File 0250-bnc444403-access_control.patch of Package sblim-sfcb

Overview Repositories Revisions Requests Users Attributes Meta

File 0250-bnc444403-access_control.patch of Package sblim-sfcb

diff -up ./httpAdapter.c.0250-bnc444403-access_control.patch ./httpAdapter.c
--- ./httpAdapter.c.0250-bnc444403-access_control.patch	2008-12-09 10:05:44.000000000 -0700
+++ ./httpAdapter.c	2008-12-09 10:07:53.000000000 -0700
@@ -53,11 +53,15 @@
 #include <sys/types.h>
 #include <sys/ipc.h>
 #include <sys/sem.h>
+#include <sys/fsuid.h>
 
 #include "httpComm.h"
 #include "sfcVersion.h"
 #include "control.h"
 
+#include <grp.h>
+#include <sys/stat.h>
+
 unsigned long exFlags = 0;
 static char *name;
 static int debug;
@@ -846,13 +850,14 @@ static int doHttpRequest(CommHndl conn_f
 
    int authorized = 0; 
    if (!discardInput && doUdsAuth) {
-	   struct ucred cr; 
-	   socklen_t cl = sizeof(cr); 
-	   if (getsockopt(conn_fd.socket, SOL_SOCKET, SO_PEERCRED, &cr, &cl) == 0) {
-		   if (cr.uid == 0) {
-			   authorized = 1;
-		   }
-	   }
+       struct sockaddr_un sun; 
+       sun.sun_family = 0; 
+       socklen_t cl = sizeof(sun); 
+       int rc = getpeername(conn_fd.socket, (struct sockaddr*)&sun, &cl); 
+       if (rc == 0 && sun.sun_family == AF_UNIX) {
+           /* Already authenticated via permissions on unix socket */
+           authorized = 1;
+       }
    }
    if (!authorized && !discardInput && doBa) {
      if (!(inBuf.authorization && baValidate(inBuf.authorization,&inBuf.principal))) {
@@ -1596,12 +1601,30 @@ int httpDaemon(int argc, char *argv[], i
   }
   if (udsListenFd >= 0) {
      unlink(udsPath); 
+
+     size_t gbuflen = sysconf(_SC_GETGR_R_SIZE_MAX); 
+     char gbuf[gbuflen]; 
+     struct group* pgrp = NULL; 
+     struct group grp; 
+	 gid_t oldfsgid = 0; 
+
+     int rc = getgrnam_r("sfcb", &grp, gbuf, gbuflen, &pgrp); 
+	 if (rc == 0 && pgrp)
+     {
+         oldfsgid = setfsgid(pgrp->gr_gid); 
+     }
+     mode_t oldmask = umask(0007); 
      if (bind(udsListenFd, (struct sockaddr *) &sun, sun_len) ||
              listen(udsListenFd, 10)) {
             mlogf(M_ERROR,M_SHOW,"--- Cannot listen on unix socket %s (%s)\n", udsPath, strerror(errno));
             sleep(1);
             kill(sfcbPid,3);
      }
+     umask(oldmask); 
+     if (pgrp)
+     {
+         setfsgid(oldfsgid); 
+     }
   }
 
   if (!debug) {
diff -up ./pam/sfcb.0250-bnc444403-access_control.patch ./pam/sfcb
--- ./pam/sfcb.0250-bnc444403-access_control.patch	2007-02-15 07:07:23.000000000 -0700
+++ ./pam/sfcb	2008-12-09 10:05:44.000000000 -0700
@@ -1,4 +1,5 @@
 # Sample PAM Configuration for Small Footprint CIM Broker
+auth       required     pam_succeed_if.so quiet user ingroup sfcb
 auth       required     pam_unix.so
 account    required     pam_unix.so
 password   required     pam_unix.so

Places

File 0250-bnc444403-access_control.patch of Package sblim-sfcb

Places