Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Evergreen:11.1:kernel-2.6.32
tog-pegasus
pegasus-local-or-remote-auth.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File pegasus-local-or-remote-auth.patch of Package tog-pegasus
Based on RH's pegasus-2.6.1-local-or-remote-auth.patch + added support for IPv6 (recognizes both ::1 and ::ffff:127.x.x.x as local) + support the new privilege separation feature. --- src/Executor/Messages.h | 1 src/Executor/PAMAuth.h | 69 +++++++--- src/Executor/Parent.c | 3 src/Executor/tests/PAMAuth/TestExecutorPAMAuth.c | 2 src/Pegasus/Common/AuthenticationInfo.h | 16 ++ src/Pegasus/Common/AuthenticationInfoRep.cpp | 13 + src/Pegasus/Common/AuthenticationInfoRep.h | 8 + src/Pegasus/Common/Executor.cpp | 17 +- src/Pegasus/Common/Executor.h | 3 src/Pegasus/Common/HTTPConnection.cpp | 44 ++++++ src/Pegasus/Common/HTTPMessage.cpp | 3 src/Pegasus/Common/HTTPMessage.h | 1 src/Pegasus/Common/tests/Executor/TestExecutor.cpp | 4 src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp | 3 src/Pegasus/Security/Authentication/BasicAuthenticator.h | 3 src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h | 3 src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp | 3 src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp | 5 src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp | 2 src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp | 3 20 files changed, 172 insertions(+), 34 deletions(-) --- src/Pegasus/Common/AuthenticationInfo.h.orig +++ src/Pegasus/Common/AuthenticationInfo.h @@ -356,6 +356,22 @@ public: return _rep->getRemotePrivilegedUserAccessChecked(); } + /** Indicate whether the user is Remote + */ + Boolean isRemoteUser() const + { + CheckRep(_rep); + return _rep->isRemoteUser(); + } + + /** Set the Remote User flag + */ + void setRemoteUser(Boolean remoteUser) + { + CheckRep(_rep); + _rep->setRemoteUser(remoteUser); + } + private: AuthenticationInfo(AuthenticationInfoRep* rep) : _rep(rep) --- src/Pegasus/Common/AuthenticationInfoRep.cpp.orig +++ src/Pegasus/Common/AuthenticationInfoRep.cpp @@ -46,7 +46,8 @@ const String AuthenticationInfoRep::AUTH AuthenticationInfoRep::AuthenticationInfoRep(Boolean flag) : _connectionAuthenticated(false), - _wasRemotePrivilegedUserAccessChecked(false) + _wasRemotePrivilegedUserAccessChecked(false), + _remoteUser(true) { PEG_METHOD_ENTER( TRC_AUTHENTICATION, "AuthenticationInfoRep::AuthenticationInfoRep"); @@ -169,4 +170,14 @@ void AuthenticationInfoRep::setClientCer PEG_METHOD_EXIT(); } +void AuthenticationInfoRep::setRemoteUser(Boolean remoteUser) +{ + PEG_METHOD_ENTER(TRC_AUTHENTICATION, + "AuthenticationInfoRep::setRemoteUser"); + + _remoteUser = remoteUser; + + PEG_METHOD_EXIT(); +} + PEGASUS_NAMESPACE_END --- src/Pegasus/Common/AuthenticationInfoRep.h.orig +++ src/Pegasus/Common/AuthenticationInfoRep.h @@ -167,6 +167,13 @@ public: return _wasRemotePrivilegedUserAccessChecked; } + Boolean isRemoteUser() const + { + return _remoteUser; + } + + void setRemoteUser(Boolean remoteUser); + private: /** Constructors */ @@ -192,6 +199,7 @@ private: Boolean _wasRemotePrivilegedUserAccessChecked; Array<SSLCertificateInfo*> _clientCertificate; + Boolean _remoteUser; }; PEGASUS_NAMESPACE_END --- src/Pegasus/Common/HTTPConnection.cpp.orig +++ src/Pegasus/Common/HTTPConnection.cpp @@ -2039,6 +2039,50 @@ void HTTPConnection::_handleReadEvent() _incomingBuffer).get())); } + // Allow authenticators to differentiate Remote and Local users: + struct sockaddr_in6 sin_peer, sin_svr; + socklen_t slen1=sizeof(sin_peer), slen2=sizeof(sin_svr); + uint32_t sock = _socket.get()->getSocket() ; + memset(&sin_peer,'\0',slen1); + memset(&sin_svr, '\0',slen2); + if (::getpeername( sock, (struct sockaddr*)&sin_peer, &slen1) == 0 || + ::getsockname( sock, (struct sockaddr*)&sin_svr, &slen2) == 0) + { + if (sin_peer.sin6_family == AF_INET) + { + struct sockaddr_in sin; + memcpy(&sin, &sin_peer, sizeof(sin)); + if ((ntohl(sin.sin_addr.s_addr) >> 