From c0ff0c7f42238cb83d37d85950c58dc449b26f01 Mon Sep 17 00:00:00 2001
From: Cheyenne Wills
Date: Wed, 21 Jun 2023 10:12:41 -0600
Subject: [PATCH] auth: Remove src/auth/copyauth
Analysis of the source for code for copyauth has flagged potential string buffer overflows due to the use of strcpy. Attempting to fix the use of strcpy, would require additional work since copyauth currently fails to build due to unresolved external references during linking. The copyauth command has not been built by default on non-Windows systems since 2009, 'curpag-via-pioctl-20090603' (4af75fe96a), and never has been built by default on Windows system since the initial git commit for openafs. According to the man page, the functionality of copyauth has been superseded by aklog, there is also a caution noted about using copyauth due to security concerns. Remove the copyauth utility and the associated references.
Change-Id: I96ba9af341bc97a329132ed4fd39f3b567d0ea4a
Reviewed-on: https://gerrit.openafs.org/15480
Reviewed-by: Andrew Deason
Tested-by: BuildBot
Reviewed-by: Michael Meffie
---
 doc/man-pages/NTMakefile | 1 -
 doc/man-pages/pod1/copyauth.pod | 44 ----------
 src/WINNT/install/wix/files.wxi | 1 -
 src/auth/.gitignore | 1 -
 src/auth/Makefile.in | 8 +-
 src/auth/NTMakefile | 15 +---
 src/auth/copyauth.c | 86 -------------------
 src/auth/test/Makefile.in | 2 +-
 .../HP-UX/psf-1.2.10-transarc-paths-11.00 | 1 -
 .../HP-UX/psf-1.2.10-transarc-paths-11.11 | 1 -
 .../HP-UX/psf-1.2.10-transarc-paths-11.22 | 1 -
 src/packaging/RedHat/openafs.spec.in | 1 -
 12 files changed, 3 insertions(+), 159 deletions(-)
 delete mode 100644 doc/man-pages/pod1/copyauth.pod
 delete mode 100644 src/auth/copyauth.c
diff --git a/doc/man-pages/NTMakefile b/doc/man-pages/NTMakefile
index eb6e4c505c..3fbd777977 100644
--- a/doc/man-pages/NTMakefile
+++ b/doc/man-pages/NTMakefile
@@ -33,7 +33,6 @@ PODS = \
 pod1\aklog.pod \
 pod1\cmdebug.pod \
 pod1\afs_compile_et.pod \
- pod1\copyauth.pod \
 pod1\dlog.pod \
 pod1\fs.pod \
 pod1\fs_apropos.pod \
diff --git a/doc/man-pages/pod1/copyauth.pod b/doc/man-pages/pod1/copyauth.pod
deleted file mode 100644
index a578acdc0c..0000000000
--- a/doc/man-pages/pod1/copyauth.pod
+++ /dev/null
@@ -1,44 +0,0 @@
-=head1 NAME
-
-copyauth - Copies user's AFS credentials to a new cell
-
-=head1 SYNOPSIS
-
-=for html
-
-
-B S<<< > >>>
-
-=for html
-
- -=head1 DESCRIPTION - -The B command copies existing AFS credentials in the local -cell to the foreign cell specified on the command line. - -The functionality in this command is largely superseded by L. - -=head1 CAUTIONS - -This functionality only works if you have a shared AFS key across multiple -cells, which is strongly discouraged as it weakens security. If you do -not understand those risks, you should not use this tool. - -=head1 EXAMPLES - - % copyauth other.cell.org - -=head1 PRIVILEGE REQUIRED - -None. - -=head1 SEE ALSO - -L, -L - -=head1 COPYRIGHT - -This documentation was written by Steven Jenkins and is covered -by the IBM Public License Version 1.0. diff --git a/src/WINNT/install/wix/files.wxi b/src/WINNT/install/wix/files.wxi index fa3ac11be6..af73cc89cb 100644 --- a/src/WINNT/install/wix/files.wxi +++ b/src/WINNT/install/wix/files.wxi @@ -361,7 +361,6 @@ - diff --git a/src/auth/.gitignore b/src/auth/.gitignore index 25eb94394b..128c5d8aa4 100644 --- a/src/auth/.gitignore +++ b/src/auth/.gitignore @@ -5,7 +5,6 @@ /acfg_errors.c /auth.h /cellconfig.h -/copyauth /ktc_errors.c /setkey /token.h diff --git a/src/auth/Makefile.in b/src/auth/Makefile.in index 3f132f13a5..524cfd6400 100644 --- a/src/auth/Makefile.in +++ b/src/auth/Makefile.in @@ -87,7 +87,6 @@ cellconfig.lo: cellconfig.c ${INCLS} realms.lo: realms.c ${INCLS} netrestrict.lo: ${INCLS} -copyauth.o: copyauth.c ${INCLS} AFS_component_version_number.o setkey.o: setkey.c ${INCLS} AFS_component_version_number.o $(LT_objs): $(INCLS) @@ -111,9 +110,6 @@ libauth_pic.la: $(LT_objs) libpam_auth.la: $(BASE_objs) $(LT_LDLIB_pic) $(BASE_objs) -copyauth: copyauth.o ${LIBS} - $(AFS_LDRULE) copyauth.o ${LIBS} ${XLIBS} - setkey: setkey.o ${LIBS} $(AFS_LDRULE) setkey.o ${LIBS} ${XLIBS} 
@@ -126,7 +122,6 @@ cellconfig.h: acfg_errors.et cellconfig.p.h CFLAGS_authcon.lo = @CFLAGS_NODEPRECATED_DECLARATIONS@ authcon.lo: cellconfig.h cellconfig.lo: cellconfig.h -copyauth.o: cellconfig.h keys.lo: cellconfig.h ktc.lo: cellconfig.h netrestrict.lo: cellconfig.h @@ -141,7 +136,6 @@ auth.h: ktc_errors.et auth.p.h ${COMPILE_ET_H} -p ${srcdir} ktc_errors -h auth authcon.lo: auth.h -copyauth.o: auth.h ktc.lo: auth.h token.lo: auth.h userok.lo: auth.h @@ -187,7 +181,7 @@ test: clean: $(LT_CLEAN) - $(RM) -f *.o *.a copyauth setkey auth.h cellconfig.h acfg_errors.c \ + $(RM) -f *.o *.a setkey auth.h cellconfig.h acfg_errors.c \ ktc_errors.c token.h token.xdr.c core Ktoken.xdr.c \ AFS_component_version_number.c diff --git a/src/auth/NTMakefile b/src/auth/NTMakefile index 28bca867a0..2615f7c33a 100644 --- a/src/auth/NTMakefile +++ b/src/auth/NTMakefile @@ -108,19 +108,6 @@ $(SETKEY_EXEFILE): $(SETKEY_EXEOBJS) $(EXELIBS) $(CODESIGN_USERLAND) $(SYMSTORE_IMPORT) -# build copyauth -COPYAUTH_EXEFILE = $(DESTDIR)\etc\copyauth.exe - -COPYAUTH_EXEOBJS =\ - $(OUT)\copyauth.obj - -$(COPYAUTH_EXEFILE): $(COPYAUTH_EXEOBJS) $(EXELIBS) - $(EXECONLINK) - $(_VC_MANIFEST_EMBED_EXE) - $(EXEPREP) - $(CODESIGN_USERLAND) - $(SYMSTORE_IMPORT) - $(INCFILES):$$(@F) $(COPY) $** $(INCFILEDIR)\. @@ -134,7 +121,7 @@ ktc_errors.c auth.h: ktc_errors.et auth.p.h install_headers: $(INCFILES) -install: $(AFSAUTH_LIBFILE) $(AFSAUTH_KRB_LIBFILE) $(OUT)\setkey.exe # $(COPYAUTH_EXEFILE) +install: $(AFSAUTH_LIBFILE) $(AFSAUTH_KRB_LIBFILE) $(OUT)\setkey.exe clean:: $(DEL) acfg_errors.c ktc_errors.c diff --git a/src/auth/copyauth.c b/src/auth/copyauth.c deleted file mode 100644 index 17503b0a2e..0000000000 --- a/src/auth/copyauth.c +++ /dev/null 
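Review bot: In the `clean` hunk of src/auth/Makefile.in, `copyauth` is dropped from the `$(RM)` list in the same commit that drops `/copyauth` from src/auth/.gitignore, so an executable left in a build tree by an earlier manual build is no longer removed by `make clean`. Because the tool is being retired over strcpy overflow findings, a stale copy is the one artifact most worth still deleting. Consider keeping the name in the list for a transition period, `$(RM) -f *.o *.a copyauth setkey auth.h cellconfig.h acfg_errors.c \`, with a comment above the rule such as `# copyauth was removed; still cleaned so stale builds do not linger`. This is probably a rare case, since the commit message says the program has not been built by default since 2009 and currently fails to link.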
@@ -1,86 +0,0 @@ -/* - * Copyright 2000, International Business Machines Corporation and others. - * All Rights Reserved. - * - * This software has been released under the terms of the IBM Public - * License. For details, see the LICENSE file in the top-level source - * directory or online at http://www.openafs.org/dl/license10.html - */ - -#include -#include - -#include - -#include - -#include "auth.h" -#include "cellconfig.h" - -#include "AFS_component_version_number.c" - -char whoami[256]; - -int -main(int argc, char **argv) -{ - char localName[64]; - afs_int32 code; - char *cname; - struct afsconf_dir *tdir; - struct ktc_principal tserver; - struct ktc_token token; - - strcpy(whoami, argv[0]); - - if (argc <= 1) { - printf - ("%s: copies a file system ticket from the local cell to another cell\n", - whoami); - printf("%s: usage is 'setauth \n", whoami); - exit(1); - } - - cname = argv[1]; - - /* lookup the name of the local cell */ - tdir = afsconf_Open(AFSDIR_CLIENT_ETC_DIRPATH); - if (!tdir) { - printf("copyauth: can't open dir %s\n", AFSDIR_CLIENT_ETC_DIRPATH); - exit(1); - } - code = afsconf_GetLocalCell(tdir, localName, sizeof(localName)); - if (code) { - printf("%s: can't determine local cell name\n", whoami); - exit(1); - } - /* done with configuration stuff now */ - afsconf_Close(tdir); - - - /* get ticket in local cell */ - strcpy(tserver.cell, localName); - strcpy(tserver.name, "afs"); - tserver.instance[0] = 0; - code = ktc_GetToken(&tserver, &token, sizeof(token), NULL); - if (code) { - printf - ("%s: failed to get '%s' service ticket in cell '%s' (code %d)\n", - whoami, tserver.name, tserver.cell, code); - exit(1); - } - - /* and now set the ticket in the new cell */ - strcpy(tserver.cell, argv[1]); - code = ktc_SetToken(&tserver, &token, NULL, 0); - if (code) { - printf - ("%s: failed to set ticket (code %d), are you sure you're authenticated?\n", - whoami, code); - exit(1); - } - - /* all done */ - printf("Authentication established for cell 
%s.\n", cname); - exit(0); -} diff --git a/src/auth/test/Makefile.in b/src/auth/test/Makefile.in index 57407c7660..3be7596f7a 100644 --- a/src/auth/test/Makefile.in +++ b/src/auth/test/Makefile.in @@ -33,7 +33,7 @@ testnetrestrict: testnetrestrict.lo clean: $(LT_CLEAN) - $(RM) -f *.o copyauth testcellconf ktctest testnetrestrict core + $(RM) -f *.o testcellconf ktctest testnetrestrict core install: diff --git a/src/packaging/HP-UX/psf-1.2.10-transarc-paths-11.00 b/src/packaging/HP-UX/psf-1.2.10-transarc-paths-11.00 index b3dcff9b0e..b42a1a3434 100644 --- a/src/packaging/HP-UX/psf-1.2.10-transarc-paths-11.00 +++ b/src/packaging/HP-UX/psf-1.2.10-transarc-paths-11.00 @@ -182,7 +182,6 @@ file_permissions -u 222 -o root -g sys file backup file butc - file copyauth file fms file fstrace file kas diff --git a/src/packaging/HP-UX/psf-1.2.10-transarc-paths-11.11 b/src/packaging/HP-UX/psf-1.2.10-transarc-paths-11.11 index 03a04fa039..d42e85f6bc 100644 --- a/src/packaging/HP-UX/psf-1.2.10-transarc-paths-11.11 +++ b/src/packaging/HP-UX/psf-1.2.10-transarc-paths-11.11 @@ -183,7 +183,6 @@ file_permissions -u 222 -o root -g sys file backup file butc - file copyauth file fms file fstrace file kas diff --git a/src/packaging/HP-UX/psf-1.2.10-transarc-paths-11.22 b/src/packaging/HP-UX/psf-1.2.10-transarc-paths-11.22 index 5f447373f3..7e25acf6ac 100644 --- a/src/packaging/HP-UX/psf-1.2.10-transarc-paths-11.22 +++ b/src/packaging/HP-UX/psf-1.2.10-transarc-paths-11.22 @@ -182,7 +182,6 @@ file_permissions -u 222 -o root -g sys file backup file butc - file copyauth file fms file fstrace file kas diff --git a/src/packaging/RedHat/openafs.spec.in b/src/packaging/RedHat/openafs.spec.in index a91f07a144..186b5f6fed 100644 --- a/src/packaging/RedHat/openafs.spec.in +++ b/src/packaging/RedHat/openafs.spec.in 
@@ -776,7 +776,6 @@ rm -f $RPM_BUILD_ROOT%{_mandir}/man1/symlink_list.1
 rm -f $RPM_BUILD_ROOT%{_mandir}/man1/symlink_make.1
 rm -f $RPM_BUILD_ROOT%{_mandir}/man1/symlink_remove.1
 rm -f $RPM_BUILD_ROOT%{_mandir}/man1/dlog.*
-rm -f $RPM_BUILD_ROOT%{_mandir}/man1/copyauth.*
 rm -f $RPM_BUILD_ROOT%{_mandir}/man1/dpass.*
 rm -f $RPM_BUILD_ROOT%{_mandir}/man1/livesys.*
 rm -f $RPM_BUILD_ROOT%{_mandir}/man8/afsd.fuse.8