/[pdpsoft]/trunk/grid-mw-security/ees/plugin_examples/posix_enf/src/posix_enf.c
ViewVC logotype

Contents of /trunk/grid-mw-security/ees/plugin_examples/posix_enf/src/posix_enf.c

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1583 - (show annotations) (download) (as text)
Fri Mar 19 17:29:41 2010 UTC (12 years, 6 months ago) by aramv
File MIME type: text/x-chdr
File size: 6360 byte(s)
Fixed a read error. Added signature for fork function
1 #include <unistd.h>
2 #include <stdio.h>
3 #include <grp.h>
4 #include <pwd.h>
5 #include <sys/types.h>
6 #include "eef_plugin.h"
7
8 #define MAX_UNDEFINED -1
9 #ifdef NGROUPS_MAX
10 #define NGROUPS NGROUPS_MAX
11 #else
12 #define NGROUPS 32
13 #endif
14
15 static int _maxuid;
16 static int _maxpgid;
17 static int _maxsgid;
18
19 uid_t _real_uid;
20 uid_t _saved_uid;
21
22 static int _set_only_euid;
23 static int _set_only_egid;
24 static int _do_uid_check;
25 static char *_plugin_name;
26
27 EES_RC printPasswordEntry(uid_t target_uid);
28 EES_RC downgradeEffectiveToRealUid (uid_t* real_uid, uid_t* saved_uid);
29 EES_RC upgradeEffectiveToRealUid (uid_t* real_uid, uid_t* saved_uid);
30
31 EES_PL_RC plugin_initialize(int argc, char* argv[]){
32 static struct option long_options[] =
33 {
34 {"maxuid", required_argument, 0, 'u'},
35 {"maxpgid", required_argument, 0, 'p'},
36 {"maxsgid", required_argument, 0, 's'},
37 {"set_only_euid", required_argument, 0, 'e'},
38 {"set_only_egid", required_argument, 0, 'g'},
39 {"check_uid", no_argument, 0, 'c'}
40 };
41 int option_index, c;
42
43 _maxuid = MAX_UNDEFINED;
44 _maxpgid = MAX_UNDEFINED;
45 _maxsgid = MAX_UNDEFINED;
46 _real_uid = -1;
47 _saved_uid = geteuid();
48
49 _set_only_euid = 0;
50 _set_only_egid = 0;
51 _do_uid_check = 0;
52 _plugin_name = "posix_enf";
53
54 eef_log(LOG_DEBUG, "%s: Initializing posix enforcement plugin!\n", _plugin_name);
55
56 /* parse options */
57 while(1){
58 c = getopt_long_only(argc, argv, "u:p:s:e:g:c", long_options, &option_index);
59 if(c == -1){
60 break;
61 }
62 switch(c){
63 case 'u':
64 _maxuid = atoi(optarg);
65 break;
66 case 'p':
67 _maxpgid = atoi(optarg);
68 break;
69 case 's':
70 _maxsgid = atoi(optarg);
71 break;
72 case 'e':
73 if(strncmp(optarg,"yes", 4) == 0){
74 _set_only_euid = 1;
75 }
76 break;
77 case 'g':
78 if(strncmp(optarg, "yes", 4) == 0){
79 _set_only_egid = 1;
80 }
81 break;
82 case 'c':
83 _do_uid_check = 1;
84 break;
85 }
86 }
87
88 /* sanity checks */
89 if(_maxsgid > NGROUPS){
90 eef_log(LOG_ERR, "%s: Option -maxsgid %i exceeds the system limit of %i", _plugin_name, _maxsgid, NGROUPS);
91 return EES_PL_FAILURE;
92 } else if(_maxsgid == MAX_UNDEFINED){
93 _maxsgid = NGROUPS;
94 eef_log(LOG_NOTICE, "%s: Option -maxsgid defaulted to maximum %i", _plugin_name, NGROUPS);
95 }
96
97 eef_log(LOG_INFO, "%s: Initialized plugin posix_enf with options:\n", _plugin_name);
98 eef_log(LOG_INFO, "%s: _maxuid: %i\n", _plugin_name, _maxuid);
99 eef_log(LOG_INFO, "%s: _maxpgid: %i\n", _plugin_name, _maxpgid);
100 eef_log(LOG_INFO, "%s: _maxsgid: %i\n", _plugin_name, _maxsgid);
101
102 eef_log(LOG_INFO, "%s: _set_only_euid: %i\n", _plugin_name, _set_only_euid);
103 eef_log(LOG_INFO, "%s: _set_only_egid: %i\n", _plugin_name, _set_only_egid);
104
105 return EES_PL_SUCCESS;
106 }
107
108 EES_PL_RC plugin_run(){
109 uid_t _target_uid = -1;
110 gid_t _target_gid = -1;
