[torquedev] really patch: gssapi: use pam_open_session for AFS PAG and tokens

Sergio Gelato Sergio.Gelato at astro.su.se
Wed May 30 06:46:08 MDT 2007


Oops! I forgot to actually attach the patches. Here they are...
-------------- next part --------------
diff -ru gssapi-1301/configure.ac new/configure.ac
--- gssapi-1301/configure.ac	2007-02-16 20:41:27.000000000 +0100
+++ new/configure.ac	2007-05-30 14:27:51.942115877 +0200
@@ -1017,8 +1017,12 @@
 AC_DEFINE_UNQUOTED(pam_get_user_2nd_arg_t, $tac_pam_get_user_2nd_arg,
                         [type to use for 2nd arg of pam_get_user])
 
-
-
+dnl check for PAM library
+AC_CHECK_LIB(pam, pam_set_item, 
+	[LIBPAM="-lpam"
+	 AC_CHECK_LIB(dl, dlopen, [LIBPAM="$LIBPAM -dl"])
+	])
+AC_SUBST(LIBPAM)
 
 
 
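Review bot: The libdl fallback on the new AC_CHECK_LIB line appends `-dl`, which is not the linker flag for libdl; it should read `AC_CHECK_LIB(dl, dlopen, [LIBPAM="$LIBPAM -ldl"])`, otherwise a system whose libpam needs libdl fails to link libtorquegss. Nothing in this patch defines HAVE_SECURITY_PAM_APPL_H, which pbsgss.c uses to switch USE_PAM on, so unless a header check already exists elsewhere in configure.ac the PAM path is never compiled; an `AC_CHECK_HEADERS([security/pam_appl.h])` beside this library check would tie the two together. Setting LIBPAM only when that header check also succeeds would avoid linking -lpam into a build that compiled the aklog fallback.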
diff -ru gssapi-1301/src/include/pbsgss.h new/src/include/pbsgss.h
--- gssapi-1301/src/include/pbsgss.h	2007-02-08 21:49:57.000000000 +0100
+++ new/src/include/pbsgss.h	2007-05-30 14:27:51.943115946 +0200
@@ -1,9 +1,18 @@
 #ifndef _PBSGSS_H_
 #define _PBSGSS_H_
 
+#include "pbs_config.h"
+
+#ifdef HAVE_GSSAPI_GSSAPI_H
 #include <gssapi/gssapi.h>
+#endif
+#ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H
 #include <gssapi/gssapi_generic.h>
+#endif
+#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H
 #include <gssapi/gssapi_krb5.h>
+#endif
+
 #include <stdio.h>
 
 extern gss_buffer_t empty_token;
@@ -39,7 +48,7 @@
 		       char *ccname);
 
 char *ccname_for_job(char *jobnamem, char *prefix);
-int authenticate_as_job(char *jobname,int setpag);
+int authenticate_as_job(char *username,char *jobname,int setpag);
 int pbsgss_renew_creds (char *jobname, char *prefix);
 
 /* Token types */
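Review bot: The new prototype names the second parameter `jobname` while the definition in pbsgss.c calls it `ccname` and passes it straight to setenv as the credential-cache path, which will mislead anyone reading only the header; rename it `char *ccname` so both agree. Neither `username` nor `ccname` is written through, so `const char *` on both would document that and let callers pass string constants. A one-line description of what the function does and the "runs as the mom" assumption noted in pbsgss.c belong here too, since the header is what callers see.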
diff -ru gssapi-1301/src/lib/Libgss/Makefile.am new/src/lib/Libgss/Makefile.am
--- gssapi-1301/src/lib/Libgss/Makefile.am	2007-02-16 20:41:15.000000000 +0100
+++ new/src/lib/Libgss/Makefile.am	2007-05-30 14:27:51.943115946 +0200
@@ -3,4 +3,4 @@
 lib_LTLIBRARIES = libtorquegss.la
 
 libtorquegss_la_SOURCES = pbsgss.c
-
+libtorquegss_la_LIBADD = @LIBPAM@
diff -ru gssapi-1301/src/lib/Libgss/pbsgss.c new/src/lib/Libgss/pbsgss.c
--- gssapi-1301/src/lib/Libgss/pbsgss.c	2007-05-22 08:50:46.000000000 +0200
+++ new/src/lib/Libgss/pbsgss.c	2007-05-30 14:27:51.943115946 +0200
@@ -75,6 +75,11 @@
 #include "dis.h"
 #include "dis_init.h"
 
+#ifdef HAVE_SECURITY_PAM_APPL_H
+#include <security/pam_appl.h>
+#define USE_PAM
+#endif
+
 static int retry = 0;
 
 gss_buffer_desc empty_token_buf = { 0, (void *) "" };
@@ -838,17 +843,59 @@
   return ccname;
 }
 
+#ifdef USE_PAM
+static int pbs_pam_conv(int num_msg,
+		        const struct pam_message **msg,
+			struct pam_response **resp,
+			void *appdata_ptr) {
+  return PAM_CONV_ERR; /* for now */
+}
+#endif
+
 /* assumes it's running as the mom, because server doesn't need to call aklog */
-int authenticate_as_job(char *ccname,
+int authenticate_as_job(char *username,
+		        char *ccname,
 			int setpag) {
+#ifdef USE_PAM
+  int rc;
+  struct pam_conv conv;
+  char *ccvar;
+  pam_handle_t *handle;
+#endif
+
   if (setenv("KRB5CCNAME",ccname,1) != 0) {
     return -1;
   }
+
+#ifdef USE_PAM
+  conv.conv = pbs_pam_conv;
+  conv.appdata_ptr = NULL;
+  rc = pam_start("pbs_mom", username, &conv, &handle);
+  if (rc != PAM_SUCCESS)
+    return -2;
+  if (ccname) {
+    ccvar = malloc(sizeof("KRB5CCNAME=")+strlen(ccname));
+    if (!ccvar) {
+      pam_end(handle, rc);
+      return -3;
+    }
+    strcpy(ccvar, "KRB5CCNAME=");
+    strcat(ccvar, ccname);
+    rc = pam_putenv(handle, ccvar);
+    free(ccvar);
+  }
+  if (rc == PAM_SUCCESS)
+    rc = pam_open_session(handle, 0);
+  pam_end(handle, rc);
+  if (rc != PAM_SUCCESS)
+    return -4;
+#else
   if (setpag) {
     system("/usr/bin/aklog -setpag");   
   } else {
     system("/usr/bin/aklog");
   }
+#endif
   return 0;
 }
 
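Review bot: The `if (ccname)` guard in the new PAM block can never be false, because the unchanged `setenv("KRB5CCNAME",ccname,1)` just above has already passed ccname through unchecked; move the check to the top of the function, `if (!ccname) return -1;`, and drop the inner one. `setpag` is ignored entirely when USE_PAM is defined, so the PAG/no-PAG distinction the aklog path honours is now decided by the PAM stack; a comment on the parameter saying so would stop callers relying on it. `pam_open_session` is followed straight by `pam_end` with no `pam_close_session`, which is presumably intended because the PAG and tokens must outlive this call, but that should be stated in a comment. A NULL `username` (start_exec.c passes one when TJE->pwdp is unset) is accepted by pam_start and only fails later through the conversation function's PAM_CONV_ERR, so rejecting it up front with its own return code would give a clearer log line.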
diff -ru gssapi-1301/src/resmom/requests.c new/src/resmom/requests.c
--- gssapi-1301/src/resmom/requests.c	2007-02-16 20:41:09.000000000 +0100
+++ new/src/resmom/requests.c	2007-05-30 14:27:51.945116084 +0200
@@ -2753,7 +2753,8 @@
 #ifdef GSSAPI
   ccname = ccname_for_job(preq->rq_ind.rq_cpyfile.rq_jobid,path_creds);
   if (ccname) {
-    if (authenticate_as_job(ccname,1) != 0) {
+    char *username = preq->rq_ind.rq_cpyfile.rq_user;
+    if (authenticate_as_job(username,ccname,1) != 0) {
       sprintf(log_buffer,"Couldn't authenticate as job %s",preq->rq_ind.rq_cpyfile.rq_jobid);
       log_err(0,"req_cpyfile",log_buffer);
     }
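Review bot: The PAM user for the session is now taken from `preq->rq_ind.rq_cpyfile.rq_user`, the name carried in the request, whereas start_exec.c derives it from the resolved passwd entry; if rq_user has not already been validated against the job's owner before this point, the mom opens a PAM session for whatever name the request carried. Resolving it with the same passwd lookup the other call site uses, or checking it matches the job owner, would keep both paths on the same trust basis. The enclosing function starts and ends outside the hunk, so that validation may already happen earlier.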
diff -ru gssapi-1301/src/resmom/start_exec.c new/src/resmom/start_exec.c
--- gssapi-1301/src/resmom/start_exec.c	2007-05-22 08:50:45.000000000 +0200
+++ new/src/resmom/start_exec.c	2007-05-30 14:27:51.946116153 +0200
@@ -1786,10 +1786,19 @@
 #ifdef GSSAPI
     ccname = ccname_for_job(((job *)TJE->pjob)->ji_qs.ji_jobid,path_creds);
     if (ccname) {
-      if (authenticate_as_job(ccname,1)) {
+      char *username = TJE->pwdp ? ((struct passwd *)TJE->pwdp)->pw_name : NULL;
+      struct grpcache *gc = ((job *)TJE->pjob)->ji_grpcache;
+      if (authenticate_as_job(username,ccname,1)) {
+	free(ccname);
 	return FAILURE;
       }
       free(ccname);
+      gc->gc_ngroup = init_groups(username,
+		                  ((job *)TJE->pjob)->ji_qs.ji_un.ji_momt.ji_exgid,
+				  NGROUPS_MAX,
+				  gc->gc_groups);
+      if (gc->gc_ngroup < 0)
+        return FAILURE;
     }
 
 #endif
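Review bot: `username` can be NULL here (the new ternary yields NULL when TJE->pwdp is unset) and is then passed not only to authenticate_as_job but on to `init_groups` as the name to look up groups for; a guard `if (username == NULL) return FAILURE;` before the authenticate call would avoid that. `gc` is dereferenced without a NULL check, which may be fine if ji_grpcache is always populated by this point, but the function starts outside the hunk so that cannot be confirmed here. The reason for rebuilding the group cache after the PAM session is not stated; a comment such as `/* the PAM session may change the supplementary group set (e.g. a PAG); rebuild the cached list afterwards */` would explain the ordering, hedged as appropriate if that is not the actual motivation.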
-------------- next part --------------
diff -ru old/src/include/job.h new/src/include/job.h
--- old/src/include/job.h	2007-02-16 20:40:47.000000000 +0100
+++ new/src/include/job.h	2007-05-30 14:29:14.290787729 +0200
@@ -168,7 +168,7 @@
 #ifdef NGROUPS_MAX
 struct grpcache {
   int    gc_ngroup;	/* number of active supplementary groups */
-  int    gc_groups[NGROUPS_MAX];
+  GETGROUPS_T gc_groups[NGROUPS_MAX];
   char   gc_homedir[1];	/* more space allocated as part of this	 */
 			/* structure following here		 */
   };
diff -ru old/src/include/mom_func.h new/src/include/mom_func.h
--- old/src/include/mom_func.h	2007-02-08 21:49:57.000000000 +0100
+++ new/src/include/mom_func.h	2007-05-30 14:29:14.291787798 +0200
@@ -137,7 +137,7 @@
 extern pid_t fork_me A_((int sock));
 extern int   get_la A_((double *));
 extern void  init_abort_jobs A_((int));
-extern int   init_groups A_((char *, int, int, int *));
+extern int   init_groups A_((char *, int, int, GETGROUPS_T *));
 extern int   kill_job A_((job *, int sig));
 extern void  mom_deljob A_((job *));
 extern void  mom_freenodes A_((job *));
diff -ru old/src/resmom/mom_main.c new/src/resmom/mom_main.c
--- old/src/resmom/mom_main.c	2007-05-22 08:50:45.000000000 +0200
+++ new/src/resmom/mom_main.c	2007-05-30 14:29:14.293787936 +0200
@@ -6042,6 +6042,7 @@
   static	char id[] = "mom_main";
 
   int	 	errflg, c;
+  GETGROUPS_T   g;
   FILE		*dummyfile;
   task		*ptask;
   char		*ptr;                   /* local tmp variable */
@@ -6366,9 +6367,9 @@
     exit(1);
     }
 
-  c = getgid();
+  g = getgid();
 
-  setgroups(1,(gid_t *)&c);	/* secure suppl. groups */
+  setgroups(1,&g);	/* secure suppl. groups */
 
   c = sysconf(_SC_OPEN_MAX);
 
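Review bot: The rewritten `setgroups(1,&g);` still discards the return value, so if dropping the inherited supplementary groups fails the daemon simply carries on with them; af_system.c in this same patch checks the call and exits, and this site plus pbsd_init.c (`setgroups(1,&g);`) and both pbs_sched.c variants (`(void)setgroups(1, &g);`) should do the same, e.g. `if (setgroups(1,&g) == -1) { log_err(errno,id,"setgroups"); exit(1); }`. The GETGROUPS_T local removes the int-as-gid_t punning the old `(gid_t *)&c` relied on; a short comment that `g` must have the element type setgroups expects would stop someone folding it back into `c`.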
diff -ru old/src/resmom/prolog.c new/src/resmom/prolog.c
--- old/src/resmom/prolog.c	2007-02-16 20:41:09.000000000 +0100
+++ new/src/resmom/prolog.c	2007-05-30 14:29:14.293787936 +0200
@@ -493,7 +493,7 @@
       {
       setgroups(
         pjob->ji_grpcache->gc_ngroup,
-        (gid_t *)pjob->ji_grpcache->gc_groups);
+        pjob->ji_grpcache->gc_groups);
 
       setgid(pjob->ji_qs.ji_un.ji_momt.ji_exgid);
 
diff -ru old/src/resmom/requests.c new/src/resmom/requests.c
--- old/src/resmom/requests.c	2007-05-30 14:27:51.000000000 +0200
+++ new/src/resmom/requests.c	2007-05-30 14:29:14.295788074 +0200
@@ -170,7 +170,7 @@
 static uid_t  useruid;
 static gid_t  usergid;
 static int    ngroup;
-static int   *groups;
+static GETGROUPS_T *groups;
 static char  *output_retained = "Output retained on that host in: ";
 static char   rcperr[MAXPATHLEN];	/* file to contain rcp error */
 
@@ -249,7 +249,7 @@
   pid_t           pid;
   job            *pjob;
   struct passwd  *pwdp;
-  static int      fgrp[NGROUPS_MAX];
+  static GETGROUPS_T fgrp[NGROUPS_MAX];
 
   char           *idir;
 
@@ -460,7 +460,7 @@
 
   if (SetUID == TRUE)
     {
-    setgroups(ngroup,(gid_t *)groups);
+    setgroups(ngroup,groups);
 
     setgid(usergid);
     setuid(useruid);   /* run as the user */
@@ -2193,7 +2193,7 @@
       {
       /* NOTE:  if routine called as user, all of the following may silently fail */
 
-      setgroups(ngroup,(gid_t *)groups);
+      setgroups(ngroup,groups);
       
       setgid(usergid);
       setuid(useruid);   /* run as the user */
diff -ru old/src/resmom/start_exec.c new/src/resmom/start_exec.c
--- old/src/resmom/start_exec.c	2007-05-30 14:27:51.000000000 +0200
+++ new/src/resmom/start_exec.c	2007-05-30 14:29:14.296788143 +0200
@@ -3036,7 +3036,7 @@
 
   setgroups(
     pjob->ji_grpcache->gc_ngroup,
-    (gid_t *)pjob->ji_grpcache->gc_groups);
+    pjob->ji_grpcache->gc_groups);
 
   setgid(pjob->ji_qs.ji_un.ji_momt.ji_exgid);
 
@@ -4150,7 +4150,7 @@
   /* become the user and  execv the shell and become the real job */
 
   setgroups(pjob->ji_grpcache->gc_ngroup,
-    (gid_t *)pjob->ji_grpcache->gc_groups);
+            pjob->ji_grpcache->gc_groups);
 
   setgid(pjob->ji_qs.ji_un.ji_momt.ji_exgid);
   setuid(pjob->ji_qs.ji_un.ji_momt.ji_exuid);
@@ -5399,7 +5399,7 @@
   char *pwname,   /* I User's name */
   int   pwgrp,    /* I User's group from pw entry */
   int   groupsize,/* I size of the array, following argument */
-  int  *groups)   /* O ptr to group array, list build there */
+  GETGROUPS_T *groups)   /* O ptr to group array, list build there */
 
   {
   /* DJH Jan 2004. The original implementation looped over all groups
@@ -5414,7 +5414,7 @@
   char id[]="init_groups";
   extern sigset_t allsigs; /* set up at the start of mom_main */
   sigset_t savedset;
-  gid_t *savedgroups;
+  GETGROUPS_T *savedgroups;
   int n, nsaved;
 
 
@@ -5424,16 +5424,21 @@
   /* save current group access because we're about to overwrite it */
 
   nsaved = getgroups(0,savedgroups);
-  savedgroups = malloc(sizeof(gid_t) * (nsaved + 2));
+  if (nsaved < 0) 
+    {
+    log_err(errno,id,"getgroups");
+    return(-1);
+    }
+  savedgroups = malloc(sizeof(GETGROUPS_T) * (nsaved + 1));
   if (!savedgroups) {
     sprintf(log_buffer,"Couldn't malloc memory to save groups\n");
     log_err(errno,id,log_buffer);
     return -1;
   }
-  if (nsaved < 0) 
+  nsaved = getgroups(nsaved,savedgroups);
+  if (nsaved < 0)
     {
     log_err(errno,id,"getgroups");
-    free(savedgroups);
     return(-1);
     }
 
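Review bot: The removed `free(savedgroups);` on the failure path of the second getgroups call leaks the buffer that was just allocated; keep it: `log_err(errno,id,"getgroups"); free(savedgroups); return(-1);`. The first getgroups is now called with size 0 and its result bounds the malloc, but the buffer is sized `nsaved + 1` where the old code used `nsaved + 2` with no comment on either, so state why one spare slot is wanted or size it exactly. init_groups continues well past this hunk, so the later restore and release of savedgroups could not be checked here.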
@@ -5493,7 +5498,7 @@
     } 
   else 
     {
-    n = getgroups(groupsize,(gid_t *)groups);
+    n = getgroups(groupsize,groups);
     }
 
   /* restore state */
@@ -5519,7 +5524,7 @@
   char *pwname,	   /* I User's name */
   int   pwgrp,	   /* I User's group from pw entry */
   int   groupsize, /* I size of the array, following argument */
-  int  *groups)	   /* O ptr to group array, list build there */
+  GETGROUPS_T  *groups)	   /* O ptr to group array, list build there */
 
   {
   struct group *grp;
diff -ru old/src/scheduler.basl/af_system.c new/src/scheduler.basl/af_system.c
--- old/src/scheduler.basl/af_system.c	2007-02-08 21:50:17.000000000 +0100
+++ new/src/scheduler.basl/af_system.c	2007-05-30 14:29:14.297788212 +0200
@@ -459,15 +459,16 @@
 static void secureEnv(void)
 {
 	int c;
+	GETGROUPS_T g;
 
         /* The following is code to reduce security risks                */
         /* start out with standard umask, system resource limit infinite */
 	umask(022);
         if (setup_env(PBS_ENVIRON) == -1)
                 exit(1);
-	c = getgid();
+	g = getgid();
 	/* secure suppl. group ids */
-	if( setgroups(1, (gid_t *)&c) == -1 ) {
+	if( setgroups(1, &g) == -1 ) {
 		perror("setgroups");
 		exit(1);
 	}
diff -ru old/src/scheduler.cc/pbs_sched.c new/src/scheduler.cc/pbs_sched.c
--- old/src/scheduler.cc/pbs_sched.c	2007-02-16 20:41:00.000000000 +0100
+++ new/src/scheduler.cc/pbs_sched.c	2007-05-30 14:29:14.297788212 +0200
@@ -683,6 +683,7 @@
 	char		*id = "main";
 	struct	hostent	*hp;
 	int		go, c, errflg = 0;
+	GETGROUPS_T	g;
 	int		lockfds;
 	int		t = 1;
 	pid_t		pid;
@@ -806,8 +807,8 @@
 	umask(022);
 	if (setup_env(PBS_ENVIRON)==-1)
 		exit(1);
-	c = getgid();
-	(void)setgroups(1, (gid_t *)&c);	/* secure suppl. groups */
+	g = getgid();
+	(void)setgroups(1, &g);	/* secure suppl. groups */
 	c = sysconf(_SC_OPEN_MAX);
 	while (--c > 2)
 		(void)close(c);	/* close any file desc left open by parent */
diff -ru old/src/scheduler.tcl/pbs_sched.c new/src/scheduler.tcl/pbs_sched.c
--- old/src/scheduler.tcl/pbs_sched.c	2007-02-08 21:49:36.000000000 +0100
+++ new/src/scheduler.tcl/pbs_sched.c	2007-05-30 14:29:14.298788281 +0200
@@ -613,6 +613,7 @@
 	int		code;
 	struct	hostent	*hp;
 	int		go, c, errflg = 0;
+	GETGROUPS_T	g;
 	int		lockfds;
 	int		t = 1;
 	char		*ptr;
@@ -740,8 +741,8 @@
 	umask(022);
 	if (setup_env(PBS_ENVIRON)==-1)
 		exit(1);
-	c = getgid();
-	(void)setgroups(1, (gid_t *)&c);	/* secure suppl. group ids */
+	g = getgid();
+	(void)setgroups(1, &g);	/* secure suppl. group ids */
 	c = sysconf(_SC_OPEN_MAX);
 	while (--c > 2)
 		(void)close(c);	/* close any file desc left open by parent */
diff -ru old/src/server/pbsd_init.c new/src/server/pbsd_init.c
--- old/src/server/pbsd_init.c	2007-05-22 08:50:46.000000000 +0200
+++ new/src/server/pbsd_init.c	2007-05-30 14:29:14.298788281 +0200
@@ -249,6 +249,7 @@
   int	 fd;
   int	 had;
   int	 i;
+  GETGROUPS_T g;
   static char id[] = "pbsd_init";
   char	*job_suffix = JOB_FILE_SUFFIX;
   int	 job_suf_len = strlen(job_suffix);
@@ -272,9 +273,9 @@
     return(-1);
     }
 
-  i = getgid();
+  g = getgid();
 
-  setgroups(1,(gid_t *)&i);	/* secure suppl. groups */
+  setgroups(1,&g);	/* secure suppl. groups */
 
   i = sysconf(_SC_OPEN_MAX);
 

