author | David Powell <david.e.powell@oracle.com> |
Tue, 07 Dec 2010 14:41:00 -0800 | |
changeset 612 | 670030d74969 |
parent 543 | aa62f8edcc3d |
child 646 | e1e91f5b0cb1 |
permissions | -rw-r--r-- |
391 | 1 |
/* |
2 |
* CDDL HEADER START |
|
3 |
* |
|
4 |
* The contents of this file are subject to the terms of the |
|
5 |
* Common Development and Distribution License (the "License"). |
|
6 |
* You may not use this file except in compliance with the License. |
|
7 |
* |
|
8 |
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE |
|
9 |
* or http://www.opensolaris.org/os/licensing. |
|
10 |
* See the License for the specific language governing permissions |
|
11 |
* and limitations under the License. |
|
12 |
* |
|
13 |
* When distributing Covered Code, include this CDDL HEADER in each |
|
14 |
* file and include the License file at usr/src/OPENSOLARIS.LICENSE. |
|
15 |
* If applicable, add the following below this CDDL HEADER, with the |
|
16 |
* fields enclosed by brackets "[]" replaced with your own identifying |
|
17 |
* information: Portions Copyright [yyyy] [name of copyright owner] |
|
18 |
* |
|
19 |
* CDDL HEADER END |
|
20 |
*/ |
|
21 |
||
22 |
/* |
|
500
d134d555588f
15908 create accessors for all ADR data
David Powell <david.e.powell@oracle.com>
parents:
468
diff
changeset
|
23 |
* Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. |
391 | 24 |
*/ |
25 |
||
26 |
#include <sys/types.h> |
|
27 |
#include <sys/socket.h> |
|
612
670030d74969
17519 PAM conversation needs to handle password expiry
David Powell <david.e.powell@oracle.com>
parents:
543
diff
changeset
|
28 |
#include <bsm/adt_event.h> |
391 | 29 |
#include <stdio.h> |
30 |
#include <string.h> |
|
31 |
#include <stdlib.h> |
|
32 |
#include <errno.h> |
|
33 |
#include <unistd.h> |
|
34 |
#include <pthread.h> |
|
35 |
#include <ucred.h> |
|
36 |
#include <zone.h> |
|
37 |
||
543
aa62f8edcc3d
16605 need stream abstraction for handling non-fd based communication
David Powell <david.e.powell@oracle.com>
parents:
540
diff
changeset
|
38 |
#include <rad/adr_stream.h> |
391 | 39 |
#include "rad_object.h" |
40 |
#include "rad_modapi.h" |
|
41 |
#include "rad_modapi_xport.h" |
|
42 |
#include "rad_connection.h" |
|
43 |
#include "rad_xport.h" |
|
44 |
||
45 |
#include "api_uds.h" |
|
46 |
||
47 |
static boolean_t |
|
48 |
sockaddr_init(struct sockaddr_un *addr, const char *name) |
|
49 |
{ |
|
50 |
size_t namelen; |
|
51 |
size_t addrlen; |
|
52 |
||
53 |
(void) memset(addr, 0, sizeof (*addr)); |
|
54 |
addr->sun_family = AF_UNIX; |
|
55 |
||
56 |
namelen = strlen(name); |
|
57 |
addrlen = sizeof (addr->sun_path); |
|
58 |
||
59 |
if (namelen >= addrlen) |
|
60 |
return (B_FALSE); |
|
61 |
||
62 |
(void) strlcpy(addr->sun_path, name, sizeof (addr->sun_path)); |
|
63 |
return (B_TRUE); |
|
64 |
} |
|
65 |
||
66 |
static int |
|
67 |
listen_on_name(const char *name) |
|
68 |
{ |
|
69 |
int fd; |
|
70 |
struct sockaddr_un addr; |
|
71 |
||
72 |
if (unlink(name) == -1 && errno != ENOENT) { |
|
73 |
rad_log(RL_ERROR, "unlink of '%s' failed: %s", name, |
|
74 |
strerror(errno)); |
|
75 |
return (-1); |
|
76 |
} |
|
77 |
||
78 |
if (!sockaddr_init(&addr, name)) { |
|
79 |
rad_log(RL_ERROR, "socket name '%s' too long", name); |
|
80 |
return (-1); |
|
81 |
} |
|
