/[pdpsoft]/trunk/grid-mw-security/cgul
ViewVC logotype

Log of /trunk/grid-mw-security/cgul

View Directory Listing Directory Listing

Sticky Revision:
Revision 2087 - Directory Listing
Modified Thu Nov 11 15:33:33 2010 UTC (11 years, 6 months ago) by msalle 
Bringing environ back in sync with glexec: 
- new function int cgul_unsetenv_dst() needed to remove an entry from an 'saved'
  environment.
Revision 2056 - Directory Listing
Modified Thu Oct 21 11:27:25 2010 UTC (11 years, 7 months ago) by msalle 
- rename read -> read_rc to suppress a warning
- explicitly cast const char * -> char *
Revision 2055 - Directory Listing
Modified Thu Oct 21 11:16:02 2010 UTC (11 years, 7 months ago) by msalle 
Adding missing headers
Revision 1989 - Directory Listing
Modified Fri Oct 1 13:45:36 2010 UTC (11 years, 7 months ago) by aramv 
Removed homebrew asprintf function
Revision 1988 - Directory Listing
Modified Fri Oct 1 13:24:56 2010 UTC (11 years, 7 months ago) by aramv 
Added some parenthesis around assignments used as boolean values
Revision 1921 - Directory Listing
Modified Tue Sep 14 10:06:37 2010 UTC (11 years, 8 months ago) by msalle 
- log_file:
    - add option to treat untrusted-ness as warning not as error.
    - not-regular-file is now different error, since it's ALWAYS fatal.
Revision 1911 - Directory Listing
Modified Wed Sep 1 13:30:16 2010 UTC (11 years, 8 months ago) by msalle 
Fix missing expression
Revision 1910 - Directory Listing
Modified Wed Sep 1 13:05:57 2010 UTC (11 years, 8 months ago) by msalle 
Fix typo.
Revision 1909 - Directory Listing
Modified Wed Sep 1 12:56:32 2010 UTC (11 years, 8 months ago) by msalle 
- fix for unreadable current working directory: use getcwd instead. Note that
  open and fchdir is preferred, since it goes back to exactly the original, even
  if the path has changed in the meantime.
Revision 1906 - Directory Listing
Modified Wed Sep 1 10:45:01 2010 UTC (11 years, 8 months ago) by msalle 
- fixed two typos in comments.
Revision 1905 - Directory Listing
Modified Tue Aug 31 12:44:47 2010 UTC (11 years, 8 months ago) by msalle 
- prevent "warning: unused variable `lck'"
Revision 1892 - Directory Listing
Modified Tue Aug 24 12:36:17 2010 UTC (11 years, 9 months ago) by msalle 
- Forcing umask for cgul_mkdir_with_parents() and cgul_open_logfile() to be
  identical to the specified modes, so forcing it to be not stricter than the
  specified mode.
Revision 1891 - Directory Listing
Modified Fri Aug 20 14:55:09 2010 UTC (11 years, 9 months ago) by msalle 
Add missing header...
Revision 1890 - Directory Listing
Modified Fri Aug 20 14:19:35 2010 UTC (11 years, 9 months ago) by msalle 
Make sure we don't get error on missing POSIX define
Fix typo (missing ;)
Revision 1889 - Directory Listing
Modified Fri Aug 20 09:21:16 2010 UTC (11 years, 9 months ago) by msalle 
- fixing check on ENAMETOOLONG, snprintf returns WITHOUT \0...
Revision 1888 - Directory Listing
Modified Thu Aug 19 14:57:37 2010 UTC (11 years, 9 months ago) by msalle 
- Add #ifndef #define #endif construct to prevent double inclusion
- Add missing #include for struct stat
Revision 1887 - Directory Listing
Modified Thu Aug 19 14:30:13 2010 UTC (11 years, 9 months ago) by msalle 
Fixed unchecked return of cgul_readdir()
Revision 1885 - Directory Listing
