cgul/unixprivs/unixpriv.c

/****************************************************
C-GUL

 Generate random characters

****************************************************/


uid_t threadsafe_getuid_from_name (const char * username)
{
    struct passwd * p          = NULL;
    uid_t           uid        = -1;
    int             errno_save = 0;
#define HAVE_GETPWNAM_R
#ifdef HAVE_GETPWNAM_R || defined _LIBC
  #ifdef _SC_GETPW_R_SIZE_MAX
    size_t buflen = sysconf (_SC_GETPW_R_SIZE_MAX);
  #else
    size_t buflen = 128;
  #endif
    char *pwtmpbuf;
    struct passwd pwbuf;


    if (buflen == -1)
        /* `sysconf' does not support _SC_GETPW_R_SIZE_MAX.  Try a
           moderate value.  */
        buflen = 128;

    pwtmpbuf = (char *) calloc (1, buflen);

    while (getpwnam_r (username, &pwbuf, pwtmpbuf, buflen, &p) != 0)
    {
        if (errno != ERANGE)
        {
            p = NULL;
            break;
        }
        buflen *= 2;
        free (pwtmpbuf);
        
        if (!(pwtmpbuf = (char *) calloc (1, buflen)))
        {
            if (errno == ENOMEM)
            {
                /* No memory available, bail out */
                p = NULL;
                errno_save = errno;
                break;
            }
        }
    }
#else
    p = getpwnam (username);
#endif

    if (p)
    {
        uid = p -> pw_uid;
    }

    free (pwtmpbuf);
    errno = errno_save;
    return uid;
}


/*  When the proxy is located on an NFS mount and on the server side the root squash
 *  option has been enabled, the effective uid is mapped to user 'nobody' which should
 *  not be able to read the proxy file. To work around this problem, the effective
 *  uid of the process is changed to that of the calling user and once glexec is done,
 *  the saved uid is used to restore the identity of the process,
 */
#if 0
Example:
    uid_t stored_real_uid = -1;
    uid_t stored_eff_uid  = -1;

    /* Downgrade effective privileges to cope with NFS mounted file systems with root squashing */
    downgradeEffectiveToRealUid (&stored_real_uid, &stored_eff_uid);

    /* Read PEM string */
    fopen(proxyfile, "r");

    /* Restore privileges to previous state */
    upgradeEffectiveToRealUid (stored_real_uid, stored_eff_uid);
#endif
int downgradeEffectiveToRealUid (uid_t * real_uid, uid_t * saved_uid)
{
    *real_uid = getuid();
    if (*real_uid != 0)
    {
        /* Save it */
        *saved_uid = geteuid();
        if (seteuid(*real_uid))
        {
            fprintf (stderr, "Error on downsizing with seteuid()\n");
            return 1;
        }
    }
    return 0;
}

int upgradeEffectiveToRealUid (uid_t real_uid, uid_t saved_uid)
{
    /*  Do not forget to put back the original effective uid on the process. */
    if (real_uid != 0)
    {
        if (seteuid(saved_uid))
        {
            fprintf (stderr, "Error on returning seteuid()\n");
            return 1;
        }
    }
    return 0;
}


/******************************************************************************
Function:   get_gidlist()

Description:
    Finds the list of gids for user in the group file (/etc/group)
    Returns a list of gid_t which should be freed by calling program.

Parameters:
    username:   the name of the user
    ngroups:    ptr to int which will be filled with the number of gids.
    group_list: ptr to an array of gid_t.

Returns:
    0 on success. 
    -1 on realloc failure
    -2 on getgrent failure
    1 on failure
******************************************************************************/
int get_gidlist(
        const char * username,
        int * ngroups,
        gid_t ** group_list
    )
{
    struct group        * group_info = NULL;
    gid_t               * groups = NULL;
    gid_t               * newgroups = NULL;
    int                   i = 0;

