exec patch for clear text items
Marc Phillips
rmarc at copacetic.net
Thu Jan 27 17:26:24 CET 2011
Thought this might be useful for others.
This is a first run through on an exec patch. I'm sure
it can be greatly improved. I've only tested it thus far
on Linux, but I don't see why it wouldn't work on other unix
platforms.
Adds in an exec option for any text field. This is useful
for me as I have policy that states I can't have any passwords
in clear text on the file system. I have an exec that calls
out to an encrypted database for password retrieval:
Just have to change your clear text entry to: "exec:<your callout>"
Just like in Apache for SSL passwords, but is good for any text field.
It also keeps the logger from logging the return value:
*** freeradius-server-2.1.10/src/main/conffile.c 2010-09-28 06:03:56.000000000 -0500
--- freeradius-server-2.1.10-exec/src/main/conffile.c 2011-01-27 09:26:07.000000000 -0600
***************
*** 921,927 ****
if (!value) return -1;
}
! cf_log_info(cs, "\t%s = \"%s\"", name, value ? value : "(null)");
*q = value ? strdup(value) : NULL;
break;
--- 921,951 ----
if (!value) return -1;
}
! /* Add Callout for cleartext values */
! if (strncmp(value,"exec:",5) == 0) {
! char *token;
! FILE *fileptr;
! char exec_return[1024];
! memset (exec_return,0x00,sizeof(exec_return));
! token = strtok(value,":");
! token = strtok(NULL,":");
! fileptr = popen(token, "r");
! if (fileptr == NULL) {
! return -1;
! }
! while (fgets(exec_return, sizeof(exec_return)-1, fileptr) != NULL) {
! }
! /* Get rid of carrage return from command output */
! exec_return[strlen(exec_return)-1]='\0';
! if (exec_return == NULL) {
! return -1;
! }
! pclose(fileptr);
! value = strdup(&exec_return);
! cf_log_info(cs, "\t%s = \"return from (%s)\"", name, token ? token : "(null)");
! } else {
! cf_log_info(cs, "\t%s = \"%s\"", name, value ? value : "(null)");
! }
*q = value ? strdup(value) : NULL;
break;
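Review bot: The added exec branch writes out of bounds when the command prints nothing: `exec_return[strlen(exec_return)-1]='\0'` indexes at -1 on an empty buffer, and otherwise drops the last character whether or not it is a newline. `strtok(value,":")` modifies the config value in place and cuts the command at its next colon, `token` is NULL for a bare `exec:`, and `strncmp` runs on `value` even though the neighbouring log line still treats it as possibly NULL. `exec_return == NULL` can never be true for an array, `strdup(&exec_return)` passes the wrong pointer type and its result is leaked when `*q` duplicates it again, and the `pclose()` status is ignored, so a failed helper yields an empty or partial secret that is accepted silently. Because `popen()` hands the string to the shell as the server's user, write access to any config file feeding this parser becomes command execution, which the option's documentation should state. The sketch below keeps the first output line (the original kept the last) and fails closed; the enclosing function starts and ends outside the hunk.

```c
/* … unchanged: value lookup and the `if (!value) return -1;` check above … */

/* Add callout for cleartext values */
if (value && strncmp(value, "exec:", 5) == 0) {
	const char *cmd = value + 5;	/* value is left untouched; ':' inside the command is kept */
	char exec_return[1024];
	FILE *fileptr;
	size_t len;
	int status;

	if (*cmd == '\0') return -1;	/* bare "exec:" with no command */

	fileptr = popen(cmd, "r");
	if (fileptr == NULL) return -1;

	/* Only the first line of output is used as the value */
	if (fgets(exec_return, sizeof(exec_return), fileptr) == NULL) {
		exec_return[0] = '\0';
	}
	status = pclose(fileptr);

	/* Strip the line ending only if one is present */
	len = strcspn(exec_return, "\r\n");
	exec_return[len] = '\0';

	/* Fail closed: a failing helper or empty output is a config error */
	if (status != 0 || len == 0) {
		memset(exec_return, 0, sizeof(exec_return));
		return -1;
	}

	/* Log the command, never the returned secret */
	cf_log_info(cs, "\t%s = \"return from (%s)\"", name, cmd);
	*q = strdup(exec_return);
	/* Best effort: a plain memset may be elided by the compiler */
	memset(exec_return, 0, sizeof(exec_return));
	if (*q == NULL) return -1;
} else {
	cf_log_info(cs, "\t%s = \"%s\"", name, value ? value : "(null)");
	*q = value ? strdup(value) : NULL;
}
break;
```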