Modified Thu Aug 19 12:57:05 2010 UTC (11 years, 9 months ago) by msalle 
Renaming to stick to the conventions...
Revision 1884 - Directory Listing
Modified Thu Aug 19 12:55:54 2010 UTC (11 years, 9 months ago) by msalle 
Adding a substitute for the unsafe realpath() or unportable
canonicalize_file_name().
Note that it is NOT thread safe due to the chdir trick...
Revision 1879 - Directory Listing
Modified Fri Aug 13 13:37:40 2010 UTC (11 years, 9 months ago) by msalle 
Adding new function:
 cgul_open_logfile()
opens a logfile, root-owned, with suitable checks, using J. Kupsch library.
Revision 1857 - Directory Listing
Modified Fri Jul 16 16:46:43 2010 UTC (11 years, 10 months ago) by msalle 
Syncing with fileutil in glexec. Note that there were a few issues with the
wrong groups being added:
- Rewritten trusted/confidential checks for cgul_read_config, to make it more
  consistent and solve a number of unclear situations and inconsistencies.
    * confidentiality check is now only enabled when a macro
      DEMAND_CONFIG_CONFIDENTIAL is defined.
    * Only trusted user and root are trusted for read/write. The trusted group is
      not trusted for writing.
    * When in addition a confidentiality check is done, the file may ONLY be
      readable for the trusted users, the trusted groups and the effective gid,
      the latter only when different from real gid.
- Adding a #ifdef around 2 variable definitions to prevent 'unused variable'
  warnings.
- Allow to 'drop' privilege to root group when needed.
- properly deal with negative 'gid's' (use int and cast at the right place).
Revision 1832 - Directory Listing
Modified Thu Jul 1 13:46:28 2010 UTC (11 years, 10 months ago) by msalle 
Adding const predicate to variable to prevent compiler warning.
Revision 1829 - Directory Listing
Modified Wed Jun 30 12:58:45 2010 UTC (11 years, 10 months ago) by msalle 
- Fix wrong return code for read_config: missing file should NOT be a privilege
  drop error but a I/O error.
Revision 1809 - Directory Listing
Modified Tue Jun 22 10:15:54 2010 UTC (11 years, 11 months ago) by msalle 
flock() doesn't work on Solaris, so always return error.
Revision 1798 - Directory Listing
Modified Mon Jun 21 10:26:13 2010 UTC (11 years, 11 months ago) by aramv 
Returning error code from parse_gridmapfile
Revision 1784 - Directory Listing
Modified Thu Jun 17 13:48:37 2010 UTC (11 years, 11 months ago) by aramv 
Copied gridmapdir code to CGUL
Revision 1782 - Directory Listing
Modified Wed Jun 16 09:22:25 2010 UTC (11 years, 11 months ago) by aramv 
Not logging debug messages if debug flag was not set
Revision 1749 - Directory Listing
Modified Wed Jun 9 13:54:08 2010 UTC (11 years, 11 months ago) by aramv 
Fixed memleak
Revision 1718 - Directory Listing
Modified Fri May 28 12:22:34 2010 UTC (12 years ago) by msalle 
Adding header file made by configure
Revision 1717 - Directory Listing
Modified Fri May 28 12:20:27 2010 UTC (12 years ago) by msalle 
Adding safefile-1.0 from Jim Kupsch.
Revision 1709 - Directory Listing
Modified Thu May 20 12:19:51 2010 UTC (12 years ago) by aramv 
Removed debug output
Revision 1708 - Directory Listing
Modified Thu May 20 10:37:51 2010 UTC (12 years ago) by aramv 
Only using vsnprintf when needed, renamed asprintf to my_asprintf to avoid conflicts with GNU code
