osaf/services/saf/immsv/immnd/immnd_evt.c | 48 +++++++++++++++++++++--------- 1 files changed, 34 insertions(+), 14 deletions(-)
The local immnd enforces access control for saImmOmAdminOwnerClear if access-control is enabled. In addition, a minor change of code is done for immnd_fevs_local_checks. The fix for ticket #938, changeset 5648:bc8d57d94f9f added a parameter 'sinfo' to immnd_fevs_local_checks. This is a pointer parameter and it turns out that the sinfo struct is not available to all contexts where immnd_fevs_local_checks is invoked. This caused coverity complaints and these where justified because the code in immnd_fevs_local_checks using sinfo did not guard for NULL. Instead of adding such code, this patch changes the parameter to 'uid_t uid'. The uid is what is actually used in this function. It will be set to zero for cases where the message is generated internally by the local IMMND. This matches the semantics of the parameter. Even if the IMMNDs are not executing as root, they need the root priviliges enforced by the IMM access control. diff --git a/osaf/services/saf/immsv/immnd/immnd_evt.c b/osaf/services/saf/immsv/immnd/immnd_evt.c --- a/osaf/services/saf/immsv/immnd/immnd_evt.c +++ b/osaf/services/saf/immsv/immnd/immnd_evt.c @@ -38,7 +38,7 @@ #define IMMND_SEARCH_BUNDLE_SIZE ((MDS_DIRECT_BUF_MAXSIZE / 100) * 90) #define IMMND_MAX_SEARCH_RESULT (IMMND_SEARCH_BUNDLE_SIZE / 300) -static SaAisErrorT immnd_fevs_local_checks(IMMND_CB *cb, IMMSV_FEVS *fevsReq, const IMMSV_SEND_INFO *sinfo); +static SaAisErrorT immnd_fevs_local_checks(IMMND_CB *cb, IMMSV_FEVS *fevsReq, uid_t uid); static uint32_t immnd_evt_proc_cb_dump(IMMND_CB *cb); static uint32_t immnd_evt_proc_imm_init(IMMND_CB *cb, IMMND_EVT *evt, IMMSV_SEND_INFO *sinfo, SaBoolT isOm); static uint32_t immnd_evt_proc_imm_finalize(IMMND_CB *cb, IMMND_EVT *evt, IMMSV_SEND_INFO *sinfo, SaBoolT isOm); @@ -2835,7 +2835,7 @@ static uint32_t immnd_evt_proc_fevs_forw } if(newMsg) { - error = immnd_fevs_local_checks(cb, &(evt->info.fevsReq), sinfo); + error = immnd_fevs_local_checks(cb, &(evt->info.fevsReq), (sinfo)?(sinfo->uid):0); if(error != SA_AIS_OK) { /*Fevs request will NOT be forwarded to IMMD. Return directly with error or OK for idempotent requests. @@ -3048,8 +3048,7 @@ static uint32_t immnd_evt_proc_fevs_forw nodes and not propagated over fevs, because sync clients may not yet have synced the implementer setting and thus reject the idempotent case. */ -static SaAisErrorT immnd_fevs_local_checks(IMMND_CB *cb, IMMSV_FEVS *fevsReq, - const IMMSV_SEND_INFO *sinfo) +static SaAisErrorT immnd_fevs_local_checks(IMMND_CB *cb, IMMSV_FEVS *fevsReq, uid_t uid) { SaAisErrorT error = SA_AIS_OK; osafassert(fevsReq); @@ -3105,20 +3104,21 @@ static SaAisErrorT immnd_fevs_local_chec switch (frwrd_evt.info.immnd.type) { case IMMND_EVT_A2ND_OBJ_MODIFY: - if ((strcmp(frwrd_evt.info.immnd.info.objModify.objectName.buf, OPENSAF_IMM_OBJECT_DN) == 0) || - (strcmp(frwrd_evt.info.immnd.info.objModify.objectName.buf, "safRdn=immManagement,safApp=safImmService") == 0)) + if((strcmp(frwrd_evt.info.immnd.info.objModify.objectName.buf, OPENSAF_IMM_OBJECT_DN) == 0) || + (strcmp(frwrd_evt.info.immnd.info.objModify.objectName.buf, "safRdn=immManagement,safApp=safImmService") == 0)) { /* Modifications to: - opensafImm=opensafImm,safApp=safImmService + opensafImm=opensafImm,safApp=safImmService or: - safRdn=immManagement,safApp=safImmService - are only allowed for root users. + safRdn=immManagement,safApp=safImmService + are only allowed for root users. */ - if (sinfo->uid != 0) { - struct passwd *pwd = getpwuid(sinfo->uid); - if (pwd != NULL) + if(uid) { + struct passwd *pwd = getpwuid(uid); + if (pwd != NULL) { syslog(LOG_AUTH, "Modifications to imm service objects denied for %s(uid=%d)", - pwd->pw_name, sinfo->uid); + pwd->pw_name, uid); + } error = SA_AIS_ERR_ACCESS_DENIED; goto done; } @@ -3339,9 +3339,29 @@ static SaAisErrorT immnd_fevs_local_chec error = SA_AIS_ERR_LIBRARY; break; + case IMMND_EVT_A2ND_ADMO_CLEAR: + if ((immModel_accessControlMode(cb) == ACCESS_CONTROL_ENFORCING)) { + /* + The om API downcall 'saImmOmAdminOwnerClear(...)' is special in that + it forces the removal of adminownership set up by some other user/handle. + It is only needed to 'clean up' after an application has terminated + without releaseing admin-owner and with releaseOnFinalize set to false. + Because of the very special and powerful nature of this operation, only + root users should be allowed to use it, when acces control is enabled. + */ + if(uid) { + struct passwd *pwd = getpwuid(uid); + if (pwd != NULL) { + syslog(LOG_AUTH, "saImmOmAdminOwnerClear denied for %s(uid=%d)", + pwd->pw_name, uid); + } + error = SA_AIS_ERR_ACCESS_DENIED; + goto done; + } + } + /* intentional fall through. */ case IMMND_EVT_A2ND_ADMO_SET: case IMMND_EVT_A2ND_ADMO_RELEASE: - case IMMND_EVT_A2ND_ADMO_CLEAR: if(fevsReq->sender_count != 0x1) { LOG_WA("ERR_LIBRARY: IMMND_EVT_A2ND_ADMO_XXX(%u) fevsReq->sender_count != 0x1", frwrd_evt.info.immnd.type); ------------------------------------------------------------------------------ Want excitement? Manually upgrade your production database. When you want reliability, choose Perforce Perforce version control. Predictably reliable. http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk _______________________________________________ Opensaf-devel mailing list Opensaf-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/opensaf-devel