[torquedev] really patch: gssapi: use pam_open_session for AFS PAG
and tokens
Sergio Gelato
Sergio.Gelato at astro.su.se
Wed May 30 06:46:08 MDT 2007
Oops! I forgot to actually attach the patches. Here they are...
-------------- next part --------------
diff -ru gssapi-1301/configure.ac new/configure.ac
--- gssapi-1301/configure.ac 2007-02-16 20:41:27.000000000 +0100
+++ new/configure.ac 2007-05-30 14:27:51.942115877 +0200
@@ -1017,8 +1017,12 @@
AC_DEFINE_UNQUOTED(pam_get_user_2nd_arg_t, $tac_pam_get_user_2nd_arg,
[type to use for 2nd arg of pam_get_user])
-
-
+dnl check for PAM library
+AC_CHECK_LIB(pam, pam_set_item,
+ [LIBPAM="-lpam"
+ AC_CHECK_LIB(dl, dlopen, [LIBPAM="$LIBPAM -dl"])
+ ])
+AC_SUBST(LIBPAM)
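Review bot: The libdl probe on L19 appends `-dl` rather than `-ldl` to LIBPAM, so on a platform that needs libdl the link line carries an unknown flag instead of the library; the line should read `AC_CHECK_LIB(dl, dlopen, [LIBPAM="$LIBPAM -ldl"])`. pbsgss.c gates the whole PAM path on HAVE_SECURITY_PAM_APPL_H and the new pbsgss.h on HAVE_GSSAPI_GSSAPI_H and friends, but this hunk adds no AC_CHECK_HEADERS for any of them; unless those checks already exist elsewhere in configure.ac (not visible here), USE_PAM is never defined, the new session code is dead, and libpam is linked for nothing. Adding `AC_CHECK_HEADERS([security/pam_appl.h gssapi/gssapi.h gssapi/gssapi_generic.h gssapi/gssapi_krb5.h])` next to the library check would make the two sides agree.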
diff -ru gssapi-1301/src/include/pbsgss.h new/src/include/pbsgss.h
--- gssapi-1301/src/include/pbsgss.h 2007-02-08 21:49:57.000000000 +0100
+++ new/src/include/pbsgss.h 2007-05-30 14:27:51.943115946 +0200
@@ -1,9 +1,18 @@
#ifndef _PBSGSS_H_
#define _PBSGSS_H_
+#include "pbs_config.h"
+
+#ifdef HAVE_GSSAPI_GSSAPI_H
#include <gssapi/gssapi.h>
+#endif
+#ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H
#include <gssapi/gssapi_generic.h>
+#endif
+#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H
#include <gssapi/gssapi_krb5.h>
+#endif
+
#include <stdio.h>
extern gss_buffer_t empty_token;
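Review bot: The includes on L30-38 are now conditional, but `extern gss_buffer_t empty_token;` on L41 and the prototypes below still need gss_buffer_t unconditionally, so the header does not actually become usable without the GSS-API headers; it only changes the failure from a missing-include error to an unknown-type error. If the HAVE_GSSAPI_*_H macros come from an AC_CHECK_HEADERS I cannot see in this patch that is harmless, otherwise they are never defined and a build that compiled before this change now fails; a comment such as `/* HAVE_GSSAPI_*_H are set by configure; at least gssapi/gssapi.h is required */` would make the dependency explicit.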
@@ -39,7 +48,7 @@
char *ccname);
char *ccname_for_job(char *jobnamem, char *prefix);
-int authenticate_as_job(char *jobname,int setpag);
+int authenticate_as_job(char *username,char *jobname,int setpag);
int pbsgss_renew_creds (char *jobname, char *prefix);
/* Token types */
diff -ru gssapi-1301/src/lib/Libgss/Makefile.am new/src/lib/Libgss/Makefile.am
--- gssapi-1301/src/lib/Libgss/Makefile.am 2007-02-16 20:41:15.000000000 +0100
+++ new/src/lib/Libgss/Makefile.am 2007-05-30 14:27:51.943115946 +0200
@@ -3,4 +3,4 @@
lib_LTLIBRARIES = libtorquegss.la
libtorquegss_la_SOURCES = pbsgss.c
-
+libtorquegss_la_LIBADD = @LIBPAM@
diff -ru gssapi-1301/src/lib/Libgss/pbsgss.c new/src/lib/Libgss/pbsgss.c
--- gssapi-1301/src/lib/Libgss/pbsgss.c 2007-05-22 08:50:46.000000000 +0200
+++ new/src/lib/Libgss/pbsgss.c 2007-05-30 14:27:51.943115946 +0200
@@ -75,6 +75,11 @@
#include "dis.h"
#include "dis_init.h"
+#ifdef HAVE_SECURITY_PAM_APPL_H
+#include <security/pam_appl.h>
+#define USE_PAM
+#endif
+
static int retry = 0;
gss_buffer_desc empty_token_buf = { 0, (void *) "" };
@@ -838,17 +843,59 @@
return ccname;
}
+#ifdef USE_PAM
+static int pbs_pam_conv(int num_msg,
+ const struct pam_message **msg,
+ struct pam_response **resp,
+ void *appdata_ptr) {
+ return PAM_CONV_ERR; /* for now */
+}
+#endif
+
/* assumes it's running as the mom, because server doesn't need to call aklog */
-int authenticate_as_job(char *ccname,
+int authenticate_as_job(char *username,
+ char *ccname,
int setpag) {
+#ifdef USE_PAM
+ int rc;
+ struct pam_conv conv;
+ char *ccvar;
+ pam_handle_t *handle;
+#endif
+
if (setenv("KRB5CCNAME",ccname,1) != 0) {
return -1;
}
+
+#ifdef USE_PAM
+ conv.conv = pbs_pam_conv;
+ conv.appdata_ptr = NULL;
+ rc = pam_start("pbs_mom", username, &conv, &handle);
+ if (rc != PAM_SUCCESS)
+ return -2;
+ if (ccname) {
+ ccvar = malloc(sizeof("KRB5CCNAME=")+strlen(ccname));
+ if (!ccvar) {
+ pam_end(handle, rc);
+ return -3;
+ }
+ strcpy(ccvar, "KRB5CCNAME=");
+ strcat(ccvar, ccname);
+ rc = pam_putenv(handle, ccvar);
+ free(ccvar);
+ }
+ if (rc == PAM_SUCCESS)
+ rc = pam_open_session(handle, 0);
+ pam_end(handle, rc);
+ if (rc != PAM_SUCCESS)
+ return -4;
+#else
if (setpag) {
system("/usr/bin/aklog -setpag");
} else {
system("/usr/bin/aklog");
}
+#endif
return 0;
}
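Review bot: `setenv("KRB5CCNAME",ccname,1)` on L94 runs before the `if (ccname)` guard on L104, so a NULL ccname reaches setenv (EINVAL, or a crash on a libc that does not check) before the PAM path gets to its own NULL test; reject it up front with `if (!ccname) return -1;` and the guard on L104 becomes redundant. The handle is ended on L117 straight after pam_open_session with no pam_close_session, so the function relies on whatever a session module set up (a PAG, tokens) outliving pam_end; that is presumably the intent and deserves a comment, e.g. `/* deliberately no pam_close_session: the PAG and tokens must outlive this handle */`. Under USE_PAM the setpag argument is unused and the old `aklog -setpag` behaviour now depends entirely on the "pbs_mom" PAM service stack, while username may be NULL (the start_exec caller passes NULL when TJE->pwdp is NULL) and the conversation on L74-79 always returns PAM_CONV_ERR, so no module can recover a missing user. A short header comment naming what -1 through -4 mean would let the callers, which currently log only a generic failure, report something useful.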
diff -ru gssapi-1301/src/resmom/requests.c new/src/resmom/requests.c
--- gssapi-1301/src/resmom/requests.c 2007-02-16 20:41:09.000000000 +0100
+++ new/src/resmom/requests.c 2007-05-30 14:27:51.945116084 +0200
@@ -2753,7 +2753,8 @@
#ifdef GSSAPI
ccname = ccname_for_job(preq->rq_ind.rq_cpyfile.rq_jobid,path_creds);
if (ccname) {
- if (authenticate_as_job(ccname,1) != 0) {
+ char *username = preq->rq_ind.rq_cpyfile.rq_user;
+ if (authenticate_as_job(username,ccname,1) != 0) {
sprintf(log_buffer,"Couldn't authenticate as job %s",preq->rq_ind.rq_cpyfile.rq_jobid);
log_err(0,"req_cpyfile",log_buffer);
}
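Review bot: The return value of authenticate_as_job is discarded on L138, so the -2/-3/-4 distinctions the new PAM path makes (pam_start, malloc, putenv/open_session) all collapse into the same log line; keep it and log it, `int arc = authenticate_as_job(username,ccname,1); if (arc != 0) { sprintf(log_buffer,"Couldn't authenticate as job %s (rc=%d)",preq->rq_ind.rq_cpyfile.rq_jobid,arc);`. As before the patch a failure here is only logged and the file copy proceeds without credentials; if that is deliberate a comment saying so would help. The user name is taken straight from rq_user in the request, and I cannot see from this hunk whether it has already been checked against the job's owner before being handed to pam_start; the enclosing function starts and ends outside the hunk.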
diff -ru gssapi-1301/src/resmom/start_exec.c new/src/resmom/start_exec.c
--- gssapi-1301/src/resmom/start_exec.c 2007-05-22 08:50:45.000000000 +0200
+++ new/src/resmom/start_exec.c 2007-05-30 14:27:51.946116153 +0200
@@ -1786,10 +1786,19 @@
#ifdef GSSAPI
ccname = ccname_for_job(((job *)TJE->pjob)->ji_qs.ji_jobid,path_creds);
if (ccname) {
- if (authenticate_as_job(ccname,1)) {
+ char *username = TJE->pwdp ? ((struct passwd *)TJE->pwdp)->pw_name : NULL;
+ struct grpcache *gc = ((job *)TJE->pjob)->ji_grpcache;
+ if (authenticate_as_job(username,ccname,1)) {
+ free(ccname);
return FAILURE;
}
free(ccname);
+ gc->gc_ngroup = init_groups(username,
+ ((job *)TJE->pjob)->ji_qs.ji_un.ji_momt.ji_exgid,
+ NGROUPS_MAX,
+ gc->gc_groups);
+ if (gc->gc_ngroup < 0)
+ return FAILURE;
}
#endif
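Review bot: `username` on L150 is NULL when TJE->pwdp is NULL, yet it is passed unchecked to authenticate_as_job and then to init_groups on L157, whose first argument ends up in initgroups/getgrouplist and will be dereferenced; guard it before the first call, `if (username == NULL) return FAILURE;`. `gc` on L151 is dereferenced on L157 and L161 without a NULL check, and I cannot tell from this hunk whether ji_grpcache is always populated by this point. The reason for re-running init_groups after the PAM session (presumably a session module may change the supplementary groups, which the later setgroups from gc_groups would otherwise undo) is not stated; a one-line comment would stop the next reader from removing what looks like a duplicate of the earlier init_groups call. The enclosing function starts and ends outside the hunk.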
-------------- next part --------------
diff -ru old/src/include/job.h new/src/include/job.h
--- old/src/include/job.h 2007-02-16 20:40:47.000000000 +0100
+++ new/src/include/job.h 2007-05-30 14:29:14.290787729 +0200
@@ -168,7 +168,7 @@
#ifdef NGROUPS_MAX
struct grpcache {
int gc_ngroup; /* number of active supplementary groups */
- int gc_groups[NGROUPS_MAX];
+ GETGROUPS_T gc_groups[NGROUPS_MAX];
char gc_homedir[1]; /* more space allocated as part of this */
/* structure following here */
};
diff -ru old/src/include/mom_func.h new/src/include/mom_func.h
--- old/src/include/mom_func.h 2007-02-08 21:49:57.000000000 +0100
+++ new/src/include/mom_func.h 2007-05-30 14:29:14.291787798 +0200
@@ -137,7 +137,7 @@
extern pid_t fork_me A_((int sock));
extern int get_la A_((double *));
extern void init_abort_jobs A_((int));
-extern int init_groups A_((char *, int, int, int *));
+extern int init_groups A_((char *, int, int, GETGROUPS_T *));
extern int kill_job A_((job *, int sig));
extern void mom_deljob A_((job *));
extern void mom_freenodes A_((job *));
diff -ru old/src/resmom/mom_main.c new/src/resmom/mom_main.c
--- old/src/resmom/mom_main.c 2007-05-22 08:50:45.000000000 +0200
+++ new/src/resmom/mom_main.c 2007-05-30 14:29:14.293787936 +0200
@@ -6042,6 +6042,7 @@
static char id[] = "mom_main";
int errflg, c;
+ GETGROUPS_T g;
FILE *dummyfile;
task *ptask;
char *ptr; /* local tmp variable */
@@ -6366,9 +6367,9 @@
exit(1);
}
- c = getgid();
+ g = getgid();
- setgroups(1,(gid_t *)&c); /* secure suppl. groups */
+ setgroups(1,&g); /* secure suppl. groups */
c = sysconf(_SC_OPEN_MAX);
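Review bot: The setgroups return value on L206 is still ignored, so if the "secure suppl. groups" step fails the mom carries on as root with whatever supplementary groups it inherited from its parent; af_system.c in this same patch checks the call and exits, and the daemon should do the same, `if (setgroups(1,&g) == -1) { log_err(errno,id,"setgroups"); exit(1); }`, using the `id` declared on L194. The function continues outside the hunk.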
diff -ru old/src/resmom/prolog.c new/src/resmom/prolog.c
--- old/src/resmom/prolog.c 2007-02-16 20:41:09.000000000 +0100
+++ new/src/resmom/prolog.c 2007-05-30 14:29:14.293787936 +0200
@@ -493,7 +493,7 @@
{
setgroups(
pjob->ji_grpcache->gc_ngroup,
- (gid_t *)pjob->ji_grpcache->gc_groups);
+ pjob->ji_grpcache->gc_groups);
setgid(pjob->ji_qs.ji_un.ji_momt.ji_exgid);
diff -ru old/src/resmom/requests.c new/src/resmom/requests.c
--- old/src/resmom/requests.c 2007-05-30 14:27:51.000000000 +0200
+++ new/src/resmom/requests.c 2007-05-30 14:29:14.295788074 +0200
@@ -170,7 +170,7 @@
static uid_t useruid;
static gid_t usergid;
static int ngroup;
-static int *groups;
+static GETGROUPS_T *groups;
static char *output_retained = "Output retained on that host in: ";
static char rcperr[MAXPATHLEN]; /* file to contain rcp error */
@@ -249,7 +249,7 @@
pid_t pid;
job *pjob;
struct passwd *pwdp;
- static int fgrp[NGROUPS_MAX];
+ static GETGROUPS_T fgrp[NGROUPS_MAX];
char *idir;
@@ -460,7 +460,7 @@
if (SetUID == TRUE)
{
- setgroups(ngroup,(gid_t *)groups);
+ setgroups(ngroup,groups);
setgid(usergid);
setuid(useruid); /* run as the user */
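Review bot: None of setgroups, setgid or setuid on L240-242 is checked, so if one of them fails (setuid in particular) the code continues past "run as the user" still holding root; since this runs under `SetUID == TRUE` in what looks like a forked child (pid on L230), a failure should abort rather than proceed, e.g. `if (setgroups(ngroup,groups) == -1 || setgid(usergid) == -1 || setuid(useruid) == -1) { log_err(errno,id,"setuid"); exit(1); }` using whatever log identifier and exit convention the surrounding function has. The function starts and ends outside the hunk, so I cannot see whether a caller compensates.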
@@ -2193,7 +2193,7 @@
{
/* NOTE: if routine called as user, all of the following may silently fail */
- setgroups(ngroup,(gid_t *)groups);
+ setgroups(ngroup,groups);
setgid(usergid);
setuid(useruid); /* run as the user */
diff -ru old/src/resmom/start_exec.c new/src/resmom/start_exec.c
--- old/src/resmom/start_exec.c 2007-05-30 14:27:51.000000000 +0200
+++ new/src/resmom/start_exec.c 2007-05-30 14:29:14.296788143 +0200
@@ -3036,7 +3036,7 @@
setgroups(
pjob->ji_grpcache->gc_ngroup,
- (gid_t *)pjob->ji_grpcache->gc_groups);
+ pjob->ji_grpcache->gc_groups);
setgid(pjob->ji_qs.ji_un.ji_momt.ji_exgid);
@@ -4150,7 +4150,7 @@
/* become the user and execv the shell and become the real job */
setgroups(pjob->ji_grpcache->gc_ngroup,
- (gid_t *)pjob->ji_grpcache->gc_groups);
+ pjob->ji_grpcache->gc_groups);
setgid(pjob->ji_qs.ji_un.ji_momt.ji_exgid);
setuid(pjob->ji_qs.ji_un.ji_momt.ji_exuid);
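Review bot: The setgroups/setgid/setuid sequence on L261-265 runs immediately before the job shell is execv'd (per the comment on L260) with no return checks, so a failed setuid would start the user's shell as root; each call should be checked and the child should log and exit instead of exec'ing, `if (setuid(pjob->ji_qs.ji_un.ji_momt.ji_exuid) == -1) { log_err(errno,id,"setuid"); exit(254); }` or whatever failure path the rest of this function uses. The function starts and ends outside the hunk.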
@@ -5399,7 +5399,7 @@
char *pwname, /* I User's name */
int pwgrp, /* I User's group from pw entry */
int groupsize,/* I size of the array, following argument */
- int *groups) /* O ptr to group array, list build there */
+ GETGROUPS_T *groups) /* O ptr to group array, list build there */
{
/* DJH Jan 2004. The original implementation looped over all groups
@@ -5414,7 +5414,7 @@
char id[]="init_groups";
extern sigset_t allsigs; /* set up at the start of mom_main */
sigset_t savedset;
- gid_t *savedgroups;
+ GETGROUPS_T *savedgroups;
int n, nsaved;
@@ -5424,16 +5424,21 @@
/* save current group access because we're about to overwrite it */
nsaved = getgroups(0,savedgroups);
- savedgroups = malloc(sizeof(gid_t) * (nsaved + 2));
+ if (nsaved < 0)
+ {
+ log_err(errno,id,"getgroups");
+ return(-1);
+ }
+ savedgroups = malloc(sizeof(GETGROUPS_T) * (nsaved + 1));
if (!savedgroups) {
sprintf(log_buffer,"Couldn't malloc memory to save groups\n");
log_err(errno,id,log_buffer);
return -1;
}
- if (nsaved < 0)
+ nsaved = getgroups(nsaved,savedgroups);
+ if (nsaved < 0)
{
log_err(errno,id,"getgroups");
- free(savedgroups);
return(-1);
}
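Review bot: The new error path on L298-302 leaks `savedgroups`: the buffer is allocated on L290 and the moved block dropped the `free(savedgroups);` that the old code had, so a failed second getgroups returns -1 with the allocation still live; add `free(savedgroups);` before `return(-1);`. The first probe on L283 passes the uninitialized pointer with a size of 0, which is harmless but `getgroups(0,NULL)` says what is meant. The allocation shrank from `nsaved + 2` to `nsaved + 1` entries; a comment on why one spare slot is needed (or none) would help, since the count is re-read on L297 anyway. init_groups continues outside the hunk.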
@@ -5493,7 +5498,7 @@
}
else
{
- n = getgroups(groupsize,(gid_t *)groups);
+ n = getgroups(groupsize,groups);
}
/* restore state */
@@ -5519,7 +5524,7 @@
char *pwname, /* I User's name */
int pwgrp, /* I User's group from pw entry */
int groupsize, /* I size of the array, following argument */
- int *groups) /* O ptr to group array, list build there */
+ GETGROUPS_T *groups) /* O ptr to group array, list build there */
{
struct group *grp;
diff -ru old/src/scheduler.basl/af_system.c new/src/scheduler.basl/af_system.c
--- old/src/scheduler.basl/af_system.c 2007-02-08 21:50:17.000000000 +0100
+++ new/src/scheduler.basl/af_system.c 2007-05-30 14:29:14.297788212 +0200
@@ -459,15 +459,16 @@
static void secureEnv(void)
{
int c;
+ GETGROUPS_T g;
/* The following is code to reduce security risks */
/* start out with standard umask, system resource limit infinite */
umask(022);
if (setup_env(PBS_ENVIRON) == -1)
exit(1);
- c = getgid();
+ g = getgid();
/* secure suppl. group ids */
- if( setgroups(1, (gid_t *)&c) == -1 ) {
+ if( setgroups(1, &g) == -1 ) {
perror("setgroups");
exit(1);
}
diff -ru old/src/scheduler.cc/pbs_sched.c new/src/scheduler.cc/pbs_sched.c
--- old/src/scheduler.cc/pbs_sched.c 2007-02-16 20:41:00.000000000 +0100
+++ new/src/scheduler.cc/pbs_sched.c 2007-05-30 14:29:14.297788212 +0200
@@ -683,6 +683,7 @@
char *id = "main";
struct hostent *hp;
int go, c, errflg = 0;
+ GETGROUPS_T g;
int lockfds;
int t = 1;
pid_t pid;
@@ -806,8 +807,8 @@
umask(022);
if (setup_env(PBS_ENVIRON)==-1)
exit(1);
- c = getgid();
- (void)setgroups(1, (gid_t *)&c); /* secure suppl. groups */
+ g = getgid();
+ (void)setgroups(1, &g); /* secure suppl. groups */
c = sysconf(_SC_OPEN_MAX);
while (--c > 2)
(void)close(c); /* close any file desc left open by parent */
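Review bot: `(void)setgroups(1, &g)` on L359 explicitly discards the result of the "secure suppl. groups" step, whereas af_system.c in the same patch checks it and exits; for consistency, and so the scheduler never runs with inherited supplementary groups, use `if (setgroups(1, &g) == -1) { perror("setgroups"); exit(1); }`. main continues outside the hunk.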
diff -ru old/src/scheduler.tcl/pbs_sched.c new/src/scheduler.tcl/pbs_sched.c
--- old/src/scheduler.tcl/pbs_sched.c 2007-02-08 21:49:36.000000000 +0100
+++ new/src/scheduler.tcl/pbs_sched.c 2007-05-30 14:29:14.298788281 +0200
@@ -613,6 +613,7 @@
int code;
struct hostent *hp;
int go, c, errflg = 0;
+ GETGROUPS_T g;
int lockfds;
int t = 1;
char *ptr;
@@ -740,8 +741,8 @@
umask(022);
if (setup_env(PBS_ENVIRON)==-1)
exit(1);
- c = getgid();
- (void)setgroups(1, (gid_t *)&c); /* secure suppl. group ids */
+ g = getgid();
+ (void)setgroups(1, &g); /* secure suppl. group ids */
c = sysconf(_SC_OPEN_MAX);
while (--c > 2)
(void)close(c); /* close any file desc left open by parent */
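Review bot: `(void)setgroups(1, &g)` on L381 discards the result of the "secure suppl. group ids" step, so a failure leaves the scheduler running with whatever supplementary groups it inherited; af_system.c in this patch checks the same call and exits, and this scheduler should match it: `if (setgroups(1, &g) == -1) { perror("setgroups"); exit(1); }`. main continues outside the hunk.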
diff -ru old/src/server/pbsd_init.c new/src/server/pbsd_init.c
--- old/src/server/pbsd_init.c 2007-05-22 08:50:46.000000000 +0200
+++ new/src/server/pbsd_init.c 2007-05-30 14:29:14.298788281 +0200
@@ -249,6 +249,7 @@
int fd;
int had;
int i;
+ GETGROUPS_T g;
static char id[] = "pbsd_init";
char *job_suffix = JOB_FILE_SUFFIX;
int job_suf_len = strlen(job_suffix);
@@ -272,9 +273,9 @@
return(-1);
}
- i = getgid();
+ g = getgid();
- setgroups(1,(gid_t *)&i); /* secure suppl. groups */
+ setgroups(1,&g); /* secure suppl. groups */
i = sysconf(_SC_OPEN_MAX);
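Review bot: The setgroups return on L402 is ignored, so a failure of the "secure suppl. groups" step lets the server continue with its inherited supplementary groups; this function already reports failures with `return(-1)` (L397), so follow that, `if (setgroups(1,&g) == -1) { log_err(errno,id,"setgroups"); return(-1); }`, using the `id` declared on L393 (assuming log_err is in scope here as elsewhere in the server). pbsd_init continues outside the hunk.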