
lcmaps_posix.c

00001 /*
00002  * Copyright (c) 2001 EU DataGrid.                                                                             
00003  * For license conditions see http://www.eu-datagrid.org/license.html                                          
00004  *
00005  * Copyright (c) 2001, 2002 by 
00006  *     Martijn Steenbakkers <martijn@nikhef.nl>,
00007  *     David Groep <davidg@nikhef.nl>,
00008  *     NIKHEF Amsterdam, the Netherlands
00009  */
00010 
00112 /*****************************************************************************
00113                             Include header files
00114 ******************************************************************************/
#include <ctype.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "lcmaps_config.h"
#include "lcmaps_modules.h"
#include "lcmaps_arguments.h"
#include "lcmaps_cred_data.h"
/******************************************************************************
                                Definitions
******************************************************************************/

/* Sentinel stored in maxuid/maxpgid/maxsgid while no limit has been configured. */
#define MAX_UNDEFINED ((int)(-1))

/*
 * Upper bound on the number of secondary groups: an existing NGROUPS wins,
 * then NGROUPS_MAX, and finally a fixed fallback of 32.
 * NOTE(review): this file does not include <limits.h> itself, so whether
 * NGROUPS_MAX is visible here depends on the other headers -- confirm that the
 * fallback of 32 is not silently selected on the target platform.
 */
#if !defined(NGROUPS)
    #if defined(NGROUPS_MAX)
        #define NGROUPS NGROUPS_MAX
    #else
        #define NGROUPS 32 
    #endif
#endif

/* 
 * MAX_NGROUPS has been seen in use as well; it was not clear from the sources
 * whether that is a home-made define or something OS specific.
 */

/* Size in bytes of the buffer that log_cred() formats the credential line into. */
#if !defined(MAX_LOG_BUFFER_SIZE)
    #define MAX_LOG_BUFFER_SIZE 500
#endif

/******************************************************************************
                          Module specific prototypes
******************************************************************************/

static int log_cred (char *dn,
                     uid_t *uid, int cntUid,
                     gid_t *priGid, int cntPriGid,
                     gid_t *secGid, int cntSecGid);


/******************************************************************************
                       Define module specific variables
******************************************************************************/

/* Optional limits on the number of credentials, set by plugin_initialize(). */
static int maxuid  = MAX_UNDEFINED;   /* "-maxuid"  : max number of uids           */
static int maxpgid = MAX_UNDEFINED;   /* "-maxpgid" : max number of primary gids   */
static int maxsgid = MAX_UNDEFINED;   /* "-maxsgid" : max number of secondary gids */

/* When non-zero only the effective id is switched and the real id is kept. */
static int set_only_euid = 0;         /* "-set_only_euid yes|no" */
static int set_only_egid = 0;         /* "-set_only_egid yes|no" */

00173 
00174 
00175 
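/******************************************************************************
Function:   log_cred_advance
Description:
    Check the return value of an snprintf() into the credential log buffer
    and, when the text fitted completely, move the write position behind it.
Parameters:
    logstr     : prefix for log messages
    *bufptr    : current write position (updated on success)
    *buflen    : space left in the buffer (updated on success)
    totalchars : return value of the snprintf() call
Returns:
    0: succes
    1: failure (snprintf() error or text truncated)
******************************************************************************/
static int log_cred_advance(const char *logstr, char **bufptr, int *buflen, int totalchars)
{
    if (totalchars < 0)
    {
        lcmaps_log(0,"%s: error in snprintf()\n",logstr);
        return 1;
    }
    if ((totalchars + 1) > *buflen)
    {
        lcmaps_log(0,"%s: could not write all characters into credential log string\n",logstr);
        lcmaps_log(0,"%s: excess of characters: %d\n",logstr,totalchars+1-*buflen);
        return 1;
    }
    *bufptr += totalchars;
    *buflen -= totalchars;
    return 0;
}

/* Append a fixed piece of text such as "uid=" to the credential log buffer. */
static int log_cred_append_text(const char *logstr, char **bufptr, int *buflen, const char *text)
{
    return log_cred_advance(logstr, bufptr, buflen,
                            snprintf(*bufptr, (size_t)*buflen, "%s", text));
}

/*
 * Append one "<id>(<name>)" entry, preceded by a comma unless it is the first
 * entry of its list. A NULL name is printed as "n\a", as before.
 */
static int log_cred_append_id(const char *logstr, char **bufptr, int *buflen,
                              int first, unsigned long id, const char *name)
{
    return log_cred_advance(logstr, bufptr, buflen,
                            snprintf(*bufptr, (size_t)*buflen, "%s%lu(%s)",
                                     first ? "" : ",", id,
                                     (name != NULL) ? name : "n\\a"));
}

/******************************************************************************
Function:   log_cred
Description:
    Writes one log line with the credentials the process actually runs with
    after enforcement: "uid=...:pgid=...:sgid=...". The uid and (when
    cntPriGid == 1) the primary gid are read back from the process itself and
    the secondary gids come from getgroups(), so the line records what was
    enforced and not merely what was requested.

    Changes with respect to the previous version:
      - the log buffer and the group list are released on every path
        (they used to leak on each early return);
      - both allocations are checked before use;
      - a failing getgroups(0, NULL) is reported (the check was unreachable);
      - only the entries actually returned by getgroups() are printed;
      - ids are printed as unsigned values, matching uid_t/gid_t, instead of
        being passed to "%d".
Parameters:
    *dn        : Distinguished Name (not used by this function)
    *uid       : list of uid_t (not used, the uid is read from the process)
    cntUid     : amount of uids (not used)
    *priGid    : list of primary gid_t (only read when cntPriGid != 1)
    cntPriGid  : amount of primary gids (usually only one)
    *secGid    : list of secondary gid_t (not used, getgroups() is used)
    cntSecGid  : amount of secondary gids, only compared with getgroups()

Returns:
    0: succes
    1: failure
******************************************************************************/
static int log_cred (char  *dn,
                     uid_t *uid,
                     int    cntUid,
                     gid_t *priGid,
                     int    cntPriGid,
                     gid_t *secGid,
                     int    cntSecGid)
{
    char * logstr = "    lcmaps_plugin_posix_enf-log_cred()";

    struct passwd *  user_info = NULL;
    struct group  *  grp_info = NULL;

    char *           logbuf = NULL;
    char *           bufptr = NULL;
    int              buflen = MAX_LOG_BUFFER_SIZE;
    gid_t *          list = NULL;
    int              ngroups;
    int              nfound;
    int              i;
    int              rc = 1;
    uid_t            found_uid;

    // Log Enforced Credential Data
    logbuf = malloc(MAX_LOG_BUFFER_SIZE);
    if (logbuf == NULL)
    {
        lcmaps_log(0,"%s: out of memory\n",logstr);
        return 1;
    }
    logbuf[0] = '\0';
    bufptr = logbuf;

    // First the uid, as seen by the process itself
    if (log_cred_append_text(logstr, &bufptr, &buflen, "uid=") != 0)
        goto cleanup;

    found_uid = set_only_euid ? geteuid() : getuid();
    user_info = getpwuid(found_uid);
    if (log_cred_append_id(logstr, &bufptr, &buflen, 1, (unsigned long) found_uid,
                           (user_info != NULL) ? user_info->pw_name : NULL) != 0)
        goto cleanup;

    // Then the primary gid
    // If cntPriGid==1 the gid is fetched from the process, otherwise
    // (e.g. cntPriGid>1, which should never happen) the list of primary gids
    // that was passed in is printed.
    if (log_cred_append_text(logstr, &bufptr, &buflen, ":pgid=") != 0)
        goto cleanup;

    if (cntPriGid == 1)
    {
        gid_t found_gid = set_only_egid ? getegid() : getgid();

        grp_info = getgrgid(found_gid);
        if (log_cred_append_id(logstr, &bufptr, &buflen, 1, (unsigned long) found_gid,
                               (grp_info != NULL) ? grp_info->gr_name : NULL) != 0)
            goto cleanup;
    }
    else
    {
        for (i = 0; (priGid != NULL) && (i < cntPriGid); i++)
        {
            grp_info = getgrgid(priGid[i]);
            if (log_cred_append_id(logstr, &bufptr, &buflen, (i == 0), (unsigned long) priGid[i],
                                   (grp_info != NULL) ? grp_info->gr_name : NULL) != 0)
                goto cleanup;
        }
    }

    // Finally the secondary gids
    // Now we only print the groups from getgroups().
    // NOTE: These may contain also effective/real primary gids !
    ngroups = getgroups(0, NULL);
    if (ngroups < 0)
    {
        lcmaps_log(0,"%s: error in getgroups() (failure)\n",logstr);
        goto cleanup;
    }
    if (ngroups > 0)
    {
        if (ngroups != cntSecGid)
        {
            lcmaps_log_debug(1,"%s: something strange going on, the number of sec. gids from getgroups() (%d)\n",logstr,ngroups);
            lcmaps_log_debug(1,"%s: differs from the number of gids set (cntSecGid=%d)\n",logstr,cntSecGid);
        }
        list = calloc((size_t) ngroups, sizeof *list);
        if (list == NULL)
        {
            lcmaps_log(0,"%s: out of memory\n",logstr);
            goto cleanup;
        }
        nfound = getgroups(ngroups, list);
        if (nfound > 0)
        {
            if (log_cred_append_text(logstr, &bufptr, &buflen, ":sgid=") != 0)
                goto cleanup;

            // Walk only the entries getgroups() really filled in
            for (i = 0; i < nfound; i++)
            {
                grp_info = getgrgid(list[i]);
                if (log_cred_append_id(logstr, &bufptr, &buflen, (i == 0), (unsigned long) list[i],
                                       (grp_info != NULL) ? grp_info->gr_name : NULL) != 0)
                    goto cleanup;
            }
        }
    }
    lcmaps_log_debug(5,"%s: At the end we still have %d spaces left in the buffer\n", logstr, buflen);

    lcmaps_log_time(LOG_INFO, "%s: %s\n", logstr, logbuf);

    // End Log Credential Data 
    rc = 0;

 cleanup:
    free(list);
    free(logbuf);
    return rc;
}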
00454 
00455 
00456 
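/*
 * Return the value that follows option argv[i], or NULL when the option is
 * the last argument or its value is NULL or empty.
 */
static const char * posix_option_value(int argc, char ** argv, int i)
{
    if ((i + 1 >= argc) || (argv[i + 1] == NULL) || (argv[i + 1][0] == '\0'))
        return NULL;
    return argv[i + 1];
}

/*
 * Parse a non-negative decimal number that has to fit in an int.
 * Returns 0 and stores the number in *value on success; returns -1 and leaves
 * *value untouched when text holds a non-digit or the number is too large.
 */
static int posix_parse_count(const char * text, int * value)
{
    const char * p;
    char *       end = NULL;
    long         parsed;

    for (p = text; *p != '\0'; p++)
    {
        /* the cast keeps isdigit() defined for bytes above 127 */
        if (!isdigit((unsigned char) *p))
            return -1;
    }

    errno = 0;
    parsed = strtol(text, &end, 10);
    if ((errno == ERANGE) || (end == text) || (*end != '\0'))
        return -1;
    /* reject numbers that do not survive the narrowing to int */
    if ((long) (int) parsed != parsed)
        return -1;

    *value = (int) parsed;
    return 0;
}

/******************************************************************************
Function:   plugin_initialize
Description:
    Initialize plugin: read the optional limits and switches from the plugin
    arguments.
        -maxuid  <n> / -MAXUID  <n> : maximum number of uids
        -maxpgid <n> / -MAXPGID <n> : maximum number of primary gids
        -maxsgid <n> / -MAXSGID <n> : maximum number of secondary gids
        -set_only_euid yes|no       : change only the effective uid
        -set_only_egid yes|no       : change only the effective gid
    A limit that was already set is not overwritten by a repeated option and
    unknown arguments are skipped, as before.

    Changes with respect to the previous version:
      - an option that is the last argument, without a value, is now an
        initialization failure; it used to be skipped silently, which left
        the intended limit or switch unset without any message;
      - numbers too large for an int are rejected instead of being handed to
        atoi();
      - isdigit() is no longer called with a plain (possibly negative) char.
Parameters:
    argc, argv
    argv[0]: the name of the plugin
Returns:
    LCMAPS_MOD_SUCCESS : succes
    LCMAPS_MOD_FAIL    : failure
******************************************************************************/
int plugin_initialize(
        int argc,
        char ** argv
)
{
    int i;
    char * logstr = "\tlcmaps_plugin_posix_enf-plugin_initialize()";  

    lcmaps_log_debug(1,"%s: passed arguments:\n", logstr);
    for (i=0; i < argc; i++)
    {
       lcmaps_log_debug(2,"%s: arg %d is %s\n", logstr, i, argv[i]);
    }

    /*
     * Parse arguments, argv[0] = name of plugin, so start with i = 1
     */
    for (i = 1; i < argc; i++)
    {
        const char * value = posix_option_value(argc, argv, i);

        // setting maxuid parameter from init plugin arguments
        if ( ((strcmp(argv[i], "-maxuid") == 0) ||
              (strcmp(argv[i], "-MAXUID") == 0)) &&
             (maxuid == MAX_UNDEFINED) )
        {
            if (value == NULL)
            {
                lcmaps_log(0,"%s: no argument found for %s (failure)\n", logstr, argv[i]);
                goto fail_posix;
            }
            lcmaps_log_debug(2,"%s: Checking if argument behind \"-maxuid\" is a number\n", logstr);
            if (posix_parse_count(value, &maxuid) != 0)
            {
                lcmaps_log(0,"%s\tError: maybe found some digits, but there is at least one char corrupting this parameter: %s\n", logstr, value);
                maxuid = MAX_UNDEFINED;
                goto fail_posix;
            }
            i++;
        }

        // setting maxpgid parameter from init plugin arguments
        else if ( ((strcmp(argv[i], "-maxpgid") == 0) ||
                   (strcmp(argv[i], "-MAXPGID") == 0)) &&
                  (maxpgid == MAX_UNDEFINED) )
        {
            if (value == NULL)
            {
                lcmaps_log(0,"%s: no argument found for %s (failure)\n", logstr, argv[i]);
                goto fail_posix;
            }
            lcmaps_log_debug(2,"%s: Checking if argument behind \"-maxpgid\" is a number\n", logstr);
            if (posix_parse_count(value, &maxpgid) != 0)
            {
                lcmaps_log(0,"%s\tError: maybe found some digits, but there is at least one char corrupting this parameter: %s\n", logstr, value);
                maxpgid = MAX_UNDEFINED;
                goto fail_posix;
            }
            i++;
        }

        // setting maxsgid parameter from init plugin arguments
        else if ( ((strcmp(argv[i], "-maxsgid") == 0) ||
                   (strcmp(argv[i], "-MAXSGID") == 0)) &&
                  (maxsgid == MAX_UNDEFINED) )
        {
            if (value == NULL)
            {
                lcmaps_log(0,"%s: no argument found for %s (failure)\n", logstr, argv[i]);
                goto fail_posix;
            }
            lcmaps_log_debug(2,"%s: Checking if argument behind \"-maxsgid\" is a number\n", logstr);
            if (posix_parse_count(value, &maxsgid) != 0)
            {
                lcmaps_log(0,"%s\tError: maybe found some digits, but there is atleast one char corrupting this parameter: %s\n", logstr, value);
                maxsgid = MAX_UNDEFINED;
                goto fail_posix;
            }
            i++;
        }
        else if (strcmp(argv[i], "-set_only_euid") == 0)
        {
            if (value == NULL)
            {
                lcmaps_log(0,"%s: no argument found for %s (failure)\n", logstr, argv[i]);
                goto fail_posix;
            }
            if (strcmp(value,"yes") == 0)
            {
                set_only_euid = 1;
            }
            else if (strcmp(value,"no") == 0)
            {
                set_only_euid = 0;
            }
            else
            {
                lcmaps_log(0,"%s: use \"yes\" or \"no\" for option %s\n", logstr, argv[i]);
                goto fail_posix;
            }
            i++;
        }
        else if (strcmp(argv[i], "-set_only_egid") == 0)
        {
            if (value == NULL)
            {
                lcmaps_log(0,"%s: no argument found for %s (failure)\n", logstr, argv[i]);
                goto fail_posix;
            }
            if (strcmp(value,"yes") == 0)
            {
                set_only_egid = 1;
            }
            else if (strcmp(value,"no") == 0)
            {
                set_only_egid = 0;
            }
            else
            {
                lcmaps_log(0,"%s: use \"yes\" or \"no\" for option %s\n", logstr, argv[i]);
                goto fail_posix;
            }
            i++;
        }
    }

    // The configured secondary gid limit may not exceed what the system allows
    if (maxsgid > NGROUPS)
    {
        lcmaps_log(0,"%s\tError: The prefered set maximum of %d Secondary Gid's exceeds the system maximum of NGROUPS witch is set to %d on this system\n", logstr, maxsgid, NGROUPS);
        goto fail_posix;
    }
    else if (maxsgid == MAX_UNDEFINED)
    {
        lcmaps_log(0,"%s\tAuto set maximum Secondary Gid's to system maximum of NGROUPS witch is set to %d on this system\n", logstr, NGROUPS);
    }


    lcmaps_log_debug(2,"%s: Summary init maxuid  : %d\n", logstr, maxuid);
    lcmaps_log_debug(2,"%s: Summary init maxpgid : %d\n", logstr, maxpgid);
    lcmaps_log_debug(2,"%s: Summary init maxsgid : %d\n", logstr, maxsgid);

    return LCMAPS_MOD_SUCCESS;


 fail_posix:
    return LCMAPS_MOD_FAIL; 
} 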
00647 
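/******************************************************************************
Function:   plugin_introspect
Description:
    Return the list of arguments this plugin requires from the framework.
    The list holds only its terminating entry, so nothing is requested.
    The address of the list is now logged with "%p"; it used to be passed
    to "%x", which expects an unsigned int and not a pointer.
Parameters:
    argc : receives the number of entries counted by lcmaps_cntArgs()
    argv : receives the address of the (static) argument list
Returns:
    LCMAPS_MOD_SUCCESS : succes
    LCMAPS_MOD_FAIL    : failure (never returned by this implementation)
******************************************************************************/
int plugin_introspect(
        int * argc,
        lcmaps_argument_t ** argv
)
{
    char * logstr = "\tlcmaps_plugin_posix_enf-plugin_introspect()";  

    /* static: the caller keeps using the list after this function returns */
    static lcmaps_argument_t argList[] = {
        {NULL           ,       NULL            , -1,   NULL}
    };

    lcmaps_log_debug(1,"%s: introspecting\n", logstr);

    *argv = argList;
    *argc = lcmaps_cntArgs(argList);
    lcmaps_log_debug(1,"%s: address first argument: %p\n", logstr, (void *) argList);

    return LCMAPS_MOD_SUCCESS;
}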
00677 
00678 
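/*
 * Read the current supplementary group list of the process.
 * On success returns 0, stores a malloc'ed array in *list (to be freed by the
 * caller) and the number of valid entries in *ngroups.
 * On failure logs the error, returns -1 and leaves *list NULL.
 */
static int posix_fetch_groups(const char * logstr, gid_t ** list, int * ngroups)
{
    gid_t * buf   = NULL;
    int     count = 0;
    int     saved_errno;

    *list    = NULL;
    *ngroups = 0;

    if ((count = getgroups(0, NULL)) < 0)
    {
        saved_errno = errno;
        lcmaps_log(0, "%s: error in getgroups() call\n", logstr);
        lcmaps_log(0, "%s: %s\n", logstr, strerror(saved_errno));
        return -1;
    }

    /* always allocate at least one element: malloc(0) may return NULL */
    buf = calloc((count > 0) ? (size_t) count : 1, sizeof *buf);
    if (buf == NULL)
    {
        lcmaps_log(0, "%s: out of memory\n", logstr);
        return -1;
    }

    if ((count > 0) && ((count = getgroups(count, buf)) < 0))
    {
        saved_errno = errno;
        lcmaps_log(0, "%s: error in getgroups() call\n", logstr);
        lcmaps_log(0, "%s: %s\n", logstr, strerror(saved_errno));
        free(buf);
        return -1;
    }

    *list    = buf;
    *ngroups = count;
    return 0;
}

/******************************************************************************
Function:   plugin_run
Description:
    Enforce the credentials gathered by LCMAPS on the running process:
    primary gid first, then the secondary gids and the uid last, because the
    group calls need the privileges that are given up by changing the uid.

    Changes with respect to the previous version:
      - a failing setregid() or setreuid() now ends the plugin with
        LCMAPS_MOD_FAIL. It used to be logged only; the later "id is 0"
        checks catch that for a process whose ids are all 0, but not for
        one that starts with real uid 0 and a non-zero gid;
      - after the switch the ids of the process are compared with the
        requested ones, not only with 0;
      - the presence of at least one uid and one primary gid is checked
        before anything is changed, so these errors no longer leave the
        process with new groups but the old uid;
      - errno is saved before the first log call that follows a failure;
      - the group list allocations are checked.

    With "-set_only_euid yes" / "-set_only_egid yes" the real id is left
    unchanged on purpose, so the process keeps the ability to change its ids
    again afterwards.

    NOTE(review): when LCMAPS_MOD_FAIL is returned after the first set*id()
    call the process is in a partly switched state; the caller presumably has
    to treat the failure as fatal -- confirm with the framework.
Parameters:
    argc: number of arguments
    argv: list of arguments
Returns:
    LCMAPS_MOD_SUCCESS: enforcement succeeded
    LCMAPS_MOD_FAIL   : enforcement failed
******************************************************************************/
int plugin_run(
        int argc,
        lcmaps_argument_t * argv
)
{
    char * logstr = "\tlcmaps_plugin_posix_enf-plugin_run()";  
    int                 i, t; 
    int                 saved_errno;
    gid_t *             list        = NULL;
    int                 ngroups     = 0;
 
    char  *             dn          = NULL;
    uid_t *             uid         = NULL;
    int                 cntUid;
    gid_t *             priGid      = NULL;
    int                 cntPriGid;
    gid_t *             secGid      = NULL;
    int                 cntSecGid;
    struct passwd *     root_info   = NULL;

    /*
     * The beginning
     */
    lcmaps_log_debug(1,"%s\n", logstr);

    uid    = getCredentialData(UID,     &cntUid);
    priGid = getCredentialData(PRI_GID, &cntPriGid);
    secGid = getCredentialData(SEC_GID, &cntSecGid);
    lcmaps_log_debug(2,"%s: number of uids: %d, priGids: %d, secGids: %d\n", logstr, cntUid,cntPriGid,cntSecGid);
    
    // Check amount of uid's, pri-gid's and sec-gid's with the set maximum
    if (maxuid != MAX_UNDEFINED)
    {
        lcmaps_log_debug(2,"%s: max number of uids: %d\n", logstr, maxuid);
        if (cntUid > maxuid)
        {
            lcmaps_log(0, "%s:\tError: The set amount of uid's gathered exceeds the maximum of %d uid('s) by %d\n", logstr, maxuid, (cntUid - maxuid));
            goto fail_posix;
        }
    }
    if (maxpgid != MAX_UNDEFINED)
    {
        lcmaps_log_debug(2,"%s: max number of primary gid('s): %d\n", logstr, maxpgid);
        if (cntPriGid > maxpgid)
        {
            lcmaps_log(0, "%s:\tError: The set amount of primary gid's gathered exceeds the maximum of %d primary gid('s) by %d\n", logstr, maxpgid, (cntPriGid - maxpgid));
            goto fail_posix;
        }
    }
    if (maxsgid != MAX_UNDEFINED)
    {
        lcmaps_log_debug(2,"%s: max number of secondary gid's: %d\n", logstr, maxsgid);
        if (cntSecGid > maxsgid)
        {
            lcmaps_log(0, "%s:\tError: The set amount of secondary gid's gathered exceeds the maximum of %d secunadary gid's by %d\n", logstr, maxsgid, (cntSecGid - maxsgid));
            goto fail_posix;
        }
    }

    // Nothing may be changed unless there is a complete target identity
    if ((cntPriGid <= 0) || (priGid == NULL))
    {
        lcmaps_log(0, "%s: No primary group IDs found, need at least 1 !\n", logstr);
        goto fail_posix;
    }
    if ((cntUid <= 0) || (uid == NULL))
    {
        lcmaps_log(0, "%s: No user IDs found, need at least 1 !\n", logstr);
        goto fail_posix;
    }

    // The process has to be root
    if (getuid() != 0)
    {
        lcmaps_log(0, "%s: The service did not initialize with Root! -> %d\n", logstr, (int) getuid());
        goto fail_posix;
    }

    // Only done to get name of root (normally "root")
    errno = 0;
    if ((root_info=getpwuid(0)) == NULL)
    {
        saved_errno = errno;
        lcmaps_log(0, "%s: cannot get passwd info for root\n", logstr);
        if (saved_errno==ENOMEM)
            lcmaps_log(0, "%s: %s\n", logstr, strerror(saved_errno));
        goto fail_posix;
    }
    lcmaps_log_debug(3,"%s: Name of root: %s\n", logstr, root_info->pw_name);
    lcmaps_log_debug(3,"%s: Je real      GID  was  -> %d\n", logstr, (int) getgid());
    lcmaps_log_debug(3,"%s: Je effective GID  was  -> %d\n", logstr, (int) getegid());

    // Set new primary group ID; a failure here is fatal
    if (set_only_egid)
    {
        if (setregid(-1, priGid[0]) != 0)
        {
            saved_errno = errno;
            lcmaps_log(0, "%s: cannot set effective gid by setregid()\n", logstr);
            lcmaps_log(0, "%s: %s\n", logstr, strerror(saved_errno));
            goto fail_posix;
        }
        lcmaps_log_debug(1,"%s: Setting only effective primary gid to %d\n", logstr, (int) priGid[0]);
    }
    else
    {
        if (setregid(priGid[0], priGid[0]) != 0)
        {
            saved_errno = errno;
            lcmaps_log(0, "%s: cannot set real and effective setregid()\n", logstr);
            lcmaps_log(0, "%s: %s\n", logstr, strerror(saved_errno));
            goto fail_posix;
        }
    }
        
    lcmaps_log_debug(3,"%s: Je real      GID is nu -> %d\n", logstr, (int) getgid());
    lcmaps_log_debug(3,"%s: Je effective GID is nu -> %d\n", logstr, (int) getegid());

    // Initialize group access list for root
    if (initgroups(root_info->pw_name, root_info->pw_gid)!=0)
    {
        saved_errno = errno;
        lcmaps_log(0, "%s: error in initgroups() call\n", logstr);
        lcmaps_log(0, "%s: %s\n", logstr, strerror(saved_errno));
        goto fail_posix;
    }

    // Get the secondary group IDs for root (debug output only)
    if (posix_fetch_groups(logstr, &list, &ngroups) != 0)
        goto fail_posix;
    lcmaps_log_debug(3,"%s: found %d sec group IDs initially\n", logstr, ngroups);
    for (t = 0; t < ngroups; t++)
    {
        lcmaps_log_debug(3,"%s: Je Sec. Gids waren     -> %d\n", logstr, (int) list[t]);
    }
    free(list);
    list = NULL;

    // Set the new secondary group IDs
    if (setgroups(cntSecGid, secGid)!=0)
    {
        saved_errno = errno;
        switch (saved_errno)
        {
            case EFAULT :
                lcmaps_log_debug(1, "%s: Not that fatal but serious error\n", logstr);
                break;
            case EPERM :
                lcmaps_log_debug(1, "%s: You are not ROOT\n", logstr);
                break;
            case EINVAL :
                for (i = 0; i < cntSecGid; i++)
                {
                    lcmaps_log_debug(1,"%s: > i = %d met %d\n", logstr, i, (int) secGid[i]);
                }
                lcmaps_log_debug(1, "%s: Invalid GID list\n", logstr);
                break;
            default :
                lcmaps_log_debug(1, "%s: Unspecified error in setgroups()\n", logstr);
                break;
        }
        // Every setgroups() failure is reported at level 0 and is fatal
        lcmaps_log(0, "%s: %s\n", logstr, strerror(saved_errno));
        goto fail_posix;
    }

    // Get the new secondary group IDs (debug output only)
    if (posix_fetch_groups(logstr, &list, &ngroups) != 0)
        goto fail_posix;
    lcmaps_log_debug(1,"%s: found %d sec gids after setgroups(), cntSecGid=%d\n", logstr, ngroups,cntSecGid);
    for (t = 0; t < ngroups; t++)
    {
        lcmaps_log_debug(2,"%s: Je Sec. Gid s zijn nu  -> %d\n", logstr, (int) list[t]);
    }

    lcmaps_log_debug(2,"%s: Je was user            -> %d\n", logstr, (int) getuid());

    // Set the new user ID last; a failure here is fatal
    if (set_only_euid)
    {
        if (setreuid(-1, uid[0]) != 0)
        {
            saved_errno = errno;
            lcmaps_log(0, "%s: cannot set effective uid by setreuid()\n", logstr);
            lcmaps_log(0, "%s: %s\n", logstr, strerror(saved_errno));
            goto fail_posix;
        }
        lcmaps_log_debug(1,"%s: Setting only effective uid to %d\n", logstr, (int) uid[0]);
    }
    else
    {
        if (setreuid(uid[0], uid[0]) != 0)
        {
            saved_errno = errno;
            lcmaps_log(0, "%s: cannot setreuid()\n", logstr);
            lcmaps_log(0, "%s: %s\n", logstr, strerror(saved_errno));
            goto fail_posix;
        }
    }

    lcmaps_log_debug(2,"%s: Je bent nu geworden    -> %d\n", logstr, (int) getuid());
    lcmaps_log_debug(1,"%s: Je real      UID  is   -> %d\n", logstr, (int) getuid());
    lcmaps_log_debug(1,"%s: Je effective UID  is   -> %d\n", logstr, (int) geteuid());


    /* We should set the appropriate environment variables here (see globus gatekeeper)
     * (or before all setuid/setgid calls ?)
     */


    /*
     * Do Not End This POSIX Enforcement with ROOT privileges
     * (depending on the set_only_euid and set_only_egid options)
     */
    if ( (!set_only_euid) && ((getuid() == 0) || (geteuid() == 0)) )
    {
        lcmaps_log(0, "%s: real and or effective uid == 0, which is not allowed at this stage\n", logstr);
        goto fail_posix;
    }
    else if (geteuid() == 0)
    {
        lcmaps_log(0, "%s: effective uid == 0, which is not allowed at this stage\n", logstr);
        goto fail_posix;
    }
        
    if ( (!set_only_egid) && ((getgid() == 0) || (getegid() == 0)) )
    {
        lcmaps_log(0, "%s: real and or effective gid == 0, which is not allowed at this stage\n", logstr);
        goto fail_posix;
    }
    else if (getegid() == 0)
    {
        lcmaps_log(0, "%s: effective gid == 0, which is not allowed at this stage\n", logstr);
        goto fail_posix;
    }

    /*
     * "Not root" is not enough: the process has to run with exactly the
     * requested ids.
     */
    if ( (geteuid() != uid[0]) || ((!set_only_euid) && (getuid() != uid[0])) )
    {
        lcmaps_log(0, "%s: uid of the process differs from the requested uid %d\n", logstr, (int) uid[0]);
        goto fail_posix;
    }
    if ( (getegid() != priGid[0]) || ((!set_only_egid) && (getgid() != priGid[0])) )
    {
        lcmaps_log(0, "%s: gid of the process differs from the requested primary gid %d\n", logstr, (int) priGid[0]);
        goto fail_posix;
    }


    // Log Enforced Credential Data
    if (log_cred(dn, uid, cntUid, priGid, cntPriGid, secGid, cntSecGid) != 0)
    {
        lcmaps_log(0, "%s: Something wrong in printing the logged credentials (failure)\n", logstr);
        goto fail_posix;
    }


    /* succes */
    free(list);
    lcmaps_log_time(0,"%s: posix_enf plugin succeeded\n", logstr);
    return LCMAPS_MOD_SUCCESS;

 fail_posix:
    free(list);
    lcmaps_log_time(0,"%s: posix_enf plugin failed\n", logstr);
    return LCMAPS_MOD_FAIL;
}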
00977 
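/******************************************************************************
Function:   plugin_terminate
Description:
    Terminate plugin. There is nothing to release, only a debug message is
    written. The log prefix used to say "plugin_introspect()", which made
    this message look as if it came from plugin_introspect().
Parameters:

Returns:
    LCMAPS_MOD_SUCCESS : succes
    LCMAPS_MOD_FAIL    : failure (never returned by this implementation)
******************************************************************************/
int plugin_terminate()
{
    char * logstr = "\tlcmaps_plugin_posix_enf-plugin_terminate()";

    lcmaps_log_debug(1,"%s: terminating\n", logstr);
    
    return LCMAPS_MOD_SUCCESS;
}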
00996 
00997 /******************************************************************************
00998 CVS Information:
00999     $Source: /local/reps/lcgware/fabric_mgt/gridification/lcmaps/modules/posix_enf/lcmaps_posix.c,v $
01000     $Date: 2004/10/01 15:17:30 $
01001     $Revision: 1.22 $
01002     $Author: maart $
01003 ******************************************************************************/