111
112 aos_context_t *_context = NULL;
113 aos_attribute_t *_attribute = NULL;
114
115 rewindContexts(NULL);
116 while((_context = getNextContext(OBLIGATION, NULL))){
117 if(strncmp(getContextObligationId(_context), "uidgid", strlen("uidgid")) == 0){
118 rewindAttributes(_context);
119 while((_attribute = getNextAttribute(_context))){
120 /*printf("Attr: %s\n", getAttributeId(_attribute));*/
121 if(strncmp(getAttributeId(_attribute), "posix-uid", strlen("posix-uid")) == 0){
122 /*printf("UID: %s\n", getAttributeValueAsString(_attribute));*/
123 _target_uid = getAttributeValueAsInt(_attribute);
124 } else if(strncmp(getAttributeId(_attribute), "posix-gid", strlen("posix-gid")) == 0){
125 /*printf("GID: %s\n", getAttributeValueAsString(_attribute));*/
126 _target_gid = getAttributeValueAsInt(_attribute);
127 }
128 }
129 }
130 }
131
132 if(_target_uid > -1){
133 eef_log(LOG_DEBUG, "Got target UID: %i\n", _target_uid);
134 eef_log(LOG_DEBUG, "Got target primary GID: %i\n", _target_uid);
135
136 if(_do_uid_check){
137 printPasswordEntry(_target_uid);
138 }
139 downgradeEffectiveToRealUid(&_real_uid, &_saved_uid);
140 endpwent();
141 return EES_PL_SUCCESS;
142 }
143
144 return EES_PL_FAILURE;
145 }
146
147 /* terminate plugin */
148 EES_PL_RC plugin_terminate(){
149 eef_log(LOG_INFO, "plugin poxix_enf terminated\n");
150 upgradeEffectiveToRealUid(&_real_uid, &_saved_uid);
151 return 0;
152 }
153
154 EES_RC printPasswordEntry(uid_t target_uid){
155 struct passwd _pw_entry;
156 struct passwd *_pw_entry_p = &_pw_entry;
157 struct passwd *_tmp_pw_entry_p = NULL;
158 char _pw_buffer[200];
159 size_t _pw_size = sizeof(_pw_buffer);
160
161 eef_log(LOG_DEBUG, "Checking uid %i\n", target_uid);
162 if(getpwuid_r(target_uid, _pw_entry_p, _pw_buffer, _pw_size, &_tmp_pw_entry_p) == 0){
163 eef_log(LOG_DEBUG, "User name %s\n", _pw_entry.pw_name );
164 eef_log(LOG_DEBUG, "Uid %i\n", _pw_entry.pw_uid );
165 eef_log(LOG_DEBUG, "Gid %i\n", _pw_entry.pw_gid );
166 eef_log(LOG_DEBUG, "Initial dir %s\n", _pw_entry.pw_dir );
167 eef_log(LOG_DEBUG, "Shell %s\n", _pw_entry.pw_shell );
168 }
169
170 return EES_PL_SUCCESS;
171 }
172
173 /* When the proxy is located on an NFS mount and on the server side the root squash
174 * option has been enabled, the effective uid is mapped to user 'nobody' which should
175 * not be able to read the proxy file. To work around this problem, the effective
176 * uid of the process is changed to that of the calling user and once glexec is done,
177 * the saved uid is used to restore the identity of the process,
178 */
179 EES_RC downgradeEffectiveToRealUid (uid_t* real_uid, uid_t* saved_uid){
180 *real_uid = getuid();
181 if (*real_uid != 0){
182 /* Save it */
183 *saved_uid = geteuid();
184 eef_log(LOG_DEBUG, "Set uid to: %i\n", *real_uid);
185 if (seteuid(*real_uid)){
186 eef_log(LOG_ERR, "Error on downsizing with seteuid()\n");
187 return EES_PL_FAILURE;
188 }
189 }
190 return EES_PL_SUCCESS;
191 }
192
193 EES_RC upgradeEffectiveToRealUid (uid_t* real_uid, uid_t* saved_uid){
194 /* Do not forget to put back the original effective uid on the process. */
195 if (*real_uid != 0){
196 if (seteuid(*saved_uid)){
197 eef_log(LOG_ERR, "Error on returning seteuid()\n");
198 return EES_PL_FAILURE;
199 }
200 }
201 return EES_PL_SUCCESS;
202 }

grid.support@nikhef.nl
ViewVC Help
Powered by ViewVC 1.1.28