Merge lp:~jeff-apple/openvista-gtm-integration/bug385746 into lp:openvista-gtm-integration

Proposed by jeff.apple
Status: Merged
Merged at revision: not available
Proposed branch: lp:~jeff-apple/openvista-gtm-integration/bug385746
Merge into: lp:openvista-gtm-integration
Diff against target: None lines
To merge this branch: bzr merge lp:~jeff-apple/openvista-gtm-integration/bug385746
Reviewer Review Type Date Requested Status
OpenVista/GT.M Integration Team Pending
Review via email: mp+7526@code.launchpad.net
jeff.apple (jeff-apple) wrote :

The packaging parts may not be quite up to snuff. Jon should pay special attention to that.

Jon Tai (jontai) wrote :

In src/libopenvista/compile.sh, can you remove the -lpam flag?

In packages/rpm/openvista-libs-5.3003.spec, I'm thinking ovauth may be better in /sbin like unix_chkpwd, or at least /usr/sbin. It definitely should not be installed chgrp gtm, since it has nothing to do with GT.M. Perhaps chgrp openvista would be more appropriate?

In src/ovauth/ovauth.c, "reading an appending" should be "reading and appending".

Finally, should we test this on an LDAP and a non-LDAP machine before merging?

66. By jeff.apple

Change install location of ovauth binary
Make ovauth be in group openvista
Remove PAM library dependency in libopenvista

Preview Diff

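--- a/mumps/ZOSVGUX.m
+++ b/mumps/ZOSVGUX.m
@@ -71,7 +71,14 @@
  Q 1 ; until we fix this, we're never in application mode
  ;
 AUTH(USER,PASS) ;
- Q $&openvista.dopam($G(USER),$G(PASS),"openvista")
+ N DEV,OLDIO,STATUS
+ S DEV="ovauth",OLDIO=$IO,STATUS="Problem opening pipe"
+ O DEV:(COMMAND=$ZTRNLNM("gtm_dist")_"/ovauth "_USER:PARSE:INDEPENDENT:EXCEPTION="G AUTHDONE")::"PIPE"
+ U DEV W PASS R STATUS
+AUTHDONE
+ U OLDIO
+ C DEV
+ Q STATUS="OK"
 UCI ;
  S Y=^%ZOSF("PROD") Q
  ;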
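Review bot: The OPEN on the `O DEV:(COMMAND=$ZTRNLNM("gtm_dist")_"/ovauth "_USER...` line builds the helper's command line by concatenating USER into it with no quoting or validation, so a username containing shell metacharacters can change the command that is executed instead of reaching ovauth as a single argument. Validate USER against the character set a local login name may contain before the OPEN, e.g. `Q:USER'?1.(1AN,1"_",1"-",1".") 0`, so the helper only ever receives a plain account name. The same construction appears in AUTH in src/ovauth/SYSAUTH.m in this proposal. Note also that the removed line used `$G(USER)`; referencing USER directly now errors when the caller has not set it, where the old code failed cleanly with 0.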
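--- a/packages/rpm/openvista-libs-5.3003.spec
+++ b/packages/rpm/openvista-libs-5.3003.spec
@@ -49,6 +49,11 @@
 cd src/suidwrapper
 ./compile.sh
 
+cd ../../
+
+cd src/ovauth
+./compile.sh
+
 %install
 rm -rf %{buildroot}
 
@@ -56,6 +61,7 @@
 install -m 550 src/libopenvista/libopenvista.so %{buildroot}%{gtm_dist}
 install -m 440 src/libopenvista/openvista.xc %{buildroot}%{gtm_dist}
 install -m 4550 src/suidwrapper/gtmsignal %{buildroot}%{gtm_dist}
+install -m 4550 src/ovauth/ovauth %{buildroot}%{gtm_dist}
 
 %clean
 rm -rf %{buildroot}
@@ -71,6 +77,7 @@
 %{gtm_dist}/openvista.xc
 %defattr(-,root,gtm)
 %{gtm_dist}/gtmsignal
+%{gtm_dist}/ovauth
 
 %post
 # See http://fedoraproject.org/wiki/PackagingDrafts/SELinux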
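--- a/src/libopenvista/authdata.h
+++ b/src/libopenvista/authdata.h
@@ -1,27 +0,0 @@
-/*
-* Copyright (C) 2009 Medsphere Systems Corporation
-*
-* This program is free software; you can redistribute it and/or modify it
-* solely under the terms of the GNU Affero General Public License version 3 as
-* published by the Free Software Foundation.
-*
-* This program is distributed in the hope that it will be useful, but WITHOUT
-* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License
-* for more details.
-*
-* You should have received a copy of the GNU Affero General Public License
-* along with this program. If not, see <http://www.gnu.org/licenses>.
-*
-* You can contact Medsphere Systems Corporation headquarters at 1917 Palomar
-* Oaks Way, Suite 200, Carlsbad, CA 92008 or at legal@medsphere.com.
-*/
-#ifndef AUTHDATA_H
-#define AUTHDATA_H
-
-typedef struct {
- char *user;
- char *password;
-} authdata;
-
-#endif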
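--- a/src/libopenvista/compile.sh
+++ b/src/libopenvista/compile.sh
@@ -17,7 +17,5 @@
 # You can contact Medsphere Systems Corporation headquarters at 1917 Palomar 
 # Oaks Way, Suite 200, Carlsbad, CA 92008 or at legal@medsphere.com. 
 
-gcc -c -FPIC myconv.c
-gcc -c -FPIC -I /opt/lsb-gtm/V5.3-003_i686 dopam.c
 gcc -c -FPIC -I /opt/lsb-gtm/V5.3-003_i686 gtmserver.c
-gcc -o libopenvista.so -shared myconv.o dopam.o gtmserver.o -lpam
+gcc -o libopenvista.so -shared gtmserver.o -lpam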
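--- a/src/libopenvista/dopam.c
+++ b/src/libopenvista/dopam.c
@@ -1,71 +0,0 @@
-/*
-* Copyright (C) 2009 Medsphere Systems Corporation
-*
-* This program is free software; you can redistribute it and/or modify it
-* solely under the terms of the GNU Affero General Public License version 3 as
-* published by the Free Software Foundation.
-*
-* This program is distributed in the hope that it will be useful, but WITHOUT
-* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License
-* for more details.
-*
-* You should have received a copy of the GNU Affero General Public License
-* along with this program. If not, see <http://www.gnu.org/licenses>.
-*
-* You can contact Medsphere Systems Corporation headquarters at 1917 Palomar
-* Oaks Way, Suite 200, Carlsbad, CA 92008 or at legal@medsphere.com.
-*/
-#include <stdio.h>
-
-#include <stdlib.h>
-#include <security/pam_appl.h>
-
-#include "authdata.h"
-#include "gtmxc_types.h"
-
-extern int myconv(int n, const struct pam_message **msg, struct pam_response **resp, void *data);
-
-xc_long_t dopam(int count, char *user, char *password, char *pam_mod)
-{
- int pam_err;
- pam_handle_t *pamh;
- struct pam_conv pamc;
- authdata adata;
-
- if (password && *password!='\0')
- adata.password = password;
- else
- return 0;
-
- if (user && *user!='\0')
- adata.user = user;
- else
- return 0;
-
- if (!pam_mod || *pam_mod=='\0')
- pam_mod = "openvista";
-
- /* initialize PAM */
- pamc.conv = &myconv;
- pamc.appdata_ptr = &adata;
- pam_start(pam_mod, adata.user, &pamc, &pamh);
-
- /* authenticate the applicant */
- if ((pam_err = pam_authenticate(pamh, 0)) != PAM_SUCCESS)
- goto pamerr;
- if ((pam_err = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS)
- goto pamerr;
-
- /* establish the requested credentials */
- if ((pam_err = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS)
- goto pamerr;
-
- pam_end(pamh, pam_err);
- return 1;
-
-pamerr:
- pam_end(pamh, pam_err);
- return 0;
-}
-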
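--- a/src/libopenvista/openvista.xc
+++ b/src/libopenvista/openvista.xc
@@ -1,3 +1,2 @@
 /opt/lsb-gtm/V5.3-003_i686/libopenvista.so
-dopam: xc_long_t dopam(I:xc_char_t*, I:xc_char_t*, I:xc_char_t*)
 gtmserver: xc_long_t gtmserver(I:xc_long_t, I:xc_char_t*)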
=== added directory 'src/ovauth'
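--- a/src/libopenvista/SYSAUTH.m
+++ b/src/ovauth/SYSAUTH.m
@@ -29,6 +29,13 @@
  X ^%ZOSF("EON")
  W !
  Q:PASS="^" 0
- Q $$AUTH(USER,PASS)
-AUTH(USER,PASS,MOD)
- Q $&openvista.dopam($G(USER),$G(PASS),$G(MOD))
+ ; fall through
+AUTH(USER,PASS)
+ N DEV,OLDIO,STATUS
+ S DEV="ovauth",OLDIO=$IO,STATUS="Problem opening pipe"
+ O DEV:(COMMAND=$ZTRNLNM("gtm_dist")_"/ovauth "_USER:PARSE:INDEPENDENT:EXCEPTION="G AUTHDONE")::"PIPE"
+ U DEV W PASS R STATUS
+AUTHDONE
+ U OLDIO
+ C DEV
+ Q STATUS="OK"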
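Review bot: The `U DEV W PASS R STATUS` line reads the helper's reply with no timeout, so if ovauth never emits a line the login path blocks indefinitely; ovauth's own loop waits for a newline-terminated password, and I cannot tell from this hunk whether `W PASS` on a PIPE device sends one, which is exactly the case a timed read such as `R STATUS:30` would turn into a failed authentication rather than a hang. The same READ is in AUTH in mumps/ZOSVGUX.m. Dropping the MOD formal parameter from `AUTH(USER,PASS)` is also an interface change: any caller outside this diff that still passes three arguments will now fail, which I cannot verify from here.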
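--- a/src/ovauth/compile.sh
+++ b/src/ovauth/compile.sh
@@ -0,0 +1,3 @@
+#/bin/sh
+
+gcc -O2 ovauth.c -lpam -o ovauth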
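Review bot: The first line is `#/bin/sh`, a comment rather than a shebang; `./compile.sh` from the spec file presumably works only because the invoking shell falls back to interpreting an ENOEXEC file itself, so it should read `#!/bin/sh`. Because this builds a setuid-root helper, the gcc line should also turn on warnings and the usual hardening options, e.g. `gcc -O2 -Wall -fstack-protector -D_FORTIFY_SOURCE=2 ovauth.c -lpam -o ovauth`, which would both flag the unused locals in ovauth.c's myconv() and give its fixed-size stack buffers a canary.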
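--- a/src/ovauth/ovauth.c
+++ b/src/ovauth/ovauth.c
@@ -0,0 +1,292 @@
+/*
+* Copyright (C) 2009 Medsphere Systems Corporation
+*
+* This program is free software; you can redistribute it and/or modify it
+* solely under the terms of the GNU Affero General Public License version 3 as
+* published by the Free Software Foundation.
+*
+* This program is distributed in the hope that it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License
+* for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program. If not, see <http://www.gnu.org/licenses>.
+*
+* You can contact Medsphere Systems Corporation headquarters at 1917 Palomar
+* Oaks Way, Suite 200, Carlsbad, CA 92008 or at legal@medsphere.com.
+*/
+
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <grp.h>
+#include <pwd.h>
+#include <security/pam_appl.h>
+#include <syslog.h>
+#include <stdarg.h>
+
+#define MAXPASS 200
+#define OV_GROUP "openvista"
+#define OV_USER "openvista"
+#define OV_PAM_MOD "openvista"
+
+typedef struct {
+ const char *user;
+ const char *password;
+} authdata;
+
+/* Log to syslog, and print to stdout */
+static void ov_auth_log(int priority, const char *format, ...)
+{
+ va_list args;
+ char msg[1000];
+
+ /* Print the var args to buffer */
+ va_start(args, format);
+ vsnprintf( msg, 1000, format, args );
+ va_end(args);
+
+ /* Write to syslog */
+ openlog("ovauth", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
+ syslog(priority, "%s", msg);
+ closelog();
+
+ /* Write to stdout and flush */
+ printf( "%s\n", msg );
+ fflush( stdout );
+}
+
+/* PAM conversation function */
+int myconv(int n, const struct pam_message **msg, struct pam_response **resp, void *data) {
+ struct pam_response *aresp;
+ char buf[PAM_MAX_RESP_SIZE];
+ int i;
+ int len;
+ int sysretry;
+
+ authdata *adata = (authdata *) data;
+ if (!adata) {
+ goto fail;
+ }
+
+ if (n <= 0 || n > PAM_MAX_NUM_MSG) {
+ return (PAM_CONV_ERR);
+ }
+ if ((aresp = calloc(n, sizeof *aresp)) == NULL) {
+ return (PAM_BUF_ERR);
+ }
+ for (i = 0; i < n; ++i) {
+ aresp[i].resp_retcode = 0;
+ aresp[i].resp = NULL;
+ switch (msg[i]->msg_style) {
+ case PAM_PROMPT_ECHO_OFF:
+ aresp[i].resp = strdup(adata->password);
+ if (aresp[i].resp == NULL)
+ goto fail;
+ break;
+ case PAM_PROMPT_ECHO_ON:
+ aresp[i].resp = strdup(adata->user);
+ if (aresp[i].resp == NULL)
+ goto fail;
+ break;
+ case PAM_ERROR_MSG:
+ // fall though
+ case PAM_TEXT_INFO:
+ // do nothing
+ break;
+ default:
+ goto fail;
+ }
+ }
+ *resp = aresp;
+ return (PAM_SUCCESS);
+ fail:
+ for (i = 0; i < n; ++i) {
+ if (aresp[i].resp != NULL) {
+ memset(aresp[i].resp, 0, strlen(aresp[i].resp));
+ free(aresp[i].resp);
+ }
+ }
+ memset(aresp, 0, n * sizeof *aresp);
+ *resp = NULL;
+ return (PAM_CONV_ERR);
+}
+
+int using_shadow_pw( struct passwd *pwd ) {
+ /* This logic is from the PAM module */
+ char *pass_wd;
+ if (strcmp(pwd->pw_passwd, "x") == 0) {
+ /* Password is just "x" */
+ return 1;
+ }
+ pass_wd = pwd->pw_passwd;
+ if (*(pass_wd++)=='#' && *(pass_wd++)=='#' && strcmp(pwd->pw_name, pass_wd)==0) {
+ /* Password is "##username" */
+ return 1;
+ }
+ return 0;
+}
+
+int pam_auth(const char *user, const char *pass) {
+ int pam_err;
+ pam_handle_t *pamh;
+ struct pam_conv pamc;
+ authdata adata;
+
+ adata.password = pass;
+ adata.user = user;
+
+ /* initialize PAM */
+ pamc.conv = &myconv;
+ pamc.appdata_ptr = &adata;
+ pam_start(OV_PAM_MOD, adata.user, &pamc, &pamh);
+
+ /* authenticate the applicant */
+ if ((pam_err = pam_authenticate(pamh, 0)) != PAM_SUCCESS) {
+ goto pamerr;
+ }
+ if ((pam_err = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) {
+ goto pamerr;
+ }
+
+ /* establish the requested credentials */
+ if ((pam_err = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
+ goto pamerr;
+ }
+
+ pam_end(pamh, pam_err);
+ return 1;
+
+pamerr:
+ pam_end(pamh, pam_err);
+ return 0;
+}
+
+int user_in_ov_group( struct passwd *user_pwd ) {
+ gid_t ov_gid;
+ gid_t user_gid;
+ struct group *group_struct;
+ int ngroups;
+ gid_t *groups;
+ int g_idx;
+ int ret_val = 0;
+
+ /* Get the gid for openvista group */
+ group_struct = getgrnam( OV_GROUP );
+ if (group_struct==0) {
+ ov_auth_log( LOG_ALERT, "Group %s was not found", OV_GROUP );
+ return 0;
+ }
+ ov_gid = group_struct->gr_gid;
+ user_gid = user_pwd->pw_gid;
+ if (ov_gid == user_gid) {
+ return 1;
+ }
+
+ /* Get the groups for this user. Allocate space for 20. */
+ ngroups = 20;
+ groups = malloc( ngroups * sizeof(gid_t) );
+ if (-1 == getgrouplist( user_pwd->pw_name, user_gid, groups, &ngroups )) {
+ /* User was in more than 20 groups, so reallocate and grab them all */
+ groups = realloc( groups, ngroups * sizeof(gid_t) );
+ getgrouplist( user_pwd->pw_name, user_gid, groups, &ngroups );
+ }
+ /* Scan for the group we're looking for */
+ for (g_idx=0; g_idx<ngroups; ++g_idx) {
+ if (groups[g_idx] == ov_gid) {
+ ret_val = 1;
+ break;
+ }
+ }
+ free( groups );
+ return ret_val;
+}
+
+int check_perms( struct passwd *user_pwd ) {
+ struct passwd *pwd = NULL;
+ /* Verify that user is openvista */
+ pwd = getpwuid(getuid());
+ if (pwd==0) {
+ ov_auth_log( LOG_ALERT, "Can not determine who is logged in" );
+ return 0;
+ }
+ if (strcmp(pwd->pw_name,OV_USER)!=0) {
+ ov_auth_log( LOG_NOTICE, "Can not be called by this user (%s)", pwd->pw_name );
+ return 0;
+ }
+ /* Verify that the user being authenticated is in openvista group */
+ if (!user_in_ov_group( user_pwd )) {
+ ov_auth_log( LOG_NOTICE, "User '%s' is not in %s group", user_pwd->pw_name, OV_GROUP );
+ return 0;
+ }
+ return 1;
+}
+
+int main( int argc, char *argv[] )
+{
+ int ret_val;
+ char pass[MAXPASS + 1];
+ char *user = argv[1];
+ int npass = 0;
+ struct passwd *user_pwd = NULL;
+
+ /* Make sure we're being run as intended. Provides only a usage guideline,
+ * really, not security.
+ */
+ if (isatty(STDIN_FILENO) || argc != 2 ) {
+ fprintf( stderr, "This program is not run meant to be run this way.\n" );
+ ov_auth_log( LOG_ALERT, "Run with tty stdin" );
+ return 1;
+ }
+
+ /* Read the password from stdin. We have to keep reading an appending if the
+ * message is fragmented.
+ */
+ memset(pass, '\0', MAXPASS);
+ while (1) {
+ npass += read(STDIN_FILENO, pass+npass, MAXPASS);
+ if (npass < 0) {
+ ov_auth_log( LOG_NOTICE, "Password not read" );
+ return 1;
+ } else if (npass >= MAXPASS) {
+ ov_auth_log( LOG_NOTICE, "Password too long" );
+ return 1;
+ }
+ if (pass[npass-1]=='\x0a') {
+ break;
+ }
+ }
+ pass[npass-1] = '\0';
+ user = argv[1];
+
+ /* Get the user's password info */
+ user_pwd = getpwnam( user );
+ if (user_pwd == NULL) {
+ ov_auth_log( LOG_NOTICE, "User '%s' not found", user );
+ return 1;
+ }
+
+ /* Verify that the right users are involved */
+ if (!check_perms(user_pwd)) {
+ return 1;
+ }
+
+ /* Only elevate privs if the user in question has a shadow password */
+ if (using_shadow_pw(user_pwd)) {
+ setuid( 0 );
+ }
+
+ /* Do the actual PAM authentication */
+ ret_val = pam_auth( user, pass );
+ memset(pass, '\0', MAXPASS);
+ if (ret_val==0) {
+ printf("Authentication failure\n");
+ } else {
+ printf("OK\n");
+ }
+ return (ret_val==0);
+}
+
+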
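Review bot: The stdin loop in main() can overrun `pass`: each `read()` is given a length of `MAXPASS` regardless of how much is already buffered, so a fragmented write of more than `MAXPASS - npass` bytes lands past the end of a 201-byte stack buffer in a setuid-root program, and the loop runs before check_perms() has vetted anything. Folding the return into `npass` before checking it also hides errors (a `-1` after the first fragment merely shrinks the count) and a 0 on EOF leaves the loop spinning while reading `pass[-1]`; bound each read by the remaining space, check its result first and treat EOF as a failure, as in the excerpt below. Two further defects in the same file: in myconv() the `!adata` branch jumps to `fail` while `aresp` is still uninitialized, so it should `return (PAM_CONV_ERR);` directly, and pam_auth() ignores the return of `pam_start()`, leaving `pamh` indeterminate if PAM fails to initialise. Finally, `memset(pass, '\0', MAXPASS)` after pam_auth() is a dead store the compiler may remove; clear the buffer with `explicit_bzero()` or through a `volatile` pointer so the password does not linger on the stack.
```c
    /* … unchanged: tty/argc check … */
    memset(pass, '\0', sizeof pass);
    while (1) {
        /* never read more than the space left before the terminating NUL */
        ssize_t nread = read(STDIN_FILENO, pass + npass, MAXPASS - npass);
        if (nread < 0) {
            ov_auth_log( LOG_NOTICE, "Password not read" );
            return 1;
        }
        if (nread == 0) {
            /* EOF before a newline: the caller closed the pipe early */
            ov_auth_log( LOG_NOTICE, "Password not terminated" );
            return 1;
        }
        npass += nread;
        if (npass >= MAXPASS) {
            ov_auth_log( LOG_NOTICE, "Password too long" );
            return 1;
        }
        if (pass[npass-1]=='\x0a') {
            break;
        }
    }
    pass[npass-1] = '\0';
    /* … unchanged: getpwnam / check_perms / pam_auth … */
```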
