Hi Thiện, See my comment inline.
B.R/Thang -----Original Message----- From: thien.m.huynh <thien.m.hu...@dektech.com.au> Sent: Thursday, December 19, 2019 9:12 AM To: vu.m.ngu...@dektech.com.au Cc: opensaf-devel@lists.sourceforge.net Subject: [devel] [PATCH 1/1] imm: fix non-local user cannot access IMM when accessControlMode is in ENFORCED [#3043]
--- src/base/osaf_secutil.c | 57 +++++++++++++++++++++++++++++++++++++- src/base/osaf_secutil.h | 2 +- src/imm/immnd/immnd_evt.c | 4 +-- src/log/logd/lgs_config.cc | 2 +- 4 files changed, 60 insertions(+), 5 deletions(-)
diff --git a/src/base/osaf_secutil.c b/src/base/osaf_secutil.c
index 0e175c915..ef27fdded 100644
--- a/src/base/osaf_secutil.c
+++ b/src/base/osaf_secutil.c
@@ -42,6 +42,8 @@
 #include <pwd.h>
 #include <grp.h>
 #include <pthread.h>
+#include <stdio.h>
+#include <ctype.h>
 #include "base/osaf_poll.h"
 #include "base/logtrace.h"
@@ -184,6 +186,53 @@ static void *auth_server_main(void *_fd)
 return 0;
 }
+bool osaf_pid_is_member_of_group(pid_t pid, gid_t gid_auth) {
+ char path[50];
+ bool state = false;
+ size_t line_buf_size = 0;
+ ssize_t line_size;
+ char *line_buf = NULL;
+ FILE *stream;
+
+ if (!pid)
+ return false;
+ sprintf(path, "/proc/%d/status", pid);
+ stream = fopen(path, "r");
+ if (!stream) {
+ LOG_ER("Error opening file");
+ goto done;
+ }
+
+ while ((line_size = getline(&line_buf, &line_buf_size, stream)) != -1) {
+ if (strstr(line_buf, "Groups") != NULL) { [Thang]: It will not catch correctly if the IMM OM binary name is "Groups" or something like that. Need catching more strictly.
+ char *pch;
+ for (ssize_t i = 0; i < line_size; i++) {
+ if (line_buf[i] == 0x09) {
+ line_buf[i] = 0x20;
+ break;
+ }
+ }
+
+ pch = strtok(line_buf, " ");
+ while (pch != NULL && pch[0] != 0x0a) {
+ if (isdigit(pch[0]) != 0 &&
+ (gid_t)atoi(pch) == gid_auth) {
+ state = true;
+ goto done;
+ }
+ pch = strtok(NULL, " ");
+ }
+ goto done;
+ }
+ }
+done:
+ free(line_buf);
+ line_buf = NULL;
+ fclose(stream);
+ return state;
+}
+
 /*************** public interface follows*************************** */
 int osaf_auth_server_create(const char *pathname,
@@ -220,7 +269,7 @@ int osaf_auth_server_create(const char *pathname,
 }
 /* used by server, logging is OK */
-bool osaf_user_is_member_of_group(uid_t uid, const char *groupname)
+bool osaf_user_is_member_of_group(uid_t uid, const char *groupname, +pid_t pid)
 {
 long grpmembufsize = sysconf(_SC_GETGR_R_SIZE_MAX);
 if (grpmembufsize < 0)
@@ -263,6 +312,12 @@ bool osaf_user_is_member_of_group(uid_t uid, const char *groupname)
 return false;
 }
+ if (osaf_pid_is_member_of_group(pid, client_grp->gr_gid)) {
+ free(pwdmembuf);
+ free(grpmembuf);
+ return true;
+ }
+
 // get password file entry for user
 struct passwd pbuf;
 struct passwd *client_pwd;
diff --git a/src/base/osaf_secutil.h b/src/base/osaf_secutil.h
index a2389241c..d60cafac7 100644
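Review bot: The fopen failure path in osaf_pid_is_member_of_group jumps to `done:` and then calls `fclose(stream)` with `stream` still NULL, which is undefined behaviour (glibc dereferences it), so an unreadable or already-vanished /proc/<pid>/status crashes the server instead of yielding false; either `return false;` directly after the LOG_ER, or guard the cleanup with `if (stream) fclose(stream);`. The group ids are parsed with `(gid_t)atoi(pch)`, which reports no errors and goes through a signed int, so a gid above INT_MAX can never match; `strtoul` with an end-pointer check is the safer choice. `sprintf(path, ...)` into the fixed 50-byte buffer is bounded today only because pid_t is a 32-bit int; `snprintf(path, sizeof path, "/proc/%d/status", pid)` makes that assumption explicit. Note also that the function reads the live supplementary groups of whatever process owns `pid` at the moment of the read, so if the pid was captured from the peer earlier the answer can describe a different process after pid reuse; a header comment stating that `pid` must be the kernel-reported peer pid and that the lookup is best-effort would help future callers.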
--- a/src/base/osaf_secutil.h
+++ b/src/base/osaf_secutil.h
@@ -86,7 +86,7 @@ int osaf_auth_server_create(const char *_pathname,
 * @param groupname
 * @return true if member
 */
-bool osaf_user_is_member_of_group(uid_t uid, const char *groupname);
+bool osaf_user_is_member_of_group(uid_t uid, const char *groupname, +pid_t pid);
 /**
 * Get list of groups that a user belong to
diff --git a/src/imm/immnd/immnd_evt.c b/src/imm/immnd/immnd_evt.c
index 3bd56fe34..5e7c1fe5c 100644
--- a/src/imm/immnd/immnd_evt.c
+++ b/src/imm/immnd/immnd_evt.c
@@ -894,8 +894,8 @@ static uint32_t immnd_evt_proc_imm_init(IMMND_CB *cb, IMMND_EVT *evt,
 const char *authorized_group = immModel_authorizedGroup(immnd_cb);
 if ((authorized_group != NULL) &&
- (osaf_user_is_member_of_group(sinfo->uid,
- authorized_group))) {
+ (osaf_user_is_member_of_group(
+ sinfo->uid, authorized_group, sinfo->pid))) {
 TRACE("configured group");
 } else {
 if (mode == ACCESS_CONTROL_PERMISSIVE) {
diff --git a/src/log/logd/lgs_config.cc b/src/log/logd/lgs_config.cc
index 44e10b84d..0139db329 100644
--- a/src/log/logd/lgs_config.cc
+++ b/src/log/logd/lgs_config.cc
@@ -571,7 +571,7 @@ int lgs_cfg_verify_log_data_groupname(char *group_name) {
 rc = -1;
 } else {
 uid_t uid = getuid();
- if (osaf_user_is_member_of_group(uid, group_name) == false) {
+ if (osaf_user_is_member_of_group(uid, group_name, 0) == false) {
 LOG_WA("%s: osaf_user_is_member_of_group() Fail", __FUNCTION__);
 rc = -1;
 }
-- 2.17.1
_______________________________________________ Opensaf-devel mailing list Opensaf-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/opensaf-devel
_______________________________________________ Opensaf-devel mailing list Opensaf-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/opensaf-devel
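Review bot: The new `pid_t pid` parameter of osaf_user_is_member_of_group is not described in the Doxygen block above the prototype, which still lists only `uid` and `groupname`. Since the .c side returns false from the pid check for pid 0 and lgs_config.cc relies on that by passing 0, the contract should say so: add `* @param pid kernel-reported pid of the calling process, whose current supplementary groups are also consulted; 0 skips the /proc based check`. It would also be worth stating in the same comment that a true result can come from either the group database or the live process groups, so callers know the two sources are ORed.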
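Review bot: The ENFORCED access decision in immnd_evt_proc_imm_init now also depends on `sinfo->pid`, so the provenance of that field matters and is not visible in this hunk: if it is taken from kernel peer credentials of the connecting socket the check is sound, but if it is copied from a value the client placed in its own message, a client could name the pid of some other process that is in the authorized group and pass the check, because /proc/<pid>/status is readable by everyone. Please confirm where sinfo->pid is filled in and record it at the call site, e.g. `/* sinfo->pid is the kernel-reported peer pid (set in <PLACEHOLDER: location>) */`, replacing the placeholder with the actual location. The enclosing function starts and continues outside the hunk.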