Revision 1707 - Directory Listing
Modified Wed May 19 16:23:47 2010 UTC (12 years ago) by aramv 
Added tiny fixes to log_to_file.c
Revision 1704 - Directory Listing
Modified Wed May 19 13:21:28 2010 UTC (12 years ago) by aramv 
Using new header file
Revision 1703 - Directory Listing
Modified Wed May 19 13:19:31 2010 UTC (12 years ago) by aramv 
Added unixprivs prototypes
Revision 1702 - Directory Listing
Modified Wed May 19 12:52:50 2010 UTC (12 years ago) by aramv 
Fixed asprintf misuse
Revision 1701 - Directory Listing
Modified Wed May 19 12:45:45 2010 UTC (12 years ago) by aramv 
Fixed C++ style comment
Revision 1694 - Directory Listing
Modified Tue May 18 15:17:36 2010 UTC (12 years ago) by aramv 
Fixed pid_t to string code to be warningless. I hope it works on OpenSolaris too
Revision 1693 - Directory Listing
Modified Tue May 18 14:50:12 2010 UTC (12 years ago) by aramv 
Fixed const char bug
Revision 1686 - Directory Listing
Modified Wed May 12 13:22:02 2010 UTC (12 years ago) by msalle 
Need to #include <sys/types.h> for uid_t and gid_t
Revision 1682 - Directory Listing
Modified Tue May 11 09:40:20 2010 UTC (12 years ago) by aramv 
Different include
Revision 1675 - Directory Listing
Modified Tue May 11 09:35:18 2010 UTC (12 years ago) by aramv 
Removed main
Revision 1674 - Directory Listing
Modified Tue May 11 09:32:35 2010 UTC (12 years ago) by aramv 
Moved gridmapdir to gridmapfile
Revision 1673 - Directory Listing
Modified Tue May 11 09:32:03 2010 UTC (12 years ago) by aramv 
Moved gridmapdir to gridmapfile
Revision 1672 - Directory Listing
Modified Tue May 11 09:24:58 2010 UTC (12 years ago) by aramv 
Fixed mini-memleak
Revision 1660 - Directory Listing
Modified Thu May 6 15:29:04 2010 UTC (12 years ago) by aramv 
Added some gridmapdir code
Revision 1649 - Directory Listing
Modified Tue Apr 20 12:40:26 2010 UTC (12 years, 1 month ago) by aramv 
Missed a spot
Revision 1618 - Directory Listing
Modified Fri Apr 9 09:45:30 2010 UTC (12 years, 1 month ago) by aramv 
Fixed small bug. Added ident setter. Flushing fd after each write
Revision 1617 - Directory Listing
Modified Thu Apr 8 12:35:02 2010 UTC (12 years, 1 month ago) by okoeroo 
More firm checks
Revision 1616 - Directory Listing
Modified Thu Apr 8 12:27:00 2010 UTC (12 years, 1 month ago) by okoeroo 
fixed typos and compile problems. This now works.
Revision 1614 - Directory Listing
Modified Thu Apr 8 12:04:15 2010 UTC (12 years, 1 month ago) by aramv 
Fixed small memleak
Revision 1613 - Directory Listing
Modified Thu Apr 8 09:49:09 2010 UTC (12 years, 1 month ago) by aramv 
Moved signatures and typedefs to header
Revision 1612 - Directory Listing
Modified Thu Apr 8 09:44:44 2010 UTC (12 years, 1 month ago) by aramv 
Renamed references to EEF/EES to CGUL
Revision 1611 - Directory Listing
Modified Wed Apr 7 09:31:09 2010 UTC (12 years, 1 month ago) by okoeroo 
Added cgul_x509_select_final_cert_from_chain() which checks if there is a End-Entity Certificate or delegation to be selected as the final certificate.
Revision 1610 - Directory Listing
Modified Tue Apr 6 15:31:40 2010 UTC (12 years, 1 month ago) by okoeroo 
Added cgul_x509_select_eec_from_chain() to simplify the code in cgul_x509_chain_to_subject_dn() and cgul_x509_chain_to_issuer_dn().


