/[pdpsoft]/trunk/grid-mw-security/cgul/unixprivs/unixpriv.c
Revision 1403 - (show annotations) (download) (as text)
Wed Jan 20 11:21:41 2010 UTC (12 years, 6 months ago) by okoeroo
File MIME type: text/x-chdr
File size: 4361 byte(s)
Added Unix Privilege manipulation tool.

Includes:
UID up and Down grader and the generation of a list of gid_t's from a username.



1 /****************************************************
2 C-GUL
3
4 Generate random characters
5
6 ****************************************************/
7
8
9
10
11
/* When the proxy is located on an NFS mount and on the server side the root squash
 * option has been enabled, the effective uid is mapped to user 'nobody', which should
 * not be able to read the proxy file. To work around this problem, the effective
 * uid of the process is changed to that of the calling user and, once glexec is done,
 * the saved uid is used to restore the identity of the process.
 */
18 #if 0
19 Example:
20 uid_t stored_real_uid = -1;
21 uid_t stored_eff_uid = -1;
22
23 /* Downgrade effective privileges to cope with NFS mounted file systems with root squashing */
24 downgradeEffectiveToRealUid (&stored_real_uid, &stored_eff_uid);
25
26 /* Read PEM string */
27 fopen(proxyfile, "r");
28
29 /* Restore privileges to previous state */
30 upgradeEffectiveToRealUid (stored_real_uid, stored_eff_uid);
31 #endif
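int downgradeEffectiveToRealUid (uid_t * real_uid, uid_t * saved_uid)
{
    /*
     * Temporarily make the effective uid equal to the real uid so that files on
     * root-squashed NFS mounts are opened as the calling user instead of 'nobody'.
     * The values needed to undo the change are written through real_uid (the
     * real uid) and saved_uid (the effective uid before the change) and must be
     * passed back to upgradeEffectiveToRealUid().
     *
     * Returns 0 on success (also when no change was needed), 1 when an argument
     * is NULL, when seteuid() fails, or when the drop could not be verified.
     */
    if (real_uid == NULL || saved_uid == NULL)
    {
        fprintf (stderr, "Error on downsizing with seteuid(): NULL argument\n");
        return 1;
    }

    *real_uid  = getuid();
    /* Always record the current effective uid so the caller never reads back
     * an uninitialised value, even when nothing is changed below. */
    *saved_uid = geteuid();

    /* A root real uid does not need the workaround: nothing is changed. */
    if (*real_uid == 0)
    {
        return 0;
    }

    /* Effective uid already equals the real uid: nothing to do. */
    if (*saved_uid == *real_uid)
    {
        return 0;
    }

    if (seteuid(*real_uid) != 0)
    {
        fprintf (stderr, "Error on downsizing with seteuid(): %s\n", strerror(errno));
        return 1;
    }

    /* Verify the privilege change actually took effect rather than trusting
     * the return value alone. */
    if (geteuid() != *real_uid)
    {
        fprintf (stderr, "Error on downsizing with seteuid(): effective uid not changed\n");
        return 1;
    }
    return 0;
}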
47
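int upgradeEffectiveToRealUid (uid_t real_uid, uid_t saved_uid)
{
    /*
     * Undo downgradeEffectiveToRealUid(): put the saved effective uid back on
     * the process. real_uid and saved_uid are the values that call produced.
     *
     * Returns 0 on success (including the root case, where nothing was
     * dropped and nothing is restored), 1 when seteuid() fails or the
     * restore could not be verified.
     */
    if (real_uid == 0)
    {
        /* Nothing was dropped for a root real uid, so nothing to restore. */
        return 0;
    }

    /* Do not forget to put back the original effective uid on the process. */
    if (seteuid(saved_uid) != 0)
    {
        fprintf (stderr, "Error on returning seteuid(): %s\n", strerror(errno));
        return 1;
    }

    /* Confirm the identity was really restored before continuing with it. */
    if (geteuid() != saved_uid)
    {
        fprintf (stderr, "Error on returning seteuid(): effective uid not restored\n");
        return 1;
    }
    return 0;
}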
61
62
63
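/******************************************************************************
Function: get_gidlist()

Description:
    Finds the list of gids for user in the group file (/etc/group) by scanning
    the member list of every group entry; only explicit membership counts, the
    user's primary group from the passwd entry is not consulted.
    Returns a list of gid_t which should be freed by calling program.
    The member name must match username exactly (not as a prefix).

Parameters:
    username:   the name of the user
    ngroups:    ptr to int which will be filled with the number of gids.
    group_list: ptr to an array of gid_t (set to NULL when no group matched
                or on error).

Returns:
    0 on success.
   -1 on realloc failure
   -2 on getgrent failure
    1 on failure (NULL argument)
******************************************************************************/
int get_gidlist(
        const char * username,
        int * ngroups,
        gid_t ** group_list
)
{
    struct group * group_info = NULL;
    gid_t * groups = NULL;
    gid_t * newgroups = NULL;
    int i = 0;

    if (username == NULL || ngroups == NULL || group_list == NULL)
    {
        lcmaps_log(1, "lcmaps_get_gidlist(): invalid (NULL) argument\n");
        return 1;
    }

    /* Output parameters are defined on every return path */
    *ngroups = 0;
    *group_list = NULL;

    /* rewind the file pointer to the beginning of the /etc/group file */
    setgrent();

    /* getgrent() returns NULL both at end-of-file and on error; only errno
     * tells them apart, so clear any stale value before each call. */
    errno = 0;

    lcmaps_log_debug(2, "\tlcmaps_get_gidlist(): looping through group file\n");
    while ( ( group_info = getgrent() ) != NULL )
    {
        char ** pgr_mem = group_info->gr_mem;
        char * gr_mem = NULL;

        lcmaps_log_debug(4, "\tlcmaps_get_gidlist(): group %s\n", group_info->gr_name);
        /* gr_mem is a NULL-terminated array of names; also tolerate a NULL array */
        while ( pgr_mem != NULL && (gr_mem = *pgr_mem) != NULL )
        {
            lcmaps_log_debug(4, "\tlcmaps_get_gidlist(): \tgroup member %s\n", gr_mem);
            /* Exact comparison: a prefix match (strncmp with strlen(username))
             * would also accept e.g. "bobby" for user "bob" and hand out gids
             * the user is not entitled to. */
            if (strcmp(username, gr_mem) == 0)
            {
                lcmaps_log_debug(2, "\tlcmaps_get_gidlist(): \t\tfound group %s for %s\n",
                                 group_info->gr_name, username);
                newgroups = realloc(groups, (size_t)(*ngroups + 1) * sizeof *groups);
                if (newgroups == NULL)
                {
                    lcmaps_log(1, "lcmaps_get_gidlist(): cannot realloc\n");
                    free(groups);
                    *ngroups = 0;
                    /* Close the group file on this error path too */
                    endgrent();
                    return -1;
                }
                groups = newgroups;
                groups[*ngroups] = group_info->gr_gid;
                (*ngroups)++;
            }
            ++pgr_mem;
        }
        /* Logging above may have touched errno; reset before the next getgrent() */
        errno = 0;
    }
    if (errno == ENOMEM)
    {
        lcmaps_log(1, "lcmaps_get_gidlist(): Cannot read the group file, %s\n", strerror(errno));
        free(groups);
        groups = NULL;
        *ngroups = 0;
        /* Close the group file */
        endgrent();
        return -2;
    }
    *group_list = groups;
    lcmaps_log_debug(4,"\tlcmaps_get_gidlist(): %d groups found for %s\n", *ngroups, username);
    for (i = 0; i < *ngroups; i++)
    {
        /* gid_t is typically unsigned; cast so the argument matches %d */
        lcmaps_log_debug(4,"\tlcmaps_get_gidlist(): group nr %d ==> gid_t %d\n", i+1, (int)groups[i]);
    }
    /* Close the group file */
    endgrent();
    return 0;
}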
144
145