    /* rewind the file pointer to the beginning of the /etc/group file */
    setgrent();

    lcmaps_log_debug(2, "\tlcmaps_get_gidlist(): looping through group file\n");
    *ngroups = 0;
    while ( ( group_info = getgrent() ) )
    {
        char ** pgr_mem = group_info->gr_mem;
        char *  gr_mem = NULL;

        lcmaps_log_debug(4, "\tlcmaps_get_gidlist(): group %s\n", group_info->gr_name);
        while ( (gr_mem = *pgr_mem) )
        {
            lcmaps_log_debug(4, "\tlcmaps_get_gidlist(): \tgroup member %s\n", gr_mem);
            if (strncmp(username, gr_mem, strlen(username))==0)
            {
                lcmaps_log_debug(2, "\tlcmaps_get_gidlist(): \t\tfound group %s for %s\n",
                    group_info->gr_name, username);
                (*ngroups)++;
                newgroups = (gid_t *) realloc(groups, ((*ngroups) * sizeof(gid_t)));
                if (newgroups == NULL)
                {
                    lcmaps_log(1, "lcmaps_get_gidlist(): cannot realloc\n");
                    free(groups);
                    return -1;
                }
                groups=newgroups;
                groups[(*ngroups)-1] = group_info->gr_gid;
            }
            ++pgr_mem;
        }
    }
    if (errno==ENOMEM)
    {
        lcmaps_log(1, "lcmaps_get_gidlist(): Cannot read the group file, %s\n", strerror(errno));
        free(groups);
        groups=NULL;
        /* Close the group file */
        endgrent();
        return -2;
    }
    *group_list=groups;
    lcmaps_log_debug(4,"\tlcmaps_get_gidlist(): %d groups found for %s\n", *ngroups, username);
    for (i = 0; i < *ngroups; i++)
    {
        lcmaps_log_debug(4,"\tlcmaps_get_gidlist(): group nr %d ==> gid_t %d\n", i+1, groups[i]);
    }
    /* Close the group file */
    endgrent();
    return 0;
}


