/[pdpsoft]/trunk/grid-mw-security/ees/plugin_examples/posix_enf/src/posix_enf.c
ViewVC logotype

Diff of /trunk/grid-mw-security/ees/plugin_examples/posix_enf/src/posix_enf.c

Parent Directory Parent Directory | Revision Log Revision Log | View Patch Patch

revision 1568 by aramv, Tue Mar 16 13:24:33 2010 UTC revision 1569 by aramv, Tue Mar 16 17:35:17 2010 UTC
# Line 2  Line 2 
2  #include <stdio.h>  #include <stdio.h>
3  #include <grp.h>  #include <grp.h>
4  #include <pwd.h>  #include <pwd.h>
5    #include <sys/types.h>
6  #include "eef_plugin.h"  #include "eef_plugin.h"
7    
8  #define MAX_UNDEFINED -1  #define MAX_UNDEFINED -1
# Line 11  Line 12 
12    #define NGROUPS 32    #define NGROUPS 32
13  #endif  #endif
14    
15  static int       _maxuid        = MAX_UNDEFINED;  static int       _maxuid;
16  static int       _maxpgid       = MAX_UNDEFINED;  static int       _maxpgid;
17  static int       _maxsgid       = MAX_UNDEFINED;  static int       _maxsgid;
   
 static int       _set_only_euid = 0;  
 static int       _set_only_egid = 0;  
 static int       _do_uid_check  = 0;  
 static char      *_plugin_name  = "posix_enf";  
18    
 aos_context_t    *_context      = NULL;  
 aos_attribute_t  *_attribute    = NULL;  
   
 struct passwd    _pwd;  
19  uid_t            _real_uid;  uid_t            _real_uid;
20  uid_t            _saved_uid;  uid_t            _saved_uid;
 gid_t            _real_gid;  
 gid_t            _saved_gid;  
   
