/[pdpsoft]/trunk/grid-mw-security/cgul/unixprivs/unixpriv.c

Annotation of /trunk/grid-mw-security/cgul/unixprivs/unixpriv.c



Revision 1403 - (hide annotations) (download) (as text)
Wed Jan 20 11:21:41 2010 UTC (12 years, 6 months ago) by okoeroo
File MIME type: text/x-chdr
File size: 4361 byte(s)
Added Unix Privilege manipulation tool.

Includes:
UID up and Down grader and the generation of a list of gid_t's from a username.



/****************************************************
 C-GUL

 Unix privilege manipulation: effective uid down- and upgrade,
 and generation of a gid_t list for a user name

 ****************************************************/
7    
8    
9    
10    
11    
/* When the proxy is located on an NFS mount and the server side has the root squash
 * option enabled, the effective uid is mapped to user 'nobody', which should
 * not be able to read the proxy file. To work around this problem, the effective
 * uid of the process is changed to that of the calling user, and once glexec is done
 * the saved uid is used to restore the identity of the process.
 */
18     #if 0
19     Example:
20     uid_t stored_real_uid = -1;
21     uid_t stored_eff_uid = -1;
22    
23     /* Downgrade effective privileges to cope with NFS mounted file systems with root squashing */
24     downgradeEffectiveToRealUid (&stored_real_uid, &stored_eff_uid);
25    
26     /* Read PEM string */
27     fopen(proxyfile, "r");
28    
29     /* Restore privileges to previous state */
30     upgradeEffectiveToRealUid (stored_real_uid, stored_eff_uid);
31     #endif
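/* Lower the effective uid of the calling process to its real uid.
 *
 * real_uid:  out; receives getuid().
 * saved_uid: out; receives the effective uid in force before the change, so
 *            that upgradeEffectiveToRealUid() can restore it later. It is
 *            written on every successful call, also when no change is made,
 *            so callers never read back an indeterminate value.
 *
 * When the real uid is 0 the effective uid is left untouched; this mirrors
 * upgradeEffectiveToRealUid(), which restores nothing for real_uid == 0.
 *
 * Returns 0 on success, 1 when a pointer argument is NULL, when seteuid()
 * fails, or when the effective uid does not read back as the real uid.
 */
int downgradeEffectiveToRealUid (uid_t * real_uid, uid_t * saved_uid)
{
    if (real_uid == NULL || saved_uid == NULL)
    {
        fprintf (stderr, "Error on downsizing with seteuid(): NULL argument\n");
        return 1;
    }

    *real_uid = getuid();
    /* Save it - unconditionally, so *saved_uid is always defined for the caller */
    *saved_uid = geteuid();

    if (*real_uid != 0)
    {
        if (seteuid(*real_uid))
        {
            fprintf (stderr, "Error on downsizing with seteuid(): %s\n", strerror(errno));
            return 1;
        }
        /* Verify the change took effect instead of trusting the return code alone */
        if (geteuid() != *real_uid)
        {
            fprintf (stderr, "Error on downsizing with seteuid(): effective uid unchanged\n");
            return 1;
        }
    }
    return 0;
}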
47    
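/* Restore the effective uid recorded by downgradeEffectiveToRealUid().
 *
 * real_uid:  the real uid as returned by the downgrade call.
 * saved_uid: the effective uid that was in force before the downgrade.
 *
 * Mirrors the downgrade: for real_uid == 0 nothing was changed there, so
 * nothing is restored here either.
 *
 * Returns 0 on success, 1 when seteuid() fails or the effective uid does not
 * read back as saved_uid afterwards.
 */
int upgradeEffectiveToRealUid (uid_t real_uid, uid_t saved_uid)
{
    /* Do not forget to put back the original effective uid on the process. */
    if (real_uid != 0)
    {
        if (seteuid(saved_uid))
        {
            fprintf (stderr, "Error on returning seteuid(): %s\n", strerror(errno));
            return 1;
        }
        /* Verify the change took effect instead of trusting the return code alone */
        if (geteuid() != saved_uid)
        {
            fprintf (stderr, "Error on returning seteuid(): effective uid not restored\n");
            return 1;
        }
    }
    return 0;
}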
61    
62    
63    
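/******************************************************************************
Function: get_gidlist()

Description:
    Finds the list of gids for user in the group file (/etc/group) by walking
    every entry with getgrent() and collecting the gid of each group whose
    member list names the user. The comparison is an exact string match: a
    member name that merely starts with the user name is not a match.
    Only groups that list the user as a member are collected; the primary
    group from the passwd entry is not consulted here.
    Returns a list of gid_t which should be freed by calling program.
    On every error path *group_list is NULL and the group file is closed.

Parameters:
    username:   the name of the user (must not be NULL)
    ngroups:    ptr to int which will be filled with the number of gids.
    group_list: ptr to an array of gid_t.

Returns:
    0 on success.
    -1 on realloc failure
    -2 on getgrent failure
    1 on failure (a NULL argument)
******************************************************************************/
int get_gidlist(
    const char * username,
    int * ngroups,
    gid_t ** group_list
)
{
    struct group * group_info = NULL;
    gid_t * groups = NULL;
    int count = 0;
    int i = 0;

    if (username == NULL || ngroups == NULL || group_list == NULL)
    {
        lcmaps_log(1, "lcmaps_get_gidlist(): NULL argument\n");
        return 1;
    }
    *ngroups = 0;
    *group_list = NULL;

    /* rewind the file pointer to the beginning of the /etc/group file */
    setgrent();

    /* getgrent() reports a read failure only through errno, so clear any
     * stale value left by an earlier call before the loop starts. */
    errno = 0;

    lcmaps_log_debug(2, "\tlcmaps_get_gidlist(): looping through group file\n");
    while ( ( group_info = getgrent() ) )
    {
        char ** pgr_mem = group_info->gr_mem;
        char * gr_mem = NULL;

        lcmaps_log_debug(4, "\tlcmaps_get_gidlist(): group %s\n", group_info->gr_name);
        while ( (gr_mem = *pgr_mem) )
        {
            lcmaps_log_debug(4, "\tlcmaps_get_gidlist(): \tgroup member %s\n", gr_mem);
            /* Exact match: a length-limited prefix compare would also accept
             * members such as "anna" when looking for "ann". */
            if (strcmp(username, gr_mem) == 0)
            {
                gid_t * newgroups = NULL;

                lcmaps_log_debug(2, "\tlcmaps_get_gidlist(): \t\tfound group %s for %s\n",
                                 group_info->gr_name, username);
                /* Grow into a temporary so 'groups' can still be freed on failure */
                newgroups = realloc(groups, (size_t)(count + 1) * sizeof *groups);
                if (newgroups == NULL)
                {
                    lcmaps_log(1, "lcmaps_get_gidlist(): cannot realloc\n");
                    free(groups);
                    /* Close the group file */
                    endgrent();
                    return -1;
                }
                groups = newgroups;
                groups[count] = group_info->gr_gid;
                count++;
                /* One gid per group: stop scanning this entry's member list */
                break;
            }
            ++pgr_mem;
        }
    }
    if (errno == ENOMEM)
    {
        lcmaps_log(1, "lcmaps_get_gidlist(): Cannot read the group file, %s\n", strerror(errno));
        free(groups);
        groups = NULL;
        /* Close the group file */
        endgrent();
        return -2;
    }
    *ngroups = count;
    *group_list = groups;
    lcmaps_log_debug(4,"\tlcmaps_get_gidlist(): %d groups found for %s\n", count, username);
    for (i = 0; i < count; i++)
    {
        /* gid_t has no fixed width; widen to long so the format specifier matches */
        lcmaps_log_debug(4,"\tlcmaps_get_gidlist(): group nr %d ==> gid_t %ld\n", i+1, (long)groups[i]);
    }
    /* Close the group file */
    endgrent();
    return 0;
}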
144    
145    