/******************************************************************************
Function:       cgul_x509_select_eec_from_chain()
Description:    Get the End-Entity Certificate from a certificate chain
Parameters:
                certstack: certificate chain
Returns:        pointer to X509 EEC
******************************************************************************/
X509 * cgul_x509_select_eec_from_chain (STACK_OF(X509) * chain);

/******************************************************************************
Function:       cgul_x509_chain_to_subject_dn()
Description:    Get the Subject DN of the End-Entity Certificate of the X509 cert
Parameters:
                certstack: certificate chain
Returns:        Subject DN string (which should be freed)
******************************************************************************/
char * cgul_x509_chain_to_subject_dn(STACK_OF(X509) * chain);

/******************************************************************************
Function:       cgul_x509_chain_to_issuer_dn()
Description:    Get the Issuer DN of the End-Entity Certificate of the X509 cert
Parameters:
                certstack: certificate chain
Returns:        Issuer DN string (which should be freed)
******************************************************************************/
char * cgul_x509_chain_to_issuer_dn(STACK_OF(X509) * chain);
Revision 1584 - Directory Listing
Modified Sun Mar 21 19:02:50 2010 UTC (12 years, 2 months ago) by okoeroo 
Adding a function to test is a socket is still active and functional.
Revision 1556 - Directory Listing
Modified Thu Mar 11 15:52:41 2010 UTC (12 years, 2 months ago) by aramv 
Added flush
Revision 1523 - Directory Listing
Modified Thu Feb 25 09:40:15 2010 UTC (12 years, 3 months ago) by okoeroo 
Added specific variables to reduce function calls and fix a reporting error where a GID was to be printed, but a UID was set.
Revision 1516 - Directory Listing
Modified Thu Feb 18 14:18:14 2010 UTC (12 years, 3 months ago) by msalle 
- updated comment
Revision 1515 - Directory Listing
Modified Thu Feb 18 14:08:32 2010 UTC (12 years, 3 months ago) by msalle 
- Heavily improved mkdir_with_parents function for crippled automount behaviour.
Revision 1514 - Directory Listing
Modified Thu Feb 18 13:30:13 2010 UTC (12 years, 3 months ago) by msalle 
- resync-ed with glexec: lstat -> stat etc.
Revision 1512 - Directory Listing
Modified Mon Feb 15 16:16:49 2010 UTC (12 years, 3 months ago) by msalle 
- new function cgul_add_src_pattern() to add substring pattern entries from a
  src environment to a target environment. E.g. for GLEXEC_ variables into the
  target process environment.
- reworked related cgul_add_src_list(), so that it is more or less consistent
  internally consistent with the new cgul_add_src_pattern()
Revision 1510 - Directory Listing
Modified Sun Feb 14 12:31:32 2010 UTC (12 years, 3 months ago) by msalle 
Bringing fileutil back in sync with version in gLExec
Revision 1509 - Directory Listing
Modified Sun Feb 14 12:31:10 2010 UTC (12 years, 3 months ago) by msalle 
Bringing environ back in sync with version in gLExec.
Revision 1508 - Directory Listing
Modified Thu Feb 11 16:03:11 2010 UTC (12 years, 3 months ago) by msalle 
- don't change const char * parameter, so put it in a buffer..
Revision 1503 - Directory Listing
Modified Wed Feb 10 23:32:47 2010 UTC (12 years, 3 months ago) by msalle 
- cgul_write_uniq_proxy now updates the template such that one can figure out
  the actual filename
Revision 1498 - Directory Listing
Modified Wed Feb 10 15:44:18 2010 UTC (12 years, 3 months ago) by msalle 
- Updated the API for the proxy reading and config file, after extensively
  looking at use-cases.
  Preferred for config file: 'glexec'.root (or 'scas'.root or whatever), and
  reading as glexec.glexec or glexec.gid
- two writing functions synchronized.
Revision 1493 - Directory Listing
Modified Tue Feb 9 22:01:18 2010 UTC (12 years, 3 months ago) by msalle 
- (almost) no type incompatibilities. Removed 1 potentially dangerous size_t
Revision 1491 - Directory Listing
Modified Tue Feb 9 16:30:01 2010 UTC (12 years, 3 months ago) by msalle 
- introduced cgul_ prefix for environ
- synchronized two proxy writing functions, thereby fixing a const char* writing
  issue (segfault).
Revision 1486 - Directory Listing
Modified Tue Feb 9 15:13:55 2010 UTC (12 years, 3 months ago) by msalle 
- parent directory of to-be-written proxy is created and with right mode.
Revision 1484 - Directory Listing
Modified Tue Feb 9 14:54:49 2010 UTC (12 years, 3 months ago) by msalle 
- LICENSES added
- added ifndef construct to prevent double inclusion
- added many comments
- fixed a few uninitialized variables 
- fixed too small buffer for reading (\0 forgotten)
  also fixed forgotten addition of \0 after reading.
- read_config() now has preferred uid/gid. 0 (root) effectively ignores, because
  root is always trusted (cannot be untrusted).
- priv_drop has int argu's because uid/gid is unsigned.
- same for read_proxy: read_gid is int
- priv_drop now fails when NOT euid==0
- read_config figures out whether switching or not and acts accordingly: in
  switching mode we demand confidential, in non-switching, trusted is good
  enough.
- check on template in write_uniq_proxy: ending with 6 times X
- difference in file mode and dirmode, for same one...
- fixed bug in dir creation, missed last element.
Revision 1476 - Directory Listing
Modified Mon Feb 8 16:11:46 2010 UTC (12 years, 3 months ago) by msalle 
- new function cgul_read_config that reads a config file into a memory buffer
  using J. Kupsch' safefile (only the safe_is_path_trusted_r() )