21    
22  EES_RC downgradeEffectiveToRealUid (uid_t real_uid, uid_t saved_uid);  static int       _set_only_euid;
23  EES_RC upgradeEffectiveToRealUid (uid_t real_uid, uid_t saved_uid);  static int       _set_only_egid;
24    static int       _do_uid_check;
25    static char      *_plugin_name;
26    
27    EES_RC printPasswordEntry(uid_t target_uid);
28    EES_RC downgradeEffectiveToRealUid (uid_t* real_uid, uid_t* saved_uid);
29    EES_RC upgradeEffectiveToRealUid (uid_t* real_uid, uid_t* saved_uid);
30    
31  EES_PL_RC plugin_initialize(int argc, char* argv[]){  EES_PL_RC plugin_initialize(int argc, char* argv[]){
32    static struct option long_options[] =    static struct option long_options[] =
# Line 44  EES_PL_RC plugin_initialize(int argc, ch Line 39  EES_PL_RC plugin_initialize(int argc, ch
39      {"check_uid",     no_argument,       0, 'c'}      {"check_uid",     no_argument,       0, 'c'}
40    };    };
41    int option_index, c;    int option_index, c;
   _saved_uid = geteuid();  
   _do_uid_check = 0;  
42    
43          eef_log(LOG_ERR, "%s: Initializing posix enforcement plugin!\n", _plugin_name);    _maxuid        = MAX_UNDEFINED;
44      _maxpgid       = MAX_UNDEFINED;
45      _maxsgid       = MAX_UNDEFINED;
46      _real_uid      = -1;
47      _saved_uid     = geteuid();
48    
49      _set_only_euid = 0;
50      _set_only_egid = 0;
51      _do_uid_check  = 0;
52      _plugin_name   = "posix_enf";
53    
54      eef_log(LOG_DEBUG, "%s: Initializing posix enforcement plugin!\n", _plugin_name);
55    
56    /* parse options */    /* parse options */
57    while(1){    while(1){
# Line 102  EES_PL_RC plugin_initialize(int argc, ch Line 106  EES_PL_RC plugin_initialize(int argc, ch
106  }  }
107    
108  EES_PL_RC plugin_run(){  EES_PL_RC plugin_run(){
109    struct passwd *_pw_entry = NULL;    uid_t            _target_uid      = -1;
110    struct passwd *_tmp_pw_entry_p = NULL;    gid_t            _target_gid      = -1;
111    char _pw_buffer[200];  
112    size_t _pw_size = sizeof(_pw_buffer);    aos_context_t    *_context        = NULL;
113      aos_attribute_t  *_attribute      = NULL;
114    
115    printf("Examining AOS\n");    rewindContexts(NULL);
116    while((_context = getNextContext(OBLIGATION, NULL))){    while((_context = getNextContext(OBLIGATION, NULL))){
     printf("Context: %s\n", getContextObligationId(_context));  
117      if(strncmp(getContextObligationId(_context), "uidgid", strlen("uidgid")) == 0){      if(strncmp(getContextObligationId(_context), "uidgid", strlen("uidgid")) == 0){
118          rewindAttributes(_context);
119        while((_attribute = getNextAttribute(_context))){        while((_attribute = getNextAttribute(_context))){
120          if(strncmp(getAttributeId(_attribute), "posix-uid", strlen("posix-uid")) == 0){          if(strncmp(getAttributeId(_attribute), "posix-uid", strlen("posix-uid")) == 0){
121            printf("Got UID: %s\n", getAttributeId(_attribute));            _target_uid = strtol(getAttributeValueAsString(_attribute), NULL, 10);
           _real_uid = getAttributeValueAsInt(_attribute);  
122          } else if(strncmp(getAttributeId(_attribute), "posix-gid", strlen("posix-gid")) == 0){          } else if(strncmp(getAttributeId(_attribute), "posix-gid", strlen("posix-gid")) == 0){
123            printf("Got primary GID: %s\n", getAttributeId(_attribute));            _target_gid = strtol(getAttributeValueAsString(_attribute), NULL, 10);
124          }          }
125        }        }
126      }      }
127    }    }
128    
129      eef_log(LOG_DEBUG, "Got target UID: %i\n", _target_uid);
130      eef_log(LOG_DEBUG, "Got target primary GID: %i\n", _target_uid);
131    
132    if(_do_uid_check){    if(_do_uid_check){
133      if(getpwuid_r(_real_uid, _pw_entry, _pw_buffer,  _pw_size, _tmp_pw_entry_p) == 0){      printPasswordEntry(_target_uid);
       printf("User name %s\n", _pw_entry->pw_name );  
       printf("Uid %s\n", _pw_entry->pw_uid );  
       printf("Gid %s\n", _pw_entry->pw_gid );  
       printf("Initial dir %s\n", _pw_entry->pw_dir );  
       printf("Shell %s\n", _pw_entry->pw_shell );  
     }  
134    }    }
135    downgradeEffectiveToRealUid(_real_uid, _saved_uid);    downgradeEffectiveToRealUid(&_real_uid, &_saved_uid);
136    endpwent();    endpwent();
137    
138          return EES_PL_SUCCESS;    return EES_PL_SUCCESS;
139  }  }
140    
141    /* terminate plugin */
142  EES_PL_RC plugin_terminate(){  EES_PL_RC plugin_terminate(){
143    eef_log(LOG_NOTICE, "plugin poxix_enf terminated\n");    eef_log(LOG_INFO, "plugin poxix_enf terminated\n");
144    upgradeEffectiveToRealUid(_real_uid, _saved_uid);    upgradeEffectiveToRealUid(&_real_uid, &_saved_uid);
145    return 0;    return 0;
146  }  }
147    
148    EES_RC printPasswordEntry(uid_t target_uid){
149      struct  passwd   _pw_entry;
150      struct  passwd   *_pw_entry_p     = &_pw_entry;
151      struct  passwd   *_tmp_pw_entry_p = NULL;
152      char             _pw_buffer[200];
153      size_t           _pw_size         = sizeof(_pw_buffer);
154    
155      eef_log(LOG_DEBUG, "Checking uid %i\n", target_uid);
156      if(getpwuid_r(target_uid, _pw_entry_p, _pw_buffer,  _pw_size, &_tmp_pw_entry_p) == 0){
157        eef_log(LOG_DEBUG, "User name %s\n", _pw_entry.pw_name );
158        eef_log(LOG_DEBUG, "Uid %i\n", _pw_entry.pw_uid );
159        eef_log(LOG_DEBUG, "Gid %i\n", _pw_entry.pw_gid );
160        eef_log(LOG_DEBUG, "Initial dir %s\n", _pw_entry.pw_dir );
161        eef_log(LOG_DEBUG, "Shell %s\n", _pw_entry.pw_shell );
162      }
163    
164      return EES_PL_SUCCESS;
165    }
166    
167  /*  When the proxy is located on an NFS mount and on the server side the root squash  /*  When the proxy is located on an NFS mount and on the server side the root squash
168   *  option has been enabled, the effective uid is mapped to user 'nobody' which should   *  option has been enabled, the effective uid is mapped to user 'nobody' which should
169   *  not be able to read the proxy file. To work around this problem, the effective   *  not be able to read the proxy file. To work around this problem, the effective
170   *  uid of the process is changed to that of the calling user and once glexec is done,   *  uid of the process is changed to that of the calling user and once glexec is done,
171   *  the saved uid is used to restore the identity of the process,   *  the saved uid is used to restore the identity of the process,
172   */   */
173  EES_RC downgradeEffectiveToRealUid (uid_t real_uid, uid_t saved_uid){      EES_RC downgradeEffectiveToRealUid (uid_t* real_uid, uid_t* saved_uid){    
174    real_uid = getuid();    *real_uid = getuid();
175    if (real_uid != 0){    if (*real_uid != 0){
176      /* Save it */      /* Save it */
177      saved_uid = geteuid();      *saved_uid = geteuid();
178      printf("Set uid to: %i\n", real_uid);      eef_log(LOG_DEBUG, "Set uid to: %i\n", *real_uid);
179      if (seteuid(real_uid)){      if (seteuid(*real_uid)){
180        eef_log(LOG_ERR, "Error on downsizing with seteuid()\n");        eef_log(LOG_ERR, "Error on downsizing with seteuid()\n");
181        return EES_PL_FAILURE;        return EES_PL_FAILURE;
182      }          }    
# Line 162  EES_RC downgradeEffectiveToRealUid (uid_ Line 184  EES_RC downgradeEffectiveToRealUid (uid_
184    return EES_PL_SUCCESS;    return EES_PL_SUCCESS;
185  }      }    
186            
187  EES_RC upgradeEffectiveToRealUid (uid_t real_uid, uid_t saved_uid){    EES_RC upgradeEffectiveToRealUid (uid_t* real_uid, uid_t* saved_uid){  
188    /*  Do not forget to put back the original effective uid on the process. */    /*  Do not forget to put back the original effective uid on the process. */
189    if (real_uid != 0){    if (*real_uid != 0){
190      if (seteuid(saved_uid)){      if (seteuid(*saved_uid)){
191        eef_log(LOG_ERR, "Error on returning seteuid()\n");        eef_log(LOG_ERR, "Error on returning seteuid()\n");
192        return EES_PL_FAILURE;        return EES_PL_FAILURE;
193      }      }

Legend:
Removed from v.1568  
changed lines
  Added in v.1569

grid.support@nikhef.nl
ViewVC Help
Powered by ViewVC 1.1.28