Merge lp:~jeff-apple/openvista-gtm-integration/bug385746 into lp:openvista-gtm-integration

Proposed by jeff.apple
Status: Merged
Merged at revision: not available
Proposed branch: lp:~jeff-apple/openvista-gtm-integration/bug385746
Merge into: lp:openvista-gtm-integration
Diff against target: None lines
To merge this branch: bzr merge lp:~jeff-apple/openvista-gtm-integration/bug385746
Reviewer Review Type Date Requested Status
OpenVista/GT.M Integration Team Pending
Review via email: mp+7526@code.launchpad.net
jeff.apple (jeff-apple) wrote :

The packaging parts may not be quite up to snuff. Jon should pay special attention to that.

Jon Tai (jontai) wrote :

In src/libopenvista/compile.sh, can you remove the -lpam flag?

In packages/rpm/openvista-libs-5.3003.spec, I'm thinking ovauth may be better in /sbin like unix_chkpwd, or at least /usr/sbin. It definitely should not be installed chgrp gtm, since it has nothing to do with GT.M. Perhaps chgrp openvista would be more appropriate?

In src/ovauth/ovauth.c, "reading an appending" should be "reading and appending".

Finally, should we test this on an LDAP and a non-LDAP machine before merging?

66. By jeff.apple

Change install location of ovauth binary
Make ovauth be in group openvista
Remove PAM library dependency in libopenvista

Preview Diff

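--- a/mumps/ZOSVGUX.m
+++ b/mumps/ZOSVGUX.m
@@ -71,7 +71,14 @@
  Q 1 ; until we fix this, we're never in application mode
  ;
 AUTH(USER,PASS) ;
- Q $&openvista.dopam($G(USER),$G(PASS),"openvista")
+ N DEV,OLDIO,STATUS
+ S DEV="ovauth",OLDIO=$IO,STATUS="Problem opening pipe"
+ O DEV:(COMMAND=$ZTRNLNM("gtm_dist")_"/ovauth "_USER:PARSE:INDEPENDENT:EXCEPTION="G AUTHDONE")::"PIPE"
+ U DEV W PASS R STATUS
+AUTHDONE
+ U OLDIO
+ C DEV
+ Q STATUS="OK"
 UCI ;
  S Y=^%ZOSF("PROD") Q
  ;
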
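Review bot: `USER` is interpolated unvalidated into the PIPE command string in `COMMAND=$ZTRNLNM("gtm_dist")_"/ovauth "_USER`; whether or not PARSE keeps a shell out of the picture, a value containing whitespace or metacharacters changes the argv that ovauth receives, so restrict it at the boundary, e.g. `Q:USER'?1.(1A,1N,1"_",1".",1"-") 0` before the OPEN (ovauth's `argc != 2` check turns extra words into a refusal, but the validation belongs on the caller's side). `W PASS` is also issued without `!`, while ovauth reads until it sees a newline; if GT.M does not add a line terminator on the PIPE here the C side never returns, so `W PASS,!` would make the framing explicit. The same two lines appear in AUTH^SYSAUTH in src/ovauth/SYSAUTH.m. The EXCEPTION path does the right thing: STATUS stays "Problem opening pipe" and the routine fails closed.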
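--- a/packages/rpm/openvista-libs-5.3003.spec
+++ b/packages/rpm/openvista-libs-5.3003.spec
@@ -49,6 +49,11 @@
 cd src/suidwrapper
 ./compile.sh
 
+cd ../../
+
+cd src/ovauth
+./compile.sh
+
 %install
 rm -rf %{buildroot}
 
@@ -56,6 +61,7 @@
 install -m 550 src/libopenvista/libopenvista.so %{buildroot}%{gtm_dist}
 install -m 440 src/libopenvista/openvista.xc %{buildroot}%{gtm_dist}
 install -m 4550 src/suidwrapper/gtmsignal %{buildroot}%{gtm_dist}
+install -m 4550 src/ovauth/ovauth %{buildroot}%{gtm_dist}
 
 %clean
 rm -rf %{buildroot}
@@ -71,6 +77,7 @@
 %{gtm_dist}/openvista.xc
 %defattr(-,root,gtm)
 %{gtm_dist}/gtmsignal
+%{gtm_dist}/ovauth
 
 %post
 # See http://fedoraproject.org/wiki/PackagingDrafts/SELinux
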
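Review bot: `%{gtm_dist}/ovauth` is added under `%defattr(-,root,gtm)`, so as shown the setuid binary is installed root:gtm with mode 4550, i.e. executable by the gtm group rather than the openvista group that revision 66's message ("Make ovauth be in group openvista") describes. An explicit `%attr(4550,root,openvista) %{gtm_dist}/ovauth` in the %files list would pin ownership independent of the surrounding %defattr. check_perms() in ovauth.c refuses callers other than the openvista user, which is a useful second layer, but the filesystem mode is what keeps the setuid entry point from being reachable by unrelated accounts in the first place.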
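--- a/src/libopenvista/authdata.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
-* Copyright (C) 2009 Medsphere Systems Corporation
-*
-* This program is free software; you can redistribute it and/or modify it
-* solely under the terms of the GNU Affero General Public License version 3 as
-* published by the Free Software Foundation.
-*
-* This program is distributed in the hope that it will be useful, but WITHOUT
-* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License
-* for more details.
-*
-* You should have received a copy of the GNU Affero General Public License
-* along with this program. If not, see <http://www.gnu.org/licenses>.
-*
-* You can contact Medsphere Systems Corporation headquarters at 1917 Palomar
-* Oaks Way, Suite 200, Carlsbad, CA 92008 or at legal@medsphere.com.
-*/
-#ifndef AUTHDATA_H
-#define AUTHDATA_H
-
-typedef struct {
- char *user;
- char *password;
-} authdata;
-
-#endif
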
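--- a/src/libopenvista/compile.sh
+++ b/src/libopenvista/compile.sh
@@ -17,7 +17,5 @@
 # You can contact Medsphere Systems Corporation headquarters at 1917 Palomar
 # Oaks Way, Suite 200, Carlsbad, CA 92008 or at legal@medsphere.com.
 
-gcc -c -FPIC myconv.c
-gcc -c -FPIC -I /opt/lsb-gtm/V5.3-003_i686 dopam.c
 gcc -c -FPIC -I /opt/lsb-gtm/V5.3-003_i686 gtmserver.c
-gcc -o libopenvista.so -shared myconv.o dopam.o gtmserver.o -lpam
+gcc -o libopenvista.so -shared gtmserver.o -lpam
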
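--- a/src/libopenvista/dopam.c
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
-* Copyright (C) 2009 Medsphere Systems Corporation
-*
-* This program is free software; you can redistribute it and/or modify it
-* solely under the terms of the GNU Affero General Public License version 3 as
-* published by the Free Software Foundation.
-*
-* This program is distributed in the hope that it will be useful, but WITHOUT
-* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License
-* for more details.
-*
-* You should have received a copy of the GNU Affero General Public License
-* along with this program. If not, see <http://www.gnu.org/licenses>.
-*
-* You can contact Medsphere Systems Corporation headquarters at 1917 Palomar
-* Oaks Way, Suite 200, Carlsbad, CA 92008 or at legal@medsphere.com.
-*/
-#include <stdio.h>
-
-#include <stdlib.h>
-#include <security/pam_appl.h>
-
-#include "authdata.h"
-#include "gtmxc_types.h"
-
-extern int myconv(int n, const struct pam_message **msg, struct pam_response **resp, void *data);
-
-xc_long_t dopam(int count, char *user, char *password, char *pam_mod)
-{
- int pam_err;
- pam_handle_t *pamh;
- struct pam_conv pamc;
- authdata adata;
-
- if (password && *password!='\0')
- adata.password = password;
- else
- return 0;
-
- if (user && *user!='\0')
- adata.user = user;
- else
- return 0;
-
- if (!pam_mod || *pam_mod=='\0')
- pam_mod = "openvista";
-
- /* initialize PAM */
- pamc.conv = &myconv;
- pamc.appdata_ptr = &adata;
- pam_start(pam_mod, adata.user, &pamc, &pamh);
-
- /* authenticate the applicant */
- if ((pam_err = pam_authenticate(pamh, 0)) != PAM_SUCCESS)
- goto pamerr;
- if ((pam_err = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS)
- goto pamerr;
-
- /* establish the requested credentials */
- if ((pam_err = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS)
- goto pamerr;
-
- pam_end(pamh, pam_err);
- return 1;
-
-pamerr:
- pam_end(pamh, pam_err);
- return 0;
-}
-
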
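--- a/src/libopenvista/openvista.xc
+++ b/src/libopenvista/openvista.xc
@@ -1,3 +1,2 @@
 /opt/lsb-gtm/V5.3-003_i686/libopenvista.so
-dopam: xc_long_t dopam(I:xc_char_t*, I:xc_char_t*, I:xc_char_t*)
 gtmserver: xc_long_t gtmserver(I:xc_long_t, I:xc_char_t*)
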
182=== added directory 'src/ovauth'
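--- a/src/libopenvista/SYSAUTH.m
+++ b/src/ovauth/SYSAUTH.m
@@ -29,6 +29,13 @@
  X ^%ZOSF("EON")
  W !
  Q:PASS="^" 0
- Q $$AUTH(USER,PASS)
-AUTH(USER,PASS,MOD)
- Q $&openvista.dopam($G(USER),$G(PASS),$G(MOD))
+ ; fall through
+AUTH(USER,PASS)
+ N DEV,OLDIO,STATUS
+ S DEV="ovauth",OLDIO=$IO,STATUS="Problem opening pipe"
+ O DEV:(COMMAND=$ZTRNLNM("gtm_dist")_"/ovauth "_USER:PARSE:INDEPENDENT:EXCEPTION="G AUTHDONE")::"PIPE"
+ U DEV W PASS R STATUS
+AUTHDONE
+ U OLDIO
+ C DEV
+ Q STATUS="OK"
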
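--- /dev/null
+++ b/src/ovauth/compile.sh
@@ -0,0 +1,3 @@
+#/bin/sh
+
+gcc -O2 ovauth.c -lpam -o ovauth
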
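Review bot: The first line `#/bin/sh` is a plain comment, not a shebang; the script presumably only runs because the calling shell falls back to interpreting it itself when exec fails. Write `#!/bin/sh`. Since this builds a setuid binary, `gcc -O2 -Wall -Wextra ovauth.c -lpam -o ovauth` is also worth the extra flags: they would at least surface the unused locals (`buf`, `len`, `sysretry`) in myconv() and the possibly-uninitialized `aresp` on its `fail:` path.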
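--- /dev/null
+++ b/src/ovauth/ovauth.c
@@ -0,0 +1,292 @@
+/*
+* Copyright (C) 2009 Medsphere Systems Corporation
+*
+* This program is free software; you can redistribute it and/or modify it
+* solely under the terms of the GNU Affero General Public License version 3 as
+* published by the Free Software Foundation.
+*
+* This program is distributed in the hope that it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License
+* for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program. If not, see <http://www.gnu.org/licenses>.
+*
+* You can contact Medsphere Systems Corporation headquarters at 1917 Palomar
+* Oaks Way, Suite 200, Carlsbad, CA 92008 or at legal@medsphere.com.
+*/
+
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <grp.h>
+#include <pwd.h>
+#include <security/pam_appl.h>
+#include <syslog.h>
+#include <stdarg.h>
+
+#define MAXPASS 200
+#define OV_GROUP "openvista"
+#define OV_USER "openvista"
+#define OV_PAM_MOD "openvista"
+
+typedef struct {
+ const char *user;
+ const char *password;
+} authdata;
+
+/* Log to syslog, and print to stdout */
+static void ov_auth_log(int priority, const char *format, ...)
+{
+ va_list args;
+ char msg[1000];
+
+ /* Print the var args to buffer */
+ va_start(args, format);
+ vsnprintf( msg, 1000, format, args );
+ va_end(args);
+
+ /* Write to syslog */
+ openlog("ovauth", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
+ syslog(priority, "%s", msg);
+ closelog();
+
+ /* Write to stdout and flush */
+ printf( "%s\n", msg );
+ fflush( stdout );
+}
+
+/* PAM conversation function */
+int myconv(int n, const struct pam_message **msg, struct pam_response **resp, void *data) {
+ struct pam_response *aresp;
+ char buf[PAM_MAX_RESP_SIZE];
+ int i;
+ int len;
+ int sysretry;
+
+ authdata *adata = (authdata *) data;
+ if (!adata) {
+ goto fail;
+ }
+
+ if (n <= 0 || n > PAM_MAX_NUM_MSG) {
+ return (PAM_CONV_ERR);
+ }
+ if ((aresp = calloc(n, sizeof *aresp)) == NULL) {
+ return (PAM_BUF_ERR);
+ }
+ for (i = 0; i < n; ++i) {
+ aresp[i].resp_retcode = 0;
+ aresp[i].resp = NULL;
+ switch (msg[i]->msg_style) {
+ case PAM_PROMPT_ECHO_OFF:
+ aresp[i].resp = strdup(adata->password);
+ if (aresp[i].resp == NULL)
+ goto fail;
+ break;
+ case PAM_PROMPT_ECHO_ON:
+ aresp[i].resp = strdup(adata->user);
+ if (aresp[i].resp == NULL)
+ goto fail;
+ break;
+ case PAM_ERROR_MSG:
+ // fall though
+ case PAM_TEXT_INFO:
+ // do nothing
+ break;
+ default:
+ goto fail;
+ }
+ }
+ *resp = aresp;
+ return (PAM_SUCCESS);
+ fail:
+ for (i = 0; i < n; ++i) {
+ if (aresp[i].resp != NULL) {
+ memset(aresp[i].resp, 0, strlen(aresp[i].resp));
+ free(aresp[i].resp);
+ }
+ }
+ memset(aresp, 0, n * sizeof *aresp);
+ *resp = NULL;
+ return (PAM_CONV_ERR);
+}
+
+int using_shadow_pw( struct passwd *pwd ) {
+ /* This logic is from the PAM module */
+ char *pass_wd;
+ if (strcmp(pwd->pw_passwd, "x") == 0) {
+ /* Password is just "x" */
+ return 1;
+ }
+ pass_wd = pwd->pw_passwd;
+ if (*(pass_wd++)=='#' && *(pass_wd++)=='#' && strcmp(pwd->pw_name, pass_wd)==0) {
+ /* Password is "##username" */
+ return 1;
+ }
+ return 0;
+}
+
+int pam_auth(const char *user, const char *pass) {
+ int pam_err;
+ pam_handle_t *pamh;
+ struct pam_conv pamc;
+ authdata adata;
+
+ adata.password = pass;
+ adata.user = user;
+
+ /* initialize PAM */
+ pamc.conv = &myconv;
+ pamc.appdata_ptr = &adata;
+ pam_start(OV_PAM_MOD, adata.user, &pamc, &pamh);
+
+ /* authenticate the applicant */
+ if ((pam_err = pam_authenticate(pamh, 0)) != PAM_SUCCESS) {
+ goto pamerr;
+ }
+ if ((pam_err = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) {
+ goto pamerr;
+ }
+
+ /* establish the requested credentials */
+ if ((pam_err = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
+ goto pamerr;
+ }
+
+ pam_end(pamh, pam_err);
+ return 1;
+
+pamerr:
+ pam_end(pamh, pam_err);
+ return 0;
+}
+
+int user_in_ov_group( struct passwd *user_pwd ) {
+ gid_t ov_gid;
+ gid_t user_gid;
+ struct group *group_struct;
+ int ngroups;
+ gid_t *groups;
+ int g_idx;
+ int ret_val = 0;
+
+ /* Get the gid for openvista group */
+ group_struct = getgrnam( OV_GROUP );
+ if (group_struct==0) {
+ ov_auth_log( LOG_ALERT, "Group %s was not found", OV_GROUP );
+ return 0;
+ }
+ ov_gid = group_struct->gr_gid;
+ user_gid = user_pwd->pw_gid;
+ if (ov_gid == user_gid) {
+ return 1;
+ }
+
+ /* Get the groups for this user. Allocate space for 20. */
+ ngroups = 20;
+ groups = malloc( ngroups * sizeof(gid_t) );
+ if (-1 == getgrouplist( user_pwd->pw_name, user_gid, groups, &ngroups )) {
+ /* User was in more than 20 groups, so reallocate and grab them all */
+ groups = realloc( groups, ngroups * sizeof(gid_t) );
+ getgrouplist( user_pwd->pw_name, user_gid, groups, &ngroups );
+ }
+ /* Scan for the group we're looking for */
+ for (g_idx=0; g_idx<ngroups; ++g_idx) {
+ if (groups[g_idx] == ov_gid) {
+ ret_val = 1;
+ break;
+ }
+ }
+ free( groups );
+ return ret_val;
+}
+
+int check_perms( struct passwd *user_pwd ) {
+ struct passwd *pwd = NULL;
+ /* Verify that user is openvista */
+ pwd = getpwuid(getuid());
+ if (pwd==0) {
+ ov_auth_log( LOG_ALERT, "Can not determine who is logged in" );
+ return 0;
+ }
+ if (strcmp(pwd->pw_name,OV_USER)!=0) {
+ ov_auth_log( LOG_NOTICE, "Can not be called by this user (%s)", pwd->pw_name );
+ return 0;
+ }
+ /* Verify that the user being authenticated is in openvista group */
+ if (!user_in_ov_group( user_pwd )) {
+ ov_auth_log( LOG_NOTICE, "User '%s' is not in %s group", user_pwd->pw_name, OV_GROUP );
+ return 0;
+ }
+ return 1;
+}
+
+int main( int argc, char *argv[] )
+{
+ int ret_val;
+ char pass[MAXPASS + 1];
+ char *user = argv[1];
+ int npass = 0;
+ struct passwd *user_pwd = NULL;
+
+ /* Make sure we're being run as intended. Provides only a usage guideline,
+ * really, not security.
+ */
+ if (isatty(STDIN_FILENO) || argc != 2 ) {
+ fprintf( stderr, "This program is not run meant to be run this way.\n" );
+ ov_auth_log( LOG_ALERT, "Run with tty stdin" );
+ return 1;
+ }
+
+ /* Read the password from stdin. We have to keep reading an appending if the
+ * message is fragmented.
+ */
+ memset(pass, '\0', MAXPASS);
+ while (1) {
+ npass += read(STDIN_FILENO, pass+npass, MAXPASS);
+ if (npass < 0) {
+ ov_auth_log( LOG_NOTICE, "Password not read" );
+ return 1;
+ } else if (npass >= MAXPASS) {
+ ov_auth_log( LOG_NOTICE, "Password too long" );
+ return 1;
+ }
+ if (pass[npass-1]=='\x0a') {
+ break;
+ }
+ }
+ pass[npass-1] = '\0';
+ user = argv[1];
+
+ /* Get the user's password info */
+ user_pwd = getpwnam( user );
+ if (user_pwd == NULL) {
+ ov_auth_log( LOG_NOTICE, "User '%s' not found", user );
+ return 1;
+ }
+
+ /* Verify that the right users are involved */
+ if (!check_perms(user_pwd)) {
+ return 1;
+ }
+
+ /* Only elevate privs if the user in question has a shadow password */
+ if (using_shadow_pw(user_pwd)) {
+ setuid( 0 );
+ }
+
+ /* Do the actual PAM authentication */
+ ret_val = pam_auth( user, pass );
+ memset(pass, '\0', MAXPASS);
+ if (ret_val==0) {
+ printf("Authentication failure\n");
+ } else {
+ printf("OK\n");
+ }
+ return (ret_val==0);
+}
+
+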
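Review bot: The password read loop in main() can overflow `pass`: every iteration asks read() for MAXPASS bytes at offset npass, so a second fragment can run past the MAXPASS+1-byte buffer, and the `npass >= MAXPASS` check only runs after the bytes have landed. `npass += read(...)` also folds a -1 into the running count, so the `npass < 0` test catches an error only on the first iteration, and a read() of 0 (EOF with no newline) either spins or, when nothing has been read, indexes pass[-1]. Request only the remaining space, keep read()'s return separate from the count and treat EOF as a failure, as in the excerpt below. Separately, pam_auth() ignores the return of `pam_start`, so `pamh` is indeterminate when it fails, myconv() jumps to `fail:` (which walks `aresp`) before `aresp` is allocated when `data` is NULL, and the `setuid( 0 )` result is unchecked; each should be tested and treated as an authentication failure. Because the binary is installed setuid (see the spec change), all of these paths are reachable from the unprivileged caller.
```c
    /* Read the password from stdin. We have to keep reading and appending if the
     * message is fragmented.
     */
    memset(pass, '\0', sizeof pass);
    while (1) {
        ssize_t r = read(STDIN_FILENO, pass + npass, MAXPASS - npass);
        if (r < 0) {
            ov_auth_log( LOG_NOTICE, "Password not read" );
            return 1;
        }
        if (r == 0) {
            /* EOF before a newline: refuse rather than loop or index pass[-1] */
            ov_auth_log( LOG_NOTICE, "Password not terminated" );
            return 1;
        }
        npass += r;
        if (pass[npass-1]=='\x0a') {
            break;
        }
        if (npass >= MAXPASS) {
            ov_auth_log( LOG_NOTICE, "Password too long" );
            return 1;
        }
    }
    pass[npass-1] = '\0';
    /* … unchanged: user lookup, check_perms, setuid, pam_auth … */
```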
