From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 27 Nov 2020 19:23:54 +0000 (-0500)
Subject: Remove orphaned KfM password server support
X-Git-Tag: krb5-1.20-beta1~121
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9241e2e2ee83b11f5f585676b1f2283670dd0178;p=thirdparty%2Fkrb5.git

Remove orphaned KfM password server support
---

diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c
index 73d9bac2f1..2a386a70cf 100644
--- a/src/kadmin/server/ovsec_kadmd.c
+++ b/src/kadmin/server/ovsec_kadmd.c
@@ -76,10 +76,6 @@ char *kprop_port = NULL;
 static krb5_context context;
 static char *progname;
 
-#ifdef USE_PASSWORD_SERVER
-void kadm5_set_use_password_server(void);
-#endif
-
 static void
 usage()
 {
@@ -396,10 +392,6 @@ main(int argc, char *argv[])
             params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
         } else if (strcmp(*argv, "-nofork") == 0) {
             nofork = 1;
-#ifdef USE_PASSWORD_SERVER
-        } else if (strcmp(*argv, "-passwordserver") == 0) {
-            kadm5_set_use_password_server();
-#endif
 #ifndef DISABLE_IPROP
         } else if (strcmp(*argv, "-proponly") == 0) {
             proponly = 1;
diff --git a/src/lib/kadm5/srv/libkadm5srv_mit.exports b/src/lib/kadm5/srv/libkadm5srv_mit.exports
index e3c04e690a..6804f1e1cc 100644
--- a/src/lib/kadm5/srv/libkadm5srv_mit.exports
+++ b/src/lib/kadm5/srv/libkadm5srv_mit.exports
@@ -1,7 +1,6 @@
 _kadm5_check_handle
 _kadm5_chpass_principal_util
 hist_princ
-kadm5_set_use_password_server
 kadm5_chpass_principal
 kadm5_chpass_principal_3
 kadm5_chpass_principal_util
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 315c541419..8c3ad3a691 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -9,10 +9,6 @@
 #include        <kadm5/admin.h>
 #include        <kdb.h>
 #include        "server_internal.h"
-#ifdef USE_PASSWORD_SERVER
-#include        <sys/wait.h>
-#include        <signal.h>
-#endif
 
 #include <krb5/kadm5_hook_plugin.h>
 
@@ -1221,109 +1217,6 @@ static kadm5_ret_t add_to_history(krb5_context context,
     return(0);
 }
 
-/* FIXME: don't use global variable for this */
-krb5_boolean use_password_server = 0;
-
-#ifdef USE_PASSWORD_SERVER
-static krb5_boolean
-kadm5_use_password_server (void)
-{
-    return use_password_server;
-}
-#endif
-
-void kadm5_set_use_password_server (void);
-
-void
-kadm5_set_use_password_server (void)
-{
-    use_password_server = 1;
-}
-
-#ifdef USE_PASSWORD_SERVER
-
-/*
- * kadm5_launch_task () runs a program (task_path) to synchronize the
- * Apple password server with the Kerberos database.  Password server
- * programs can receive arguments on the command line (task_argv)
- * and a block of data via stdin (data_buffer).
- *
- * Because a failure to communicate with the tool results in the
- * password server falling out of sync with the database,
- * kadm5_launch_task() always fails if it can't talk to the tool.
- */
-
-static kadm5_ret_t
-kadm5_launch_task (krb5_context context,
-                   const char *task_path, char * const task_argv[],
-                   const char *buffer)
-{
-    kadm5_ret_t ret;
-    int data_pipe[2];
-
-    ret = pipe (data_pipe);
-    if (ret)
-        ret = errno;
-
-    if (!ret) {
-        pid_t pid = fork ();
-        if (pid == -1) {
-            ret = errno;
-            close (data_pipe[0]);
-            close (data_pipe[1]);
-        } else if (pid == 0) {
-            /* The child: */
-
-            if (dup2 (data_pipe[0], STDIN_FILENO) == -1)
-                _exit (1);
-
-            close (data_pipe[0]);
-            close (data_pipe[1]);
-
-            execv (task_path, task_argv);
-
-            _exit (1); /* Fail if execv fails */
-        } else {
-            /* The parent: */
-            int status;
-
-            ret = 0;
-
-            close (data_pipe[0]);
-
-            /* Write out the buffer to the child, add \n */
-            if (buffer) {
-                if (krb5_net_write (context, data_pipe[1], buffer, strlen (buffer)) < 0
-                    || krb5_net_write (context, data_pipe[1], "\n", 1) < 0)
-                {
-                    /* kill the child to make sure waitpid() won't hang later */
-                    ret = errno;
-                    kill (pid, SIGKILL);
-                }
-            }
-            close (data_pipe[1]);
-
-            waitpid (pid, &status, 0);
-
-            if (!ret) {
-                if (WIFEXITED (status)) {
-                    /* child read password and exited.  Check the return value. */
-                    if ((WEXITSTATUS (status) != 0) && (WEXITSTATUS (status) != 252)) {
-                        ret = KRB5KDC_ERR_POLICY; /* password change rejected */
-                    }
-                } else {
-                    /* child read password but crashed or was killed */
-                    ret = KRB5KRB_ERR_GENERIC; /* FIXME: better error */
-                }
-            }
-        }
-    }
-
-    return ret;
-}
-
-#endif
-
 kadm5_ret_t
 kadm5_chpass_principal(void *server_handle,
                        krb5_principal principal, char *password)
@@ -1453,35 +1346,6 @@ kadm5_chpass_principal_3(void *server_handle,
             kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
     }
 
-#ifdef USE_PASSWORD_SERVER
-    if (kadm5_use_password_server () &&
-        (krb5_princ_size (handle->context, principal) == 1)) {
-        krb5_data *princ = krb5_princ_component (handle->context, principal, 0);
-        const char *path = "/usr/sbin/mkpassdb";
-        char *argv[] = { "mkpassdb", "-setpassword", NULL, NULL };
-        char *pstring = NULL;
-
-        if (!ret) {
-            pstring = malloc ((princ->length + 1) * sizeof (char));
-            if (pstring == NULL) { ret = ENOMEM; }
-        }
-
-        if (!ret) {
-            memcpy (pstring, princ->data, princ->length);
-            pstring [princ->length] = '\0';
-            argv[2] = pstring;
-
-            ret = kadm5_launch_task (handle->context, path, argv, password);
-        }
-
-        if (pstring != NULL)
-            free (pstring);
-
-        if (ret)
-            goto done;
-    }
-#endif
-
     ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now);
     if (ret)
         goto done;