> -----Original Message----- > From: Neelakanta Reddy [mailto:reddy.neelaka...@oracle.com] > Sent: den 1 augusti 2014 17:57 > To: Hans Feldt; Anders Björnerstedt; ramesh.bet...@oracle.com; > mahesh.va...@oracle.com > Cc: opensaf-devel@lists.sourceforge.net > Subject: Re: [PATCH 3 of 3] immnd: add support for client authorization [#938] > > Hi Hans, > > Reviewed and tested the patch. > following are the comments: > > 1. IMM readme must be updated with the #938 functionality [Hans] sure > > 2. when IMMA client connects and if IMMA client exits ( before > MDS_INSTALL ) then > > if (mds_process_info_get(mds_dest) == NULL) { > + MDS_PROCESS_INFO *info = malloc(sizeof(MDS_PROCESS_INFO)); > > > allocated memory is not freed. [Hans] I don't see how this can be resolved, can we ignore it for now?
> > Regards, > Neel. > > On Thursday 03 July 2014 02:48 PM, Hans Feldt wrote: > > osaf/libs/agents/saf/imma/imma_init.c | 5 +++++ > > osaf/libs/common/immsv/include/immsv_evt.h | 3 +++ > > osaf/services/saf/immsv/immnd/immnd_cb.h | 2 +- > > osaf/services/saf/immsv/immnd/immnd_evt.c | 29 > > ++++++++++++++++++++++------- > > osaf/services/saf/immsv/immnd/immnd_main.c | 9 +++++++++ > > osaf/services/saf/immsv/immnd/immnd_mds.c | 3 +++ > > 6 files changed, 43 insertions(+), 8 deletions(-) > > > > > > This patch adds coarse grained (on/off) IMM access control. > > > > immnd configure MDS to enable the "secutil" server side feature. imma > > configures > > MDS to enable the "secutil" client side feature. > > > > This causes the server side to receive pid, gid & uid in all received > > messages > > from local clients. > > > > Authorization > > > > When handling the initialize message from either an OM or OI client, > > membership > > of a configured linux group is checked using a white list approach: > > > > 1) If the uid of the client is 0 (superuser) access is allowed. > > > > 2) If the gid of the client is the same as the immnd server process, access > > is > > allowed (for example other opensaf processes). > > > > 3) Otherwise the list of members of a configured group is scanned looking > > for a > > match with the client username. If the client is member of group, access is > > allowed and logic proceeds as normal. > > > > If not member, initialization returns SA_AIS_ERR_ACCESS_DENIED to the > > client. > > > > diff --git a/osaf/libs/agents/saf/imma/imma_init.c > > b/osaf/libs/agents/saf/imma/imma_init.c > > --- a/osaf/libs/agents/saf/imma/imma_init.c > > +++ b/osaf/libs/agents/saf/imma/imma_init.c > > @@ -24,6 +24,7 @@ > > > > ******************************************************************************/ > > > > #define _GNU_SOURCE > > +#include <configmake.h> > > #include <string.h> > > > > #include "imma.h" > > @@ -266,6 +267,10 @@ unsigned int imma_startup(NCSMDS_SVC_ID > > goto done; > > } > > > > + const char *name = PKGLOCALSTATEDIR "/immnd.sock"; > > + setenv("MDS_SOCK_SERVER_NAME", name, 1); > > + putenv("MDS_SOCK_SERVER_CONNECT=YES"); > > + > > if ((rc = ncs_agents_startup()) != NCSCC_RC_SUCCESS) { > > TRACE_3("Agents_startup failed"); > > goto done; > > diff --git a/osaf/libs/common/immsv/include/immsv_evt.h > > b/osaf/libs/common/immsv/include/immsv_evt.h > > --- a/osaf/libs/common/immsv/include/immsv_evt.h > > +++ b/osaf/libs/common/immsv/include/immsv_evt.h > > @@ -280,6 +280,9 @@ typedef struct immsv_send_info { > > MDS_SENDTYPES stype; /* Send type */ > > MDS_SYNC_SND_CTXT ctxt; /* MDS Opaque context */ > > uint8_t mSynReqCount; > > + pid_t pid; > > + uid_t uid; > > + gid_t gid; > > } IMMSV_SEND_INFO; > > > > typedef struct immsv_fevs { > > diff --git a/osaf/services/saf/immsv/immnd/immnd_cb.h > > b/osaf/services/saf/immsv/immnd/immnd_cb.h > > --- a/osaf/services/saf/immsv/immnd/immnd_cb.h > > +++ b/osaf/services/saf/immsv/immnd/immnd_cb.h > > @@ -48,7 +48,6 @@ typedef struct immnd_immom_client_node { > > SaImmHandleT imm_app_hdl; /* index for the client tree */ > > MDS_DEST agent_mds_dest; /* mds dest of the agent */ > > SaVersionT version; > > - SaUint32T client_pid; /*Used to recognize loader */ > > IMMSV_SEND_INFO tmpSinfo; /*needed for replying to > > syncronousrequests */ > > > > @@ -171,6 +170,7 @@ typedef struct immnd_cb_tag { > > NCS_SEL_OBJ usr1_sel_obj; /* Selection object for USR1 signal > > events */ > > SaSelectionObjectT amf_sel_obj; /* Selection Object for AMF events */ > > int nid_started; /* true if started by NID */ > > + const char *admin_group_name; // linux group name for admins > > } IMMND_CB; > > > > /* CB prototypes */ > > diff --git a/osaf/services/saf/immsv/immnd/immnd_evt.c > > b/osaf/services/saf/immsv/immnd/immnd_evt.c > > --- a/osaf/services/saf/immsv/immnd/immnd_evt.c > > +++ b/osaf/services/saf/immsv/immnd/immnd_evt.c > > @@ -25,6 +25,7 @@ > > > > ******************************************************************************/ > > > > #define _GNU_SOURCE > > +#include <osaf_secutil.h> > > #include "immnd.h" > > #include "immsv_api.h" > > #include "ncssysf_mem.h" > > @@ -715,15 +716,15 @@ static uint32_t immnd_evt_proc_imm_init( > > int pbe_pid = (!load_pid && (cb->pbePid > 0))?(cb->pbePid):0; > > > > if (load_pid > 0) { > > - if (evt->info.initReq.client_pid == load_pid) { > > + if (sinfo->pid == load_pid) { > > TRACE_2("Loader attached, pid: %u", load_pid); > > } else { > > TRACE_2("Rejecting OM client attach during loading, pid > > %u != %u", > > - evt->info.initReq.client_pid, load_pid); > > + sinfo->pid , load_pid); > > error = SA_AIS_ERR_TRY_AGAIN; > > goto agent_rsp; > > } > > - } else if (evt->info.initReq.client_pid == cb->preLoadPid) { > > + } else if (sinfo->pid == cb->preLoadPid) { > > LOG_IN("2PBE Pre-loader attached"); > > } else if (load_pid < 0) { > > TRACE_2("Rejecting OM client attach. Waiting for loading or > > sync to complete"); > > @@ -731,6 +732,22 @@ static uint32_t immnd_evt_proc_imm_init( > > goto agent_rsp; > > } > > > > + /* allow access using white list approach */ > > + if (sinfo->uid == 0) { > > + TRACE("superuser"); > > + } else if (getgid() == sinfo->gid) { > > + TRACE("same group"); > > + } else if ((immnd_cb->admin_group_name != NULL) && > > + (osaf_user_is_member_of_group(sinfo->uid, > > immnd_cb->admin_group_name) == true)) { > > + TRACE("configured group"); > > + } else { > > + syslog(LOG_AUTH, "access denied, uid:%d, pid:%d", sinfo->uid, > > sinfo->pid); > > + TRACE_2("access denied, uid:%d, pid:%d, group_name:%s", > > sinfo->uid, sinfo->pid, > > + immnd_cb->admin_group_name); > > + error = SA_AIS_ERR_ACCESS_DENIED; > > + goto agent_rsp; > > + } > > + > > cl_node = calloc(1, sizeof(IMMND_IMM_CLIENT_NODE)); > > if (cl_node == NULL) { > > LOG_ER("IMMND - Client Alloc Failed"); > > @@ -756,7 +773,6 @@ static uint32_t immnd_evt_proc_imm_init( > > > > cl_node->agent_mds_dest = sinfo->dest; > > cl_node->version = evt->info.initReq.version; > > - cl_node->client_pid = evt->info.initReq.client_pid; > > cl_node->sv_id = (isOm) ? NCSMDS_SVC_ID_IMMA_OM : NCSMDS_SVC_ID_IMMA_OI; > > > > if (immnd_client_node_add(cb, cl_node) != NCSCC_RC_SUCCESS) { > > @@ -769,10 +785,10 @@ static uint32_t immnd_evt_proc_imm_init( > > TRACE_2("Added client with id: %llx <node:%x, count:%u>", > > cl_node->imm_app_hdl, cb->node_id, (SaUint32T)clientId); > > > > - if (sync_pid && (cl_node->client_pid == sync_pid)) { > > + if (sync_pid && (sinfo->pid == sync_pid)) { > > TRACE_2("Sync agent attached, pid: %u", sync_pid); > > cl_node->mIsSync = 1; > > - } else if (pbe_pid && (cl_node->client_pid == pbe_pid) && !isOm && > > !(cl_node->mIsPbe)) { > > + } else if (pbe_pid && (sinfo->pid == pbe_pid) && !isOm && > > !(cl_node->mIsPbe)) { > > LOG_NO("Persistent Back End OI attached, pid: %u", pbe_pid); > > cl_node->mIsPbe = 1; > > } > > @@ -2042,7 +2058,6 @@ static uint32_t immnd_evt_proc_imm_resur > > cl_node->imm_app_hdl = m_IMMSV_PACK_HANDLE(clientId, cb->node_id); > > cl_node->agent_mds_dest=sinfo->dest; > > /*cl_node->version= .. TODO correct version (not used today)*/ > > - cl_node->client_pid = 0; /* TODO correct PID (not important here) */ > > cl_node->sv_id = (isOm)?NCSMDS_SVC_ID_IMMA_OM:NCSMDS_SVC_ID_IMMA_OI; > > > > if (immnd_client_node_add(cb,cl_node) != NCSCC_RC_SUCCESS) > > diff --git a/osaf/services/saf/immsv/immnd/immnd_main.c > > b/osaf/services/saf/immsv/immnd/immnd_main.c > > --- a/osaf/services/saf/immsv/immnd/immnd_main.c > > +++ b/osaf/services/saf/immsv/immnd/immnd_main.c > > @@ -115,11 +115,20 @@ static uint32_t immnd_initialize(char *p > > if (getenv("SA_AMF_COMPONENT_NAME") == NULL) > > immnd_cb->nid_started = 1; > > > > + const char *name = PKGLOCALSTATEDIR "/immnd.sock"; > > + setenv("MDS_SOCK_SERVER_NAME", name, 1); > > + putenv("MDS_SOCK_SERVER_CREATE=YES"); > > + > > if (ncs_agents_startup() != NCSCC_RC_SUCCESS) { > > LOG_ER("ncs_agents_startup FAILED"); > > goto done; > > } > > > > + /* unset so that forked processes (e.g. loader) does not create MDS > > server */ > > + unsetenv("MDS_SOCK_SERVER_CREATE"); > > + > > + immnd_cb->admin_group_name = getenv("IMM_ADMIN_GROUP_NAME"); > > + > > /* Initialize immnd control block */ > > immnd_cb->ha_state = SA_AMF_HA_ACTIVE; > > immnd_cb->cli_id_gen = 1; > > diff --git a/osaf/services/saf/immsv/immnd/immnd_mds.c > > b/osaf/services/saf/immsv/immnd/immnd_mds.c > > --- a/osaf/services/saf/immsv/immnd/immnd_mds.c > > +++ b/osaf/services/saf/immsv/immnd/immnd_mds.c > > @@ -507,6 +507,9 @@ static uint32_t immnd_mds_rcv(IMMND_CB * > > pEvt->sinfo.ctxt = rcv_info->i_msg_ctxt; > > pEvt->sinfo.dest = rcv_info->i_fr_dest; > > pEvt->sinfo.to_svc = rcv_info->i_fr_svc_id; > > + pEvt->sinfo.pid = rcv_info->pid; > > + pEvt->sinfo.uid = rcv_info->uid; > > + pEvt->sinfo.gid = rcv_info->gid; > > if (rcv_info->i_rsp_reqd) { > > pEvt->sinfo.stype = MDS_SENDTYPE_SNDRSP; > > } ------------------------------------------------------------------------------ _______________________________________________ Opensaf-devel mailing list Opensaf-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/opensaf-devel