24) & 0xff == 127) + // message was sent FROM localhost interface + message->fromRemoteHost = false; + } + if (sin_svr.sin6_family == AF_INET) + { + struct sockaddr_in sin; + memcpy(&sin, &sin_svr, sizeof(sin)); + if ((ntohl( sin.sin_addr.s_addr) >> 24) & 0xff == 127) + // message was sent TO localhost interface + message->fromRemoteHost = false; + } + if (sin_peer.sin6_family == AF_INET6) + { + // ::ffff:127.x.x.x + static char ipv4_localhost[] = + {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 127}; + if (memcmp(&sin_peer.sin6_addr, ipv4_localhost, + sizeof(ipv4_localhost)) == 0) + { + message->fromRemoteHost = false; + } + // ::1 + if (memcmp(&sin_peer.sin6_addr, &in6addr_loopback, + sizeof(struct in6_addr)) == 0) + { + message->fromRemoteHost = false; + } + } + } + // // increment request count // --- src/Pegasus/Common/HTTPMessage.cpp.orig +++ src/Pegasus/Common/HTTPMessage.cpp @@ -120,7 +120,8 @@ HTTPMessage::HTTPMessage( queueId(queueId_), authInfo(0), acceptLanguagesDecoded(false), - contentLanguagesDecoded(false) + contentLanguagesDecoded(false), + fromRemoteHost(true) { if (cimException_) cimException = *cimException_; --- src/Pegasus/Common/HTTPMessage.h.orig +++ src/Pegasus/Common/HTTPMessage.h @@ -75,6 +75,7 @@ public: ContentLanguageList contentLanguages; Boolean acceptLanguagesDecoded; Boolean contentLanguagesDecoded; + Boolean fromRemoteHost; CIMException cimException; void parse( --- src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp.orig +++ src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp @@ -164,7 +164,8 @@ Boolean BasicAuthenticationHandler::auth } authInfo->setRemotePrivilegedUserAccessChecked(); - authenticated = _basicAuthenticator->authenticate(userName, password); + authenticated = _basicAuthenticator->authenticate(userName, password, + authInfo->isRemoteUser()); // Log audit message. PEG_AUDIT_LOG(logBasicAuthentication( --- src/Pegasus/Security/Authentication/BasicAuthenticator.h.orig +++ src/Pegasus/Security/Authentication/BasicAuthenticator.h @@ -67,7 +67,8 @@ public: */ virtual Boolean authenticate( const String& userName, - const String& password) = 0; + const String& password, + Boolean isRemoteUser) = 0; /** Construct and return the HTTP Basic authentication challenge header @return A string containing the authentication challenge header. --- src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h.orig +++ src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h @@ -55,7 +55,8 @@ public: Boolean authenticate( const String& userName, - const String& password); + const String& password, + Boolean isRemoteUser); Boolean validateUser(const String& userName); --- src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp.orig +++ src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp @@ -85,7 +85,8 @@ PAMBasicAuthenticator::~PAMBasicAuthenti Boolean PAMBasicAuthenticator::authenticate( const String& userName, - const String& password) + const String& password, + Boolean isRemoteUser) { PEG_METHOD_ENTER(TRC_AUTHENTICATION, "PAMBasicAuthenticator::authenticate()"); --- src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp.orig +++ src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp @@ -72,13 +72,14 @@ PAMBasicAuthenticator::~PAMBasicAuthenti Boolean PAMBasicAuthenticator::authenticate( const String& userName, - const String& password) + const String& password, + Boolean isRemoteUser) { PEG_METHOD_ENTER(TRC_AUTHENTICATION, "PAMBasicAuthenticator::authenticate()"); if (Executor::authenticatePassword( - userName.getCString(), password.getCString()) != 0) + userName.getCString(), password.getCString(), isRemoteUser) != 0) { return false; } --- src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp.orig +++ src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp @@ -403,6 +403,9 @@ void HTTPAuthenticatorDelegator::handleH Logger::STANDARD_LOG, System::CIMSERVER, Logger::TRACE, "HTTPAuthenticatorDelegator - Authentication