cgul/unixprivs/unixpriv.c

/****************************************************
C-GUL

 Generate random characters

****************************************************/


/*  When the proxy is located on an NFS mount and on the server side the root squash
 *  option has been enabled, the effective uid is mapped to user 'nobody' which should
 *  not be able to read the proxy file. To work around this problem, the effective
 *  uid of the process is changed to that of the calling user and once glexec is done,
 *  the saved uid is used to restore the identity of the process,
 */
#if 0
Example:
    uid_t stored_real_uid = -1;
    uid_t stored_eff_uid  = -1;

    /* Downgrade effective privileges to cope with NFS mounted file systems with root squashing */
    downgradeEffectiveToRealUid (&stored_real_uid, &stored_eff_uid);

    /* Read PEM string */
    fopen(proxyfile, "r");

    /* Restore privileges to previous state */
    upgradeEffectiveToRealUid (stored_real_uid, stored_eff_uid);
#endif
int downgradeEffectiveToRealUid (uid_t * real_uid, uid_t * saved_uid)
{
    *real_uid = getuid();
    if (*real_uid != 0)
    {
        /* Save it */
        *saved_uid = geteuid();
        if (seteuid(*real_uid))
        {
            fprintf (stderr, "Error on downsizing with seteuid()\n");
            return 1;
        }
    }
    return 0;
}

int upgradeEffectiveToRealUid (uid_t real_uid, uid_t saved_uid)
{
    /*  Do not forget to put back the original effective uid on the process. */
    if (real_uid != 0)
    {
        if (seteuid(saved_uid))
        {
            fprintf (stderr, "Error on returning seteuid()\n");
            return 1;
        }
    }
    return 0;
}


/******************************************************************************
Function:   get_gidlist()

Description:
    Finds the list of gids for user in the group file (/etc/group)
    Returns a list of gid_t which should be freed by calling program.

Parameters:
    username:   the name of the user
    ngroups:    ptr to int which will be filled with the number of gids.
    group_list: ptr to an array of gid_t.

Returns:
    0 on success. 
    -1 on realloc failure
    -2 on getgrent failure
    1 on failure
******************************************************************************/
int get_gidlist(
        const char * username,
        int * ngroups,
        gid_t ** group_list
    )
{
    struct group        * group_info = NULL;
    gid_t               * groups = NULL;
    gid_t               * newgroups = NULL;
    int                   i = 0;

    /* rewind the file pointer to the beginning of the /etc/group file */
    setgrent();

    lcmaps_log_debug(2, "\tlcmaps_get_gidlist(): looping through group file\n");
    *ngroups = 0;
    while ( ( group_info = getgrent() ) )
    {
        char ** pgr_mem = group_info->gr_mem;
        char *  gr_mem = NULL;

        lcmaps_log_debug(4, "\tlcmaps_get_gidlist(): group %s\n", group_info->gr_name);
        while ( (gr_mem = *pgr_mem) )
        {
            lcmaps_log_debug(4, "\tlcmaps_get_gidlist(): \tgroup member %s\n", gr_mem);
            if (strncmp(username, gr_mem, strlen(username))==0)
            {
                lcmaps_log_debug(2, "\tlcmaps_get_gidlist(): \t\tfound group %s for %s\n",
                    group_info->gr_name, username);
                (*ngroups)++;
                newgroups = (gid_t *) realloc(groups, ((*ngroups) * sizeof(gid_t)));
                if (newgroups == NULL)
                {
                    lcmaps_log(1, "lcmaps_get_gidlist(): cannot realloc\n");
                    free(groups);
                    return -1;
                }
                groups=newgroups;
                groups[(*ngroups)-1] = group_info->gr_gid;
            }
            ++pgr_mem;
        }
    }
    if (errno==ENOMEM)
    {
        lcmaps_log(1, "lcmaps_get_gidlist(): Cannot read the group file, %s\n", strerror(errno));
        free(groups);
        groups=NULL;
        /* Close the group file */
        endgrent();
        return -2;
    }
    *group_list=groups;
    lcmaps_log_debug(4,"\tlcmaps_get_gidlist(): %d groups found for %s\n", *ngroups, username);
    for (i = 0; i < *ngroups; i++)
    {
        lcmaps_log_debug(4,"\tlcmaps_get_gidlist(): group nr %d ==> gid_t %d\n", i+1, groups[i]);
    }
    /* Close the group file */
    endgrent();
    return 0;
}


