From b9923919909cb976ddf42002c56a42b1893e3547 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Fri, 26 Mar 2010 10:11:22 +0100
Subject: Revert "Add better checks on PAM socket"
This reverts commit 5a88e963744e5da453e88b5c36499f04712df097.
---
 src/external/platform.m4 | 12 ---
 src/responder/common/responder.h | 4 -
 src/responder/common/responder_common.c | 137 +------------------------------
 src/sss_client/common.c | 126 +----------------------------
 4 files changed, 5 insertions(+), 274 deletions(-)
diff --git a/src/external/platform.m4 b/src/external/platform.m4
index ee009378..71b4f2c8 100644
--- a/src/external/platform.m4
+++ b/src/external/platform.m4
@@ -27,15 +27,3 @@ fi
 AM_CONDITIONAL([HAVE_FEDORA], [test x"$osname" == xfedora])
 AM_CONDITIONAL([HAVE_REDHAT], [test x"$osname" == xredhat])
 AM_CONDITIONAL([HAVE_SUSE], [test x"$osname" == xsuse])
-
-AC_CHECK_MEMBERS([struct ucred.pid, struct ucred.uid, struct ucred.gid], , ,
- [[#define _GNU_SOURCE
- #include ]])
-
-if test x"$ac_cv_member_struct_ucred_pid" = xyes -a \
- x"$ac_cv_member_struct_ucred_uid" = xyes -a \
- x"$ac_cv_member_struct_ucred_gid" = xyes ; then
- AC_DEFINE([HAVE_UCRED], [1], [Define if struct ucred is available])
-else
- AC_MSG_WARN([struct ucred is not available])
-fi
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index 6391fcf7..ea6ba583 100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -101,10 +101,6 @@ struct cli_ctx {
 struct cli_request *creq;
 struct cli_protocol_version *cli_protocol_version;
 int priv;
- int creds_exchange_done;
- int client_uid;
- int client_gid;
- int client_pid;
 };
 struct sss_cmd_table {
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index 501c3520..ff27f62c 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -19,9 +19,6 @@
 along with this program. If not, see .
 */
-/* for struct ucred */
-#define _GNU_SOURCE
-
 #include
 #include
 #include
@@ -32,8 +29,7 @@
 #include
 #include
 #include
-#include
-#include "config.h"
+#include "popt.h"
 #include "util/util.h"
 #include "db/sysdb.h"
 #include "confdb/confdb.h"
@@ -148,134 +144,12 @@ static void client_recv(struct cli_ctx *cctx)
 return;
 }
-static void cred_handler(struct cli_ctx *cctx, char action)
-{
-#ifdef HAVE_UCRED
- int ret;
- int fd;
- struct msghdr msg;
- struct iovec iov;
- struct cmsghdr *cmsg;
- struct ucred *creds;
- /* buf must be aligned on some architectures. */
- union ubuf {
- int align;
- char buf[CMSG_SPACE(sizeof(struct ucred))];
- } u;
- char dummy='s';
- int enable=1;
-
- if (cctx->creds_exchange_done != 0) {
- DEBUG(1, ("cred_handler called, but creds are already exchanged.\n"));
- goto failed;
- }
-
- fd = cctx->cfd;
-
- iov.iov_base = &dummy;
- iov.iov_len = 1;
-
- memset (&msg, 0, sizeof(msg));
-
- msg.msg_name = NULL;
- msg.msg_namelen = 0;
- msg.msg_iov = &iov;
- msg.msg_iovlen = 1;
-
- msg.msg_control = u.buf;
- msg.msg_controllen = sizeof(u.buf);
-
- switch (action) {
- case 'r':
- ret = setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &enable, sizeof(int));
- if (ret == -1) {
- DEBUG(1, ("setsockopt failed: [%d][%s].\n", errno,
- strerror(errno)));
- goto failed;
- }
-
- ret = recvmsg(fd, &msg, 0);
- if (ret == -1) {
- DEBUG(1, ("recvmsg failed.[%d][%s]\n", errno, strerror(errno)));
- goto failed;
- }
-
- cmsg = CMSG_FIRSTHDR(&msg);
-
- if (cmsg->cmsg_level == SOL_SOCKET &&
- cmsg->cmsg_type == SCM_CREDENTIALS) {
- creds = (struct ucred *) CMSG_DATA(cmsg);
- DEBUG(1, ("creds: [%d][%d][%d]\n",creds->uid, creds->gid,
- creds->pid));
- cctx->client_uid = creds->uid;
- cctx->client_gid = creds->gid;
- cctx->client_pid = creds->pid;
- }
-
- TEVENT_FD_WRITEABLE(cctx->cfde);
-
- return;
- break;
- case 's':
- cmsg = CMSG_FIRSTHDR(&msg);
- cmsg->cmsg_level = SOL_SOCKET;
- cmsg->cmsg_type = SCM_CREDENTIALS;
- cmsg->cmsg_len = CMSG_LEN(sizeof(struct ucred));
-
- creds = (struct ucred *) CMSG_DATA(cmsg);
-
- creds->uid = geteuid();
- creds->gid = getegid();
- creds->pid = getpid();
-
- msg.msg_controllen = cmsg->cmsg_len;
-
- ret = sendmsg(fd, &msg, 0);
- if (ret == -1) {
- DEBUG(1, ("sendmsg
failed.[%d][%s]\n", errno, strerror(errno)));
- goto failed;
- }
- DEBUG(4, ("Send creds to the client succesfully.\n"));
- cctx->creds_exchange_done = 1;
-
- TEVENT_FD_NOT_WRITEABLE(cctx->cfde);
- return;
- default:
- DEBUG(1, ("Unknown action [%c].\n", action));
- goto failed;
- }
-
-failed:
- talloc_free(cctx);
- return;
-
-#else
-
- DEBUG(9, ("Credential exchange not available over socket, "
- "continuing without.\n"));
- cctx->creds_exchange_done = 1;
- return;
-
-#endif
-}
-
 static void client_fd_handler(struct tevent_context *ev, struct tevent_fd *fde, uint16_t flags, void *ptr)
 {
 struct cli_ctx *cctx = talloc_get_type(ptr, struct cli_ctx);
- if (cctx->creds_exchange_done == 0) {
- if (flags & TEVENT_FD_READ) {
- cred_handler(cctx, 'r');
- return;
- }
- if (flags & TEVENT_FD_WRITE) {
- cred_handler(cctx, 's');
- return;
- }
- }
-
 if (flags & TEVENT_FD_READ) {
 client_recv(cctx);
 return;
@@ -339,10 +213,6 @@ static void accept_priv_fd_handler(struct tevent_context *ev,
 }
 cctx->priv = 1;
- cctx->creds_exchange_done = 0;
- cctx->client_uid = -1;
- cctx->client_gid = -1;
- cctx->client_pid = -1;
 cctx->cfde = tevent_add_fd(ev, cctx, cctx->cfd, TEVENT_FD_READ, client_fd_handler, cctx);
@@ -395,11 +265,6 @@ static void accept_fd_handler(struct tevent_context *ev,
 return;
 }
- cctx->creds_exchange_done = 0;
- cctx->client_uid = -1;
- cctx->client_gid = -1;
- cctx->client_pid = -1;
-
 cctx->cfde = tevent_add_fd(ev, cctx, cctx->cfd, TEVENT_FD_READ, client_fd_handler, cctx);
 if (!cctx->cfde) {
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
index 07b9d0d9..6732c24f 100644
--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -23,9 +23,6 @@
 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 */
-/* for struct ucred */
-#define _GNU_SOURCE
-
 #include
 #include
 #include
@@ -39,8 +36,6 @@
 #include
 #include
 #include
-
-#include "config.h"
 #include "sss_cli.h" /* common functions */
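Review bot: Nothing in the new code records who is on the other end of the privileged socket: `cctx->priv = 1;` is set purely because the connection arrived on the privileged listener, and the uid/gid/pid fields this revert drops get no replacement, so command handlers downstream can tell "privileged" from "not" only by which socket was used, never by peer identity. If peer credentials are wanted, the in-band SCM_CREDENTIALS round-trip the reverted commit used is not the only option: on Linux a single `getsockopt(cctx->cfd, SOL_SOCKET, SO_PEERCRED, &peer, &peer_len)` on the accepted descriptor returns the connecting process's uid/gid/pid with no wire-protocol change and no cooperation from the client, which avoids the handshake that this revert is undoing. Whether SSSD must also build on platforms lacking SO_PEERCRED is not visible here and would need a configure-time check. accept_priv_fd_handler begins before and ends after this hunk.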
@@ -55,108 +50,6 @@ static void sss_cli_close_socket(void)
 }
 }
-static int exchange_credentials(void)
-{
-#ifdef HAVE_UCRED
- int ret;
- struct msghdr msg;
- struct cmsghdr *cmsg;
- struct iovec iov;
- char dummy='a';
- /* buf must be aligned on some architectures. */
- union ubuf {
- int align;
- char buf[CMSG_SPACE(sizeof(struct ucred))];
- } u;
- struct ucred *creds;
- int enable = 1;
- struct pollfd pfd;
-
- ret = setsockopt(sss_cli_sd, SOL_SOCKET, SO_PASSCRED, &enable, sizeof(int));
- if (ret == -1) {
- return errno;
- }
-
- iov.iov_base = &dummy;
- iov.iov_len = 1;
-
- memset(&msg, 0, sizeof(msg));
-
- msg.msg_name = NULL;
- msg.msg_namelen = 0;
- msg.msg_iov = &iov;
- msg.msg_iovlen = 1;
-
- msg.msg_control = u.buf;
- msg.msg_controllen = sizeof(u.buf);
-
- cmsg = CMSG_FIRSTHDR(&msg);
- cmsg->cmsg_level = SOL_SOCKET;
- cmsg->cmsg_type = SCM_CREDENTIALS;
- cmsg->cmsg_len = CMSG_LEN(sizeof(struct ucred));
-
- creds = (struct ucred *) CMSG_DATA(cmsg);
-
- creds->uid = geteuid();
- creds->gid = getegid();
- creds->pid = getpid();
-
- msg.msg_controllen = cmsg->cmsg_len;
-
- pfd.fd = sss_cli_sd;
- pfd.events = POLLOUT;
- ret = poll(&pfd, 1, SSS_CLI_SOCKET_TIMEOUT);
- if (ret != 1 || !(pfd.revents & POLLOUT) ) {
- return errno;
- }
-
- ret = sendmsg(sss_cli_sd, &msg, 0);
- if (ret == -1) {
- return errno;
- }
-
- memset(&msg, 0, sizeof(msg));
-
- msg.msg_name = NULL;
- msg.msg_namelen = 0;
- msg.msg_iov = &iov;
- msg.msg_iovlen = 1;
-
- msg.msg_control = u.buf;
- msg.msg_controllen = sizeof(u.buf);
-
- pfd.fd = sss_cli_sd;
- pfd.events = POLLIN;
- ret = poll(&pfd, 1, SSS_CLI_SOCKET_TIMEOUT);
-
- if (ret != 1 || !(pfd.revents & POLLIN) ) {
- return errno;
- }
-
- ret = recvmsg(sss_cli_sd, &msg, 0);
- if (ret == -1) {
- return errno;
- }
-
- cmsg = CMSG_FIRSTHDR(&msg);
-
- if (msg.msg_controllen != 0 && cmsg->cmsg_level == SOL_SOCKET &&
- cmsg->cmsg_type == SCM_CREDENTIALS) {
- creds = (struct ucred *) CMSG_DATA(cmsg);
- if (creds->uid != 0 || creds->gid!= 0) {
-
return SSS_STATUS_UNAVAIL;
- }
- }
-
- return SSS_STATUS_SUCCESS;
-
-#else
-
- return SSS_STATUS_SUCCESS;
-
-#endif
-}
-
 /* Requests:
 *
 * byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X)
@@ -706,10 +599,9 @@ static enum sss_status sss_cli_check_socket(int *errnop, const char *socket_name
 sss_cli_sd = mysd;
- if (exchange_credentials() == SSS_STATUS_SUCCESS)
- if (sss_nss_check_version(socket_name) == NSS_STATUS_SUCCESS) {
- return SSS_STATUS_SUCCESS;
- }
+ if (sss_nss_check_version(socket_name) == NSS_STATUS_SUCCESS) {
+ return SSS_STATUS_SUCCESS;
+ }
 sss_cli_close_socket();
 *errnop = EFAULT;
@@ -761,22 +653,12 @@ int sss_pam_make_request(enum sss_cli_command cmd, if (ret != 0) return PAM_SERVICE_ERR; if ( ! (stat_buf.st_uid == 0 && stat_buf.st_gid == 0 && - S_ISSOCK(stat_buf.st_mode) && - (stat_buf.st_mode & ~S_IFMT) == 0600 )) { + (stat_buf.st_mode&(S_IFSOCK|S_IRUSR|S_IWUSR)) == stat_buf.st_mode)) { return PAM_SERVICE_ERR; } ret = sss_cli_check_socket(errnop, SSS_PAM_PRIV_SOCKET_NAME); } else { - ret = stat(SSS_PAM_SOCKET_NAME, &stat_buf); - if (ret != 0) return PAM_SERVICE_ERR; - if ( ! (stat_buf.st_uid == 0 && - stat_buf.st_gid == 0 && - S_ISSOCK(stat_buf.st_mode) && - (stat_buf.st_mode & ~S_IFMT) == 0666 )) { - return PAM_SERVICE_ERR; - } - - ret = sss_cli_check_socket(errnop, SSS_PAM_SOCKET_NAME); } if (ret != NSS_STATUS_SUCCESS) { -- cgit
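Review bot: The new `if (sss_nss_check_version(socket_name) == NSS_STATUS_SUCCESS)` is now the only gate before the client commits to the connected descriptor, and a protocol-version handshake establishes compatibility, not that the listener is the responder; as far as this hunk shows, anything that answers the version query at that path is accepted. Nothing in the hunk says what protects the socket path itself (directory ownership and mode are set up elsewhere, outside this file), so the assumption should at least be written down next to the check: `/* Peer identity is not verified here; we trust whoever controls the socket path. */`. The rest of sss_cli_check_socket lies outside the hunk.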
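Review bot: The restored test `(stat_buf.st_mode&(S_IFSOCK|S_IRUSR|S_IWUSR)) == stat_buf.st_mode` only proves that no bit outside that mask is set; it never requires the S_IFSOCK bits to be present, and on Linux the S_IFREG (0100000) and S_IFDIR (0040000) type bits are subsets of S_IFSOCK (0140000), so a root-owned regular file or directory with mode 0600 (or anything more restrictive) passes as a valid privileged PAM socket. If the revert is meant to stay, the type requirement should be explicit, `S_ISSOCK(stat_buf.st_mode) && (stat_buf.st_mode & ~S_IFMT) == 0600`, which also states the intent rather than relying on a mask identity. Separately, stat() on a path followed by a connect() to the same path is a check-then-use window: the check constrains what object sits there at one instant but does not bind the later connect to that object, so a comment should mark it as best-effort. sss_pam_make_request starts before and continues after this hunk.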