processing start")); + // Let Authenticators know whether this user is Local or Remote: + httpMessage->authInfo->setRemoteUser( httpMessage->fromRemoteHost ); + // // Handle authentication: // --- src/Executor/PAMAuth.h.orig +++ src/Executor/PAMAuth.h @@ -47,6 +47,7 @@ #include <stdio.h> #include <errno.h> #include <string.h> +#include <syslog.h> #include <Executor/Strlcpy.h> #include <Executor/Strlcat.h> #include <security/pam_appl.h> @@ -397,35 +398,66 @@ static int PAMValidateUserCallback( */ static int PAMAuthenticateInProcess( - const char* username, const char* password) + const char* username, const char* password, int isRemoteUser) { PAMData data; struct pam_conv pconv; - pam_handle_t* handle; + pam_handle_t* phandle; + int retcode; + const char *pam_tty_val = isRemoteUser ? "wbemNetwork" : "wbemLocal"; data.password = password; pconv.conv = PAMAuthenticateCallback; pconv.appdata_ptr = &data; - if (pam_start("wbem", username, &pconv, &handle) != PAM_SUCCESS) - return -1; + // NOTE: if any pam call should log anything, our syslog socket will + // be redirected to the AUTH facility, so we need to redirect it + // back after each pam call. - if (pam_authenticate(handle, 0) != PAM_SUCCESS) + if ((retcode = pam_start("wbem", username, &pconv, &phandle)) != PAM_SUCCESS) { - pam_end(handle, 0); + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog(LOG_ERR, "pam_start failed: %s", pam_strerror(phandle, retcode)); return -1; } - - if (pam_acct_mgmt(handle, 0) != PAM_SUCCESS) + if ((retcode = pam_set_item(phandle, PAM_TTY, pam_tty_val)) != PAM_SUCCESS ) { - pam_end(handle, 0); + pam_end(phandle, 0); + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog(LOG_ERR, "pam_set_item(PAM_TTY=%s) failed: %s", pam_tty_val, + pam_strerror(phandle, retcode)); return -1; } - pam_end(handle, 0); + if ((retcode = pam_authenticate(phandle, 0)) != PAM_SUCCESS) + { + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog(LOG_ERR, "pam_authenticate failed: %s", + pam_strerror(phandle, retcode)); + goto auth_failed; + } + + if (pam_acct_mgmt(phandle, 0) != PAM_SUCCESS) + { + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog(LOG_ERR, "pam_acct_mgmt failed: %s", + pam_strerror(phandle, retcode)); + goto auth_failed; + } + pam_end(phandle, 0); return 0; + +auth_failed: + pam_end(phandle, 0); + syslog(LOG_ERR, "PAM authentication failed for %s user: %s", + isRemoteUser ? "remote" : "local", username); + return -1; } /* @@ -443,15 +475,23 @@ static int PAMValidateUserInProcess(cons PAMData data; struct pam_conv pconv; pam_handle_t* phandle; + int retcode; pconv.conv = PAMValidateUserCallback; pconv.appdata_ptr = &data; - if (pam_start("wbem", username, &pconv, &phandle) != PAM_SUCCESS) + if ((retcode = pam_start("wbem", username, &pconv, &phandle)) != PAM_SUCCESS) + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog(LOG_ERR, "pam_start failed: %s", pam_strerror(phandle, retcode)); return -1; - if (pam_acct_mgmt(phandle, 0) != PAM_SUCCESS) + if ((retcode = pam_acct_mgmt(phandle, 0)) != PAM_SUCCESS) { + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog(LOG_ERR, "pam_acct_mgmt failed: %s", + pam_strerror(phandle, retcode)); pam_end(phandle, 0); return -1; } @@ -471,12 +511,13 @@ static int PAMValidateUserInProcess(cons **============================================================================== */ -static int PAMAuthenticate(const char* username, const char* password) +static int PAMAuthenticate(const char* username, const char* password, + int isRemoteUser) { #ifdef PEGASUS_USE_PAM_STANDALONE_PROC return CimserveraProcessOperation("authenticate", username, password); #else - return PAMAuthenticateInProcess(username, password); + return PAMAuthenticateInProcess(username, password, isRemoteUser); #endif } --- src/Executor/Parent.c.orig +++ src/Executor/Parent.c @@ -658,7 +658,8 @@ static void HandleAuthenticatePasswordRe #if defined(PEGASUS_PAM_AUTHENTICATION) - if (PAMAuthenticate(request.username, request.password) != 