/[pdpsoft]/trunk/grid-mw-security/ees/plugin_examples/posix_enf/src/posix_enf.c
ViewVC logotype

Contents of /trunk/grid-mw-security/ees/plugin_examples/posix_enf/src/posix_enf.c

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1569 - (show annotations) (download) (as text)
Tue Mar 16 17:35:17 2010 UTC (11 years, 10 months ago) by aramv
File MIME type: text/x-chdr
File size: 6124 byte(s)
Re-added AOS cleaning, so reduced memory leaks by quite a bit
1 #include <unistd.h>
2 #include <stdio.h>
3 #include <grp.h>
4 #include <pwd.h>
5 #include <sys/types.h>
6 #include "eef_plugin.h"
7
8 #define MAX_UNDEFINED -1
9 #ifdef NGROUPS_MAX
10 #define NGROUPS NGROUPS_MAX
11 #else
12 #define NGROUPS 32
13 #endif
14
15 static int _maxuid;
16 static int _maxpgid;
17 static int _maxsgid;
18
19 uid_t _real_uid;
20 uid_t _saved_uid;
21
22 static int _set_only_euid;
23 static int _set_only_egid;
24 static int _do_uid_check;
25 static char *_plugin_name;
26
27 EES_RC printPasswordEntry(uid_t target_uid);
28 EES_RC downgradeEffectiveToRealUid (uid_t* real_uid, uid_t* saved_uid);
29 EES_RC upgradeEffectiveToRealUid (uid_t* real_uid, uid_t* saved_uid);
30
31 EES_PL_RC plugin_initialize(int argc, char* argv[]){
32 static struct option long_options[] =
33 {
34 {"maxuid", required_argument, 0, 'u'},
35 {"maxpgid", required_argument, 0, 'p'},
36 {"maxsgid", required_argument, 0, 's'},
37 {"set_only_euid", required_argument, 0, 'e'},
38 {"set_only_egid", required_argument, 0, 'g'},
39 {"check_uid", no_argument, 0, 'c'}
40 };
41 int option_index, c;
42
43 _maxuid = MAX_UNDEFINED;
44 _maxpgid = MAX_UNDEFINED;
45 _maxsgid = MAX_UNDEFINED;
46 _real_uid = -1;
47 _saved_uid = geteuid();
48
49 _set_only_euid = 0;
50 _set_only_egid = 0;
51 _do_uid_check = 0;
52 _plugin_name = "posix_enf";
53
54 eef_log(LOG_DEBUG, "%s: Initializing posix enforcement plugin!\n", _plugin_name);
55
56 /* parse options */
57 while(1){
58 c = getopt_long_only(argc, argv, "u:p:s:e:g:c", long_options, &option_index);
59 if(c == -1){
60 break;
61 }
62 switch(c){
63 case 'u':
64 _maxuid = atoi(optarg);
65 break;
66 case 'p':
67 _maxpgid = atoi(optarg);
68 break;
69 case 's':
70 _maxsgid = atoi(optarg);
71 break;
72 case 'e':
73 if(strncmp(optarg,"yes", 4) == 0){
74 _set_only_euid = 1;
75 }
76 break;
77 case 'g':
78 if(strncmp(optarg, "yes", 4) == 0){
79 _set_only_egid = 1;
80 }
81 break;
82 case 'c':
83 _do_uid_check = 1;
84 break;
85 }
86 }
87
88 /* sanity checks */
89 if(_maxsgid > NGROUPS){
90 eef_log(LOG_ERR, "%s: Option -_maxsgid %i exceeds the system limit of %i", _plugin_name, _maxsgid, NGROUPS);
91 return EES_PL_FAILURE;
92 } else if(_maxsgid == MAX_UNDEFINED){
93 _maxsgid = NGROUPS;
94 eef_log(LOG_NOTICE, "%s: Option -maxsgid defaulted to maximum %i", _plugin_name, NGROUPS);
95 }
96
97 eef_log(LOG_INFO, "%s: Initialized plugin posix_enf with options:\n", _plugin_name);
98 eef_log(LOG_INFO, "%s: _maxuid: %i\n", _plugin_name, _maxuid);
99 eef_log(LOG_INFO, "%s: _maxpgid: %i\n", _plugin_name, _maxpgid);
100 eef_log(LOG_INFO, "%s: _maxsgid: %i\n", _plugin_name, _maxsgid);
101
102 eef_log(LOG_INFO, "%s: _set_only_euid: %i\n", _plugin_name, _set_only_euid);
103 eef_log(LOG_INFO, "%s: _set_only_egid: %i\n", _plugin_name, _set_only_egid);
104
