
lcmaps_posix.c

00001 /*                                                                                                            
00002  * Copyright (c) Members of the EGEE Collaboration. 2004.
00003  * See http://eu-egee.org/partners/ for details on the copyright holders.
00004  * For license conditions see the license file or
00005  * http://eu-egee.org/license.html
00006  */
00007 
00008 /*
00009  * Copyright (c) 2001 EU DataGrid.                                                                             
00010  * For license conditions see http://www.eu-datagrid.org/license.html                                          
00011  *
00012  * Copyright (c) 2001, 2002 by 
00013  *     Martijn Steenbakkers <martijn@nikhef.nl>,
00014  *     David Groep <davidg@nikhef.nl>,
00015  *     NIKHEF Amsterdam, the Netherlands
00016  */
00017 
00119 /*****************************************************************************
00120                             Include header files
00121 ******************************************************************************/
00122 #include "lcmaps_config.h"
00123 #include <stdio.h>
00124 #include <stdlib.h>
00125 #include <string.h>
00126 #include <pwd.h>
00127 #include <grp.h>
00128 #include <ctype.h>
00129 #include <unistd.h>
00130 #include <sys/types.h>
00131 #include <errno.h>
00132 
00133 #include "lcmaps_modules.h"
00134 #include "lcmaps_arguments.h"
00135 #include "lcmaps_cred_data.h"
00136 /******************************************************************************
00137                                 Definitions
00138 ******************************************************************************/
00139 
00140 #define MAX_UNDEFINED ((int)(-1))
00141 
00142 #ifndef NGROUPS
00143     #ifdef NGROUPS_MAX
00144         #define NGROUPS NGROUPS_MAX
00145     #else
00146         #define NGROUPS 32 
00147     #endif
00148 #endif
00149 
00150 /* 
00151  * MAX_NGROUPS has also been used. I couldn't see in the source if it was
00152  * a self made define in the code or that it was OS specific.
00153  */
00154 
00155 #ifndef MAX_LOG_BUFFER_SIZE
00156     #define MAX_LOG_BUFFER_SIZE 500
00157 #endif
00158 
00159 /******************************************************************************
00160                           Module specific prototypes
00161 ******************************************************************************/
00162 
00163 static int log_cred (
00164     char  *dn, 
00165     uid_t *uid, 
00166     int    cntUid, 
00167     gid_t *priGid, 
00168     int    cntPriGid, 
00169     gid_t *secGid, 
00170     int    cntSecGid
00171 );
00172 
00173 
00174 /******************************************************************************
00175                        Define module specific variables
00176 ******************************************************************************/
00177 
00178 static int maxuid  = MAX_UNDEFINED; /* "-maxuid N": plugin_run() fails when more than N uids were gathered; MAX_UNDEFINED disables the check */
00179 static int maxpgid = MAX_UNDEFINED; /* "-maxpgid N": same limit for the primary gids */
00180 static int maxsgid = MAX_UNDEFINED; /* "-maxsgid N": same limit for the secondary gids; plugin_initialize() rejects N > NGROUPS */
00181 static int set_only_euid = 0;       /* "-set_only_euid yes": plugin_run() calls setreuid(-1, uid[0]), so the real uid is left unchanged (root at that point, per its getuid() check) */
00182 static int set_only_egid = 0;       /* "-set_only_egid yes": plugin_run() calls setregid(-1, priGid[0]), so the real gid is left unchanged */
00183 
00184 
00185 
00186 /******************************************************************************
00187 Function:   log_cred
00188 Description:
00189     Makes a log of the Enforceable credential data
00190 Parameters:
00191     *dn        : Distinguished Name
00192     *uid       : list of uid_t
00193     cntUid     : amount of uids (usually only one)
00194     *priGid    : list of primary gid_t
00195     cntPriGid  : amount of primary gids (usually only one)
00196     *secGid    : list of secondary gid_t
00197     cntSecGid  : amount of secondary gids (0 to (NGROUPS || 32))
00198 
00199 Returns:
00200     0: success
00201     1: failure
00202 ******************************************************************************/
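/*
 * Book one snprintf() result against the credential log buffer.
 *
 * written   : return value of the snprintf() call that wrote at *cursor
 * cursor    : current write position, advanced on success
 * remaining : bytes still free at *cursor (including room for the NUL),
 *             reduced on success
 *
 * Returns 0 when the fragment fitted, 1 when snprintf() failed or the
 * fragment was truncated (both cases are logged).
 */
static int log_cred_advance(const char *logstr, int written, char **cursor, int *remaining)
{
    if (written < 0)
    {
        lcmaps_log(0,"%s: error in snprintf()\n",logstr);
        return 1;
    }
    if ((written + 1) > *remaining)
    {
        lcmaps_log(0,"%s: could not write all characters into credential log string\n",logstr);
        lcmaps_log(0,"%s: excess of characters: %d\n",logstr,written+1-*remaining);
        return 1;
    }
    *cursor    += written;
    *remaining -= written;
    return 0;
}

/* Append a fixed label such as "uid=" to the log buffer; 0 on success, 1 on failure. */
static int log_cred_put_text(const char *logstr, const char *text, char **cursor, int *remaining)
{
    int written = snprintf(*cursor, (size_t) *remaining, "%s", text);

    return log_cred_advance(logstr, written, cursor, remaining);
}

/*
 * Append "<separator><id>(<name>)" to the log buffer; a NULL name is shown
 * as "n\a". Returns 0 on success, 1 on failure.
 */
static int log_cred_put_id(const char *logstr, const char *separator, int id,
                           const char *name, char **cursor, int *remaining)
{
    int written = snprintf(*cursor, (size_t) *remaining, "%s%d(%s)",
                           separator, id, (name != NULL) ? name : "n\\a");

    return log_cred_advance(logstr, written, cursor, remaining);
}

/*
 * Write one log line describing the credentials the process currently runs
 * with: "uid=..:pgid=..:sgid=..".
 *
 * The uid and (when cntPriGid == 1) the primary gid are read back from the
 * process itself (effective ids when set_only_euid / set_only_egid are set,
 * real ids otherwise), and the secondary gids come from getgroups(), so the
 * line records what was actually enforced rather than what was requested.
 * dn, uid, cntUid and secGid are not read; cntSecGid is only compared with
 * the getgroups() count for a debug message.
 *
 * The line is built in a MAX_LOG_BUFFER_SIZE buffer; if it does not fit the
 * function fails instead of logging a truncated credential line.
 *
 * Returns:
 *     0: success
 *     1: failure (allocation, snprintf(), getgroups() or buffer space)
 */
static int log_cred (char  *dn,
                     uid_t *uid,
                     int    cntUid,
                     gid_t *priGid,
                     int    cntPriGid,
                     gid_t *secGid,
                     int    cntSecGid)
{
    char * logstr = "    lcmaps_plugin_posix_enf-log_cred()";

    struct passwd *  user_info = NULL;
    struct group  *  grp_info = NULL;

    char *           logbuf = NULL;
    char *           bufptr = NULL;
    int              buflen = MAX_LOG_BUFFER_SIZE;
    gid_t *          list = NULL;
    int              ngroups;
    int              nfetched;
    int              i;
    int              rc = 1;
    uid_t            found_uid;
    gid_t            found_gid;

    logbuf = malloc(MAX_LOG_BUFFER_SIZE);
    if (logbuf == NULL)
    {
        lcmaps_log(0,"%s: out of memory\n",logstr);
        goto cleanup;
    }
    logbuf[0] = '\0';
    bufptr = logbuf;

    // First the uid, as the process has it now
    if (log_cred_put_text(logstr, "uid=", &bufptr, &buflen) != 0)
        goto cleanup;

    found_uid = set_only_euid ? geteuid() : getuid();
    user_info = getpwuid(found_uid);
    // The cast keeps the original "%d" rendering while matching the format's argument type
    if (log_cred_put_id(logstr, "", (int) found_uid,
                        (user_info != NULL) ? user_info->pw_name : NULL,
                        &bufptr, &buflen) != 0)
        goto cleanup;

    // Then the primary gid.
    // If cntPriGid==1 the gid is fetched from the process; otherwise (should
    // never happen) the list of primary gids that was passed in is printed.
    if (log_cred_put_text(logstr, ":pgid=", &bufptr, &buflen) != 0)
        goto cleanup;

    if (cntPriGid == 1)
    {
        found_gid = set_only_egid ? getegid() : getgid();
        grp_info = getgrgid(found_gid);
        if (log_cred_put_id(logstr, "", (int) found_gid,
                            (grp_info != NULL) ? grp_info->gr_name : NULL,
                            &bufptr, &buflen) != 0)
            goto cleanup;
    }
    else
    {
        for (i = 0; (priGid != NULL) && (i < cntPriGid); i++)
        {
            found_gid = priGid[i];
            grp_info = getgrgid(found_gid);
            if (log_cred_put_id(logstr, (i == 0) ? "" : ",", (int) found_gid,
                                (grp_info != NULL) ? grp_info->gr_name : NULL,
                                &bufptr, &buflen) != 0)
                goto cleanup;
        }
    }

    // Finally the secondary gids
    // Only the groups from getgroups() are printed.
    // NOTE: These may contain also effective/real primary gids !
    ngroups = getgroups(0, NULL);
    if (ngroups < 0)
    {
        // This check used to sit inside the "ngroups > 0" branch, where it could never fire
        lcmaps_log(0,"%s: error in getgroups() (failure)\n",logstr);
        goto cleanup;
    }
    if (ngroups > 0)
    {
        if (ngroups != cntSecGid)
        {
            lcmaps_log_debug(1,"%s: something strange going on, the number of sec. gids from getgroups() (%d)\n",logstr,ngroups);
            lcmaps_log_debug(1,"%s: differs from the number of gids set (cntSecGid=%d)\n",logstr,cntSecGid);
        }
        list = malloc((size_t) ngroups * sizeof *list);
        if (list == NULL)
        {
            lcmaps_log(0,"%s: out of memory\n",logstr);
            goto cleanup;
        }
        // Iterate over what the second call really returned, not over the first count
        nfetched = getgroups(ngroups, list);
        if (nfetched > 0)
        {
            if (log_cred_put_text(logstr, ":sgid=", &bufptr, &buflen) != 0)
                goto cleanup;
            for (i = 0; i < nfetched; i++)
            {
                grp_info = getgrgid(list[i]);
                if (log_cred_put_id(logstr, (i == 0) ? "" : ",", (int) list[i],
                                    (grp_info != NULL) ? grp_info->gr_name : NULL,
                                    &bufptr, &buflen) != 0)
                    goto cleanup;
            }
        }
        else
        {
            lcmaps_log_debug(1,"%s: second getgroups() call returned %d, no sec. gids logged\n",logstr,nfetched);
        }
    }
    lcmaps_log_debug(5,"%s: At the end we still have %d spaces left in the buffer\n", logstr, buflen);

    lcmaps_log_time(LOG_INFO, "%s: %s\n", logstr, logbuf);

    rc = 0;

 cleanup:
    // Single exit so that neither buffer leaks on the error paths
    free(list);
    free(logbuf);
    return rc;
}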
00464 
00465 
00466 
00467 /******************************************************************************
00468 Function:   plugin_initialize
00469 Description:
00470     Initialize plugin
00471 Parameters:
00472     argc, argv
00473     argv[0]: the name of the plugin
00474 Returns:
00475     LCMAPS_MOD_SUCCESS : success
00476     LCMAPS_MOD_FAIL    : failure
00477     LCMAPS_MOD_NOFILE  : db file not found (will halt LCMAPS initialization)
00478 ******************************************************************************/
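/*
 * Convert a non-empty string of decimal digits to an int.
 *
 * Returns 0 and stores the number in *value on success, 1 when the string
 * contains a character that is not a digit, 2 when the number does not fit
 * in an int. *value is left untouched on failure.
 */
static int posix_parse_count(const char *text, int *value)
{
    /* Largest int value, assuming int has no padding bits (avoids <limits.h>) */
    const unsigned int limit = ~0u >> 1;
    unsigned int acc = 0;
    int overflow = 0;
    size_t k;

    for (k = 0; text[k] != '\0'; k++)
    {
        unsigned int digit;

        /* isdigit() is undefined for negative char values, hence the cast */
        if (!isdigit((unsigned char) text[k]))
            return 1;
        digit = (unsigned int) (text[k] - '0');
        if (!overflow)
        {
            if (acc > (limit - digit) / 10u)
                overflow = 1;   /* keep scanning so a bad character is still reported first */
            else
                acc = acc * 10u + digit;
        }
    }
    if (overflow)
        return 2;
    *value = (int) acc;
    return 0;
}

/*
 * Initialize the plugin from its configuration arguments.
 *
 * argv[0] is the plugin name. Recognised options, each followed by a value:
 *     -maxuid N  / -MAXUID N    limit on the number of uids
 *     -maxpgid N / -MAXPGID N   limit on the number of primary gids
 *     -maxsgid N / -MAXSGID N   limit on the number of secondary gids
 *     -set_only_euid yes|no
 *     -set_only_egid yes|no
 * Each -max* option is taken once; the values are stored in the module
 * variables maxuid, maxpgid, maxsgid, set_only_euid and set_only_egid.
 *
 * Returns:
 *     LCMAPS_MOD_SUCCESS : success
 *     LCMAPS_MOD_FAIL    : a value is missing, not a number, too large, or
 *                          maxsgid exceeds NGROUPS
 */
int plugin_initialize(
        int argc,
        char ** argv
)
{
    int i;
    int status;
    char * logstr = "\tlcmaps_plugin_posix_enf-plugin_initialize()";

    lcmaps_log_debug(1,"%s: passed arguments:\n", logstr);
    for (i=0; i < argc; i++)
    {
       lcmaps_log_debug(2,"%s: arg %d is %s\n", logstr, i, argv[i]);
    }

    /*
     * Parse arguments, argv[0] = name of plugin, so start with i = 1
     */
    for (i = 1; i < argc; i++)
    {
        // setting maxuid parameter from init plugin arguments
        if ( (((strcmp(argv[i], "-maxuid") == 0) ||
             (strcmp(argv[i], "-MAXUID") == 0)) &&
             (maxuid == MAX_UNDEFINED))
             && (i + 1 < argc) )
        {
            if ((argv[i + 1] != NULL) && (argv[i + 1][0] != '\0'))
            {
                 lcmaps_log_debug(2,"%s: Checking if argument behind \"-maxuid\" is a number\n", logstr);
                 status = posix_parse_count(argv[i + 1], &maxuid);
                 if (status == 1)
                 {
                     lcmaps_log(0,"%s\tError: maybe found some digits, but there is at least one char corrupting this parameter: %s\n", logstr, argv[i + 1]);
                     maxuid = -1;
                     goto fail_posix;
                 }
                 if (status == 2)
                 {
                     maxuid = -1;
                     goto fail_range;
                 }
            }
            else
            {
                lcmaps_log(0,"%s: no argument found for %s (failure)\n", logstr, argv[i]);
                goto fail_posix;
            }
            i++;
        }

        // setting maxpgid parameter from init plugin arguments
        else if ( (((strcmp(argv[i], "-maxpgid") == 0) ||
             (strcmp(argv[i], "-MAXPGID") == 0)) &&
             (maxpgid == MAX_UNDEFINED))
             && (i + 1 < argc) )
        {
            if ((argv[i + 1] != NULL) && (argv[i + 1][0] != '\0'))
            {
                 lcmaps_log_debug(2,"%s: Checking if argument behind \"-maxpgid\" is a number\n", logstr);
                 status = posix_parse_count(argv[i + 1], &maxpgid);
                 if (status == 1)
                 {
                     lcmaps_log(0,"%s\tError: maybe found some digits, but there is at least one char corrupting this parameter: %s\n", logstr, argv[i + 1]);
                     maxpgid = -1;
                     goto fail_posix;
                 }
                 if (status == 2)
                 {
                     maxpgid = -1;
                     goto fail_range;
                 }
            }
            else
            {
                lcmaps_log(0,"%s: no argument found for %s (failure)\n", logstr, argv[i]);
                goto fail_posix;
            }
            i++;
        }

        // setting maxsgid parameter from init plugin arguments
        else if  ( (((strcmp(argv[i], "-maxsgid") == 0) ||
             (strcmp(argv[i], "-MAXSGID") == 0)) &&
             (maxsgid == MAX_UNDEFINED))
             && (i + 1 < argc) )
        {
            if ((argv[i + 1] != NULL) && (argv[i + 1][0] != '\0'))
            {
                 lcmaps_log_debug(2,"%s: Checking if argument behind \"-maxsgid\" is a number\n", logstr);
                 status = posix_parse_count(argv[i + 1], &maxsgid);
                 if (status == 1)
                 {
                     lcmaps_log(0,"%s\tError: maybe found some digits, but there is atleast one char corrupting this parameter: %s\n", logstr, argv[i + 1]);
                     maxsgid = -1;
                     goto fail_posix;
                 }
                 if (status == 2)
                 {
                     maxsgid = -1;
                     goto fail_range;
                 }
            }
            else
            {
                lcmaps_log(0,"%s: no argument found for %s (failure)\n", logstr, argv[i]);
                goto fail_posix;
            }
            i++;
        }
        else if  ( (strcmp(argv[i], "-set_only_euid") == 0)
             && (i + 1 < argc) )
        {
            if ((argv[i + 1] != NULL) && (argv[i + 1][0] != '\0'))
            {
                 if (strcmp(argv[i+1],"yes") == 0)
                 {
                     set_only_euid = 1;
                 }
                 else if (strcmp(argv[i+1],"no") == 0)
                 {
                     set_only_euid = 0;
                 }
                 else
                 {
                     lcmaps_log(0,"%s: use \"yes\" or \"no\" for option %s\n", logstr, argv[i]);
                     goto fail_posix;
                 }
            }
            else
            {
                lcmaps_log(0,"%s: no argument found for %s (failure)\n", logstr, argv[i]);
                goto fail_posix;
            }
            i++;
        }
        else if  ( (strcmp(argv[i], "-set_only_egid") == 0)
             && (i + 1 < argc) )
        {
            if ((argv[i + 1] != NULL) && (argv[i + 1][0] != '\0'))
            {
                 if (strcmp(argv[i+1],"yes") == 0)
                 {
                     set_only_egid = 1;
                 }
                 else if (strcmp(argv[i+1],"no") == 0)
                 {
                     set_only_egid = 0;
                 }
                 else
                 {
                     lcmaps_log(0,"%s: use \"yes\" or \"no\" for option %s\n", logstr, argv[i]);
                     goto fail_posix;
                 }
            }
            else
            {
                lcmaps_log(0,"%s: no argument found for %s (failure)\n", logstr, argv[i]);
                goto fail_posix;
            }
            i++;
        }
        else
        {
            /*
             * Reached for an unknown option, a repeated -max* option, and an
             * option that is the last argument and so has no value. These are
             * still ignored, as before, but no longer without a trace: a
             * dropped -max* limit means that limit is not enforced.
             */
            lcmaps_log(0,"%s: ignoring argument %d: %s\n", logstr, i, argv[i]);
        }
    }

    if (maxsgid > NGROUPS)
    {
        lcmaps_log(0,"%s\tError: The prefered set maximum of %d Secondary Gid's exceeds the system maximum of NGROUPS witch is set to %d on this system\n", logstr, maxsgid, NGROUPS);
        goto fail_posix;
    }
    else if (maxsgid == MAX_UNDEFINED)
    {
        lcmaps_log(0,"%s\tAuto set maximum Secondary Gid's to system maximum of NGROUPS witch is set to %d on this system\n", logstr, NGROUPS);
    }


    lcmaps_log_debug(2,"%s: Summary init maxuid  : %d\n", logstr, maxuid);
    lcmaps_log_debug(2,"%s: Summary init maxpgid : %d\n", logstr, maxpgid);
    lcmaps_log_debug(2,"%s: Summary init maxsgid : %d\n", logstr, maxsgid);

    return LCMAPS_MOD_SUCCESS;


 fail_range:
    /* i still indexes the option whose value overflowed; atoi() was undefined here */
    lcmaps_log(0,"%s\tError: the value for %s does not fit in an int: %s\n", logstr, argv[i], argv[i + 1]);
 fail_posix:
    return LCMAPS_MOD_FAIL;
}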
00657 
00658 /******************************************************************************
00659 Function:   plugin_introspect
00660 Description:
00661     return list of required arguments
00662 Parameters:
00663 
00664 Returns:
00665     LCMAPS_MOD_SUCCESS : success
00666     LCMAPS_MOD_FAIL    : failure
00667 ******************************************************************************/
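/*
 * Report the arguments this plugin requires.
 *
 * argc : receives the count that lcmaps_cntArgs() computes for the list
 * argv : receives a pointer to the plugin's static argument list
 *
 * The list holds a single entry whose pointer fields are all NULL
 * (presumably the list terminator, i.e. the plugin asks for nothing).
 *
 * Returns LCMAPS_MOD_SUCCESS in all cases.
 */
int plugin_introspect(
        int * argc,
        lcmaps_argument_t ** argv
)
{
    char * logstr = "\tlcmaps_plugin_posix_enf-plugin_introspect()";

    static lcmaps_argument_t argList[] = {
        {NULL           ,       NULL            , -1,   NULL}
    };

    lcmaps_log_debug(1,"%s: introspecting\n", logstr);

    *argv = argList;
    *argc = lcmaps_cntArgs(argList);
    /* A pointer must be printed with %p; "0x%x" reads it as an unsigned int,
     * which is a format/argument mismatch where pointers are wider than int.
     * Assumes lcmaps_log_debug() accepts printf-style conversions. */
    lcmaps_log_debug(1,"%s: address first argument: %p\n", logstr, (void *) argList);

    return LCMAPS_MOD_SUCCESS;
}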
00687 
00688 
00689 /******************************************************************************
00690 Function:   plugin_run
00691 Description:
00692     Gather credentials for LCMAPS
00693 Parameters:
00694     argc: number of arguments
00695     argv: list of arguments
00696 Returns:
00697     LCMAPS_MOD_SUCCESS: authorization succeeded
00698     LCMAPS_MOD_FAIL   : authorization failed
00699 ******************************************************************************/
00700 int plugin_run(
00701         int argc,
00702         lcmaps_argument_t * argv
00703 )
00704 {
00705     char * logstr = "\tlcmaps_plugin_posix_enf-plugin_run()";  
00706     int                 i, t; 
00707     gid_t *             list        = NULL;
00708     int                 ngroups     = 0;
00709  
00710     char  *             dn          = NULL;
00711     uid_t *             uid         = NULL;
00712     int                 cntUid;
00713     gid_t *             priGid      = NULL;
00714     int                 cntPriGid;
00715     gid_t *             secGid      = NULL;
00716     int                 cntSecGid;
00717     struct passwd *     root_info   = NULL;
00718 
00719     /*
00720      * The beginning
00721      */
00722     lcmaps_log_debug(1,"%s\n", logstr);
00723 
00724     uid    = getCredentialData(UID,     &cntUid);
00725     priGid = getCredentialData(PRI_GID, &cntPriGid);
00726     secGid = getCredentialData(SEC_GID, &cntSecGid);
00727     lcmaps_log_debug(2,"%s: number of uids: %d, priGids: %d, secGids: %d\n", logstr, cntUid,cntPriGid,cntSecGid);
00728     
00729     // Check amount of uid's, pri-gid's and sec-gid's with the set maximum
00730     if (maxuid != MAX_UNDEFINED)
00731     {
00732         lcmaps_log_debug(2,"%s: max number of uids: %d\n", logstr, maxuid);
00733         if (cntUid > maxuid)
00734         {
00735             lcmaps_log(0, "%s:\tError: The set amount of uid's gathered exceeds the maximum of %d uid('s) by %d\n", logstr, maxuid, (cntUid - maxuid));
00736             goto fail_posix;
00737         }
00738     }
00739     if (maxpgid != MAX_UNDEFINED)
00740     {
00741         lcmaps_log_debug(2,"%s: max number of primary gid('s): %d\n", logstr, maxpgid);
00742         if (cntPriGid > maxpgid)
00743         {
00744             lcmaps_log(0, "%s:\tError: The set amount of primary gid's gathered exceeds the maximum of %d primary gid('s) by %d\n", logstr, maxpgid, (cntPriGid - maxpgid));
00745             goto fail_posix;
00746         }
00747     }
00748     if (maxsgid != MAX_UNDEFINED)
00749     {
00750         lcmaps_log_debug(2,"%s: max number of secondary gid's: %d\n", logstr, maxsgid);
00751         if (cntSecGid > maxsgid)
00752         {
00753             lcmaps_log(0, "%s:\tError: The set amount of secondary gid's gathered exceeds the maximum of %d secunadary gid's by %d\n", logstr, maxsgid, (cntSecGid - maxsgid));
00754             goto fail_posix;
00755         }
00756     }
00757 
00758 
00759     // Je moet ROOT zijn
00760     if (getuid() != 0)
00761     {
00762         lcmaps_log(0, "%s: The service did not initialize with Root! -> %d\n", logstr, getuid());
00763         goto fail_posix;
00764     }
00765 
00766     // Only done to get name of root (normally "root")
00767     if ((root_info=getpwuid(0)) == NULL)
00768     {
00769         lcmaps_log(0, "%s: cannot get passwd info for root\n", logstr);
00770         if (errno==ENOMEM)
00771             lcmaps_log(0, "%s: %s\n", logstr, strerror(errno));
00772         goto fail_posix;
00773     }
00774     lcmaps_log_debug(3,"%s: Name of root: %s\n", logstr, root_info->pw_name);
00775     lcmaps_log_debug(3,"%s: Je real      GID  was  -> %d\n", logstr, getgid());
00776     lcmaps_log_debug(3,"%s: Je effective GID  was  -> %d\n", logstr, getegid());
00777 
00778     // Set new primary group ID
00779     if (cntPriGid > 0)
00780     {
00781         if (set_only_egid)
00782             if (setregid(-1, priGid[0]) != 0)
00783             {
00784                 lcmaps_log(0, "%s: cannot set effective gid by setregid()\n", logstr);
00785                 lcmaps_log(0, "%s: %s\n", logstr, strerror(errno));
00786             }
00787             else
00788             {
00789                 lcmaps_log_debug(1,"%s: Setting only effective primary gid to %d\n", logstr, (int) priGid[0]);
00790             }
00791         else
00792             if (setregid(priGid[0], priGid[0]) != 0)
00793             {
00794                 lcmaps_log(0, "%s: cannot set real and effective setregid()\n", logstr);
00795                 lcmaps_log(0, "%s: %s\n", logstr, strerror(errno));
00796             }
00797     }
00798     else
00799     {
00800         lcmaps_log(0, "%s: No primary group IDs found, need at least 1 !\n", logstr);
00801         goto fail_posix;
00802     }
00803         
00804     lcmaps_log_debug(3,"%s: Je real      GID is nu -> %d\n", logstr, getgid());
00805     lcmaps_log_debug(3,"%s: Je effective GID is nu -> %d\n", logstr, getegid());
00806 
00807     // Initialize group access list for root
00808     if (initgroups(root_info->pw_name, root_info->pw_gid)!=0)
00809     {
00810         lcmaps_log(0, "%s: error in initgroups() call\n", logstr);
00811         lcmaps_log(0, "%s: %s\n", logstr, strerror(errno));
00812         goto fail_posix;
00813     }
00814 
00815     // Get the number of secondary group IDs for root
00816     if ((ngroups=getgroups(0, NULL)) < 0)
00817     {
00818         lcmaps_log(0, "%s: error in getgroups() call\n", logstr);
00819         lcmaps_log(0, "%s: %s\n", logstr, strerror(errno));
00820         goto fail_posix;
00821     }
00822     lcmaps_log_debug(3,"%s: found %d sec group IDs initially\n", logstr, ngroups);
00823     list = (gid_t *) malloc(ngroups * sizeof(gid_t));
00824 
00825     // Get the secondary group IDs for root
00826     if (getgroups(ngroups, list) < 0)
00827     {
00828         lcmaps_log(0, "%s: error in getgroups() call\n", logstr);
00829         lcmaps_log(0, "%s: %s\n", logstr, strerror(errno));
00830         goto fail_posix;
00831     }
00832     for (t = 0; t < ngroups; t++)
00833     {
00834         lcmaps_log_debug(3,"%s: Je Sec. Gids waren     -> %d\n", logstr, list[t]);
00835     }
00836     if (list) free(list);
00837     list=(gid_t *) NULL;
00838 
00839     // Set the new secondary group IDs
00840     if (setgroups(cntSecGid, secGid)!=0)
00841     {
00842         switch (errno)
00843         {
00844             case EFAULT :
00845                 {
00846                     lcmaps_log_debug(1, "%s: Not that fatal but serious error\n", logstr);
00847                     lcmaps_log(0, "%s: %s\n", logstr, strerror(errno));
00848                     goto fail_posix;
00849                     break;
00850                 }
00851             case EPERM :
00852                 {
00853                     lcmaps_log_debug(1, "%s: You are not ROOT\n", logstr);
00854                     lcmaps_log(0, "%s: %s\n", logstr, strerror(errno));
00855                     goto fail_posix;
00856                     break;
00857                 }
00858             case EINVAL :
00859                 {
00860                     for (i = 0; i < cntSecGid; i++)
00861                     {
00862                         lcmaps_log_debug(1,"%s: > i = %d met %d\n", logstr, i, secGid[i]);
00863                     }
00864                     lcmaps_log_debug(1, "%s: Invalid GID list\n", logstr);
00865                     lcmaps_log(0, "%s: %s\n", logstr, strerror(errno));
00866                     goto fail_posix;
00867                     break;
00868                 }
00869             default :
00870                 {
00871                     lcmaps_log_debug(1, "%s: Unspecified error in setgroups()\n", logstr);
00872                     goto fail_posix;
00873                 }
00874         }
00875     }
00876     // Get the new number of secondary group IDs
00877     if ((ngroups=getgroups(0, NULL)) < 0)
00878     {
00879         lcmaps_log(0, "%s: error in getgroups() call\n", logstr);
00880         lcmaps_log(0, "%s: %s\n", logstr, strerror(errno));
00881         goto fail_posix;
00882     }
00883     lcmaps_log_debug(1,"%s: found %d sec gids after setgroups(), cntSecGid=%d\n", logstr, ngroups,cntSecGid);
00884     list = (gid_t *) malloc(ngroups * sizeof(gid_t));
00885 
00886     // Get the new secondary group IDs
00887     if (getgroups(ngroups, list) < 0)
00888     {
00889         lcmaps_log(0, "%s: error in getgroups() call\n", logstr);
00890         lcmaps_log(0, "%s: %s\n", logstr, strerror(errno));
00891         goto fail_posix;
00892     }
00893     for (t = 0; t < ngroups; t++)
00894     {
00895         lcmaps_log_debug(2,"%s: Je Sec. Gid s zijn nu  -> %d\n", logstr, list[t]);
00896     }
00897 
00898     lcmaps_log_debug(2,"%s: Je was user            -> %d\n", logstr, getuid());
00899 
00900     // Set the new user ID
00901     if (cntUid > 0)
00902     {
00903         if (set_only_euid)
00904             if (setreuid(-1, uid[0]) != 0)
00905             {
00906                 lcmaps_log(0, "%s: cannot set effective uid by setreuid()\n", logstr);
00907                 lcmaps_log(0, "%s: %s\n", logstr, strerror(errno));
00908             }
00909             else
00910             {
00911                 lcmaps_log_debug(1,"%s: Setting only effective uid to %d\n", logstr, (int) uid[0]);
00912             }
00913         else
00914             if (setreuid(uid[0], uid[0]) != 0)
00915             {
00916                 lcmaps_log(0, "%s: cannot setreuid()\n", logstr);
00917                 lcmaps_log(0, "%s: %s\n", logstr, strerror(errno));
00918             }
00919     }
00920     else
00921     {
00922         lcmaps_log(0, "%s: No user IDs found, need at least 1 !\n", logstr);
00923         goto fail_posix;
00924     }
00925 
00926     lcmaps_log_debug(2,"%s: Je bent nu geworden    -> %d\n", logstr, getuid());
00927     lcmaps_log_debug(1,"%s: Je real      UID  is   -> %d\n", logstr, getuid());
00928     lcmaps_log_debug(1,"%s: Je effective UID  is   -> %d\n", logstr, geteuid());
00929 
00930 
00931     /* We should set the appropriate environment variables here (see globus gatekeeper)
00932      * (or before all setuid/setgid calls ?)
00933      */
00934 
00935 
00936     /*
00937      * Do Not End This POSIX Enforment with ROOT privileges
00938      * (depending on the set_only_euid and set_only_egid options)
00939      */
00940     if ( (!set_only_euid) && ((getuid() == 0) || (geteuid() == 0)) )
00941     {
00942         lcmaps_log(0, "%s: real and or effective uid == 0, which is not allowed at this stage\n", logstr);
00943         goto fail_posix;
00944     }
00945     else if (geteuid() == 0)
00946     {
00947         lcmaps_log(0, "%s: effective uid == 0, which is not allowed at this stage\n", logstr);
00948         goto fail_posix;
00949     }
00950         
00951     if ( (!set_only_egid) && ((getgid() == 0) || (getegid() == 0)) )
00952     {
00953         lcmaps_log(0, "%s: real and or effective gid == 0, which is not allowed at this stage\n", logstr);
00954         goto fail_posix;
00955     }
00956     else if (getegid() == 0)
00957     {
00958         lcmaps_log(0, "%s: effective gid == 0, which is not allowed at this stage\n", logstr);
00959         goto fail_posix;
00960     }
00961         
00962 //    if ((getuid() == 0) || (getgid() == 0))
00963 //    {
00964 //        goto fail_posix;
00965 //    }
00966 
00967 
00968     // Log Enforced Credential Data
00969     if (log_cred(dn, uid, cntUid, priGid, cntPriGid, secGid, cntSecGid) != 0)
00970     {
00971         lcmaps_log(0, "%s: Something wrong in printing the logged credentials (failure)\n", logstr);
00972         goto fail_posix;
00973     }
00974 
00975 
00976     /* succes */
00977  success_posix:
00978     if (list) free(list);
00979     lcmaps_log_time(0,"%s: posix_enf plugin succeeded\n", logstr);
00980     return LCMAPS_MOD_SUCCESS;
00981 
00982  fail_posix:
00983     if (list) free(list);
00984     lcmaps_log_time(0,"%s: posix_enf plugin failed\n", logstr);
00985     return LCMAPS_MOD_FAIL;
00986 }
00987 
00988 /******************************************************************************
00989 Function:   plugin_terminate
00990 Description:
00991     Terminate plugin
00992 Parameters:
00993 
00994 Returns:
00995     LCMAPS_MOD_SUCCESS : success
00996     LCMAPS_MOD_FAIL    : failure
00997 ******************************************************************************/
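int plugin_terminate()
{
    /*
     * Log prefix naming this entry point. The original prefix said
     * plugin_introspect(), so the termination message was attributed to the
     * wrong function, which misleads anyone reconstructing the plugin's
     * lifecycle from the log.
     */
    const char *logstr = "\tlcmaps_plugin_posix_enf-plugin_terminate()";

    lcmaps_log_debug(1, "%s: terminating\n", logstr);

    /* Nothing is released in this function, so it always reports success. */
    return LCMAPS_MOD_SUCCESS;
}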
01006 
01007 /******************************************************************************
01008 CVS Information:
01009     $Source: /cvs/jra1mw/org.glite.security.lcmaps-plugins-basic/src/posix_enf/lcmaps_posix.c,v $
01010     $Date: 2005/02/27 01:30:41 $
01011     $Revision: 1.4 $
01012     $Author: msteenba $
01013 ******************************************************************************/