- hopefully raise all privileges also when failure.

- remove dead code
Revision 1475 - Directory Listing
Modified Mon Feb 8 15:25:32 2010 UTC (12 years, 3 months ago) by okoeroo 
Fixed errors
Revision 1474 - Directory Listing
Modified Mon Feb 8 15:18:44 2010 UTC (12 years, 3 months ago) by okoeroo 
Creating a one liner to print the current process information.
Revision 1473 - Directory Listing
Modified Mon Feb 8 15:00:23 2010 UTC (12 years, 3 months ago) by msalle 
- Added extra return code -3 for cgul_write_proxy(): permissions error
  Also split opening/changing ownership/mode for this, in this function
- fixed number of missing variable declarations
- fixed number of typos
Revision 1470 - Directory Listing
Modified Mon Feb 8 12:37:50 2010 UTC (12 years, 3 months ago) by msalle 
- First (preliminary) version of fileutil files: locking, reading/writing proxy
  and directory creation.
Revision 1453 - Directory Listing
Modified Wed Feb 3 21:29:34 2010 UTC (12 years, 3 months ago) by msalle 
- Use properly size_t when needed
Revision 1452 - Directory Listing
Modified Tue Feb 2 19:09:23 2010 UTC (12 years, 3 months ago) by msalle 
- introducing env_t (char **): now use &dst for creation/updating of
  environments instead of return value of functions.
  This makes it easier to have a few additions in a row etc.

- make sure when input whitelist and/or src is null everything works as
  expected: new environment should be created and initialized to empty, old
  environment should be left unchanged.

- make sure environ.h is effectively included once using a #ifndef
Revision 1449 - Directory Listing
Modified Tue Feb 2 02:35:46 2010 UTC (12 years, 3 months ago) by msalle 
- added new function setenv_dst() adding a name, value pair to the dst
  environment, similar to add_namevalue()

