diff -Naur ./trunk-3664/contrib/AddPrivileges ./new/contrib/AddPrivileges --- ./trunk-3664/contrib/AddPrivileges 2010-04-01 19:03:08.000000000 +0300 +++ ./new/contrib/AddPrivileges 2010-06-02 16:23:04.249554901 +0300 @@ -60,22 +60,20 @@ ADMINGRL=544 -ADMINGRD=512 +ADMINGRD=10512 +mkpasswd -l -d > $PASSWDF +mkgroup -l -d -u > $GROUPF; if id -G | grep -q "$ADMINGRD" then echo " $CURRENTU is a domain administrator" - mkpasswd -l -d > $PASSWDF - mkgroup -l -d -u > $GROUPF; elif id -G | grep -q "$ADMINGRL" then echo " $CURRENTU is a local administrator" - mkpasswd -l > $PASSWDF - mkgroup -l -u > $GROUPF; else echo " Current user '$CURRENTU' has not administrator privileges" exit $?; diff -Naur ./trunk-3664/README.cygwin ./new/README.cygwin --- ./trunk-3664/README.cygwin 2010-04-01 19:03:08.000000000 +0300 +++ ./new/README.cygwin 2010-06-04 14:31:26.062857484 +0300 
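Review bot: The administrator test `id -G | grep -q "$ADMINGRD"` matches the group id as a substring of the whole `id -G` output, so with the new value 10512 any gid that merely contains that digit string passes, and on the `$ADMINGRL` branch a gid such as 5440 also passes; match whole tokens instead, e.g. `if id -G | tr ' ' '\n' | grep -qx "$ADMINGRD"` and the same for `$ADMINGRL`. The hoisted `mkpasswd -l -d > $PASSWDF` and `mkgroup -l -d -u > $GROUPF` now overwrite both files before the privilege test runs, so an invocation by a non-administrator still clobbers them before it reaches `exit`; generating into a temporary file and moving it into place only on the success path would keep the old behaviour. The domain form `-d` is now also used on hosts that only have a local administrator, which presumably requires a reachable domain controller — worth confirming for the local-only case the script still distinguishes. The `if`/`elif`/`else` block continues outside the hunk.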
@@ -1,32 +1,34 @@ -Tested with the stable release Cygwin 1.5.25-15 on +Tested with the stable release Cygwin 1.5.25 on Windows XP Pro and on Windows Server 2003 SE (both 32-bit). +Tested with the stable release Cygwin 1.7.5 on 64-bit Windows 7 Ultimate. +Can be used on heterogeneous Torque clusters. GUI and Tcl/Tk components are untested Interactive jobs are untested. -Can be used on heterogeneous Torque clusters. -Scheduler C is used only. +Scheduler C is tested only. Can be used with Maui. Mail and drmaa are untested. -In mom quota and setrlimit are not supported -because Cygwin doesn't support ones. +In mom quota and setrlimit are not supported because Cygwin doesn't support ones. -Windows file system must be NTFS!!! -Torque needs two Windows users on each host: +Torque needs two Windows users (local or domain) on each host: with Computer administrator privileges and with Limited account. Both users must be password protected. -Torque server-sched-mom can run as Cygwin daemons -or as Windows services. +Torque server-sched-mom can run as Cygwin daemons or as Windows services. +Run as administrator (right-click) on Windows 7 and similar. + ########################### ### Install Cygwin ### ########################### - -To install Cygwin, enter into Windows as user . -Browse to http://cygwin.com/win-9x.html and click the "setup-legacy.exe" link. + +Enter into Windows as user . +To install Cygwin 1.5.25 browse to http://cygwin.com/win-9x.html and click the "setup-legacy.exe" link. Download and run setup-legacy.exe. +To install Cygwin 1.7.5 (or later) browse to http://cygwin.com and click the "Install Cygwin now" link. +Download and run setup.exe. Click through the defaults and under the package selection select the following packages: @@ -34,12 +36,13 @@ automake; cygrunsrv; email; - gcc4; + gcc or gcc4; make; openssh; sunrpc; + util-linux; vim or mc is desirable. - + Download and install the default's and selected Cygwin packages. 
@@ -50,25 +53,25 @@ Adjust an access without password prompting on each host. - -###################################### -### Start Torque under Cygwin ### -###################################### - + +##################################### +### Start Torque under Cygwin ### +##################################### + Enter into working directory as and execute the following commands: - + #./configure --disable-unixsockets --disable-gcc-warnings [--disable-daemons] #make #make install - + The next command must be at the server installation: #./contrib/AddPrivileges --add -The next command must be at the mom installation: +The next command must be at the mom installation: #./contrib/AddPrivileges --add mom - + The AddPrivileges script creates passwd&group files and adds privileges necessary for normal work Torque components. As a rule pbs_mom is demanded more privileges than pbs_server. @@ -86,7 +89,7 @@ !-------------------!!-----------------------!--------------------------!--------------------------! ! !! ! ! ! ! Windows service !! SeServiceLogonRight ! SeServiceLogonRight ! Windows XP/Server 2003 ! -! by !! ! SeCreateTokenPrivilege ! ! +! by !! ! SeCreateTokenPrivilege ! Windows 7 ! ! !! ! ! ! !-------------------!!-----------------------!--------------------------!--------------------------! ! !! ! ! ! @@ -107,9 +110,9 @@ Configure pbs_server via the .../torque/server_priv/nodes file. Initiate a pbs_server database and adjust a appropriate structure of queues: - + #pbs_server -t create - + #qmgr -c "s s scheduling=true" #qmgr -c "c q batch queue_type=execution" #qmgr -c "s q batch started=true" 
@@ -117,29 +120,29 @@ #qmgr -c "s q batch resources_default.nodes=1" #qmgr -c "s q batch resources_default.walltime=3600" #qmgr -c "s s default_queue=batch" - + Further restart the server: #qterm -t quick #pbs_server - + Start the scheduler: - + #pbs_sched -Configure pbs_mom via the .../torque/mom_priv/config file. +Configure pbs_mom via the .../torque/mom_priv/config file. Start the mom: - + #pbs_mom Add the client's hostname to your server's submit_hosts -Set your server's hostsname in the .../torque/server_name file. +Set your server's hostsname in the .../torque/server_name file. Submit jobs as with Limited account. @@ -154,7 +157,7 @@ See nodes information: #pbsnodes -a - + Run simple jobs: #echo "sleep 30" | qsub @@ -168,7 +171,7 @@ ######################################################## Enter into working directory as and execute the following commands: - + #./configure --disable-daemons --disable-unixsockets --disable-gcc-warnings #make #make install 
@@ -184,16 +187,18 @@ #./contrib/AddPrivileges --add #cygrunsrv.exe -I pbs_server -p /usr/sbin/pbs_server.exe –u -w #cygrunsrv.exe -I pbs_sched -p /usr/sbin/pbs_sched.exe –u -w - + #./contrib/AddPrivileges --add mom #cygrunsrv.exe -I pbs_mom -p /usr/sbin/pbs_mom.exe –u -w - -On Windows XP also can start server-sched-mom as services by Windows -native user SYSTEM (uid=18): - + +On Windows XP also can start server-sched-mom as services by +Windows native user SYSTEM (uid=18): + #./contrib/AddPrivileges --add SYSTEM #chown SYSTEM -R /var/spool/torque + #cygrunsrv.exe -I pbs_server -p /usr/sbin/pbs_server.exe + #cygrunsrv.exe -I pbs_sched -p /usr/sbin/pbs_sched.exe #cygrunsrv.exe -I pbs_mom -p /usr/sbin/pbs_mom.exe -Services and privileges are managed via the Windows Control Panel or comand line. +Services and privileges are managed via the Windows Control Panel or command line. diff -Naur ./trunk-3664/src/include/pbs_config.h.in ./new/src/include/pbs_config.h.in --- ./trunk-3664/src/include/pbs_config.h.in 2010-05-28 07:53:55.000000000 +0300 +++ ./new/src/include/pbs_config.h.in 2010-06-02 17:32:35.827555121 +0300 @@ -563,22 +563,10 @@ #endif - #ifndef __GNUC__ # define __attribute__ /* nothing */ #endif -#ifdef __CYGWIN__ -/* sys/types.h from cygwin fails to define uid_t and gid_t */ -#ifndef uid_t -#define uid_t int -#endif -#ifndef gid_t -#define gid_t int -#endif -#endif /* __CYGWIN__ */ - - #endif /* _PBS_CONFIG_H_ */ diff -Naur ./trunk-3664/src/lib/Liblog/chk_file_sec.c ./new/src/lib/Liblog/chk_file_sec.c --- ./trunk-3664/src/lib/Liblog/chk_file_sec.c 2010-04-01 19:03:08.000000000 +0300 +++ ./new/src/lib/Liblog/chk_file_sec.c 2010-06-04 14:36:39.380124111 +0300 @@ -78,7 +78,6 @@ */ #include /* the master config generated by configure */ - #include #include #include 
@@ -94,6 +93,44 @@
 #include
 #include
+#ifdef __CYGWIN__
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+SID_IDENTIFIER_AUTHORITY sid_world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+SID_IDENTIFIER_AUTHORITY sid_nt_auth = {SECURITY_NT_AUTHORITY};
+
+NET_API_STATUS WINAPI (*netapibufferfree)(PVOID);
+NET_API_STATUS WINAPI (*netuserenum)(LPWSTR,DWORD,DWORD,PBYTE*,DWORD,PDWORD,PDWORD,PDWORD);
+NET_API_STATUS WINAPI (*netgroupenum)(LPWSTR,DWORD,PBYTE*,DWORD,PDWORD,PDWORD,PDWORD);
+NET_API_STATUS WINAPI (*netlocalgroupenum)(LPWSTR,DWORD,PBYTE*,DWORD,PDWORD,PDWORD,PDWORD);
+NET_API_STATUS WINAPI (*netlocalgroupgetmembers)(LPWSTR,LPWSTR,DWORD,PBYTE*,DWORD,PDWORD,PDWORD,PDWORD);
+NET_API_STATUS WINAPI (*netgroupgetusers)(LPWSTR,LPWSTR,DWORD,PBYTE*,DWORD,PDWORD,PDWORD,PDWORD);
+NET_API_STATUS WINAPI (*netgetdcname)(LPWSTR,LPWSTR,PBYTE*);
+NET_API_STATUS WINAPI (*netusergetinfo)(LPWSTR,LPWSTR,DWORD,PBYTE*);
+
+NTSTATUS NTAPI (*lsaclose)(LSA_HANDLE);
+NTSTATUS NTAPI (*lsaopenpolicy)(PLSA_UNICODE_STRING,PLSA_OBJECT_ATTRIBUTES,ACCESS_MASK,PLSA_HANDLE);
+NTSTATUS NTAPI (*lsaqueryinformationpolicy)(LSA_HANDLE,POLICY_INFORMATION_CLASS,PVOID*);
+NTSTATUS NTAPI (*lsafreememory)(PVOID);
+
+LPWSTR servername;
+
+#endif /* __CYGWIN__ */
+
+
 #ifndef S_ISLNK
 #define S_ISLNK(m) (((m) & S_IFMT) == S_IFLNK)
 #endif
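Review bot: The new file-scope objects `servername`, `sid_world_auth`, `sid_nt_auth` and the twelve function pointers are defined without `static`, so they become external symbols of Liblog with very generic names that can collide with any other definition in a program that links the library; they are only used inside this file, so internal linkage is the right choice (e.g. `static LPWSTR servername;`). `servername` is additionally shadowed by the parameter of the same name in `check_domain_user_privileges` later in this patch, which `-Wshadow` will report. Of the twelve pointers only `netapibufferfree`, `netlocalgroupenum`, `netgroupenum`, `netlocalgroupgetmembers`, `netgroupgetusers` and `netgetdcname` are called in the visible part of the patch; if the `lsa*` and `netuser*` entries are not used elsewhere, resolving them in `load_netapi` only adds failure points. The header names of the new `#include` lines are missing from this rendering of the patch, so which Windows headers are pulled in cannot be reviewed here.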
@@ -101,126 +138,374 @@
 int chk_file_sec_stderr = 0;
+#ifdef __CYGWIN__
+
+/* ----------------------------- HELPERS ---------------------------------------- */
+
+BOOL load_netapi (HANDLE hNetapi,HANDLE hAdvapi)
+{
+ if ((!hNetapi) || (!hAdvapi))
+ return FALSE;
+
+ if (!(netapibufferfree = (void *) GetProcAddress (hNetapi, "NetApiBufferFree")))
+ return FALSE;
+ if (!(netuserenum = (void *) GetProcAddress (hNetapi, "NetUserEnum")))
+ return FALSE;
+ if (!(netlocalgroupenum = (void *) GetProcAddress (hNetapi, "NetLocalGroupEnum")))
+ return FALSE;
+ if (!(netgetdcname = (void *) GetProcAddress (hNetapi, "NetGetDCName")))
+ return FALSE;
+ if (!(netusergetinfo = (void *) GetProcAddress (hNetapi, "NetUserGetInfo")))
+ return FALSE;
+ if (!(netgroupenum = (void *) GetProcAddress (hNetapi, "NetGroupEnum")))
+ return FALSE;
+ if (!(netgroupgetusers = (void *) GetProcAddress (hNetapi, "NetGroupGetUsers")))
+ return FALSE;
+ if (!(netlocalgroupgetmembers = (void *) GetProcAddress (hNetapi, "NetLocalGroupGetMembers")))
+ return FALSE;
+ if (!(lsaclose = (void *) GetProcAddress (hAdvapi, "LsaClose")))
+ return FALSE;
+ if (!(lsaopenpolicy = (void *) GetProcAddress (hAdvapi, "LsaOpenPolicy")))
+ return FALSE;
+ if (!(lsaqueryinformationpolicy = (void *) GetProcAddress (hAdvapi, "LsaQueryInformationPolicy")))
+ return FALSE;
+ if (!(lsafreememory = (void *) GetProcAddress (hAdvapi, "LsaFreeMemory")))
+ return FALSE;
+
+ return TRUE;
+}
+
+void uni2ansi (LPWSTR wcs, char *mbs, int size)
+{
+ if (wcs)
+ WideCharToMultiByte (CP_ACP, 0, wcs, -1, mbs, size, NULL, NULL);
+ else
+ *mbs = '\0';
+}
+
+void uni2utf8 (LPWSTR wcs, char *mbs, int size)
+{
+ if (wcs)
+ WideCharToMultiByte (CP_UTF8, 0, wcs, -1, mbs, size, NULL, NULL);
+ else
+ *mbs = '\0';
+}
+
+/* ----------------------------- BASIC FUNCTIONS ----------------------------------- */
+
+int enum_local_users (LPWSTR groupname,char *username)
+{
+ GROUP_USERS_INFO_0 *buf0;
+ LOCALGROUP_MEMBERS_INFO_1 *buf1;
+ DWORD entries = 0;
+ DWORD total = 0;
+ DWORD reshdl = 0;
+ int i,ret=-1;
+ char grp_username[128];
+
+ /* Print local users*/
+ if (!netlocalgroupgetmembers (NULL, groupname, 1, (void *) &buf1, MAX_PREFERRED_LENGTH, &entries, &total, &reshdl))
+ {
+ ret=0;
+ for (i = 0; i < entries; ++i)
+ if (buf1[i].lgrmi1_sidusage == SidTypeUser)
+ {
+ uni2utf8 (buf1[i].lgrmi1_name, grp_username, sizeof (grp_username));
+ if (strcmp(grp_username,username)==0)
+ {
+ ret=1;
+ break;
+ }
+ }
+ netapibufferfree (buf1);
+ }
+
+ return ret;
+}
+
+int enum_domain_users (LPWSTR server_name, LPWSTR groupname,char *username)
+{
+ GROUP_USERS_INFO_0 *buf0;
+ LOCALGROUP_MEMBERS_INFO_1 *buf1;
+ DWORD entries = 0;
+ DWORD total = 0;
+ DWORD reshdl = 0;
+ int i,ret=-1;
+ char grp_username[128];
+
+ if (!netgroupgetusers (server_name, groupname, 0, (void *) &buf0, MAX_PREFERRED_LENGTH, &entries, &total, &reshdl))
+ {
+ ret=0;
+ for (i = 0; i < entries; ++i)
+ {
+ uni2utf8 (buf0[i].grui0_name, grp_username, sizeof (grp_username));
+
+
+ if (strcmp(grp_username,username)==0)
+ {
+ ret=1;
+ break;
+ }
+ }
+ netapibufferfree (buf0);
+ }
+
+ return ret;
+}
+
+int check_local_user_privileges (char *username_utf8, int usertype)
+{
+
+ LOCALGROUP_INFO_0 *buffer;
+ DWORD entriesread = 0;
+ DWORD totalentries = 0;
+ DWORD resume_handle = 0;
+ DWORD rc;
+
+ char errbuf[1024];
+ int user=-1,admin=-1,ret;
+
+ do
+ {
+ DWORD i;
+ rc = netlocalgroupenum (NULL, 0, (void *) &buffer, 1024, &entriesread, &totalentries, &resume_handle);
+ switch (rc)
+ {
+ case ERROR_ACCESS_DENIED:
+ return 1;
+ case ERROR_MORE_DATA:
+ case ERROR_SUCCESS:
+ break;
+ default:
+ return 1;
+ }
+
+ for (i = 0; i < entriesread; i++)
+ {
+ char localgroup_name_acp[128];
+ char domain_name[128];
+ DWORD domain_name_len = 128;
+ char psid_buffer[1024];
+
+ DWORD sid_length = 1024;
+ int gid;
+ SID_NAME_USE acc_type;
+
+ uni2ansi (buffer[i].lgrpi0_name, localgroup_name_acp, sizeof (localgroup_name_acp));
+
+ if (!LookupAccountName (NULL, 
localgroup_name_acp, &psid_buffer, &sid_length, domain_name, &domain_name_len, &acc_type))
+ {
+ continue;
+ }
+
+ gid = *GetSidSubAuthority (&psid_buffer, *GetSidSubAuthorityCount(&psid_buffer) - 1);
+
+ if (gid==544)
+ {
+ ret = enum_local_users (buffer[i].lgrpi0_name,username_utf8);
+ if (ret>admin)
+ admin=ret;
+ }
+
+ if (gid==545)
+ {
+ ret = enum_local_users (buffer[i].lgrpi0_name, username_utf8);
+ if (ret>user)
+ user=ret;
+ }
+
+ }
+ netapibufferfree (buffer);
+ }
+ while (rc == ERROR_MORE_DATA);
+
+ /* check if user is Admin */
+ if (usertype==0)
+ return (admin==1)?1:0;
+
+ /* check if user is Simple User */
+ return (admin==0 && user==1)?1:0;
+}
+
+int check_domain_user_privileges (LPWSTR servername, char *username_utf8, int usertype)
+{
+ GROUP_INFO_2 *buffer;
+ DWORD entriesread = 0;
+ DWORD totalentries = 0;
+ DWORD resume_handle = 0;
+ DWORD rc;
+
+ char errbuf[1024];
+ int user=-1,admin=-1,ret;
+
+ do
+ {
+ DWORD i;
+ rc = netgroupenum (servername, 2, (void *) &buffer, 1024, &entriesread, &totalentries, &resume_handle);
+
+ switch (rc)
+ {
+ case ERROR_ACCESS_DENIED:
+ return;
+ case ERROR_MORE_DATA:
+ case ERROR_SUCCESS:
+ break;
+ default:
+ return;
+ }
+
+ for (i = 0; i < entriesread; i++)
+ {
+
+ int gid = buffer[i].grpi2_group_id;
+
+ if (gid==512)
+ {
+ ret = enum_domain_users (servername, buffer[i].grpi2_name,username_utf8);
+ if (ret>admin)
+ admin=ret;
+ }
+ if (gid==513)
+ {
+ ret = enum_domain_users (servername, buffer[i].grpi2_name, username_utf8);
+ if (ret>user)
+ user=ret;
+ }
+ }
+ netapibufferfree (buffer);
+ }
+ while (rc == ERROR_MORE_DATA);
+
+ /* check if user is Admin */
+ if (usertype==0)
+ return (admin==1)?1:0;
+ /* check if user is Simple User */
+ return (admin==0 && user==1)?1:0;
+}
+
+/* ----------------------------- TORQUE FUNCTIONS ----------------------------------- */
+
 /*
 * IamRoot returns 1 if current user has root (Administrator) account,
 * else returns 0
 */
+
 int IamRoot()
- {
-#ifndef __CYGWIN__
- if 
((getuid() == 0) && (geteuid() == 0))
- {
- return 1;
- }
- fprintf(stderr, "Must be run as root\n");
+{
+ struct passwd *p;
+ int uid;
+ HANDLE hAdvapi, hNetapi;
+
+ servername=NULL;
+ hNetapi = LoadLibrary ("netapi32.dll");
+ hAdvapi = LoadLibrary ("advapi32.dll");
-#else
- struct group *gr;
- struct passwd *p;
- char **t;
+ if (!load_netapi (hNetapi,hAdvapi))
+ {
+ log_err(-1, "IamRoot","Cann`t load netapi32.dll and advapi32.dll libraries\n");
+ return 0;
+ }
- if (getuid() == 18)
- {
- return 1;
- }
- if ((p = getpwuid(getuid())) == NULL)
- {
- fprintf(stderr, "No password entry for current user. Check your /etc/passwd file.\n");
- return 0;
- }
- if ((gr=getgrgid(544)) != NULL)
- {
- for (t = gr->gr_mem; t && *t; t++)
+ if (netgetdcname (NULL, NULL, (void *) &servername) != ERROR_SUCCESS)
 {
- if (!strcmp (p->pw_name, *t))
+ log_err(-1, "IamRoot","Cann`t get the name of the primary domain controller\n");
+ }
+
+ uid=getuid();
+
+ if (uid==18)
 return 1;
+
+ if ((p = getpwuid(uid))==NULL)
+ {
+ log_err(-1, "IamRoot","WARNING!!! No password entry for currient user. Check your /etc/passwd file.\n");
+ return 0;
 }
- fprintf(stderr, "Must be run as user with Administrator privileges\n");
- }
- else
- {
- fprintf(stderr, "No group entry. Check your /etc/group file.\n");
- }
-#endif /* __CYGWIN__ */
- return 0;
- } /* END IamRoot() */
+
+ if (check_local_user_privileges(p->pw_name,0) || check_domain_user_privileges(servername,p->pw_name,0))
+ return 1;
+
+ log_err(-1, "IamRoot","WARNING!!! 
Must be run with Administrator privileges.\n");
+ return 0;
+}
-#ifdef __CYGWIN__
 /*
 * IamAdminByName returns 1 if user has Administrator account,
 * else returns 0
 */
-int IamAdminByName(char *userName)
- {
- struct group *gr;
- char **t;
-
- if ((gr=getgrgid(544)) != NULL)
- {
- for (t = gr->gr_mem; t && *t; t++)
- if (!strcmp (userName, *t))
- return 1;
- }
- return 0;
- } /* END IamAdminByName */
+int IamAdminByName(char *userName)
+{
+ return (check_local_user_privileges(userName,0) || check_domain_user_privileges(servername,userName,0))?1:0;
+}
 /*
 * IamUser returns 1 if current user isn't included to Administrators group
 * (i.e. has a limited account), else returns 0
 */
+
 int IamUser()
- {
- struct group *gr;
- struct passwd *p;
- char **t;
+{
+ struct passwd *p;
- if ((p = getpwuid(getuid())) && (gr = getgrgid(544)) != NULL)
+ if ((p = getpwuid(getuid())) != NULL)
 {
- for (t = gr->gr_mem; t && *t; t++)
- {
- if (!strcmp (p->pw_name, *t))
- return 0;
- }
- return 1;
+ printf("Check %s\n",p->pw_name);
+ if (check_local_user_privileges(p->pw_name,1) || check_domain_user_privileges(servername,p->pw_name,1))
+ return 1;
 }
- log_err(-1, "WARNING!!!", "Check your /etc/group and /etc/passwd files.\n");
- return 0;
- } /* END IamUser() */
+ log_err(-1, "IamUser","WARNING!!! Check your /etc/group and /etc/passwd files.\n");
+ return 0;
+} /* END IamUser() */
-/*
- * IamUserByName returns 1 if user isn't included to Administrators group
- * (i.e. has a limited account), else returns 0
+/*
+ * IamUserByName returns 1 if current user isn't included to Administrators group
+ * (i.e. has a limited account), else returns 0
 */
+
 int IamUserByName(char *userName)
- {
- struct group *gr;
- char **t;
- char buff[512];
+{
+ char buff[512];
+
+
+ if (check_local_user_privileges(userName,1) || check_domain_user_privileges(servername,userName,1))
+ {
+ return 1;
+ }
+ else
+ if (IamAdminByName(userName))
+ {
+ sprintf(buff, "WARNING!!! Can`t run job with Administrator privileges. 
Your should limit preveleges for \"%s\"!",userName);
+ log_err(-1, "IamUserByName", buff);
+ return 0;
+ }
+ sprintf(buff, "WARNING!!! Can`t find user \"%s\"!",userName);
+ log_err(-1, "IamUserByName", buff);
+ return 0;
+}
+
+
+#else /* not def __CYGWIN__ */
+
+int IamRoot()
+{
+ if ((getuid() == 0) && (geteuid() == 0))
+ return 1;
+ fprintf(stderr, "Must be run as root\n");
+ return 0;
+}
- if ((gr = getgrgid(544)) != NULL)
- {
- for (t = gr->gr_mem; t && *t; t++)
- if (!strcmp (userName, *t))
- {
- sprintf(buff, "Can`t run job with Administrator privileges. Your should limit privileges for \"%s\"", userName);
- log_err(-1, "WARNING!!!", buff);
- return 0;
- }
- /* else log_err(-1,"Try",*t); */
- return 1;
- }
- return 0;
- } /* END IamUserByName */
 #endif /* __CYGWIN__ */
+
+
 /*
 * chk_file_sec() - Check file/directory security
 * Part of the PBS System Security "Feature"
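Review bot: The privilege checks fail open: in `check_local_user_privileges` both the `case ERROR_ACCESS_DENIED:` arm and the `default:` arm of `switch (rc)` return 1, and in `check_domain_user_privileges` the same two arms are a bare `return;` inside an `int` function, so when group enumeration fails `IamRoot` and `IamAdminByName` report any caller as an administrator on the local path and consume an undefined value on the domain path; all four arms should `return 0;` so that an enumeration error counts as "privilege not established" for every caller. `IamUserByName` formats the caller-supplied `userName` into `buff[512]` with `sprintf`, which the new code keeps from the old implementation; use `snprintf(buff, sizeof buff, ...)` for both messages. `IamUser` leaves a debug `printf("Check %s\n",p->pw_name);` writing to stdout from library code, which should be removed or routed through `log_err`. `uni2utf8` and `uni2ansi` ignore the return value of `WideCharToMultiByte`, so a name that does not fit the 128-byte `grp_username` / `localgroup_name_acp` buffers can be left unterminated before `strcmp` and `LookupAccountName` read it; check the return value, treat failure as a non-match, and force `mbs[size - 1] = '\0'`. The membership tests also only count `SidTypeUser` entries of the local Administrators/Users groups and direct members of the 512/513 domain groups, so a user who is an administrator via a nested group would presumably be classified as limited — worth confirming against the deployment's group layout.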