0) + if (PAMAuthenticate(request.username, request.password, + request.isRemoteUser) != 0) { status = -1; break; --- src/Executor/tests/PAMAuth/TestExecutorPAMAuth.c.orig +++ src/Executor/tests/PAMAuth/TestExecutorPAMAuth.c @@ -51,7 +51,7 @@ int main() sprintf(prompt, "Enter password for %s: ", PEGASUS_CIMSERVERMAIN_USER); pw = getpass(prompt); - if (PAMAuthenticate(PEGASUS_CIMSERVERMAIN_USER, pw) == 0) + if (PAMAuthenticate(PEGASUS_CIMSERVERMAIN_USER, pw, 0) == 0) printf("Correct password\n"); else printf("Wrong password\n"); --- src/Pegasus/Common/Executor.cpp.orig +++ src/Pegasus/Common/Executor.cpp @@ -122,7 +122,8 @@ public: virtual int authenticatePassword( const char* username, - const char* password) = 0; + const char* password, + Boolean isRemoteUser) = 0; virtual int validateUser( const char* username) = 0; @@ -476,10 +477,11 @@ public: virtual int authenticatePassword( const char* username, - const char* password) + const char* password, + Boolean isRemoteUser) { #if defined(PEGASUS_PAM_AUTHENTICATION) - return PAMAuthenticate(username, password); + return PAMAuthenticate(username, password, isRemoteUser); #else // ATTN: not handled so don't call in this case. return -1; @@ -818,7 +820,8 @@ public: virtual int authenticatePassword( const char* username, - const char* password) + const char* password, + Boolean isRemoteUser) { AutoMutex autoMutex(_mutex); @@ -836,6 +839,7 @@ public: memset(&request, 0, sizeof(request)); Strlcpy(request.username, username, EXECUTOR_BUFFER_SIZE); Strlcpy(request.password, password, EXECUTOR_BUFFER_SIZE); + request.isRemoteUser = isRemoteUser; if (SendBlock(_sock, &request, sizeof(request)) != sizeof(request)) return -1; @@ -1086,10 +1090,11 @@ int Executor::reapProviderAgent( int Executor::authenticatePassword( const char* username, - const char* password) + const char* password, + Boolean isRemoteUser) { once(&_executorImplOnce, _initExecutorImpl); - return _executorImpl->authenticatePassword(username, password); + return _executorImpl->authenticatePassword(username, password, isRemoteUser); } int Executor::validateUser( --- src/Pegasus/Common/Executor.h.orig +++ src/Pegasus/Common/Executor.h @@ -184,7 +184,8 @@ public: */ static int authenticatePassword( const char* username, - const char* password); + const char* password, + Boolean isRemoteUser); /** Check whether the given user is valid for the underlying authentcation mechanism. --- src/Pegasus/Common/tests/Executor/TestExecutor.cpp.orig +++ src/Pegasus/Common/tests/Executor/TestExecutor.cpp @@ -80,7 +80,7 @@ void testExecutorLoopbackImpl() #endif PEGASUS_TEST_ASSERT(Executor::authenticatePassword( - "xnonexistentuserx", "wrongpassword") == -1); + "xnonexistentuserx", "wrongpassword", 0) == -1); PEGASUS_TEST_ASSERT(Executor::validateUser("xnonexistentuserx") == -1); char challengeFilePath[EXECUTOR_BUFFER_SIZE]; @@ -119,7 +119,7 @@ void testExecutorSocketImpl() PEGASUS_TEST_ASSERT(Executor::reapProviderAgent(123) == 0); PEGASUS_TEST_ASSERT(Executor::authenticatePassword( - "xnonexistentuserx", "wrongpassword") == -1); + "xnonexistentuserx", "wrongpassword", 0) == -1); PEGASUS_TEST_ASSERT(Executor::validateUser("xnonexistentuserx") == -1); char challengeFilePath[EXECUTOR_BUFFER_SIZE]; --- src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp.orig +++ src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp @@ -193,7 +193,7 @@ Boolean SecureBasicAuthenticator::authen if (Executor::detectExecutor() == 0) { if (Executor::authenticatePassword( - userName.getCString(), password.getCString()) == 0) + userName.getCString(), password.getCString(), 0) == 0) { authenticated = true; } --- src/Executor/Messages.h.orig +++ src/Executor/Messages.h @@ -200,6 +200,7 @@ struct ExecutorAuthenticatePasswordReque { char username[EXECUTOR_BUFFER_SIZE]; char password[EXECUTOR_BUFFER_SIZE]; + int isRemoteUser; }; struct ExecutorAuthenticatePasswordResponse
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor