File pegasus-local-or-remote-auth.patch of Package tog-pegasus
Based on RH's pegasus-2.6.1-local-or-remote-auth.patch
+ added support for IPv6 (recognizes both ::1 and ::ffff:127.x.x.x as local)
+ support the new privilege separation feature.
---
src/Executor/Messages.h | 1
src/Executor/PAMAuth.h | 69 +++++++---
src/Executor/Parent.c | 3
src/Executor/tests/PAMAuth/TestExecutorPAMAuth.c | 2
src/Pegasus/Common/AuthenticationInfo.h | 16 ++
src/Pegasus/Common/AuthenticationInfoRep.cpp | 13 +
src/Pegasus/Common/AuthenticationInfoRep.h | 8 +
src/Pegasus/Common/Executor.cpp | 17 +-
src/Pegasus/Common/Executor.h | 3
src/Pegasus/Common/HTTPConnection.cpp | 44 ++++++
src/Pegasus/Common/HTTPMessage.cpp | 3
src/Pegasus/Common/HTTPMessage.h | 1
src/Pegasus/Common/tests/Executor/TestExecutor.cpp | 4
src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp | 3
src/Pegasus/Security/Authentication/BasicAuthenticator.h | 3
src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h | 3
src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp | 3
src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp | 5
src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp | 2
src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp | 3
20 files changed, 172 insertions(+), 34 deletions(-)
--- src/Pegasus/Common/AuthenticationInfo.h.orig
+++ src/Pegasus/Common/AuthenticationInfo.h
@@ -356,6 +356,22 @@ public:
return _rep->getRemotePrivilegedUserAccessChecked();
}
+ /** Indicate whether the user is Remote
+ */
+ Boolean isRemoteUser() const
+ {
+ CheckRep(_rep);
+ return _rep->isRemoteUser();
+ }
+
+ /** Set the Remote User flag
+ */
+ void setRemoteUser(Boolean remoteUser)
+ {
+ CheckRep(_rep);
+ _rep->setRemoteUser(remoteUser);
+ }
+
private:
AuthenticationInfo(AuthenticationInfoRep* rep) : _rep(rep)
--- src/Pegasus/Common/AuthenticationInfoRep.cpp.orig
+++ src/Pegasus/Common/AuthenticationInfoRep.cpp
@@ -46,7 +46,8 @@ const String AuthenticationInfoRep::AUTH
AuthenticationInfoRep::AuthenticationInfoRep(Boolean flag)
: _connectionAuthenticated(false),
- _wasRemotePrivilegedUserAccessChecked(false)
+ _wasRemotePrivilegedUserAccessChecked(false),
+ _remoteUser(true)
{
PEG_METHOD_ENTER(
TRC_AUTHENTICATION, "AuthenticationInfoRep::AuthenticationInfoRep");
@@ -169,4 +170,14 @@ void AuthenticationInfoRep::setClientCer
PEG_METHOD_EXIT();
}
+void AuthenticationInfoRep::setRemoteUser(Boolean remoteUser)
+{
+ PEG_METHOD_ENTER(TRC_AUTHENTICATION,
+ "AuthenticationInfoRep::setRemoteUser");
+
+ _remoteUser = remoteUser;
+
+ PEG_METHOD_EXIT();
+}
+
PEGASUS_NAMESPACE_END
--- src/Pegasus/Common/AuthenticationInfoRep.h.orig
+++ src/Pegasus/Common/AuthenticationInfoRep.h
@@ -167,6 +167,13 @@ public:
return _wasRemotePrivilegedUserAccessChecked;
}
+ Boolean isRemoteUser() const
+ {
+ return _remoteUser;
+ }
+
+ void setRemoteUser(Boolean remoteUser);
+
private:
/** Constructors */
@@ -192,6 +199,7 @@ private:
Boolean _wasRemotePrivilegedUserAccessChecked;
Array<SSLCertificateInfo*> _clientCertificate;
+ Boolean _remoteUser;
};
PEGASUS_NAMESPACE_END
--- src/Pegasus/Common/HTTPConnection.cpp.orig
+++ src/Pegasus/Common/HTTPConnection.cpp
@@ -2039,6 +2039,50 @@ void HTTPConnection::_handleReadEvent()
_incomingBuffer).get()));
}
+ // Allow authenticators to differentiate Remote and Local users:
+ struct sockaddr_in6 sin_peer, sin_svr;
+ socklen_t slen1=sizeof(sin_peer), slen2=sizeof(sin_svr);
+ uint32_t sock = _socket.get()->getSocket() ;
+ memset(&sin_peer,'\0',slen1);
+ memset(&sin_svr, '\0',slen2);
+ if (::getpeername( sock, (struct sockaddr*)&sin_peer, &slen1) == 0 ||
+ ::getsockname( sock, (struct sockaddr*)&sin_svr, &slen2) == 0)
+ {
+ if (sin_peer.sin6_family == AF_INET)
+ {
+ struct sockaddr_in sin;
+ memcpy(&sin, &sin_peer, sizeof(sin));
+ if ((ntohl(sin.sin_addr.s_addr) >> 24) & 0xff == 127)
+ // message was sent FROM localhost interface
+ message->fromRemoteHost = false;
+ }
+ if (sin_svr.sin6_family == AF_INET)
+ {
+ struct sockaddr_in sin;
+ memcpy(&sin, &sin_svr, sizeof(sin));
+ if ((ntohl( sin.sin_addr.s_addr) >> 24) & 0xff == 127)
+ // message was sent TO localhost interface
+ message->fromRemoteHost = false;
+ }
+ if (sin_peer.sin6_family == AF_INET6)
+ {
+ // ::ffff:127.x.x.x
+ static char ipv4_localhost[] =
+ {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 127};
+ if (memcmp(&sin_peer.sin6_addr, ipv4_localhost,
+ sizeof(ipv4_localhost)) == 0)
+ {
+ message->fromRemoteHost = false;
+ }
+ // ::1
+ if (memcmp(&sin_peer.sin6_addr, &in6addr_loopback,
+ sizeof(struct in6_addr)) == 0)
+ {
+ message->fromRemoteHost = false;
+ }
+ }
+ }
+
//
// increment request count
//
--- src/Pegasus/Common/HTTPMessage.cpp.orig
+++ src/Pegasus/Common/HTTPMessage.cpp
@@ -120,7 +120,8 @@ HTTPMessage::HTTPMessage(
queueId(queueId_),
authInfo(0),
acceptLanguagesDecoded(false),
- contentLanguagesDecoded(false)
+ contentLanguagesDecoded(false),
+ fromRemoteHost(true)
{
if (cimException_)
cimException = *cimException_;
--- src/Pegasus/Common/HTTPMessage.h.orig
+++ src/Pegasus/Common/HTTPMessage.h
@@ -75,6 +75,7 @@ public:
ContentLanguageList contentLanguages;
Boolean acceptLanguagesDecoded;
Boolean contentLanguagesDecoded;
+ Boolean fromRemoteHost;
CIMException cimException;
void parse(
--- src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp.orig
+++ src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp
@@ -164,7 +164,8 @@ Boolean BasicAuthenticationHandler::auth
}
authInfo->setRemotePrivilegedUserAccessChecked();
- authenticated = _basicAuthenticator->authenticate(userName, password);
+ authenticated = _basicAuthenticator->authenticate(userName, password,
+ authInfo->isRemoteUser());
// Log audit message.
PEG_AUDIT_LOG(logBasicAuthentication(
--- src/Pegasus/Security/Authentication/BasicAuthenticator.h.orig
+++ src/Pegasus/Security/Authentication/BasicAuthenticator.h
@@ -67,7 +67,8 @@ public:
*/
virtual Boolean authenticate(
const String& userName,
- const String& password) = 0;
+ const String& password,
+ Boolean isRemoteUser) = 0;
/** Construct and return the HTTP Basic authentication challenge header
@return A string containing the authentication challenge header.
--- src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h.orig
+++ src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h
@@ -55,7 +55,8 @@ public:
Boolean authenticate(
const String& userName,
- const String& password);
+ const String& password,
+ Boolean isRemoteUser);
Boolean validateUser(const String& userName);
--- src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp.orig
+++ src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp
@@ -85,7 +85,8 @@ PAMBasicAuthenticator::~PAMBasicAuthenti
Boolean PAMBasicAuthenticator::authenticate(
const String& userName,
- const String& password)
+ const String& password,
+ Boolean isRemoteUser)
{
PEG_METHOD_ENTER(TRC_AUTHENTICATION,
"PAMBasicAuthenticator::authenticate()");
--- src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp.orig
+++ src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp
@@ -72,13 +72,14 @@ PAMBasicAuthenticator::~PAMBasicAuthenti
Boolean PAMBasicAuthenticator::authenticate(
const String& userName,
- const String& password)
+ const String& password,
+ Boolean isRemoteUser)
{
PEG_METHOD_ENTER(TRC_AUTHENTICATION,
"PAMBasicAuthenticator::authenticate()");
if (Executor::authenticatePassword(
- userName.getCString(), password.getCString()) != 0)
+ userName.getCString(), password.getCString(), isRemoteUser) != 0)
{
return false;
}
--- src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp.orig
+++ src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp
@@ -403,6 +403,9 @@ void HTTPAuthenticatorDelegator::handleH
Logger::STANDARD_LOG, System::CIMSERVER, Logger::TRACE,
"HTTPAuthenticatorDelegator - Authentication processing start"));
+ // Let Authenticators know whether this user is Local or Remote:
+ httpMessage->authInfo->setRemoteUser( httpMessage->fromRemoteHost );
+
//
// Handle authentication:
//
--- src/Executor/PAMAuth.h.orig
+++ src/Executor/PAMAuth.h
@@ -47,6 +47,7 @@
#include <stdio.h>
#include <errno.h>
#include <string.h>
+#include <syslog.h>
#include <Executor/Strlcpy.h>
#include <Executor/Strlcat.h>
#include <security/pam_appl.h>
@@ -397,35 +398,66 @@ static int PAMValidateUserCallback(
*/
static int PAMAuthenticateInProcess(
- const char* username, const char* password)
+ const char* username, const char* password, int isRemoteUser)
{
PAMData data;
struct pam_conv pconv;
- pam_handle_t* handle;
+ pam_handle_t* phandle;
+ int retcode;
+ const char *pam_tty_val = isRemoteUser ? "wbemNetwork" : "wbemLocal";
data.password = password;
pconv.conv = PAMAuthenticateCallback;
pconv.appdata_ptr = &data;
- if (pam_start("wbem", username, &pconv, &handle) != PAM_SUCCESS)
- return -1;
+ // NOTE: if any pam call should log anything, our syslog socket will
+ // be redirected to the AUTH facility, so we need to redirect it
+ // back after each pam call.
- if (pam_authenticate(handle, 0) != PAM_SUCCESS)
+ if ((retcode = pam_start("wbem", username, &pconv, &phandle)) != PAM_SUCCESS)
{
- pam_end(handle, 0);
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
+ syslog(LOG_ERR, "pam_start failed: %s", pam_strerror(phandle, retcode));
return -1;
}
-
- if (pam_acct_mgmt(handle, 0) != PAM_SUCCESS)
+ if ((retcode = pam_set_item(phandle, PAM_TTY, pam_tty_val)) != PAM_SUCCESS )
{
- pam_end(handle, 0);
+ pam_end(phandle, 0);
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
+ syslog(LOG_ERR, "pam_set_item(PAM_TTY=%s) failed: %s", pam_tty_val,
+ pam_strerror(phandle, retcode));
return -1;
}
- pam_end(handle, 0);
+ if ((retcode = pam_authenticate(phandle, 0)) != PAM_SUCCESS)
+ {
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
+ syslog(LOG_ERR, "pam_authenticate failed: %s",
+ pam_strerror(phandle, retcode));
+ goto auth_failed;
+ }
+
+ if (pam_acct_mgmt(phandle, 0) != PAM_SUCCESS)
+ {
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
+ syslog(LOG_ERR, "pam_acct_mgmt failed: %s",
+ pam_strerror(phandle, retcode));
+ goto auth_failed;
+ }
+ pam_end(phandle, 0);
return 0;
+
+auth_failed:
+ pam_end(phandle, 0);
+ syslog(LOG_ERR, "PAM authentication failed for %s user: %s",
+ isRemoteUser ? "remote" : "local", username);
+ return -1;
}
/*
@@ -443,15 +475,23 @@ static int PAMValidateUserInProcess(cons
PAMData data;
struct pam_conv pconv;
pam_handle_t* phandle;
+ int retcode;
pconv.conv = PAMValidateUserCallback;
pconv.appdata_ptr = &data;
- if (pam_start("wbem", username, &pconv, &phandle) != PAM_SUCCESS)
+ if ((retcode = pam_start("wbem", username, &pconv, &phandle)) != PAM_SUCCESS)
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
+ syslog(LOG_ERR, "pam_start failed: %s", pam_strerror(phandle, retcode));
return -1;
- if (pam_acct_mgmt(phandle, 0) != PAM_SUCCESS)
+ if ((retcode = pam_acct_mgmt(phandle, 0)) != PAM_SUCCESS)
{
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
+ syslog(LOG_ERR, "pam_acct_mgmt failed: %s",
+ pam_strerror(phandle, retcode));
pam_end(phandle, 0);
return -1;
}
@@ -471,12 +511,13 @@ static int PAMValidateUserInProcess(cons
**==============================================================================
*/
-static int PAMAuthenticate(const char* username, const char* password)
+static int PAMAuthenticate(const char* username, const char* password,
+ int isRemoteUser)
{
#ifdef PEGASUS_USE_PAM_STANDALONE_PROC
return CimserveraProcessOperation("authenticate", username, password);
#else
- return PAMAuthenticateInProcess(username, password);
+ return PAMAuthenticateInProcess(username, password, isRemoteUser);
#endif
}
--- src/Executor/Parent.c.orig
+++ src/Executor/Parent.c
@@ -658,7 +658,8 @@ static void HandleAuthenticatePasswordRe
#if defined(PEGASUS_PAM_AUTHENTICATION)
- if (PAMAuthenticate(request.username, request.password) != 0)
+ if (PAMAuthenticate(request.username, request.password,
+ request.isRemoteUser) != 0)
{
status = -1;
break;
--- src/Executor/tests/PAMAuth/TestExecutorPAMAuth.c.orig
+++ src/Executor/tests/PAMAuth/TestExecutorPAMAuth.c
@@ -51,7 +51,7 @@ int main()
sprintf(prompt, "Enter password for %s: ", PEGASUS_CIMSERVERMAIN_USER);
pw = getpass(prompt);
- if (PAMAuthenticate(PEGASUS_CIMSERVERMAIN_USER, pw) == 0)
+ if (PAMAuthenticate(PEGASUS_CIMSERVERMAIN_USER, pw, 0) == 0)
printf("Correct password\n");
else
printf("Wrong password\n");
--- src/Pegasus/Common/Executor.cpp.orig
+++ src/Pegasus/Common/Executor.cpp
@@ -122,7 +122,8 @@ public:
virtual int authenticatePassword(
const char* username,
- const char* password) = 0;
+ const char* password,
+ Boolean isRemoteUser) = 0;
virtual int validateUser(
const char* username) = 0;
@@ -476,10 +477,11 @@ public:
virtual int authenticatePassword(
const char* username,
- const char* password)
+ const char* password,
+ Boolean isRemoteUser)
{
#if defined(PEGASUS_PAM_AUTHENTICATION)
- return PAMAuthenticate(username, password);
+ return PAMAuthenticate(username, password, isRemoteUser);
#else
// ATTN: not handled so don't call in this case.