1	okoeroo	1403	/****************************************************
2			C-GUL
3
4			Generate random characters
5
6			****************************************************/
7
8
9	okoeroo	1404	uid_t threadsafe_getuid_from_name (const char * username)
10			{
11			struct passwd * p = NULL;
12			uid_t uid = -1;
13			int errno_save = 0;
14			#define HAVE_GETPWNAM_R
15			#ifdef HAVE_GETPWNAM_R \|\| defined _LIBC
16			#ifdef _SC_GETPW_R_SIZE_MAX
17			size_t buflen = sysconf (_SC_GETPW_R_SIZE_MAX);
18			#else
19			size_t buflen = 128;
20			#endif
21			char *pwtmpbuf;
22			struct passwd pwbuf;
23	okoeroo	1403
24
25	okoeroo	1404	if (buflen == -1)
26			/* `sysconf' does not support _SC_GETPW_R_SIZE_MAX. Try a
27			moderate value. */
28			buflen = 128;
29	okoeroo	1403
30	okoeroo	1404	pwtmpbuf = (char *) calloc (1, buflen);
31
32			while (getpwnam_r (username, &pwbuf, pwtmpbuf, buflen, &p) != 0)
33			{
34			if (errno != ERANGE)
35			{
36			p = NULL;
37			break;
38			}
39			buflen *= 2;
40			free (pwtmpbuf);
41
42			if (!(pwtmpbuf = (char *) calloc (1, buflen)))
43			{
44			if (errno == ENOMEM)
45			{
46			/* No memory available, bail out */
47			p = NULL;
48			errno_save = errno;
49			break;
50			}
51			}
52			}
53			#else
54			p = getpwnam (username);
55			#endif
56
57			if (p)
58			{
59			uid = p -> pw_uid;
60			}
61
62			free (pwtmpbuf);
63			errno = errno_save;
64			return uid;
65			}
66
67
68
69	okoeroo	1403	/* When the proxy is located on an NFS mount and on the server side the root squash
70			* option has been enabled, the effective uid is mapped to user 'nobody' which should
71			* not be able to read the proxy file. To work around this problem, the effective
72			* uid of the process is changed to that of the calling user and once glexec is done,
73			* the saved uid is used to restore the identity of the process,
74			*/
75			#if 0
76			Example:
77			uid_t stored_real_uid = -1;
78			uid_t stored_eff_uid = -1;
79
80			/* Downgrade effective privileges to cope with NFS mounted file systems with root squashing */
81			downgradeEffectiveToRealUid (&stored_real_uid, &stored_eff_uid);
82
83			/* Read PEM string */
84			fopen(proxyfile, "r");
85
86			/* Restore privileges to previous state */
87			upgradeEffectiveToRealUid (stored_real_uid, stored_eff_uid);
88			#endif
89			int downgradeEffectiveToRealUid (uid_t * real_uid, uid_t * saved_uid)
90			{
91			*real_uid = getuid();
92			if (*real_uid != 0)
93			{
94			/* Save it */
95			*saved_uid = geteuid();
96			if (seteuid(*real_uid))
97			{
98			fprintf (stderr, "Error on downsizing with seteuid()\n");
99			return 1;
100			}
101			}
102			return 0;
103			}
104
105			int upgradeEffectiveToRealUid (uid_t real_uid, uid_t saved_uid)
106			{
107			/* Do not forget to put back the original effective uid on the process. */
108			if (real_uid != 0)
109			{
110			if (seteuid(saved_uid))
111			{
112			fprintf (stderr, "Error on returning seteuid()\n");
113			return 1;
114			}
115			}
116			return 0;
117			}
118
119
120
121			/******************************************************************************
122			Function: get_gidlist()
123
124			Description:
125			Finds the list of gids for user in the group file (/etc/group)
126			Returns a list of gid_t which should be freed by calling program.
127
128			Parameters:
129			username: the name of the user
130			ngroups: ptr to int which will be filled with the number of gids.
131			group_list: ptr to an array of gid_t.
132
133			Returns:
134			0 on success.
135			-1 on realloc failure
136			-2 on getgrent failure
137			1 on failure
138			******************************************************************************/
139			int get_gidlist(
140			const char * username,
141			int * ngroups,
142			gid_t ** group_list
143			)
144			{
145			struct group * group_info = NULL;
146			gid_t * groups = NULL;
147			gid_t * newgroups = NULL;
148			int i = 0;
149
150			/* rewind the file pointer to the beginning of the /etc/group file */
151			setgrent();
152
153			lcmaps_log_debug(2, "\tlcmaps_get_gidlist(): looping through group file\n");
154			*ngroups = 0;
155			while ( ( group_info = getgrent() ) )
156			{
157			char ** pgr_mem = group_info->gr_mem;
158			char * gr_mem = NULL;
159
160			lcmaps_log_debug(4, "\tlcmaps_get_gidlist(): group %s\n", group_info->gr_name);
161			while ( (gr_mem = *pgr_mem) )
162			{
163			lcmaps_log_debug(4, "\tlcmaps_get_gidlist(): \tgroup member %s\n", gr_mem);
164			if (strncmp(username, gr_mem, strlen(username))==0)
165			{
166			lcmaps_log_debug(2, "\tlcmaps_get_gidlist(): \t\tfound group %s for %s\n",
167			group_info->gr_name, username);
168			(*ngroups)++;
169			newgroups = (gid_t ) realloc(groups, ((ngroups) * sizeof(gid_t)));
170			if (newgroups == NULL)
171			{
172			lcmaps_log(1, "lcmaps_get_gidlist(): cannot realloc\n");
173			free(groups);
174			return -1;
175			}
176			groups=newgroups;
177			groups[(*ngroups)-1] = group_info->gr_gid;
178			}
179			++pgr_mem;
180			}
181			}
182			if (errno==ENOMEM)
183			{
184			lcmaps_log(1, "lcmaps_get_gidlist(): Cannot read the group file, %s\n", strerror(errno));
185			free(groups);
186			groups=NULL;
187			/* Close the group file */
188			endgrent();
189			return -2;
190			}
191			*group_list=groups;
192			lcmaps_log_debug(4,"\tlcmaps_get_gidlist(): %d groups found for %s\n", *ngroups, username);
193			for (i = 0; i < *ngroups; i++)
194			{
195			lcmaps_log_debug(4,"\tlcmaps_get_gidlist(): group nr %d ==> gid_t %d\n", i+1, groups[i]);
196			}
197			/* Close the group file */
198			endgrent();
199			return 0;
200			}
201
202
grid.support@nikhef.nl	ViewVC Help
Powered by ViewVC 1.1.28