- check explicitly that whitelists aren't NULL, which lead to a segfault...
Revision 1447 - Directory Listing
Modified Sun Jan 31 18:24:07 2010 UTC (12 years, 3 months ago) by msalle 
We're not in 2004... Changed year to 2010
Revision 1446 - Directory Listing
Modified Sun Jan 31 11:10:18 2010 UTC (12 years, 3 months ago) by msalle 
No copyright text for us, only EGEE allowed (instructions from Francesco).
Revision 1444 - Directory Listing
Modified Fri Jan 29 10:02:55 2010 UTC (12 years, 3 months ago) by msalle 
The tabs have been spaced out...
Revision 1443 - Directory Listing
Modified Fri Jan 29 10:00:16 2010 UTC (12 years, 3 months ago) by aramv 
Changed tabs into spaces
Revision 1442 - Directory Listing
Modified Fri Jan 29 09:58:13 2010 UTC (12 years, 3 months ago) by msalle 
license text to be included in any source file (incl. .h, Makefile etc...)
Revision 1441 - Directory Listing
Modified Fri Jan 29 09:50:02 2010 UTC (12 years, 3 months ago) by msalle 
- Added a getenv for 'external' environments
- no more pointer arithmetics...
Revision 1440 - Directory Listing
Modified Thu Jan 28 21:03:50 2010 UTC (12 years, 4 months ago) by okoeroo 
Adding arbitrary X509-related functions. These are from LCMAPS. And from what I now know about OpenSSL, some might be re-written to be less fragile or use less memory.
Revision 1439 - Directory Listing
Modified Thu Jan 28 20:58:44 2010 UTC (12 years, 4 months ago) by msalle 
- fixed a few initialization (valgrind) problems.
- updated comments: remarks on strdup/putenv etc.
Revision 1438 - Directory Listing
Modified Thu Jan 28 19:46:50 2010 UTC (12 years, 4 months ago) by okoeroo 
Removing double file.
Revision 1437 - Directory Listing
Modified Thu Jan 28 19:45:25 2010 UTC (12 years, 4 months ago) by okoeroo 
Adding first part for OpenSSL (specific) tools. In this case its a (non functional) grid-proxy-verify. It's the same tool, but torn apart, refactored and with more useful APIs. Essentially the same as Jan Just's grid-proxy-verify. This code has been lifted from the lcmaps-plugins-verify-proxy.
Revision 1436 - Directory Listing
Modified Thu Jan 28 16:48:35 2010 UTC (12 years, 4 months ago) by msalle 
- added a number of new functions to:
    add single pairs to external environment,
    put some general stuff in special functions,
- Fixed a few memory leaks, probably none left (-:
Revision 1429 - Directory Listing
Modified Mon Jan 25 16:42:10 2010 UTC (12 years, 4 months ago) by msalle 
- strarrlen returns NULL when argument is NULL (not just when list is empty).
  This is convenient...
Revision 1420 - Directory Listing
Modified Mon Jan 25 10:40:31 2010 UTC (12 years, 4 months ago) by msalle 
environ.c / environ.h Provides methods to safely backup the environment, to
clear the current environment and to re-set certain parts from the backup
into it.
Revision 1418 - Directory Listing
Modified Sun Jan 24 09:49:55 2010 UTC (12 years, 4 months ago) by okoeroo 
Added:
gid_t threadsafe_getgid_from_name (const char * groupname)
Revision 1417 - Directory Listing
Modified Sat Jan 23 20:37:07 2010 UTC (12 years, 4 months ago) by okoeroo 
Adding IPv6 capable client and service implementations.

Warning! This code still needs work to be cleaned from my personal/private/local/laptop hacking.
Revision 1411 - Directory Listing
Modified Thu Jan 21 15:33:50 2010 UTC (12 years, 4 months ago) by aramv 
Added fancy bitmask and open/close functions
Revision 1409 - Directory Listing
Modified Thu Jan 21 10:40:37 2010 UTC (12 years, 4 months ago) by aramv 
Added proper timestamp and hostname
Revision 1407 - Directory Listing
Modified Wed Jan 20 16:06:49 2010 UTC (12 years, 4 months ago) by aramv 
Moved passwd size test to its own directory
Revision 1406 - Directory Listing
Modified Wed Jan 20 16:06:12 2010 UTC (12 years, 4 months ago) by aramv 
Added a log-to-file example
Revision 1405 - Directory Listing
Modified Wed Jan 20 13:42:07 2010 UTC (12 years, 4 months ago) by okoeroo 
Fixed the threadsafe_getuid_from_name() to be safer, easier to read, contain a 1k buffer by default, clean itself up properly, set errno at the end of the function to the proper state (bypassing the free() and other functions) and having sufficient comments in the code for understandability.
Revision 1404 - Directory Listing
Modified Wed Jan 20 11:48:59 2010 UTC (12 years, 4 months ago) by okoeroo 
Added threadsafe_getuid_from_name()
Revision 1403 - Directory Listing
Modified Wed Jan 20 11:21:41 2010 UTC (12 years, 4 months ago) by okoeroo 
Added Unix Privilege manipulation tool.

Includes:
UID up and Down grader and the generation of a list of gid_t's from a username.
Revision 1401 - Directory Listing
Modified Wed Jan 20 10:55:35 2010 UTC (12 years, 4 months ago) by okoeroo 
Added a set of random character selection functions.
Revision 1400 - Directory Listing
Modified Wed Jan 20 10:07:44 2010 UTC (12 years, 4 months ago) by msalle 
- checks errno
- no warnings
Revision 1397 - Directory Listing
Added Tue Jan 19 15:59:50 2010 UTC (12 years, 4 months ago) by aramv 
Added a test for password struct size on your platform
grid.support@nikhef.nl
 ViewVC Help
Powered by ViewVC 1.1.28