Fix kdb5_ldap_util stashsrvpw password file logic

kdb5_ldap_util stashsrvpw has several inconsistencies with the password file determination in libkdb_ldap, and could try to fopen() a NULL filename in some cases. Factor out the determination of the configured password file and make it consistent with libkdb_ldap. DEF_SERVICE_PASSWD_FILE is no longer used after these changes, as it is not respected by libkdb_ldap. Reported by Will Fiveash. ticket: 8295
krb5 · Apr 6, 2016 · e2d7a66 · e2d7a66 · wfiveash · Apr 6, 2016
1 parent 9a892a3
commit e2d7a66
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 27 deletions.
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -40,6 +40,49 @@
 #include "kdb5_ldap_util.h"
 #include "kdb5_ldap_list.h"
 
+/* Get the configured LDAP service password file.  The caller should free the
+ * result with profile_release_string(). */
+static krb5_error_code
+get_conf_service_file(profile_t profile, const char *realm, char **path_out)
+{
+    char *subsection, *path;
+    long ret;
+
+    *path_out = NULL;
+
+    /* Get the [dbmodules] subsection for realm. */
+    ret = profile_get_string(profile, KDB_REALM_SECTION, realm,
+                             KDB_MODULE_POINTER, realm, &subsection);
+    if (ret)
+        return ret;
+
+    /* Look up the password file in the [dbmodules] subsection. */
+    ret = profile_get_string(profile, KDB_MODULE_SECTION, subsection,
+                             KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE, NULL,
+                             &path);
+    profile_release_string(subsection);
+    if (ret)
+        return ret;
+
+    if (path == NULL) {
+        /* Look up the password file in [dbdefaults] as a fallback. */
+        ret = profile_get_string(profile, KDB_MODULE_DEF_SECTION,
+                                 KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE, NULL,
+                                 NULL, &path);
+        if (ret)
+            return ret;
+    }
+
+    if (path == NULL) {
+        k5_setmsg(util_context, ENOENT,
+                  _("ldap_service_password_file not configured"));
+        return ENOENT;
+    }
+
+    *path_out = path;
+    return 0;
+}
+
 /*
  * Convert the user supplied password into hexadecimal and stash it. Only a
  * little more secure than storing plain password in the file ...
@@ -97,37 +140,19 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
             goto cleanup;
         }
     } else { /* argc == 2 */
-        char *section;
-
         service_object = strdup (argv[1]);
         if (service_object == NULL) {
             com_err(me, ENOMEM, _("while setting service object password"));
             goto cleanup;
         }
 
-        /* Pick up the stash-file name from krb5.conf */
-        profile_get_string(util_context->profile, KDB_REALM_SECTION,
-                           util_context->default_realm, KDB_MODULE_POINTER, NULL, &section);
-
-        if (section == NULL) {
-            profile_get_string(util_context->profile, KDB_MODULE_DEF_SECTION,
-                               KDB_MODULE_POINTER, NULL, NULL, &section);
-            if (section == NULL) {
-                /* Stash file path neither in krb5.conf nor on command line */
-                file_name = strdup(DEF_SERVICE_PASSWD_FILE);
-                if (file_name == NULL) {
-                    com_err(me, ENOMEM,
-                            _("while setting service object password"));
-                    goto cleanup;
-                }
-                goto done;
-            }
+        ret = get_conf_service_file(util_context->profile,
+                                    util_context->default_realm, &file_name);
+        if (ret) {
+            com_err(me, ret, _("while getting service password filename"));
+            goto cleanup;
         }
-
-        profile_get_string (util_context->profile, KDB_MODULE_SECTION, section,
-                            "ldap_service_password_file", NULL, &file_name);
     }
-done:
 
     /* Get password from user */
     {
@@ -296,8 +321,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
     if (service_object)
         free(service_object);
 
-    if (file_name)
-        free(file_name);
+    profile_release_string(file_name);
 
     if (tmp_file)
         free(tmp_file);

diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h
@@ -32,8 +32,6 @@
 #define MAX_LEN                 1024
 #define MAX_SERVICE_PASSWD_LEN  256
 
-#define DEF_SERVICE_PASSWD_FILE "/usr/local/var/service_passwd"
-
 extern int tohex(krb5_data, krb5_data *);
 
 extern void kdb5_ldap_stash_service_password(int argc, char **argv);