105 return EES_PL_SUCCESS;
106 }
107
108 EES_PL_RC plugin_run(){
109 uid_t _target_uid = -1;
110 gid_t _target_gid = -1;
111
112 aos_context_t *_context = NULL;
113 aos_attribute_t *_attribute = NULL;
114
115 rewindContexts(NULL);
116 while((_context = getNextContext(OBLIGATION, NULL))){
117 if(strncmp(getContextObligationId(_context), "uidgid", strlen("uidgid")) == 0){
118 rewindAttributes(_context);
119 while((_attribute = getNextAttribute(_context))){
120 if(strncmp(getAttributeId(_attribute), "posix-uid", strlen("posix-uid")) == 0){
121 _target_uid = strtol(getAttributeValueAsString(_attribute), NULL, 10);
122 } else if(strncmp(getAttributeId(_attribute), "posix-gid", strlen("posix-gid")) == 0){
123 _target_gid = strtol(getAttributeValueAsString(_attribute), NULL, 10);
124 }
125 }
126 }
127 }
128
129 eef_log(LOG_DEBUG, "Got target UID: %i\n", _target_uid);
130 eef_log(LOG_DEBUG, "Got target primary GID: %i\n", _target_uid);
131
132 if(_do_uid_check){
133 printPasswordEntry(_target_uid);
134 }
135 downgradeEffectiveToRealUid(&_real_uid, &_saved_uid);
136 endpwent();
137
138 return EES_PL_SUCCESS;
139 }
140
141 /* terminate plugin */
142 EES_PL_RC plugin_terminate(){
143 eef_log(LOG_INFO, "plugin poxix_enf terminated\n");
144 upgradeEffectiveToRealUid(&_real_uid, &_saved_uid);
145 return 0;
146 }
147
148 EES_RC printPasswordEntry(uid_t target_uid){
149 struct passwd _pw_entry;
150 struct passwd *_pw_entry_p = &_pw_entry;
151 struct passwd *_tmp_pw_entry_p = NULL;
152 char _pw_buffer[200];
153 size_t _pw_size = sizeof(_pw_buffer);
154
155 eef_log(LOG_DEBUG, "Checking uid %i\n", target_uid);
156 if(getpwuid_r(target_uid, _pw_entry_p, _pw_buffer, _pw_size, &_tmp_pw_entry_p) == 0){
157 eef_log(LOG_DEBUG, "User name %s\n", _pw_entry.pw_name );
158 eef_log(LOG_DEBUG, "Uid %i\n", _pw_entry.pw_uid );
159 eef_log(LOG_DEBUG, "Gid %i\n", _pw_entry.pw_gid );
160 eef_log(LOG_DEBUG, "Initial dir %s\n", _pw_entry.pw_dir );
161 eef_log(LOG_DEBUG, "Shell %s\n", _pw_entry.pw_shell );
162 }
163
164 return EES_PL_SUCCESS;
165 }
166
167 /* When the proxy is located on an NFS mount and on the server side the root squash
168 * option has been enabled, the effective uid is mapped to user 'nobody' which should
169 * not be able to read the proxy file. To work around this problem, the effective
170 * uid of the process is changed to that of the calling user and once glexec is done,
171 * the saved uid is used to restore the identity of the process,
172 */
173 EES_RC downgradeEffectiveToRealUid (uid_t* real_uid, uid_t* saved_uid){
174 *real_uid = getuid();
175 if (*real_uid != 0){
176 /* Save it */
177 *saved_uid = geteuid();
178 eef_log(LOG_DEBUG, "Set uid to: %i\n", *real_uid);
179 if (seteuid(*real_uid)){
180 eef_log(LOG_ERR, "Error on downsizing with seteuid()\n");
181 return EES_PL_FAILURE;
182 }
183 }
184 return EES_PL_SUCCESS;
185 }
186
187 EES_RC upgradeEffectiveToRealUid (uid_t* real_uid, uid_t* saved_uid){
188 /* Do not forget to put back the original effective uid on the process. */
189 if (*real_uid != 0){
190 if (seteuid(*saved_uid)){
191 eef_log(LOG_ERR, "Error on returning seteuid()\n");
192 return EES_PL_FAILURE;
193 }
194 }
195 return EES_PL_SUCCESS;
196 }

grid.support@nikhef.nl
ViewVC Help
Powered by ViewVC 1.1.28