
Diff of /trunk/grid-mw-security/ees/plugin_examples/posix_enf/src/posix_enf.c


revision 1397 by aramv, Wed Jan 13 10:49:06 2010 UTC revision 1398 by aramv, Tue Jan 19 16:33:01 2010 UTC
# Line 1  Line 1 
1    #include <unistd.h>
2  #include <stdio.h>  #include <stdio.h>
3  #include <grp.h>  #include <grp.h>
4    #include <pwd.h>
5  #include "plugin.h"  #include "plugin.h"
6    
7  #define MAX_UNDEFINED -1  #define MAX_UNDEFINED -1
# Line 14  static int       maxpgid       = MAX_UND Line 16  static int       maxpgid       = MAX_UND
16  static int       maxsgid       = MAX_UNDEFINED;  static int       maxsgid       = MAX_UNDEFINED;
17  static int       set_only_euid = 0;  static int       set_only_euid = 0;
18  static int       set_only_egid = 0;  static int       set_only_egid = 0;
19    static int       do_uid_check  = 0;
20  static char      *plugin_name  = "posix_enf";  static char      *plugin_name  = "posix_enf";
21    struct passwd    pwd           = NULL;
22    
23  aos_context_t    *context      = NULL;  aos_context_t    *context      = NULL;
24  aos_attribute_t  *attribute    = NULL;  aos_attribute_t  *attribute    = NULL;
25    uid_t            _real_uid     = NULL;
26    uid_t            _saved_uid    = NULL;
27    
28    EES_RC downgradeEffectiveToRealUid (uid_t real_uid, uid_t saved_uid);
29    EES_RC upgradeEffectiveToRealUid (uid_t real_uid, uid_t saved_uid);
30    
31  EES_PL_RC plugin_initialize(int argc, char* argv[]){  EES_PL_RC plugin_initialize(int argc, char* argv[]){
32    static struct option long_options[] =    static struct option long_options[] =
# Line 25  EES_PL_RC plugin_initialize(int argc, ch Line 35  EES_PL_RC plugin_initialize(int argc, ch
35      {"maxpgid",       required_argument, 0, 'p'},      {"maxpgid",       required_argument, 0, 'p'},
36      {"maxsgid",       required_argument, 0, 's'},      {"maxsgid",       required_argument, 0, 's'},
37      {"set_only_euid", required_argument, 0, 'e'},      {"set_only_euid", required_argument, 0, 'e'},
38      {"set_only_egid", required_argument, 0, 'g'}      {"set_only_egid", required_argument, 0, 'g'},
39        {"check_uid",     no_argument,       0, 'c'}
40    };    };
41    int option_index, c;    int option_index, c;
42      _saved_uid = geteuid();
43      do_uid_check = 0;
44    
45          eef_log(LOG_ERR, "%s: Initializing posix enforcement plugin!\n", plugin_name);          eef_log(LOG_ERR, "%s: Initializing posix enforcement plugin!\n", plugin_name);
46    
# Line 57  EES_PL_RC plugin_initialize(int argc, ch Line 70  EES_PL_RC plugin_initialize(int argc, ch
70            set_only_egid = 1;            set_only_egid = 1;
71          }          }
72          break;          break;
73          case 'c':
74            do_uid_check = 1;
75            break;
76      }      }
77    }    }
78    
# Line 88  EES_PL_RC plugin_run(){ Line 104  EES_PL_RC plugin_run(){
104        while((attribute = getNextAttribute(context))){        while((attribute = getNextAttribute(context))){
105          if(strncmp(getAttributeId(attribute), "posix-uid", strlen("posix-uid")) == 0){          if(strncmp(getAttributeId(attribute), "posix-uid", strlen("posix-uid")) == 0){
106            printf("Got UID: %s\n", getAttributeId(attribute));            printf("Got UID: %s\n", getAttributeId(attribute));
107              _real_uid = getAttributeValueAsInt(attribute);
108          } else if(strncmp(getAttributeId(attribute), "posix-gid", strlen("posix-gid")) == 0){          } else if(strncmp(getAttributeId(attribute), "posix-gid", strlen("posix-gid")) == 0){
109            printf("Got primary GID: %s\n", getAttributeId(attribute));            printf("Got primary GID: %s\n", getAttributeId(attribute));
110          }          }
111        }        }
112      }      }
113    }    }
114    
115      if(do_uid_check){
116        if(getpwuid()){
117          
118        }
119      }
120      downgradeEffectiveToRealUid(_real_uid, _saved_uid);
121      endpwent();
122    
123          return 0;          return 0;
124  }  }
125    
126  EES_PL_RC plugin_terminate(){  EES_PL_RC plugin_terminate(){
127    eef_log(LOG_NOTICE, "plugin poxix_enf terminated\n");    eef_log(LOG_NOTICE, "plugin poxix_enf terminated\n");
128      upgradeEffectiveToRealUid(_real_uid, _saved_uid);
129    return 0;    return 0;
130  }  }
131    /*  When the proxy is located on an NFS mount and on the server side the root squash
132     *  option has been enabled, the effective uid is mapped to user 'nobody' which should
133     *  not be able to read the proxy file. To work around this problem, the effective
134     *  uid of the process is changed to that of the calling user and once glexec is done,
135     *  the saved uid is used to restore the identity of the process,
136     */
137    EES_RC downgradeEffectiveToRealUid (uid_t real_uid, uid_t saved_uid){    
138      real_uid = getuid();
139      if (real_uid != 0){
140        /* Save it */
141        saved_uid = geteuid();
142        printf("Set uid to: %i\n", real_uid);
143        if (seteuid(real_uid)){
144          eef_log(LOG_ERR, "Error on downsizing with seteuid()\n");
145          return EES_PL_FAILURE;
146        }    
147      }    
148      return EES_PL_SUCCESS;
149    }    
150        
151    EES_RC upgradeEffectiveToRealUid (uid_t real_uid, uid_t saved_uid){  
152      /*  Do not forget to put back the original effective uid on the process. */
153      if (real_uid != 0){
154        if (seteuid(saved_uid)){
155          eef_log(LOG_ERR, "Error on returning seteuid()\n");
156          return EES_PL_FAILURE;
157        }
158      }
159      return EES_PL_SUCCESS;
160    }
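Review bot: The results of both seteuid() wrappers are discarded at their call sites (new lines 120 and 128), so plugin_run still returns 0 when the effective-uid change failed and whatever runs next presumably keeps the original effective uid; the call should read `if (downgradeEffectiveToRealUid(_real_uid, _saved_uid) != EES_PL_SUCCESS) return EES_PL_FAILURE;`, with the same check in plugin_terminate. Inside downgradeEffectiveToRealUid both parameters are passed by value and then overwritten (`real_uid = getuid();`, `saved_uid = geteuid();`), so the posix-uid value stored in `_real_uid` at new line 107 is never used and the saved uid never reaches the caller, while upgradeEffectiveToRealUid tests the global `_real_uid` against 0 and would skip the restore when no posix-uid attribute was seen. The `check_uid` branch is unfinished: `getpwuid()` is called without a uid and its body is empty, and `struct passwd pwd = NULL;` is not a valid initializer for a struct. plugin_initialize and plugin_run both start outside the visible hunks, so the option parsing and the first part of the attribute loop were not reviewed.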