return -1;
@@ -818,7 +820,8 @@ public:
virtual int authenticatePassword(
const char* username,
- const char* password)
+ const char* password,
+ Boolean isRemoteUser)
{
AutoMutex autoMutex(_mutex);
@@ -836,6 +839,7 @@ public:
memset(&request, 0, sizeof(request));
Strlcpy(request.username, username, EXECUTOR_BUFFER_SIZE);
Strlcpy(request.password, password, EXECUTOR_BUFFER_SIZE);
+ request.isRemoteUser = isRemoteUser;
if (SendBlock(_sock, &request, sizeof(request)) != sizeof(request))
return -1;
@@ -1086,10 +1090,11 @@ int Executor::reapProviderAgent(
int Executor::authenticatePassword(
const char* username,
- const char* password)
+ const char* password,
+ Boolean isRemoteUser)
{
once(&_executorImplOnce, _initExecutorImpl);
- return _executorImpl->authenticatePassword(username, password);
+ return _executorImpl->authenticatePassword(username, password, isRemoteUser);
}
int Executor::validateUser(
--- src/Pegasus/Common/Executor.h.orig
+++ src/Pegasus/Common/Executor.h
@@ -184,7 +184,8 @@ public:
*/
static int authenticatePassword(
const char* username,
- const char* password);
+ const char* password,
+ Boolean isRemoteUser);
/** Check whether the given user is valid for the underlying authentcation
mechanism.
--- src/Pegasus/Common/tests/Executor/TestExecutor.cpp.orig
+++ src/Pegasus/Common/tests/Executor/TestExecutor.cpp
@@ -80,7 +80,7 @@ void testExecutorLoopbackImpl()
#endif
PEGASUS_TEST_ASSERT(Executor::authenticatePassword(
- "xnonexistentuserx", "wrongpassword") == -1);
+ "xnonexistentuserx", "wrongpassword", 0) == -1);
PEGASUS_TEST_ASSERT(Executor::validateUser("xnonexistentuserx") == -1);
char challengeFilePath[EXECUTOR_BUFFER_SIZE];
@@ -119,7 +119,7 @@ void testExecutorSocketImpl()
PEGASUS_TEST_ASSERT(Executor::reapProviderAgent(123) == 0);
PEGASUS_TEST_ASSERT(Executor::authenticatePassword(
- "xnonexistentuserx", "wrongpassword") == -1);
+ "xnonexistentuserx", "wrongpassword", 0) == -1);
PEGASUS_TEST_ASSERT(Executor::validateUser("xnonexistentuserx") == -1);
char challengeFilePath[EXECUTOR_BUFFER_SIZE];
--- src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp.orig
+++ src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp
@@ -193,7 +193,7 @@ Boolean SecureBasicAuthenticator::authen
if (Executor::detectExecutor() == 0)
{
if (Executor::authenticatePassword(
- userName.getCString(), password.getCString()) == 0)
+ userName.getCString(), password.getCString(), 0) == 0)
{
authenticated = true;
}
--- src/Executor/Messages.h.orig
+++ src/Executor/Messages.h
@@ -200,6 +200,7 @@ struct ExecutorAuthenticatePasswordReque
{
char username[EXECUTOR_BUFFER_SIZE];
char password[EXECUTOR_BUFFER_SIZE];
+ int isRemoteUser;
};
struct ExecutorAuthenticatePasswordResponse
