From mboxrd@z Thu Jan 1 00:00:00 1970 From: kupcevic@sourceware.org Date: 24 Oct 2006 21:59:56 -0000 Subject: [Cluster-devel] conga ./conga.spec.in.in make/version.in ricci ... Message-ID: <20061024215956.11018.qmail@sourceware.org> List-Id: To: cluster-devel.redhat.com MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit CVSROOT: /cvs/cluster Module name: conga Branch: RHEL5 Changes by: kupcevic at sourceware.org 2006-10-24 21:59:55 Modified files: . : conga.spec.in.in make : version.in ricci/init.d : ricci ricci/ricci : Auth.cpp Auth.h Makefile Log message: ricci: switch pam to sasl authentication (bz211191) Patches: http://sourceware.org/cgi-bin/cvsweb.cgi/conga/conga.spec.in.in.diff?cvsroot=cluster&only_with_tag=RHEL5&r1=1.45&r2=1.45.2.1 http://sourceware.org/cgi-bin/cvsweb.cgi/conga/make/version.in.diff?cvsroot=cluster&only_with_tag=RHEL5&r1=1.21&r2=1.21.2.1 http://sourceware.org/cgi-bin/cvsweb.cgi/conga/ricci/init.d/ricci.diff?cvsroot=cluster&only_with_tag=RHEL5&r1=1.8&r2=1.8.2.1 http://sourceware.org/cgi-bin/cvsweb.cgi/conga/ricci/ricci/Auth.cpp.diff?cvsroot=cluster&only_with_tag=RHEL5&r1=1.4&r2=1.4.2.1 http://sourceware.org/cgi-bin/cvsweb.cgi/conga/ricci/ricci/Auth.h.diff?cvsroot=cluster&only_with_tag=RHEL5&r1=1.2&r2=1.2.2.1 http://sourceware.org/cgi-bin/cvsweb.cgi/conga/ricci/ricci/Makefile.diff?cvsroot=cluster&only_with_tag=RHEL5&r1=1.16&r2=1.16.2.1 --- conga/conga.spec.in.in 2006/10/16 21:01:40 1.45 +++ conga/conga.spec.in.in 2006/10/24 21:59:55 1.45.2.1 @@ -40,7 +40,10 @@ BuildRequires: python-devel >= 2.4.1 %endif BuildRequires: glibc-devel gcc-c++ libxml2-devel sed -BuildRequires: openssl-devel dbus-devel pam-devel pkgconfig file +#BuildRequires: pam-devel +BuildRequires: cyrus-sasl-devel >= 2.1 +BuildRequires: openssl-devel dbus-devel pkgconfig file + %description Conga is a project developing management system for remote stations. 
@@ -182,7 +185,7 @@ Summary: Remote Management System - Managed Station Requires: initscripts -Requires: oddjob dbus openssl pam +Requires: oddjob dbus openssl pam cyrus-sasl >= 2.1 Requires: sed util-linux Requires: modcluster >= 0.8 @@ -279,6 +282,7 @@ %changelog + * Wed Oct 16 2006 Stanko Kupcevic 0.8-20 - Minor GUI nits --- conga/make/version.in 2006/10/16 21:01:40 1.21 +++ conga/make/version.in 2006/10/24 21:59:55 1.21.2.1 @@ -1,2 +1,2 @@ VERSION=0.8 -RELEASE=20 +RELEASE=20.4 --- conga/ricci/init.d/ricci 2006/08/16 02:57:52 1.8 +++ conga/ricci/init.d/ricci 2006/10/24 21:59:55 1.8.2.1 @@ -90,6 +90,8 @@ fi fi + service saslauthd start > /dev/null 2>&1 + ssl_certs_ok if [ "1$?" != "10" ] ; then generate_ssl_certs --- conga/ricci/ricci/Auth.cpp 2006/08/12 00:38:36 1.4 +++ conga/ricci/ricci/Auth.cpp 2006/10/24 21:59:55 1.4.2.1 @@ -22,33 +22,35 @@ #include "Auth.h" -#include "ricci_defines.h" +#include "Mutex.h" +#include -#include -#include -#include -#include -#include -using namespace std; +static int +sasl_getopts_callback(void* context, + const char* plugin_name, + const char* option, + const char** result, + unsigned int* len); -static void -close_fd(int fd) -{ - int e; - do { - e = close(fd); - } while (e && (errno == EINTR)); -} +static Mutex mutex; // global sasl_lib protection mutex +static bool inited = false; // sasl_lib initialized? +const static +sasl_callback_t callbacks[] = { + {SASL_CB_GETOPT, (int (*)()) sasl_getopts_callback, NULL}, + {SASL_CB_LIST_END, NULL, NULL}, +}; -Auth::Auth() : - _path(AUTH_HELPER_PATH) -{} +Auth::Auth() +{ + if (!initialize_auth_system()) + throw String("Failed to initialize authentication engine"); +} Auth::~Auth() {} 
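Review bot: The added `service saslauthd start > /dev/null 2>&1` discards the daemon's exit status, so a saslauthd that fails to start is never reported here, and every later ricci authentication then fails inside the SASL layer with nothing in the start-up output pointing at the cause. Checking the status and saying so is a one-liner: `service saslauthd start > /dev/null 2>&1 || echo "ricci: saslauthd failed to start; authentication will not work"`. Starting another service from inside this script also hides the dependency from the init system; declaring it (an LSB `Required-Start` header, or a packaging-level requirement that saslauthd be enabled) would let it be started and monitored by its own means. The enclosing function starts before this hunk.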
@@ -57,77 +59,87 @@ bool Auth::authenticate(const String& passwd) const { - if (access(_path.c_str(), X_OK)) - throw String("missing auth helper"); + MutexLocker l(mutex); - int _stdin_pipe[2]; - - if (pipe(_stdin_pipe) == -1) - throw String("failure creating pipe"); - - int pid = fork(); - if (pid == -1) { - close_fd(_stdin_pipe[0]); - close_fd(_stdin_pipe[1]); - throw String("fork failed"); + sasl_conn_t *conn = 0; + try { + bool success = false; + + int ret = sasl_server_new("ricci", // servicename + NULL, // hostname + NULL, // realm + NULL, // local ip:port + NULL, // remote ip:port + callbacks, + 0, // connection flags + &conn); + if (ret != SASL_OK) + throw String("authentication engine error"); + + ret = sasl_checkpass(conn, + "root", 4, + passwd.c_str(), passwd.size()); + if (ret == SASL_OK) + success = true; + else + if (ret != SASL_BADAUTH) + throw String("authentication engine error"); + + sasl_dispose(&conn); conn = 0; + return success; + } catch ( ... ) { + if (conn) { + sasl_dispose(&conn); + conn = 0; + } + throw; } +} + + + +bool +Auth::initialize_auth_system() +{ + MutexLocker l(mutex); - if (pid == 0) { - /* child */ - close_fd(0); - close_fd(1); - close_fd(2); - - close_fd(_stdin_pipe[1]); - dup2(_stdin_pipe[0], 0); - close_fd(_stdin_pipe[0]); - - // restore signals - for (int x = 1; x < _NSIG; x++) - signal(x, SIG_DFL); - sigset_t set; - sigfillset(&set); - sigprocmask(SIG_UNBLOCK, &set, NULL); - - /* exec */ - execl(_path.c_str(), _path.c_str(), NULL); - _exit(1); + if (!inited) { + int ret = sasl_server_init(callbacks, "ricci"); + inited = (ret == SASL_OK); } - - - /* parent */ - - close_fd(_stdin_pipe[0]); - + return inited; +} + +int +sasl_getopts_callback(void* context, + const char* plugin_name, + const char* option, + const char** result, + unsigned * len) +{ try { - String pass = passwd + "\n"; - do { - int size = write(_stdin_pipe[1], pass.c_str(), pass.size()); - if (size == -1) { - if (errno == EINTR) - continue; - else { - cout << 
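Review bot: The `callbacks` table registers only `SASL_CB_GETOPT`, so whatever libsasl reports while initialising or while talking to saslauthd (unreachable mux socket, unknown pwcheck method, misconfiguration) is dropped, which leaves the generic `String("Failed to initialize authentication engine")` thrown from `Auth::Auth()` as the only diagnostic an operator sees. Adding a `SASL_CB_LOG` entry, `{SASL_CB_LOG, (int (*)()) sasl_log_callback, NULL},`, backed by a small static `sasl_log_callback(void* context, int level, const char* message)` that forwards `message` to the daemon's existing logging would give the detail needed to tell those failures apart. The `// global sasl_lib protection mutex` comment on `static Mutex mutex` could also say what it guards: the `inited` flag and the serialisation of every `sasl_server_new`/`sasl_checkpass` sequence in `Auth::authenticate`, since libsasl state is shared through the one callback table.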
errno << endl; - throw String("write() error"); - } + static const char authd_option[] = "pwcheck_method"; + static const char authd_result[] = "saslauthd"; + + static const char authd_version_option[] = "saslauthd_version"; + static const char authd_version_result[] = "2"; + + + if (result) { + *result = 0; + if (strcmp(option, authd_option) == 0) + *result = authd_result; + else if (strcmp(option, authd_version_option) == 0) + *result = authd_version_result; + else { + // modify more options we'd like to use } - pass = pass.substr(size, pass.npos); - } while (!pass.empty()); + } + if (len) + *len = 0; + + return SASL_OK; } catch ( ... ) { - close_fd(_stdin_pipe[1]); - throw; - } - close_fd(_stdin_pipe[1]); - - bool success = false; - int ret, status; - do { - ret = waitpid(pid, &status, 0); - } while ((ret < 0) && (errno == EINTR)); - - if (WIFEXITED(status)) { - status = WEXITSTATUS(status); - success = (status == 0); + return SASL_FAIL; } - return success; } --- conga/ricci/ricci/Auth.h 2006/08/10 22:53:09 1.2 +++ conga/ricci/ricci/Auth.h 2006/10/24 21:59:55 1.2.2.1 @@ -27,6 +27,9 @@ #include "String.h" +// thread safe + + class Auth { public: @@ -34,9 +37,10 @@ virtual ~Auth(); bool authenticate(const String& passwd) const; - private: - String _path; + + static bool initialize_auth_system(); // to be called@start-up (not required) + }; --- conga/ricci/ricci/Makefile 2006/08/22 23:01:17 1.16 +++ conga/ricci/ricci/Makefile 2006/10/24 21:59:55 1.16.2.1 @@ -44,7 +44,8 @@ LDFLAGS += `pkg-config --libs dbus-1` -all: ${TARGET} ${TARGET_AUTH} ${TARGET_WORKER} +#all: ${TARGET} ${TARGET_AUTH} ${TARGET_WORKER} +all: ${TARGET} ${TARGET_WORKER} *.o: *.h ../include/*.h 
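Review bot: In `Auth::authenticate`, both `throw String("authentication engine error")` sites discard `ret` and the connection's error text, so an operator cannot distinguish a saslauthd that is down from a misconfigured `pwcheck_method` or a library fault; while `conn` is still alive at the throw site, `sasl_errdetail(conn)` has the explanation, and it should at least be logged server-side, e.g. `throw String("authentication engine error: ") + sasl_errdetail(conn);` if that message does not travel back to the client. The user name is the hard-coded `"root"`/length `4` pair; a named constant such as `static const char auth_user[] = "root";` used with `sizeof(auth_user) - 1` keeps the two from drifting apart. In `sasl_getopts_callback`, `*len` is always set to `0` even when `*result` is non-NULL, whereas the getopt contract describes `len` as the length of the returned result, so `*len = *result ? strlen(*result) : 0;` is the safer value. The hand-written `try { … } catch (...) { sasl_dispose(&conn); throw; }` cleanup would read more clearly as a small RAII holder for `sasl_conn_t*` whose destructor calls `sasl_dispose`.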
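Review bot: The comment `// to be called@start-up (not required)` on `initialize_auth_system` does not say what the return value means or what skipping the call costs; `Auth::Auth()` in Auth.cpp calls it and throws when it fails, so a comment such as `// Initialises libsasl once (mutex-protected, idempotent). Returns false if sasl_server_init failed; Auth() calls this and throws on failure, so calling it at start-up only surfaces that failure earlier.` would state the contract. The detached `// thread safe` added in this file's first hunk would be more useful attached to the class with its basis, e.g. `// Thread safe: all libsasl calls in Auth.cpp are serialised by one global mutex.`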
@@ -52,7 +53,7 @@ $(INSTALL_DIR) ${sbindir} $(INSTALL_BIN) ${TARGET} ${sbindir} $(INSTALL_DIR) ${libexecdir}/ricci - install -m 4755 ${TARGET_AUTH} ${libexecdir}/ricci + #install -m 4755 ${TARGET_AUTH} ${libexecdir}/ricci $(INSTALL_BIN) ${TARGET_WORKER} ${libexecdir}/ricci $(INSTALL_DIR) ${localstatedir}/lib/ricci/queue $(INSTALL_DIR) ${localstatedir}/lib/ricci/certs @@ -77,10 +78,14 @@ $(TARGET): $(OBJECTS) - $(CXX) -o $(TARGET) $(OBJECTS) $(LDFLAGS) + $(CXX) -o $(TARGET) $(OBJECTS) $(LDFLAGS) -lsasl2 ${TARGET_AUTH}: $(TARGET_AUTH_OBJECTS) $(CXX) -o ${TARGET_AUTH} $(TARGET_AUTH_OBJECTS) ${LDFLAGS} -lpam ${TARGET_WORKER}: ${TARGET_WORKER_OBJECTS} $(CXX) -o ${TARGET_WORKER} ${TARGET_WORKER_OBJECTS} ${LDFLAGS} + + +Auth_test: Auth_test.o Auth.o + $(CXX) -o Auth_test Auth_test.o Auth.o ${LDFLAGS} -lsasl2
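Review bot: The `install -m 4755 ${TARGET_AUTH}` recipe is commented out rather than removed, as is the old `all:` line in the @@ -44 hunk, while the `${TARGET_AUTH}` link rule with `-lpam` in the @@ -77 hunk is kept; the setuid-root install of the pam helper is one uncommented line away from returning, and the pam link rule presumably can no longer build once `pam-devel` leaves the spec's BuildRequires. Deleting the three dead pieces (`#all: …`, `#install -m 4755 …`, the `${TARGET_AUTH}` rule) leaves the sasl-only build as the single definition of what gets installed. The new `Auth_test` target links the production `Auth.o` with `-lsasl2`, but nothing in this hunk supplies a rule or source for `Auth_test.o` and it is not part of `all`; if it is a developer-only target, a comment such as `# developer-only: exercises Auth against a running saslauthd, not installed` would say so.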