1	/****************************************************
2	C-GUL
3
4	Generate random characters
5
6	****************************************************/
7
8
9
10
11
12	/* When the proxy is located on an NFS mount and on the server side the root squash
13	* option has been enabled, the effective uid is mapped to user 'nobody' which should
14	* not be able to read the proxy file. To work around this problem, the effective
15	* uid of the process is changed to that of the calling user and once glexec is done,
16	* the saved uid is used to restore the identity of the process,
17	*/
18	#if 0
19	Example:
20	uid_t stored_real_uid = -1;
21	uid_t stored_eff_uid = -1;
22
23	/* Downgrade effective privileges to cope with NFS mounted file systems with root squashing */
24	downgradeEffectiveToRealUid (&stored_real_uid, &stored_eff_uid);
25
26	/* Read PEM string */
27	fopen(proxyfile, "r");
28
29	/* Restore privileges to previous state */
30	upgradeEffectiveToRealUid (stored_real_uid, stored_eff_uid);
31	#endif
32	int downgradeEffectiveToRealUid (uid_t * real_uid, uid_t * saved_uid)
33	{
34	*real_uid = getuid();
35	if (*real_uid != 0)
36	{
37	/* Save it */
38	*saved_uid = geteuid();
39	if (seteuid(*real_uid))
40	{
41	fprintf (stderr, "Error on downsizing with seteuid()\n");
42	return 1;
43	}
44	}
45	return 0;
46	}
47
48	int upgradeEffectiveToRealUid (uid_t real_uid, uid_t saved_uid)
49	{
50	/* Do not forget to put back the original effective uid on the process. */
51	if (real_uid != 0)
52	{
53	if (seteuid(saved_uid))
54	{
55	fprintf (stderr, "Error on returning seteuid()\n");
56	return 1;
57	}
58	}
59	return 0;
60	}
61
62
63
64	/******************************************************************************
65	Function: get_gidlist()
66
67	Description:
68	Finds the list of gids for user in the group file (/etc/group)
69	Returns a list of gid_t which should be freed by calling program.
70
71	Parameters:
72	username: the name of the user
73	ngroups: ptr to int which will be filled with the number of gids.
74	group_list: ptr to an array of gid_t.
75
76	Returns:
77	0 on success.
78	-1 on realloc failure
79	-2 on getgrent failure
80	1 on failure
81	******************************************************************************/
82	int get_gidlist(
83	const char * username,
84	int * ngroups,
85	gid_t ** group_list
86	)
87	{
88	struct group * group_info = NULL;
89	gid_t * groups = NULL;
90	gid_t * newgroups = NULL;
91	int i = 0;
92
93	/* rewind the file pointer to the beginning of the /etc/group file */
94	setgrent();
95
96	lcmaps_log_debug(2, "\tlcmaps_get_gidlist(): looping through group file\n");
97	*ngroups = 0;
98	while ( ( group_info = getgrent() ) )
99	{
100	char ** pgr_mem = group_info->gr_mem;
101	char * gr_mem = NULL;
102
103	lcmaps_log_debug(4, "\tlcmaps_get_gidlist(): group %s\n", group_info->gr_name);
104	while ( (gr_mem = *pgr_mem) )
105	{
106	lcmaps_log_debug(4, "\tlcmaps_get_gidlist(): \tgroup member %s\n", gr_mem);
107	if (strncmp(username, gr_mem, strlen(username))==0)
108	{
109	lcmaps_log_debug(2, "\tlcmaps_get_gidlist(): \t\tfound group %s for %s\n",
110	group_info->gr_name, username);
111	(*ngroups)++;
112	newgroups = (gid_t ) realloc(groups, ((ngroups) * sizeof(gid_t)));
113	if (newgroups == NULL)
114	{
115	lcmaps_log(1, "lcmaps_get_gidlist(): cannot realloc\n");
116	free(groups);
117	return -1;
118	}
119	groups=newgroups;
120	groups[(*ngroups)-1] = group_info->gr_gid;
121	}
122	++pgr_mem;
123	}
124	}
125	if (errno==ENOMEM)
126	{
127	lcmaps_log(1, "lcmaps_get_gidlist(): Cannot read the group file, %s\n", strerror(errno));
128	free(groups);
129	groups=NULL;
130	/* Close the group file */
131	endgrent();
132	return -2;
133	}
134	*group_list=groups;
135	lcmaps_log_debug(4,"\tlcmaps_get_gidlist(): %d groups found for %s\n", *ngroups, username);
136	for (i = 0; i < *ngroups; i++)
137	{
138	lcmaps_log_debug(4,"\tlcmaps_get_gidlist(): group nr %d ==> gid_t %d\n", i+1, groups[i]);
139	}
140	/* Close the group file */
141	endgrent();
142	return 0;
143	}
144
145
grid.support@nikhef.nl	ViewVC Help
Powered by ViewVC 1.1.28