Re: Patch: use SCM_CREDS authentication over PF_LOCAL sockets
От | Bruce Momjian |
---|---|
Тема | Re: Patch: use SCM_CREDS authentication over PF_LOCAL sockets |
Дата | |
Msg-id | 200108170335.f7H3Zev10533@candle.pha.pa.us обсуждение исходный текст |
Ответ на | Patch: use SCM_CREDS authentication over PF_LOCAL sockets (wollman@LCS.MIT.EDU) |
Список | pgsql-patches |
> <<On Thu, 16 Aug 2001 00:34:14 -0400 (EDT), Bruce Momjian <pgman@candle.pha.pa.us> said: > > > OK, here is a cleaned up version of the patch that will apply to current > > CVS. I worked it into the SO_PEERCRED code. I made some changes so it > > compiles on BSD/OS. I am getting "Invalid Argument" from libpq's > > sending of the credentials on BSD/OS. > > There are some funky alignment macros that you probably need to use on > BSD/OS. Also, as written this will break on NetBSD and OpenBSD for > reasons I have already noted (the structure is named something > different there), and those systems will also require the alignment > macros. (Basically, putting the two structures in another larger > structure is a shortcut in my implementation which only works because > the compiler puts the right amount of padding in; on those other > systems, more padding is required.) OK, attached is my current version of the patch. Would you download the snapshot or CVS and let me know if this works on FreeBSD. Even if you can't run it, can you tell me if it compiles. Also, attached is the BSD/OS manual page that shows the use of the macros for retrieving SCM. Can you add that and send me an updated patch? Also, can you check to see if FreeBSD requires you to send the full struct with empty cred, or if you can just send the header without the struct. You will see in my patch for the libpq client part that BSD/OS doesn't want the extra struct. Looks like 7.2 is going to have overhauled authentication, and I would really like to get this SCM stuff nailed down on as many platforms as possible before going beta, which may happen as early as September 1. -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 853-3000 + If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. 
| Drexel Hill, Pennsylvania 19026 Index: src/backend/libpq/auth.c =================================================================== RCS file: /home/projects/pgsql/cvsroot/pgsql/src/backend/libpq/auth.c,v retrieving revision 1.58 diff -c -r1.58 auth.c *** src/backend/libpq/auth.c 2001/08/16 04:27:18 1.58 --- src/backend/libpq/auth.c 2001/08/16 14:56:42 *************** *** 15,24 **** #include "postgres.h" ! #include <sys/types.h> /* needed by in.h on Ultrix */ #include <netinet/in.h> #include <arpa/inet.h> - #include "libpq/auth.h" #include "libpq/crypt.h" #include "libpq/hba.h" --- 15,29 ---- #include "postgres.h" ! #include <sys/types.h> ! #include <sys/socket.h> /* for SCM_CREDS */ ! #ifdef SCM_CREDS ! #include <sys/uio.h> /* for struct iovec */ ! #include <sys/ucred.h> ! #include <errno.h> ! #endif #include <netinet/in.h> #include <arpa/inet.h> #include "libpq/auth.h" #include "libpq/crypt.h" #include "libpq/hba.h" *************** *** 28,39 **** #include "miscadmin.h" static void sendAuthRequest(Port *port, AuthRequest areq); - static int checkPassword(Port *port, char *user, char *password); static int old_be_recvauth(Port *port); static int map_old_to_new(Port *port, UserAuth old, int status); static void auth_failed(Port *port); - static int recv_and_check_password_packet(Port *port); static int recv_and_check_passwordv0(Port *port); --- 33,42 ---- *************** *** 493,498 **** --- 496,507 ---- break; case uaIdent: + #ifdef SCM_CREDS + /* If we are doing ident on unix-domain sockets, + we are going to use SCM_CREDS, if defined. 
*/ + if (port->raddr.sa.sa_family == AF_UNIX) + sendAuthRequest(port, AUTH_REQ_SCM_CREDS); + #endif status = authident(port); break; Index: src/backend/libpq/hba.c =================================================================== RCS file: /home/projects/pgsql/cvsroot/pgsql/src/backend/libpq/hba.c,v retrieving revision 1.63 diff -c -r1.63 hba.c *** src/backend/libpq/hba.c 2001/08/16 04:27:18 1.63 --- src/backend/libpq/hba.c 2001/08/16 14:56:42 *************** *** 19,24 **** --- 19,30 ---- #include <errno.h> #include <pwd.h> #include <sys/types.h> + #include <sys/socket.h> /* for SCM_CREDS */ + #ifdef SCM_CREDS + #include <sys/uio.h> /* for struct iovec */ + #include <sys/ucred.h> + #include <errno.h> + #endif #include <fcntl.h> #include <sys/socket.h> #include <netinet/in.h> *************** *** 863,869 **** static bool ident_unix(int sock, char *ident_user) { ! #ifdef SO_PEERCRED /* Linux style: use getsockopt(SO_PEERCRED) */ struct ucred peercred; ACCEPT_TYPE_ARG3 so_len = sizeof(peercred); --- 869,959 ---- static bool ident_unix(int sock, char *ident_user) { ! #ifdef SCM_CREDS ! struct msghdr msg; ! struct { ! struct cmsghdr hdr; ! #ifndef fc_uid ! struct cmsgcred cred; ! #define cruid cmcred_uid ! #else ! struct fcred cred; ! #define cruid fc_uid ! #endif ! } cmsg; ! struct iovec iov; ! char buf; ! char namebuf[SM_USER + 1]; ! struct passwd *pw; ! ! msg.msg_name = NULL; ! msg.msg_namelen = 0; ! msg.msg_iov = &iov; ! msg.msg_iovlen = 1; ! msg.msg_control = (char *)&cmsg; ! msg.msg_controllen = sizeof cmsg; ! msg.msg_flags = 0; ! ! /* ! * The one character which is received here is not meaningful; ! * its purposes is only to make sure that recvmsg() blocks ! * long enough for the other side to send its credentials. ! */ ! iov.iov_base = &buf; ! iov.iov_len = 1; ! ! if (recvmsg(sock, &msg, 0) < 0) { ! snprintf(PQerrormsg, PQERRORMSG_LENGTH, ! "ident_unix: error receiving credentials: %s\n", ! strerror(errno)); ! errout: ! fputs(PQerrormsg, stderr); ! 
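Review bot: The added `sendAuthRequest(port, AUTH_REQ_SCM_CREDS)` has to stay ahead of the `authident(port)` call on the next line, and the new comment does not say why: on the Unix-socket path `ident_unix()` in hba.c blocks in `recvmsg()` until the client answers this very request, so the ordering is a protocol dependency rather than a convenience. I would replace the added comment with `/* On Unix-domain sockets ask the client for SCM_CREDS now; authident() -> ident_unix() then blocks in recvmsg() waiting for that reply. */`. The `#ifdef SCM_CREDS` here must also agree with the one guarding `ident_unix()`, since each file sees the macro only through its own `<sys/socket.h>` include; if they ever disagree the backend either waits for credentials it never asked for or asks for ones it cannot read. The enclosing switch starts outside the hunk.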
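Review bot: The added `#include <sys/socket.h>` and `#include <errno.h>` duplicate includes hba.c already has in this hunk's context (`<errno.h>` on the first visible line, `<sys/socket.h>` right after `<fcntl.h>`); a second inclusion is harmless with guarded headers but reads as a copy of the auth.c hunk rather than an edit of this file. Move the existing `#include <sys/socket.h>` above the `#ifdef SCM_CREDS` block, drop the two added duplicates, and keep only `<sys/uio.h>` and `<sys/ucred.h>` under the `#ifdef`.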
pqdebug("%s", PQerrormsg); ! ! return false; ! } ! ! /* ! * Make sure we got the right kind of message. ! */ ! if (cmsg.hdr.cmsg_len != sizeof cmsg ! || cmsg.hdr.cmsg_level != SOL_SOCKET ! || cmsg.hdr.cmsg_type != SCM_CREDS) { ! snprintf(PQerrormsg, PQERRORMSG_LENGTH, ! "ident_unix: protocol error receiving credentials\n"); ! goto errout; ! } ! ! snprintf(PQerrormsg, PQERRORMSG_LENGTH, ! "ident_unix: pid %lu, uid %lu\n", ! #ifndef fc_uid ! (unsigned long)cmsg.cred.cmcred_pid, ! #else ! (unsigned long)0, /* unavailable */ ! #endif ! (unsigned long)cmsg.cred.cruid); ! pqdebug("%s", PQerrormsg); ! ! strncpy(namebuf, ident_user, SM_USER); ! namebuf[SM_USER] = '\0'; ! ! pw = getpwnam(namebuf); ! if (pw == NULL) { ! snprintf(PQerrormsg, PQERRORMSG_LENGTH, ! "ident_unix: unknown local user %s\n", ! namebuf); ! goto errout; ! } ! ! if (pw->pw_uid != cmsg.cred.cruid) { ! snprintf(PQerrormsg, PQERRORMSG_LENGTH, ! "ident_unix: %s's uid %lu != real uid %lu\n", ! namebuf, (unsigned long)pw->pw_uid, ! (unsigned long)cmsg.cred.cruid); ! goto errout; ! } ! return true; ! #elif SO_PEERCRED /* Linux style: use getsockopt(SO_PEERCRED) */ struct ucred peercred; ACCEPT_TYPE_ARG3 so_len = sizeof(peercred); *************** *** 899,905 **** return true; ! #else /* not SO_PEERCRED */ snprintf(PQerrormsg, PQERRORMSG_LENGTH, "IDENT auth is not supported on local connections on this platform\n"); --- 989,995 ---- return true; ! #else snprintf(PQerrormsg, PQERRORMSG_LENGTH, "IDENT auth is not supported on local connections on this platform\n"); *************** *** 907,913 **** pqdebug("%s", PQerrormsg); return false; ! #endif /* SO_PEERCRED */ } /* --- 997,1003 ---- pqdebug("%s", PQerrormsg); return false; ! 
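Review bot: The credential check trusts the control buffer without verifying that the kernel filled it: after `recvmsg()` the code tests `cmsg.hdr.cmsg_len`, `cmsg_level` and `cmsg_type` but never looks at `msg.msg_controllen` or `MSG_CTRUNC`, and `cmsg` is uninitialised, so a reply with no or truncated ancillary data is judged on stale stack contents, and a zero-byte return (peer closed) passes the `< 0` test and reaches the same comparison. It also reads `cmsg.cred` through a hand-laid struct overlay, which the mail thread itself says only works where the compiler's padding happens to match; the recv(2) page attached to this mail shows the portable form (`CMSG_FIRSTHDR`/`CMSG_DATA` plus an `MSG_CTRUNC` test), and the rewrite below keeps the platform selection and the later getpwnam()/uid comparison, which then read `cred.cruid` instead of `cmsg.cred.cruid`. Separately, `#elif SO_PEERCRED` should be `#elif defined(SO_PEERCRED)` (an undefined macro evaluates to 0, so the current form works by accident), and the `cruid` macro defined inside the function body should be `#undef`'d before the `#elif` so it cannot leak into the rest of the file. The function's closing brace lies in a later hunk.
```c
static bool
ident_unix(int sock, char *ident_user)
{
#ifdef SCM_CREDS
	struct msghdr msg;
	struct cmsghdr *cm;
#ifndef fc_uid
	struct cmsgcred cred;
#define cruid cmcred_uid
#else
	struct fcred cred;
#define cruid fc_uid
#endif
	/* sized by CMSG_SPACE() so CMSG_FIRSTHDR()/CMSG_DATA() see the padding they expect — confirm the macro exists on BSD/OS */
	char cbuf[CMSG_SPACE(sizeof cred)];
	/* … unchanged: iov, buf, namebuf, pw declarations … */

	msg.msg_control = cbuf;
	msg.msg_controllen = sizeof cbuf;
	/* … unchanged: other msghdr fields, iov setup, recvmsg() call and the errout: handler … */

	/*
	 * Trust nothing until the kernel is known to have delivered one
	 * complete, untruncated SCM_CREDS message.  A zero-byte return
	 * should fail here too — confirm msg_controllen is updated on BSD/OS.
	 */
	if ((msg.msg_flags & MSG_CTRUNC) != 0
		|| msg.msg_controllen < sizeof(struct cmsghdr)
		|| (cm = CMSG_FIRSTHDR(&msg)) == NULL
		|| cm->cmsg_level != SOL_SOCKET
		|| cm->cmsg_type != SCM_CREDS
		|| cm->cmsg_len < sizeof(*cm) + sizeof cred)
	{
		snprintf(PQerrormsg, PQERRORMSG_LENGTH,
				 "ident_unix: protocol error receiving credentials\n");
		goto errout;
	}
	/* CMSG_DATA() is the aligned payload; copy it out instead of overlaying a struct on the buffer */
	memcpy(&cred, CMSG_DATA(cm), sizeof cred);
	/* … unchanged: debug output, getpwnam() lookup, uid comparison and return true, now reading cred.cruid … */
#undef cruid
#elif defined(SO_PEERCRED)
```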
#endif } /* Index: src/backend/libpq/pg_hba.conf.sample =================================================================== RCS file: /home/projects/pgsql/cvsroot/pgsql/src/backend/libpq/pg_hba.conf.sample,v retrieving revision 1.24 diff -c -r1.24 pg_hba.conf.sample *** src/backend/libpq/pg_hba.conf.sample 2001/08/15 18:42:15 1.24 --- src/backend/libpq/pg_hba.conf.sample 2001/08/16 14:56:47 *************** *** 125,136 **** # ident: For TCP/IP connections, authentication is done by contacting # the ident server on the client host. (CAUTION: this is only # as secure as the client machine!) On machines that support ! # SO_PEERCRED socket requests, this method also works for ! # local Unix-domain connections. AUTH_ARGUMENT is required: ! # it determines how to map remote user names to Postgres user ! # names. The AUTH_ARGUMENT is a map name found in the ! # $PGDATA/pg_ident.conf file. The connection is accepted if ! # that file contains an entry for this map name with the # ident-supplied username and the requested Postgres username. # The special map name "sameuser" indicates an implied map # (not in pg_ident.conf) that maps each ident username to the --- 125,136 ---- # ident: For TCP/IP connections, authentication is done by contacting # the ident server on the client host. (CAUTION: this is only # as secure as the client machine!) On machines that support ! # SO_PEERCRED or SCM_CREDS socket requests, this method also ! # works for local Unix-domain connections. AUTH_ARGUMENT is ! # required: it determines how to map remote user names to ! # Postgres user names. The AUTH_ARGUMENT is a map name found ! # in the $PGDATA/pg_ident.conf file. The connection is accepted ! # if that file contains an entry for this map name with the # ident-supplied username and the requested Postgres username. 
# The special map name "sameuser" indicates an implied map # (not in pg_ident.conf) that maps each ident username to the Index: src/include/libpq/pqcomm.h =================================================================== RCS file: /home/projects/pgsql/cvsroot/pgsql/src/include/libpq/pqcomm.h,v retrieving revision 1.57 diff -c -r1.57 pqcomm.h *** src/include/libpq/pqcomm.h 2001/08/16 04:27:18 1.57 --- src/include/libpq/pqcomm.h 2001/08/16 14:56:48 *************** *** 133,138 **** --- 133,139 ---- #define AUTH_REQ_PASSWORD 3 /* Password */ #define AUTH_REQ_CRYPT 4 /* crypt password */ #define AUTH_REQ_MD5 5 /* md5 password */ + #define AUTH_REQ_SCM_CREDS 6 /* transfer SCM credentials */ typedef uint32 AuthRequest; Index: src/interfaces/libpq/fe-auth.c =================================================================== RCS file: /home/projects/pgsql/cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v retrieving revision 1.50 diff -c -r1.50 fe-auth.c *** src/interfaces/libpq/fe-auth.c 2001/08/15 21:08:21 1.50 --- src/interfaces/libpq/fe-auth.c 2001/08/16 14:56:49 *************** *** 40,50 **** --- 40,57 ---- #else #include <unistd.h> #include <fcntl.h> + #ifdef SCM_CREDS + #include <sys/uio.h> /* for struct iovec */ + #include <sys/ucred.h> + #include <errno.h> + #endif #include <sys/param.h> /* for MAXHOSTNAMELEN on most */ #ifndef MAXHOSTNAMELEN #include <netdb.h> /* for MAXHOSTNAMELEN on some */ #endif #include <pwd.h> + #include <sys/types.h> + #include <sys/socket.h> /* for SCM_CREDS */ #endif #ifdef HAVE_CRYPT_H *************** *** 432,437 **** --- 439,490 ---- #endif /* KRB5 */ + #ifdef SCM_CREDS + static int + pg_local_sendauth(char *PQerrormsg, PGconn *conn) + { + char buf; + struct iovec iov; + struct { + struct cmsghdr hdr; + /* We don't pass the credentials structure. Kernel fills it in. 
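Review bot: `#ifdef SCM_CREDS` is evaluated before the header that defines it: the added `#include <sys/socket.h>` sits after `<pwd.h>`, below the `#ifdef` block, so unless an earlier header already pulls in `<sys/socket.h>` the macro is undefined at that point, `<sys/uio.h>`, `<sys/ucred.h>` and `<errno.h>` are skipped, and the later `#ifdef SCM_CREDS` around `pg_local_sendauth()` then sees the macro defined while `struct iovec` (which the comment says comes from `<sys/uio.h>`) may not be declared. The auth.c and hba.c hunks of this same patch put `<sys/types.h>` and `<sys/socket.h>` before their `#ifdef`; do the same here by moving the two added lines `#include <sys/types.h>` / `#include <sys/socket.h>  /* for SCM_CREDS */` to just above `#ifdef SCM_CREDS`.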
*/ + } cmsg; + struct msghdr msg; + + /* + * The backend doesn't care what we send here, but it wants + * exactly one character to force recvmsg() to block and wait + * for us. + */ + buf = '\0'; + iov.iov_base = &buf; + iov.iov_len = 1; + + cmsg.hdr.cmsg_len = sizeof cmsg; + cmsg.hdr.cmsg_level = SOL_SOCKET; + cmsg.hdr.cmsg_type = SCM_CREDS; + /* + * cmsg.cred will get filled in with the correct information + * by the kernel when this message is sent. + */ + + msg.msg_name = NULL; + msg.msg_namelen = 0; + msg.msg_iov = &iov; + msg.msg_iovlen = 1; + msg.msg_control = &cmsg; + msg.msg_controllen = sizeof cmsg; + msg.msg_flags = 0; + + if (sendmsg(conn->sock, &msg, 0) == -1) { + snprintf(PQerrormsg, PQERRORMSG_LENGTH, + "pg_local_sendauth: sendmsg: %s\n", strerror(errno)); + return STATUS_ERROR; + } + return STATUS_OK; + } + #endif + static int pg_password_sendauth(PGconn *conn, const char *password, AuthRequest areq) { *************** *** 442,447 **** --- 495,504 ---- switch (areq) { + case AUTH_REQ_PASSWORD: + /* discard const so we can assign it */ + crypt_pwd = (char *)password; + break; case AUTH_REQ_CRYPT: crypt_pwd = crypt(password, conn->salt); break; *************** *** 472,482 **** break; } default: ! /* discard const so we can assign it */ ! crypt_pwd = (char *)password; ! break; } - ret = pqPacketSend(conn, crypt_pwd, strlen(crypt_pwd) + 1); if (areq == AUTH_REQ_MD5) free(crypt_pwd); --- 529,536 ---- break; } default: ! 
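Review bot: `pg_local_sendauth()` sends a header-only control message (`cmsg_len = sizeof cmsg` with nothing after `struct cmsghdr`), while the receiving side in hba.c's `ident_unix()` rejects any message whose `cmsg_len` differs from header plus credential struct; unless the kernel rewrites `cmsg_len` when it fills in the credentials, as the comment assumes, the two halves of this patch cannot interoperate, and the mail above asks exactly this question for FreeBSD. I would make the assumption explicit where it is made: `/* NOTE: relies on the kernel replacing cmsg_len with the filled-in size — verified on BSD/OS only; FreeBSD may require a struct cmsgcred payload */`. The function also has no header comment; add one stating that it sends one dummy byte with an SCM_CREDS ancillary message so the backend's recvmsg() can read the caller's credentials, and that it returns STATUS_OK or STATUS_ERROR with the failure text left in PQerrormsg. A `sendmsg()` interrupted by a signal fails with EINTR and is reported as a hard error here; whether a retry on `errno == EINTR` is wanted should be checked against how pqPacketSend() handles the same case.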
return STATUS_ERROR; } ret = pqPacketSend(conn, crypt_pwd, strlen(crypt_pwd) + 1); if (areq == AUTH_REQ_MD5) free(crypt_pwd); *************** *** 549,554 **** --- 603,620 ---- return STATUS_ERROR; } break; + + case AUTH_REQ_SCM_CREDS: + #ifdef SCM_CREDS + if (pg_local_sendauth(PQerrormsg, conn) != STATUS_OK) + return STATUS_ERROR; + #else + snprintf(PQerrormsg, PQERRORMSG_LENGTH, + libpq_gettext("SCM_CRED authentication method not supported\n")); + return STATUS_ERROR; + #endif + break; + default: snprintf(PQerrormsg, PQERRORMSG_LENGTH, libpq_gettext("authentication method %u not supported\n"), areq); Index: src/interfaces/odbc/connection.c =================================================================== RCS file: /home/projects/pgsql/cvsroot/pgsql/src/interfaces/odbc/connection.c,v retrieving revision 1.33 diff -c -r1.33 connection.c *** src/interfaces/odbc/connection.c 2001/08/15 18:42:16 1.33 --- src/interfaces/odbc/connection.c 2001/08/16 14:56:50 *************** *** 722,727 **** --- 722,732 ---- self->errornumber = CONN_AUTH_TYPE_UNSUPPORTED; return 0; + case AUTH_REQ_SCM_CREDS: + self->errormsg = "Unix socket credential authentication not supported"; + self->errornumber = CONN_AUTH_TYPE_UNSUPPORTED; + return 0; + default: self->errormsg = "Unknown authentication type"; self->errornumber = CONN_AUTH_TYPE_UNSUPPORTED; Index: src/interfaces/odbc/connection.h =================================================================== RCS file: /home/projects/pgsql/cvsroot/pgsql/src/interfaces/odbc/connection.h,v retrieving revision 1.25 diff -c -r1.25 connection.h *** src/interfaces/odbc/connection.h 2001/08/15 18:42:16 1.25 --- src/interfaces/odbc/connection.h 2001/08/16 14:56:52 *************** *** 94,99 **** --- 94,100 ---- #define AUTH_REQ_PASSWORD 3 #define AUTH_REQ_CRYPT 4 #define AUTH_REQ_MD5 5 + #define AUTH_REQ_SCM_CREDS 6 /* Startup Packet sizes */ #define SM_DATABASE 64 RECV(2) BSD Programmer's Manual RECV(2) NAME recv, recvfrom, recvmsg - receive a message 
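Review bot: The error text in the `#else` branch says `SCM_CRED` while the request constant, the macro and the ODBC message all say `SCM_CREDS`; the inconsistent name will make the failure hard to search for in logs, so use `libpq_gettext("SCM_CREDS authentication method not supported\n")`. The `#ifdef SCM_CREDS` in this case also depends on the header order raised at this file's include hunk. The enclosing switch starts and ends outside the hunk.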
from a socket SYNOPSIS #include <sys/types.h> #include <sys/socket.h> ssize_t recv(int s, void *buf, size_t len, int flags); ssize_t recvfrom(int s, void *buf, size_t len, int flags, struct sockaddr *from, socklen_t *fromlen); ssize_t recvmsg(int s, struct msghdr *msg, int flags); DESCRIPTION The recvfrom() and recvmsg() calls are used to receive messages from a socket, and may be used to receive data on a socket whether or not it is connection-oriented. If from is non-null, and the socket is not connection-oriented, the source address of the message is filled in. The fromlen pointer refers to a value-result parameter; it should initially contain the amount of space pointed to by from; on return that location will contain the actual length (in bytes) of the address returned. If the buffer provided is too small, the name is truncated and the full size is returned in the loca- tion to which fromlen points. If from is null, the value pointed to by fromlen is not modified. Otherwise, if the socket is connection-orient- ed, the address buffer will not be modified, and the value pointed to by fromlen will be set to zero. The recv() call is normally used only on a connected socket (see connect(2)) and is identical to recvfrom() with a nil from parameter. As it is redundant, it may not be supported in future releases. All three routines return the length of the message on successful comple- tion. If a message is too long to fit in the supplied buffer, excess bytes may be discarded depending on the type of socket the message is re- ceived from (see socket(2)). If no messages are available at the socket, the receive call waits for a message to arrive, unless the socket is nonblocking (see fcntl(2)) in which case the value -1 is returned and the external variable errno set to EAGAIN. 
The receive calls normally return any data available, up to the requested amount, rather than waiting for receipt of the full amount requested; this behavior is affected by the socket-level options SO_RCVLOWAT and SO_RCVTIMEO described in getsockopt(2). The select(2) call may be used to determine when more data arrive. The flags argument to a recv call is formed by or'ing one or more of the values: MSG_OOB process out-of-band data MSG_PEEK peek at incoming message MSG_WAITALL wait for full request or error The MSG_OOB flag requests receipt of out-of-band data that would not be received in the normal data stream. Some protocols place expedited data at the head of the normal data queue, and thus this flag cannot be used with such protocols. The MSG_PEEK flag causes the receive operation to return data from the beginning of the receive queue without removing that data from the queue. Thus, a subsequent receive call will return the same data. The MSG_WAITALL flag requests that the operation block until the full request is satisfied. However, the call may still return less data than requested if a signal is caught, an error or disconnect occurs, or the next data to be received is of a different type than that re- turned. The recvmsg() call uses a msghdr structure to minimize the number of di- rectly supplied parameters. This structure has the following form, as defined in <sys/socket.h>: struct msghdr { caddr_t msg_name; /* optional address */ u_int msg_namelen; /* size of address */ struct iovec *msg_iov; /* scatter/gather array */ u_int msg_iovlen; /* # elements in msg_iov */ caddr_t msg_control; /* ancillary data, see below */ u_int msg_controllen; /* ancillary data buffer len */ int msg_flags; /* flags on received message */ }; If msg_name is non-null, and the socket is not connection-oriented, the source address of the message is filled in. 
The amount of space avail- able for the address is provided by msg_namelen, which is modified on re- turn to reflect the length of the stored address. If the buffer is too small, the address is truncated; this is indicated when msg_namelen is less than the length embedded in the address (sa_len). If msg_name is null, msg_namelen is not modified. Otherwise, if the socket is connec- tion-oriented, the address buffer will not be modified, and msg_namelen will be set to zero. Msg_iov and msg_iovlen describe scatter gather locations, as discussed in read(2). Msg_control, which has length msg_controllen, points to a buffer for other protocol control related messages or other miscellaneous ancillary data. The messages are of the form: struct cmsghdr { u_int cmsg_len; /* data byte count, including hdr */ int cmsg_level; /* originating protocol */ int cmsg_type; /* protocol-specific type */ /* followed by u_char cmsg_data[]; */ }; As an example, one could use this to learn of changes in the data-stream in XNS/SPP, or in ISO, to obtain user-connection-request data by request- ing a recvmsg with no data buffer provided immediately after an accept() call. Open file descriptors are now passed as ancillary data for AF_LOCAL do- main sockets, with cmsg_level set to SOL_SOCKET and cmsg_type set to SCM_RIGHTS. The msg_flags field is set on return according to the message received. MSG_EOR indicates end-of-record; the data returned completed a record (generally used with sockets of type SOCK_SEQPACKET). MSG_TRUNC indicates that the trailing portion of a datagram was discarded because the data- gram was larger than the buffer supplied. MSG_CTRUNC indicates that some control data were discarded due to lack of space in the buffer for ancil- lary data. MSG_OOB is returned to indicate that expedited or out-of-band data were received. RETURN VALUES These calls return the number of bytes received, or -1 if an error oc- curred. 
EXAMPLES The following code is an example of parsing the control information re- turned in the msg_control field. This example shows how to parse the control messages for a localdomain(4) socket to obtain passed file de- scriptors and the sender's credentials. #include <sys/param.h> #include <sys/socket.h> #include <sys/ucred.h> struct msghdr msghdr; struct cmsghdr *cm; struct fcred *fc; /* Pointer to the credentials */ int fdcnt; /* The number of file descriptors passed */ int *fds; /* The passed array of file descriptors */ #define ENOUGH_CMSG(p, size) ((p)->cmsg_len >= ((size) + sizeof(*(p)))) fc = NULL; fdcnt = 0; fds = NULL; if (msghdr.msg_controllen >= sizeof (struct cmsghdr) && (msghdr.msg_flags & MSG_CTRUNC) == 0) { for (cm = CMSG_FIRSTHDR(&msghdr); cm != NULL && cm->cmsg_len >= sizeof(*cm); cm = CMSG_NXTHDR(&msghdr, cm)) { if (cm->cmsg_level != SOL_SOCKET) continue; switch (cm->cmsg_type) { case SCM_RIGHTS: fdcnt = (cm->cmsg_len - sizeof(*cm)) / sizeof(int); fds = (int *)CMSG_DATA(cm); break; case SCM_CREDS: if (ENOUGH_CMSG(cm, sizeof(*fc))) fc = (struct fcred *)CMSG_DATA(cm); break; } } } ERRORS The calls fail if: [EBADF] The argument s is an invalid descriptor. [ENOTCONN] The socket is associated with a connection-oriented protocol and has not been connected (see connect(2) and accept(2)). [ENOTSOCK] The argument s does not refer to a socket. [EAGAIN] The socket is marked non-blocking, and the receive operation would block, or a receive timeout had been set, and the time- out expired before data were received. [EINTR] The receive was interrupted by delivery of a signal before any data were available. [EFAULT] The receive buffer pointer(s) point outside the process's ad- dress space. SEE ALSO fcntl(2), read(2), select(2), getsockopt(2), socket(2), ip(4), lo- cal(4) HISTORY The recv function call appeared in 4.2BSD. 4.3-Reno Berkeley Distribution February 21, 1994 4