Hi Thiện,

See my comment inline.

B.R/Thang

-----Original Message-----
From: thien.m.huynh <thien.m.hu...@dektech.com.au> 
Sent: Thursday, December 19, 2019 9:12 AM
To: vu.m.ngu...@dektech.com.au
Cc: opensaf-devel@lists.sourceforge.net
Subject: [devel] [PATCH 1/1] imm: fix non-local user cannot access IMM when 
accessControlMode is in ENFORCED [#3043]

---
 src/base/osaf_secutil.c    | 57 +++++++++++++++++++++++++++++++++++++-
 src/base/osaf_secutil.h    |  2 +-
 src/imm/immnd/immnd_evt.c  |  4 +--
 src/log/logd/lgs_config.cc |  2 +-
 4 files changed, 60 insertions(+), 5 deletions(-)

diff --git a/src/base/osaf_secutil.c b/src/base/osaf_secutil.c
index 0e175c915..ef27fdded 100644
--- a/src/base/osaf_secutil.c
+++ b/src/base/osaf_secutil.c
@@ -42,6 +42,8 @@
 #include <pwd.h>
 #include <grp.h>
 #include <pthread.h>
+#include <stdio.h>
+#include <ctype.h>
 #include "base/osaf_poll.h"
 
 #include "base/logtrace.h"
@@ -184,6 +186,53 @@ static void *auth_server_main(void *_fd)
        return 0;
 }
 
+bool osaf_pid_is_member_of_group(pid_t pid, gid_t gid_auth) {
+       char path[50];
+       bool state = false;
+       size_t line_buf_size = 0;
+       ssize_t line_size;
+       char *line_buf = NULL;
+       FILE *stream;
+
+       if (!pid)
+               return false;
+       sprintf(path, "/proc/%d/status", pid);
+       stream = fopen(path, "r");
+       if (!stream) {
+               LOG_ER("Error opening file");
+               goto done;
+       }
+
+       while ((line_size = getline(&line_buf, &line_buf_size, stream)) != -1) {
+               if (strstr(line_buf, "Groups") != NULL) {
[Thang]: It will not match correctly if the IMM OM binary name is "Groups" or
something like that.
The matching needs to be stricter.

+                       char *pch;
+                       for (ssize_t i = 0; i < line_size; i++) {
+                               if (line_buf[i] == 0x09) {
+                                       line_buf[i] = 0x20;
+                                       break;
+                               }
+                       }
+
+                       pch = strtok(line_buf, " ");
+                       while (pch != NULL && pch[0] != 0x0a) {
+                               if (isdigit(pch[0]) != 0 &&
+                                   (gid_t)atoi(pch) == gid_auth) {
+                                       state = true;
+                                       goto done;
+                               }
+                               pch = strtok(NULL, " ");
+                       }
+                       goto done;
+               }
+       }
+done:
+       free(line_buf);
+       line_buf = NULL;
+       fclose(stream);
+       return state;
+}
+
 /*************** public interface follows*************************** */
 
 int osaf_auth_server_create(const char *pathname,
@@ -220,7 +269,7 @@ int osaf_auth_server_create(const char *pathname,
 }
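Review bot: The fopen failure path in the new osaf_pid_is_member_of_group jumps to `done`, where `fclose(stream)` is called with `stream == NULL`, which is undefined behaviour and crashes on glibc; return directly after the log call, `LOG_ER("Error opening %s", path); return false;`, or guard the close with `if (stream) fclose(stream);`. The gid tokens are converted with `atoi`, which truncates values above INT_MAX before the `(gid_t)` cast, so a large supplementary gid compares wrong; `strtoul` with an end-pointer check is the safer conversion for an unsigned gid_t. `snprintf(path, sizeof path, "/proc/%d/status", pid)` is also preferable to `sprintf`, even though the 50-byte buffer is large enough for any Linux pid.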
 
 /* used by server, logging is OK */
-bool osaf_user_is_member_of_group(uid_t uid, const char *groupname)
+bool osaf_user_is_member_of_group(uid_t uid, const char *groupname, 
+pid_t pid)
 {
        long grpmembufsize = sysconf(_SC_GETGR_R_SIZE_MAX);
        if (grpmembufsize < 0)
@@ -263,6 +312,12 @@ bool osaf_user_is_member_of_group(uid_t uid, const char *groupname)
                return false;
        }
 
+       if (osaf_pid_is_member_of_group(pid, client_grp->gr_gid)) {
+               free(pwdmembuf);
+               free(grpmembuf);
+               return true;
+       }
+
        // get password file entry for user
        struct passwd pbuf;
        struct passwd *client_pwd;
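Review bot: The /proc lookup inserted before the password-file lookup decides membership on its own for any nonzero `pid`, and what it reads from `/proc/<pid>/status` is the credentials of whatever process currently owns that pid, which is only the requesting client if the pid has not been reused between the request and this check (I cannot see where the caller's sinfo->pid originates). Running the existing uid/group-list check first and consulting the pid lookup only as a fallback, or having osaf_pid_is_member_of_group compare the `Uid:` line of the same status file with `uid` before trusting `Groups:`, would tie the two identities together. osaf_user_is_member_of_group starts and ends outside the hunk.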
diff --git a/src/base/osaf_secutil.h b/src/base/osaf_secutil.h
index a2389241c..d60cafac7 100644
--- a/src/base/osaf_secutil.h
+++ b/src/base/osaf_secutil.h
@@ -86,7 +86,7 @@ int osaf_auth_server_create(const char *_pathname,
  * @param groupname
  * @return true if member
  */
-bool osaf_user_is_member_of_group(uid_t uid, const char *groupname);
+bool osaf_user_is_member_of_group(uid_t uid, const char *groupname, 
+pid_t pid);
 
 /**
 * Get list of groups that a user belong to
diff --git a/src/imm/immnd/immnd_evt.c b/src/imm/immnd/immnd_evt.c
index 3bd56fe34..5e7c1fe5c 100644
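Review bot: The Doxygen block above the changed prototype still documents only `uid` and `groupname`; the new parameter needs a line such as `@param pid pid of the requesting process whose supplementary groups are also checked, or 0 to skip that lookup`. The "0 skips the lookup" behaviour is what osaf_pid_is_member_of_group implements (it returns false for pid 0) and what the lgs_config.cc call site relies on, so it belongs in the header contract rather than only in the implementation.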
--- a/src/imm/immnd/immnd_evt.c
+++ b/src/imm/immnd/immnd_evt.c
@@ -894,8 +894,8 @@ static uint32_t immnd_evt_proc_imm_init(IMMND_CB *cb, IMMND_EVT *evt,
                        const char *authorized_group =
                            immModel_authorizedGroup(immnd_cb);
                        if ((authorized_group != NULL) &&
-                           (osaf_user_is_member_of_group(sinfo->uid,
-                                                         authorized_group))) {
+                           (osaf_user_is_member_of_group(
+                               sinfo->uid, authorized_group, sinfo->pid))) {
                                TRACE("configured group");
                        } else {
                                if (mode == ACCESS_CONTROL_PERMISSIVE) {
diff --git a/src/log/logd/lgs_config.cc b/src/log/logd/lgs_config.cc
index 44e10b84d..0139db329 100644
--- a/src/log/logd/lgs_config.cc
+++ b/src/log/logd/lgs_config.cc
@@ -571,7 +571,7 @@ int lgs_cfg_verify_log_data_groupname(char *group_name) {
     rc = -1;
   } else {
     uid_t uid = getuid();
-    if (osaf_user_is_member_of_group(uid, group_name) == false) {
+    if (osaf_user_is_member_of_group(uid, group_name, 0) == false) {
       LOG_WA("%s: osaf_user_is_member_of_group() Fail", __FUNCTION__);
       rc = -1;
     }
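Review bot: The literal `0` in the new call reads as a pid with no explanation of why this caller has none; a trailing comment, `osaf_user_is_member_of_group(uid, group_name, 0 /* no client pid: skip /proc lookup */)`, or a named constant exported from osaf_secutil.h, would make the sentinel explicit. lgs_cfg_verify_log_data_groupname starts and ends outside the hunk.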
--
2.17.1


