[torquedev] patch: gssapi: check permissions on server_priv/creds/
Sergio Gelato
Sergio.Gelato at astro.su.se
Sun Feb 25 15:55:43 MST 2007
I've now started modifying (hopefully improving) the GSSAPI code. I'll
submit patches as they mature. Here is a simple one to create the
server_priv/creds directory (where credentials are cached for jobs
in the queue) with the right permissions, and to check it with chk_file_sec() accordingly.
The changes to src/lib/Liblog/chk_file_sec.c and src/tools/chk_tree.c
may be worth applying to the trunk right away. Those to
buildutils/pbs_mkdirs.in and src/server/pbsd_init.c, on the other hand,
are specific to the gssapi branch.
Other gssapi patches in the works or planned:
* keep the GSS security context around for the duration of the
associated connection; this is needed for gss_wrap() support.
This patch is now being tested; you should see it soon.
* add support for sending the context establishment tokens as
DIS request/reply data; this is meant to replace the current
pbsgss_{send,recv}_token() implementation. I don't like those
retry loops.
* sanity checks on ret_flags. Just because the context setup succeeded
doesn't mean that we got all the options we asked for.
* the gss_wrap() support proper.
* make the service principal name for pbs_server configurable. I'd
rather not use the host service principal for this since I see
no real fundamental reason why pbs_server should run with root
privileges (at least not once GSS will have replaced low-numbered
ports as the authentication method). Same thing for pbs_sched.
-------------- next part --------------
#! /bin/sh /usr/share/dpatch/dpatch-run
## 02_path_creds.dpatch by Sergio Gelato <Sergio.Gelato at astro.su.se>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Create server_priv/creds directory and check its permissions.
@DPATCH@
diff -urNad torque-2.1.99+r1247/buildutils/pbs_mkdirs.in /tmp/dpep.gFzfbd/torque-2.1.99+r1247/buildutils/pbs_mkdirs.in
--- torque-2.1.99+r1247/buildutils/pbs_mkdirs.in 2007-02-08 21:49:33.000000000 +0100
+++ /tmp/dpep.gFzfbd/torque-2.1.99+r1247/buildutils/pbs_mkdirs.in 2007-02-25 22:23:40.572844188 +0100
@@ -233,6 +233,7 @@
install_dir $PBS_SERVER_HOME/spool 1777 || return 1
install_dir $PBS_SERVER_HOME/server_priv 750 || return 1
+ @INCLUDE_GSSAPI_TRUE@ install_dir $PBS_SERVER_HOME/server_priv/creds 700 || return 1
install_dir $PBS_SERVER_HOME/server_priv/jobs 750 || return 1
install_dir $PBS_SERVER_HOME/server_priv/queues 750 || return 1
install_dir $PBS_SERVER_HOME/server_priv/acl_svr 750 || return 1
@@ -255,6 +256,7 @@
$PBS_SERVER_HOME/server_priv/acl_groups \
$PBS_SERVER_HOME/server_priv/accounting \
$PBS_SERVER_HOME/server_logs || return 1
+ @INCLUDE_GSSAPI_TRUE@ chk_tree_wrap -d -n -u 077 $PBS_SERVER_HOME/server/priv/creds || return 1
chk_tree_wrap -d -n -s $PBS_SERVER_HOME/spool || return 1
chk_tree_wrap -n $PBS_ENVIRON || return 1
}
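Review bot: The added `chk_tree_wrap` line checks `$PBS_SERVER_HOME/server/priv/creds`, but the first hunk creates `$PBS_SERVER_HOME/server_priv/creds`, so the credential cache directory is never the path examined. Because this call passes `-n` (exit with 0 regardless of the result), the mismatch would not stop the install and the 700 requirement would go unverified. The third hunk has the same path without `-n`, where the check would presumably fail on a missing path instead. Both lines should end in `$PBS_SERVER_HOME/server_priv/creds || return 1`. The enclosing shell function starts outside this hunk.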
@@ -318,6 +320,7 @@
$PBS_SERVER_HOME/server_priv/acl_groups \
$PBS_SERVER_HOME/server_priv/accounting \
$PBS_SERVER_HOME/server_logs || return 1
+ @INCLUDE_GSSAPI_TRUE@ chk_tree_wrap -d -u 077 $PBS_SERVER_HOME/server/priv/creds || return 1
chk_tree_wrap -d $PBS_SERVER_HOME/checkpoint \
$PBS_SERVER_HOME/mom_priv/jobs \
$PBS_SERVER_HOME/mom_logs || return 1
diff -urNad torque-2.1.99+r1247/src/lib/Liblog/chk_file_sec.c /tmp/dpep.gFzfbd/torque-2.1.99+r1247/src/lib/Liblog/chk_file_sec.c
--- torque-2.1.99+r1247/src/lib/Liblog/chk_file_sec.c 2007-02-25 22:23:40.302825683 +0100
+++ /tmp/dpep.gFzfbd/torque-2.1.99+r1247/src/lib/Liblog/chk_file_sec.c 2007-02-25 22:29:13.056630142 +0100
@@ -250,6 +250,12 @@
rc = EACCES;
}
}
+
+ /* check any remaining bits */
+
+ if (i & disallow & ~(S_IWGRP|S_IWOTH))
+ rc = EACCES;
+
}
chkerr:
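Review bot: The comment `/* check any remaining bits */` does not say which bits are meant or why the two write bits are masked out of the test. Something like `/* any other bit in disallow (e.g. group/other read or execute) is refused outright; S_IWGRP and S_IWOTH are excluded because the checks above handle them */` would let a caller see what passing `S_IRWXG|S_IRWXO` enforces. That the write bits are handled earlier is inferred from the mask, since the preceding code is outside the hunk. The unbraced `if` would also be safer written as `if (...) { rc = EACCES; }` in a function that ends in a shared `chkerr:` label.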
diff -urNad torque-2.1.99+r1247/src/server/pbsd_init.c /tmp/dpep.gFzfbd/torque-2.1.99+r1247/src/server/pbsd_init.c
--- torque-2.1.99+r1247/src/server/pbsd_init.c 2007-02-25 22:23:40.392831851 +0100
+++ /tmp/dpep.gFzfbd/torque-2.1.99+r1247/src/server/pbsd_init.c 2007-02-25 22:23:40.573844257 +0100
@@ -448,6 +448,10 @@
rc |= chk_file_sec(path_acct, 1,0,S_IWGRP|S_IWOTH,0);
rc |= chk_file_sec(PBS_ENVIRON,0,0,S_IWGRP|S_IWOTH,1);
+#ifdef GSSAPI
+ rc |= chk_file_sec(path_creds, 1,0,S_IRWXG|S_IRWXO,0);
+#endif
+
if (rc)
{
return(3);
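Review bot: The added `chk_file_sec(path_creds, 1,0,S_IRWXG|S_IRWXO,0)` call has no comment saying why this directory gets a stricter mask than the neighbouring calls, which pass `S_IWGRP|S_IWOTH`. A line such as `/* cached job credentials: no group or other access of any kind */` above it would record the intent. The read and execute bits in this mask appear to be enforced only by the "remaining bits" test added to chk_file_sec.c in this same patch, so the two changes should be applied together; that dependency is worth stating in the comment as well. The enclosing function starts and ends outside the hunk.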
diff -urNad torque-2.1.99+r1247/src/tools/chk_tree.c /tmp/dpep.gFzfbd/torque-2.1.99+r1247/src/tools/chk_tree.c
--- torque-2.1.99+r1247/src/tools/chk_tree.c 2007-02-08 21:49:37.000000000 +0100
+++ /tmp/dpep.gFzfbd/torque-2.1.99+r1247/src/tools/chk_tree.c 2007-02-25 22:23:40.573844257 +0100
@@ -107,11 +107,12 @@
int dir = 0;
int no_err = 0;
int sticky = 0;
+ int umask = S_IWGRP | S_IWOTH;
extern int optind;
chk_file_sec_stderr=1;
- while ((i = getopt(argc, argv, "dns")) != EOF) {
+ while ((i = getopt(argc, argv, "dnsu")) != EOF) {
switch (i) {
case 'd': dir = 1;
break;
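Review bot: The option string `"dnsu"` declares `-u` as taking no argument, so `optarg` is not set for it and the `strtol(optarg, NULL, 8)` added in the next hunk would be handed a null or stale pointer. The mask value on the command line would then be treated as a path to check. The call should be `getopt(argc, argv, "dnsu:")`. Separately, the local `int umask` shadows the `umask()` function from `<sys/stat.h>`; a name like `disallow` (`int disallow = S_IWGRP | S_IWOTH;`) avoids that and matches the parameter it is passed as. The function body starts outside this hunk.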
@@ -119,17 +120,19 @@
break;
case 's': sticky = 1;
break;
+ case 'u': umask = strtol(optarg, NULL, 8);
+ break;
default: err = 1;
}
}
if (err || (optind == argc)) {
- fprintf(stderr, "Usage %s -d -s -n path ...\n\twhere:\t-d indicates directory (file otherwise)\n\t\t-s indicates world write allowed if sticky set\n\t\t-n indicates do not return the error status, exit with 0\n", argv[0]);
+ fprintf(stderr, "Usage %s -d -s -n [-u mask] path ...\n\twhere:\t-d indicates directory (file otherwise)\n\t\t-s indicates world write allowed if sticky set\n\t\t-n indicates do not return the error status, exit with 0\n\t\t-u mask overrides the default umask (022)\n", argv[0]);
return 1;
}
for (i=optind; i < argc; ++i)
- if ((j=chk_file_sec(argv[i], dir, sticky, S_IWGRP|S_IWOTH, 1))) {
+ if ((j=chk_file_sec(argv[i], dir, sticky, umask, 1))) {
err=1;
}
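Review bot: The `-u` value in `case 'u'` is taken from `strtol(optarg, NULL, 8)` with no validation, so a non-octal or empty argument yields 0 and every later `chk_file_sec` call then disallows nothing. For a permission checker that is a fail-open result; a bad mask should set `err` and print the usage text instead. Parsing with an end pointer and rejecting trailing characters, negative values and anything beyond the mode-bit range covers it, as sketched below. The usage string could also say the mask is octal.

```c
      case 'u': {
        char *end;
        long m = strtol(optarg, &end, 8);
        /* reject empty, non-octal or out-of-range masks rather than checking with 0 */
        if (end == optarg || *end != '\0' || m < 0 || m > 07777)
          err = 1;
        else
          umask = (int)m;
        break;
      }
      default: err = 1;
      /* … unchanged: usage message and chk_file_sec loop … */
```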