82 |
||
83 |
if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) { |
|
84 |
rad_log(RL_ERROR, "socket failed: %s", strerror(errno)); |
|
85 |
return (-1); |
|
86 |
} |
|
87 |
||
88 |
if (bind(fd, (struct sockaddr *)&addr, sizeof (addr)) == -1) { |
|
89 |
rad_log(RL_ERROR, "bind to '%s' failed: %s", name, |
|
90 |
strerror(errno)); |
|
91 |
(void) close(fd); |
|
92 |
return (-1); |
|
93 |
} |
|
94 |
||
95 |
if (listen(fd, 15) == -1) { |
|
96 |
rad_log(RL_ERROR, "listen on '%s' failed: %s", name, |
|
97 |
strerror(errno)); |
|
98 |
return (-1); |
|
99 |
} |
|
100 |
||
101 |
return (fd); |
|
102 |
} |
|
103 |
||
104 |
/* |
|
105 |
* Determines if the ucred represents someone who is effectively us. |
|
106 |
*/ |
|
107 |
static boolean_t |
|
108 |
sent_by_joe(ucred_t *uc) |
|
109 |
{ |
|
110 |
const priv_set_t *theirprivs; |
|
111 |
priv_set_t *myprivs = priv_allocset(); |
|
112 |
if (myprivs == NULL) { |
|
113 |
rad_log(RL_ERROR, "failed to allocate privilege set"); |
|
114 |
return (B_FALSE); |
|
115 |
} |
|
523
775c35bc3fe6
16318 make threading of Python client optional (cont)
David Powell <david.e.powell@oracle.com>
parents:
500
diff
changeset
|
116 |
|
775c35bc3fe6
16318 make threading of Python client optional (cont)
David Powell <david.e.powell@oracle.com>
parents:
500
diff
changeset
|
117 |
/* Could handle this "gracefully", but it isn't supposed to fail */ |
391 | 118 |
if (getppriv(PRIV_PERMITTED, myprivs) == -1) |
119 |
rad_log(RL_FATAL, "getppriv(PRIV_PERMITTED) failed: %s", |
|
120 |
strerror(errno)); |
|
121 |
||
122 |
if (uc == NULL || |
|
123 |
ucred_geteuid(uc) != getuid() || |
|
124 |
ucred_getzoneid(uc) != getzoneid() || |
|
125 |
(theirprivs = ucred_getprivset(uc, PRIV_EFFECTIVE)) == NULL || |
|
126 |
!priv_issubset(myprivs, theirprivs)) { |
|
127 |
priv_freeset(myprivs); |
|
128 |
rad_log(RL_WARN, "unprivileged client (uid=%d) " |
|
129 |
"attempted connection to control port", ucred_geteuid(uc)); |
|
130 |
return (B_FALSE); |
|
131 |
} |
|
132 |
||
133 |
priv_freeset(myprivs); |
|
134 |
return (B_TRUE); |
|
135 |
} |
|
136 |
||
137 |
static void |
|
138 |
uds_run(void *arg) |
|
139 |
{ |
|
140 |
radmod_connection_t *conn = arg; |
|
141 |
rad_proto_handle(conn); |
|
468
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
426
diff
changeset
|
142 |
rad_conn_free(conn); |
391 | 143 |
} |
144 |
||
145 |
static rad_moderr_t |
|
146 |
uds_listen(rad_thread_t *arg) |
|
147 |
{ |
|
148 |
data_t *data = rad_thread_arg(arg); |
|
149 |
int fd; |
|
150 |
data_t *d, *path = struct_get(data, "path"); |
|
151 |
d = struct_get(data, "proto"); |
|
500
d134d555588f
15908 create accessors for all ADR data
David Powell <david.e.powell@oracle.com>
parents:
468
diff
changeset
|
152 |
const char *protostr = d != NULL ? data_to_string(d) : "rad"; |
391 | 153 |
d = struct_get(data, "control"); |
500
d134d555588f
15908 create accessors for all ADR data
David Powell <david.e.powell@oracle.com>
parents:
468
diff
changeset
|
154 |
boolean_t control = d != NULL ? data_to_boolean(d) : B_FALSE; |
391 | 155 |
|
156 |
rad_protocol_t *proto = rad_proto_find(protostr); |
|
157 |
if (proto == NULL) { |
|
158 |
rad_log(RL_ERROR, "Unable to find protocol \"%s\".", protostr); |
|
159 |
return (rm_config); |
|
160 |
} |
|
161 |
||
