {
ret = KRB5_FCC_PERM;
}
} else if (kcm_is_same_session(client, ccache->uid, ccache->session)) {
ret = 0;
} else {
ret = KRB5_FCC_PERM;
}
if (ret) {
kcm_log(2, "Process %d is not permitted to call %s on cache %s",
client->pid, kcm_op2string(opcode), ccache->name);
}
return ret;
}
krb5_error_code
kcm_principal_access(krb5_context context,
kcm_client *client,
krb5_principal server,
kcm_operation opcode,
kcm_ccache ccache)
{
KCM_ASSERT_VALID(ccache);
if (!(server->name.name_string.len == 2 &&
strcmp(server->name.name_string.val[0], "krb5_ccache_conf_data") == 0 &&
strcmp(server->name.name_string.val[1], "password") == 0))
{
return 0;
}
krb5_error_code ret = KRB5_FCC_PERM;
switch (client->iakerb_access) {
case IAKERB_NOT_CHECKED:
{
const char* callingApp = kcm_client_get_execpath(client);
kcm_log(1, "kcm_principal_access: calling app: %s", callingApp);
if (krb5_has_entitlement(client->audit_token, CFSTR("com.apple.private.gssapi.iakerb-data-access"))) {
kcm_log(1, "kcm_principal_access: has entitlement");
client->iakerb_access = IAKERB_ACCESS_GRANTED;
} else if (strcmp(callingApp, "/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent") == 0 &&
krb5_applesigned(context, client->audit_token, "com.apple.NetAuthSysAgent")) {
client->iakerb_access = IAKERB_ACCESS_GRANTED;
} else if (strcmp(callingApp, "/usr/sbin/gssd") == 0 &&
krb5_applesigned(context, client->audit_token, "com.apple.gssd")) {
client->iakerb_access = IAKERB_ACCESS_GRANTED;
} else {
client->iakerb_access = IAKERB_ACCESS_DENIED;
}
if (client->iakerb_access == IAKERB_ACCESS_GRANTED) {
ret = 0;
}
break;
}
case IAKERB_ACCESS_GRANTED:
ret = 0;
break;
default:
ret = KRB5_FCC_PERM;
break;
}
kcm_log(1, (ret == 0 ? "kcm_principal_access: access allowed" : "kcm_principal_access: access denied"));
return ret;
}
krb5_error_code
kcm_chmod(krb5_context context,
kcm_client *client,
kcm_ccache ccache,
uint16_t mode)
{
KCM_ASSERT_VALID(ccache);
if (ccache->flags & KCM_FLAGS_OWNER_IS_SYSTEM)
return KRB5_FCC_PERM;
if (ccache->uid != client->uid)
return KRB5_FCC_PERM;
return 0;
}
krb5_error_code
kcm_chown(krb5_context context,
kcm_client *client,
kcm_ccache ccache,
uid_t uid)
{
KCM_ASSERT_VALID(ccache);
if (ccache->flags & KCM_FLAGS_OWNER_IS_SYSTEM)
return KRB5_FCC_PERM;
if (ccache->uid != client->uid && client->uid != 0)
return KRB5_FCC_PERM;
HEIMDAL_MUTEX_lock(&ccache->mutex);
ccache->uid = uid;
HEIMDAL_MUTEX_unlock(&ccache->mutex);
return 0;
}