radius: put the process ID into NAS-Port

This commit is contained in:
Nikos Mavrogiannopoulos
2015-05-07 13:34:03 +02:00
parent 6b79e20c53
commit 41bcc9d0c0
12 changed files with 37 additions and 18 deletions


@@ -208,7 +208,7 @@ static int verify_krb5_constraints(struct gssapi_ctx_st *pctx, gss_OID mech_type
return 0;
}
static int gssapi_auth_init(void **ctx, void *pool, const char *spnego, const char *ip)
static int gssapi_auth_init(void **ctx, void *pool, const char *spnego, const char *ip, unsigned pid)
{
struct gssapi_ctx_st *pctx;
OM_uint32 minor, flags, time;


@@ -141,7 +141,7 @@ wait:
}
}
static int pam_auth_init(void** ctx, void *pool, const char* user, const char* ip)
static int pam_auth_init(void** ctx, void *pool, const char* user, const char* ip, unsigned pid)
{
int pret;
struct pam_ctx_st * pctx;


@@ -181,7 +181,7 @@ static int read_auth_pass(struct plain_ctx_st *pctx)
return ret;
}
static int plain_auth_init(void **ctx, void *pool, const char *username, const char *ip)
static int plain_auth_init(void **ctx, void *pool, const char *username, const char *ip, unsigned pid)
{
struct plain_ctx_st *pctx;
int ret;


@@ -79,7 +79,7 @@ static void radius_global_deinit()
rc_destroy(rh);
}
static int radius_auth_init(void **ctx, void *pool, const char *username, const char *ip)
static int radius_auth_init(void **ctx, void *pool, const char *username, const char *ip, unsigned id)
{
struct radius_ctx_st *pctx;
char *default_realm;
@@ -106,7 +106,7 @@ static int radius_auth_init(void **ctx, void *pool, const char *username, const
} else {
strcpy(pctx->username, username);
}
pctx->id = id;
*ctx = pctx;
@@ -230,6 +230,17 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
goto cleanup;
}
if (pctx->id) {
service = pctx->id;
if (rc_avpair_add(rh, &send, PW_NAS_PORT, &service, -1, 0) == NULL) {
syslog(LOG_ERR,
"%s:%u: user '%s' auth error", __func__, __LINE__,
pctx->username);
ret = ERR_AUTH_FAIL;
goto cleanup;
}
}
service = PW_ASYNC;
if (rc_avpair_add(rh, &send, PW_NAS_PORT_TYPE, &service, -1, 0) == NULL) {
syslog(LOG_ERR,
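Review bot: The value stored by `service = pctx->id;` and sent as NAS-Port is a worker process ID, not a physical port, and nothing in the hunk records that semantics or the fact that the attribute is silently omitted when `pctx->id` is 0 (the value check_upeer_id reports when peer credentials are unavailable). A comment above the `if (pctx->id)` block would spare the next reader a trip through sec-mod: `/* NAS-Port carries the PID of the worker handling this session (0 = unknown, attribute omitted); it is a local identifier that is reused after the worker exits, not a physical port. */`. If this module also emits Accounting-Request packets outside the hunk, they should carry the same NAS-Port, since RADIUS servers commonly correlate sessions on it. radius_auth_pass continues outside the hunk.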


@@ -48,6 +48,7 @@ struct radius_ctx_st {
const char *pass_msg;
unsigned retries;
unsigned id;
};
extern const struct auth_mod_st radius_auth_funcs;
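Review bot: The new `unsigned id;` field holds a process ID that ends up on the wire as NAS-Port, but the struct gives no hint of that; `unsigned id; /* PID of the requesting worker (from sec-mod peer credentials); sent as NAS-Port, 0 = unknown, attribute omitted */` would document it where the field is declared. Since it is filled from a `pid_t`, consider whether `pid_t` is the more honest type, although `unsigned` matches the auth_init interface that delivers it.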


@@ -732,7 +732,7 @@ static void ctl_handle_commands(main_server_st * s)
goto cleanup;
}
ret = check_upeer_id("ctl", s->config->debug, cfd, 0, 0, NULL);
ret = check_upeer_id("ctl", s->config->debug, cfd, 0, 0, NULL, NULL);
if (ret < 0) {
mslog(s, NULL, LOG_ERR, "ctl: unauthorized connection");
goto cleanup;


@@ -711,7 +711,7 @@ int set_module(sec_mod_st * sec, client_entry_st *e, unsigned auth_type)
return -1;
}
int handle_sec_auth_init(int cfd, sec_mod_st * sec, const SecAuthInitMsg * req)
int handle_sec_auth_init(int cfd, sec_mod_st * sec, const SecAuthInitMsg * req, pid_t pid)
{
int ret = -1;
client_entry_st *e;
@@ -735,7 +735,7 @@ int handle_sec_auth_init(int cfd, sec_mod_st * sec, const SecAuthInitMsg * req)
if (e->module) {
ret =
e->module->auth_init(&e->auth_ctx, e, req->user_name, req->ip);
e->module->auth_init(&e->auth_ctx, e, req->user_name, req->ip, pid);
if (ret == ERR_AUTH_CONTINUE) {
need_continue = 1;
} else if (ret < 0) {
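Review bot: The call `e->module->auth_init(&e->auth_ctx, e, req->user_name, req->ip, pid);` converts `pid_t` to the callback's `unsigned` parameter implicitly; PIDs reported by SO_PEERCRED are non-negative so nothing is lost, but an explicit `(unsigned)pid` makes the intended narrowing visible and keeps -Wsign-conversion quiet. This is also the point where `pid == 0` ("peer credentials unavailable", the fallback in check_upeer_id) turns into an `id` of 0 that the radius module reads as "do not send NAS-Port", and a one-line comment on the call would document that contract. handle_sec_auth_init continues outside the hunk.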


@@ -32,7 +32,7 @@ typedef struct auth_mod_st {
unsigned int allows_retries; /* whether the module allows retries of the same password */
void (*global_init)(void *pool, void* additional);
void (*global_deinit)(void);
int (*auth_init)(void** ctx, void *pool, const char* username, const char* ip);
int (*auth_init)(void** ctx, void *pool, const char* username, const char* ip, unsigned id);
int (*auth_msg)(void* ctx, void *pool, char** msg);
int (*auth_pass)(void* ctx, const char* pass, unsigned pass_len);
int (*auth_group)(void* ctx, const char *suggested, char *groupname, int groupname_size);
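Review bot: The new `id` parameter of `auth_init` is the one interface change in this struct without a comment, although the neighbouring `allows_retries` field documents itself. Its meaning is only recoverable from sec-mod.c and common.c, where it is filled from SO_PEERCRED and is 0 when credentials are unavailable; suggest `/* id: PID of the worker process requesting authentication, as reported by the sec-mod socket peer credentials; 0 when unknown */` on the line above the prototype. Modules that do not use it (gssapi, pam, plain in this commit) still take it so the table stays uniform, which is fine, but the comment should say the value may be ignored.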


@@ -188,7 +188,7 @@ static int handle_op(void *pool, int cfd, sec_mod_st * sec, uint8_t type, uint8_
}
static
int process_packet(void *pool, int cfd, sec_mod_st * sec, cmd_request_t cmd,
int process_packet(void *pool, int cfd, pid_t pid, sec_mod_st * sec, cmd_request_t cmd,
uint8_t * buffer, size_t buffer_size)
{
unsigned i;
@@ -276,7 +276,7 @@ int process_packet(void *pool, int cfd, sec_mod_st * sec, cmd_request_t cmd,
return -1;
}
ret = handle_sec_auth_init(cfd, sec, auth_init);
ret = handle_sec_auth_init(cfd, sec, auth_init, pid);
sec_auth_init_msg__free_unpacked(auth_init, &pa);
return ret;
}
@@ -453,7 +453,7 @@ int serve_request_main(sec_mod_st *sec, int cfd, uint8_t *buffer, unsigned buffe
}
static
int serve_request(sec_mod_st *sec, int cfd, uint8_t *buffer, unsigned buffer_size)
int serve_request(sec_mod_st *sec, int cfd, pid_t pid, uint8_t *buffer, unsigned buffer_size)
{
int ret, e;
unsigned cmd, length;
@@ -492,7 +492,7 @@ int serve_request(sec_mod_st *sec, int cfd, uint8_t *buffer, unsigned buffer_siz
goto leave;
}
ret = process_packet(pool, cfd, sec, cmd, buffer, ret);
ret = process_packet(pool, cfd, pid, sec, cmd, buffer, ret);
if (ret < 0) {
seclog(sec, LOG_INFO, "error processing data for '%s' command (%d)", cmd_request_to_str(cmd), ret);
}
@@ -543,6 +543,7 @@ void sec_mod_server(void *main_pool, struct perm_cfg_st *perm_config, const char
sec_mod_st *sec;
void *sec_mod_pool;
fd_set rd_set;
pid_t pid;
sigset_t emptyset, blockset;
#ifdef DEBUG_LEAKS
@@ -747,7 +748,7 @@ void sec_mod_server(void *main_pool, struct perm_cfg_st *perm_config, const char
/* do not allow unauthorized processes to issue commands
*/
ret = check_upeer_id("sec-mod", sec->config->debug, cfd, perm_config->uid, perm_config->gid, &uid);
ret = check_upeer_id("sec-mod", sec->config->debug, cfd, perm_config->uid, perm_config->gid, &uid, &pid);
if (ret < 0) {
seclog(sec, LOG_INFO, "rejected unauthorized connection");
} else {
@@ -756,7 +757,7 @@ void sec_mod_server(void *main_pool, struct perm_cfg_st *perm_config, const char
if (buffer == NULL) {
seclog(sec, LOG_ERR, "error in memory allocation");
} else {
serve_request(sec, cfd, buffer, buffer_size);
serve_request(sec, cfd, pid, buffer, buffer_size);
talloc_free(buffer);
}
}
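Review bot: `pid_t pid;` in sec_mod_server is declared without an initialiser and is only written inside check_upeer_id; if that function has a credential path between its two modified spots that returns success without touching `*pid`, serve_request would forward an indeterminate value as the worker's PID and, through the radius module, into NAS-Port. Initialising at the declaration, `pid_t pid = 0;`, makes the "unknown" case explicit regardless of which branch check_upeer_id takes and costs nothing. process_packet and serve_request only thread the value through, which is appropriate. All three functions start before and end after the shown hunks.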


@@ -123,7 +123,7 @@ void seclog_hex(const struct sec_mod_st* sec, int priority,
void sec_auth_init(sec_mod_st *sec, struct perm_cfg_st *config);
void handle_sec_auth_ban_ip_reply(int cfd, sec_mod_st *sec, const BanIpReplyMsg *msg);
int handle_sec_auth_init(int cfd, sec_mod_st *sec, const SecAuthInitMsg * req);
int handle_sec_auth_init(int cfd, sec_mod_st *sec, const SecAuthInitMsg * req, pid_t pid);
int handle_sec_auth_cont(int cfd, sec_mod_st *sec, const SecAuthContMsg * req);
int handle_sec_auth_session_cmd(int cfd, sec_mod_st *sec, const SecAuthSessionMsg *req, unsigned cmd);
int handle_sec_auth_stats_cmd(sec_mod_st * sec, const CliStatsMsg * req);


@@ -64,7 +64,7 @@ SIGHANDLER_T ocsignal(int signum, SIGHANDLER_T handler)
/* Checks whether the peer in a socket has the expected @uid and @gid.
* Returns zero on success.
*/
int check_upeer_id(const char *mod, int debug, int cfd, uid_t uid, uid_t gid, uid_t *ruid)
int check_upeer_id(const char *mod, int debug, int cfd, uid_t uid, uid_t gid, uid_t *ruid, pid_t *pid)
{
int e, ret;
#if defined(SO_PEERCRED) && defined(HAVE_STRUCT_UCRED)
@@ -92,6 +92,9 @@ int check_upeer_id(const char *mod, int debug, int cfd, uid_t uid, uid_t gid, ui
if (ruid)
*ruid = cr.uid;
if (pid)
*pid = cr.pid;
if (cr.uid != 0 && (cr.uid != uid || cr.gid != gid)) {
syslog(LOG_ERR,
"%s: received unauthorized request from pid %u and uid %u",
@@ -114,6 +117,9 @@ int check_upeer_id(const char *mod, int debug, int cfd, uid_t uid, uid_t gid, ui
if (ruid)
*ruid = euid;
if (pid)
*pid = 0;
if (debug >= 3)
syslog(LOG_DEBUG,
"%s: received request from a processes with uid %u",
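Review bot: The function comment at the top of the hunk still describes only the uid/gid check and says nothing about the new `pid` out-parameter or that it is set to 0 on the non-SO_PEERCRED path; suggest extending it with ` * If @pid is non-NULL it receives the peer's PID as reported by SO_PEERCRED, or 0 when the platform cannot report it.` Note also that `*pid` (like `*ruid`) is stored before the authorization test on `cr.uid`, so a caller receives the PID even for a rejected peer — harmless for the present callers, which drop the connection on failure, but worth one sentence in the comment. If a third credential path exists between the two modified spots (they are about twenty lines apart), it should also write `*pid`, or the function should do `if (pid) *pid = 0;` once at entry. The function body extends beyond the hunk.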


@@ -41,6 +41,6 @@ void kill_on_parent_kill(int sig);
SIGHANDLER_T ocsignal(int signum, SIGHANDLER_T handler);
int check_upeer_id(const char *mod, int debug, int cfg, uid_t uid, uid_t gid, uid_t *ruid);
int check_upeer_id(const char *mod, int debug, int cfg, uid_t uid, uid_t gid, uid_t *ruid, pid_t *pid);
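Review bot: The prototype names the socket argument `cfg` while the definition in common.c names it `cfd`; since the declaration is being rewritten anyway, `int check_upeer_id(const char *mod, int debug, int cfd, uid_t uid, uid_t gid, uid_t *ruid, pid_t *pid);` brings the names back in sync. A short comment here stating that `ruid` and `pid` may be NULL and that `*pid` is 0 when peer credentials are unavailable would belong in this header, since it is what callers read.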
#endif