500
d134d555588f
15908 create accessors for all ADR data
David Powell <david.e.powell@oracle.com>
parents:
468
diff
changeset
|
162 |
if ((fd = listen_on_name(data_to_string(path))) < 0) { |
391 | 163 |
rad_log(RL_ERROR, "Error starting uds server: %s", |
164 |
strerror(errno)); |
|
165 |
return (rm_system); |
|
166 |
} |
|
167 |
||
168 |
rad_thread_ack(arg, rm_ok); |
|
169 |
for (;;) { |
|
170 |
int afd; |
|
171 |
||
172 |
rad_log(RL_DEBUG, "Waiting for connection.\n"); |
|
173 |
if ((afd = accept(fd, 0, 0)) == -1) { |
|
174 |
rad_log(RL_WARN, "Error in accept(): %s\n", |
|
175 |
strerror(errno)); |
|
176 |
continue; |
|
177 |
} |
|
178 |
rad_log(RL_DEBUG, "Connection accepted.\n"); |
|
179 |
||
468
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
426
diff
changeset
|
180 |
/* subject allocation failure and missing ucred are conflated */ |
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
426
diff
changeset
|
181 |
rad_subject_t *subject = rad_subject_create_fd(afd); |
391 | 182 |
|
183 |
if (control) { |
|
468
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
426
diff
changeset
|
184 |
if (subject == NULL) { |
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
426
diff
changeset
|
185 |
(void) close(afd); |
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
426
diff
changeset
|
186 |
continue; |
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
426
diff
changeset
|
187 |
} |
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
426
diff
changeset
|
188 |
|
391 | 189 |
if (!sent_by_joe(subject->rs_ucred)) { |
190 |
rad_subject_unref(subject); |
|
191 |
(void) close(afd); |
|
192 |
continue; |
|
193 |
} |
|
194 |
rad_log(RL_DEBUG, |
|
195 |
"accepting connection on control port"); |
|
196 |
subject->rs_control = B_TRUE; |
|
197 |
} |
|
198 |
||
543
aa62f8edcc3d
16605 need stream abstraction for handling non-fd based communication
David Powell <david.e.powell@oracle.com>
parents:
540
diff
changeset
|
199 |
adr_stream_t *stream = adr_stream_create_fd(afd); |
aa62f8edcc3d
16605 need stream abstraction for handling non-fd based communication
David Powell <david.e.powell@oracle.com>
parents:
540
diff
changeset
|
200 |
if (stream == NULL) |
aa62f8edcc3d
16605 need stream abstraction for handling non-fd based communication
David Powell <david.e.powell@oracle.com>
parents:
540
diff
changeset
|
201 |
continue; |
aa62f8edcc3d
16605 need stream abstraction for handling non-fd based communication
David Powell <david.e.powell@oracle.com>
parents:
540
diff
changeset
|
202 |
|
468
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
426
diff
changeset
|
203 |
radmod_connection_t *conn = rad_conn_create_fd(afd, B_TRUE); |
543
aa62f8edcc3d
16605 need stream abstraction for handling non-fd based communication
David Powell <david.e.powell@oracle.com>
parents:
540
diff
changeset
|
204 |
if (conn == NULL) { |
aa62f8edcc3d
16605 need stream abstraction for handling non-fd based communication
David Powell <david.e.powell@oracle.com>
parents:
540
diff
changeset
|
205 |
adr_stream_close(stream); |
aa62f8edcc3d
16605 need stream abstraction for handling non-fd based communication
David Powell <david.e.powell@oracle.com>
parents:
540
diff
changeset
|
206 |
adr_stream_free(stream); |
523
775c35bc3fe6
16318 make threading of Python client optional (cont)
David Powell <david.e.powell@oracle.com>
parents:
500
diff
changeset
|
207 |
rad_log(RL_WARN, "failed to allocate connection"); |
775c35bc3fe6
16318 make threading of Python client optional (cont)
David Powell <david.e.powell@oracle.com>
parents:
500
diff
changeset
|
208 |
continue; |
775c35bc3fe6
16318 make threading of Python client optional (cont)
David Powell <david.e.powell@oracle.com>
parents:
500
diff
changeset
|
209 |
} |
543
aa62f8edcc3d
16605 need stream abstraction for handling non-fd based communication
David Powell <david.e.powell@oracle.com>
parents:
540
diff
changeset
|
210 |
conn->rm_conn_xport = stream; |
aa62f8edcc3d
16605 need stream abstraction for handling non-fd based communication
David Powell <david.e.powell@oracle.com>
parents:
540
diff
changeset
|
211 |
conn->rm_conn_proto_ops = proto; |
523
775c35bc3fe6
16318 make threading of Python client optional (cont)
David Powell <david.e.powell@oracle.com>
parents:
500
diff
changeset
|
212 |
|
612
670030d74969
17519 PAM conversation needs to handle password expiry
David Powell <david.e.powell@oracle.com>
parents:
543
diff
changeset
|
213 |
if (subject != NULL && |
670030d74969
17519 PAM conversation needs to handle password expiry
David Powell <david.e.powell@oracle.com>
parents:
543
diff
changeset
|
214 |
!rad_conn_setsubject(conn, subject, ADT_login)) { |
523
775c35bc3fe6
16318 make threading of Python client optional (cont)
David Powell <david.e.powell@oracle.com>
parents:
500
diff
changeset
|
215 |
rad_conn_close(conn); |
775c35bc3fe6
16318 make threading of Python client optional (cont)
David Powell <david.e.powell@oracle.com>
parents:
500
diff
changeset
|
216 |
rad_conn_free(conn); |
775c35bc3fe6
16318 make threading of Python client optional (cont)
David Powell <david.e.powell@oracle.com>
parents:
500
diff
changeset
|
217 |
rad_log(RL_WARN, "failed to set connection subject"); |
775c35bc3fe6
16318 make threading of Python client optional (cont)
David Powell <david.e.powell@oracle.com>
parents:
500
diff
changeset
|
218 |
continue; |
775c35bc3fe6
16318 make threading of Python client optional (cont)
David Powell <david.e.powell@oracle.com>
parents:
500
diff
changeset
|
219 |
} |
391 | 220 |
|
221 |
if (rad_thread_create_async(uds_run, conn) != rm_ok) { |
|
222 |
rad_conn_close(conn); |
|
468
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
426
diff
changeset
|
223 |
rad_conn_free(conn); |
391 | 224 |
} |
225 |
} |
|
226 |
} |
|
227 |
||
228 |
static pthread_t server_thread; |
|
229 |
||
230 |
static rad_moderr_t |
|
231 |
starter(data_t *data) |
|
232 |
{ |
|
233 |
data_t *path = struct_get(data, "path"); |
|
234 |
||
235 |
if (path == NULL) { |
|
236 |
rad_log(RL_ERROR, "Unix domain socket requires path\n"); |
|
237 |
return (rm_config); |
|
238 |
} |
|
239 |
||
240 |
return (rad_thread_create(uds_listen, data)); |
|
241 |
} |
|
242 |
||
243 |
static rad_modinfo_t modinfo = { |
|
244 |
"xport_uds", "unix domain socket transport module", |
|
245 |
}; |
|
246 |
||
247 |
int |
|
248 |
_rad_init(void *handle) |
|
249 |
{ |
|
250 |
if (rad_module_register(handle, RAD_MODVERSION, &modinfo) == -1) |
|
251 |
return (-1); |
|
252 |
||
253 |
rad_xport_register("uds", &t__uds, starter); |
|
254 |
return (0); |
|
255 |
} |