Bugzilla – Attachment 1598 Details for
Bug 1423
Service ACL support for ssh on Mac OS X.
Updated patch to check for mbr_check_service_membership() for SACL support.
sacl.patch (text/plain), 4.97 KB, created by
Disco Vince Giffin
on 2009-01-23 12:43:36 AEDT
Description:
Updated patch to check for mbr_check_service_membership() for SACL support.
Filename:
MIME Type:
Creator:
Disco Vince Giffin
Created:
2009-01-23 12:43:36 AEDT
Size:
4.97 KB
patch
obsolete
>diff -uNr ../openssh-5.1p1.orig/auth.c ./auth.c
>--- ../openssh-5.1p1.orig/auth.c 2008-07-09 03:54:51.000000000 -0700
>+++ ./auth.c 2009-01-22 17:36:18.000000000 -0800
>@@ -71,6 +71,12 @@
> #endif
> #include "monitor_wrap.h"
> 
>+#ifdef HAVE_MBR_CHECK_SERVICE_MEMBERSHIP
>+/* Our membershipPriv.h is not yet API, so I will define the prototypes that I need here. */
>+int mbr_user_name_to_uuid(const char *name, uuid_t uu);
>+int mbr_check_service_membership(const uuid_t user, const char *servicename, int *ismember);
>+#endif
>+
> /* import */
> extern ServerOptions options;
> extern int use_privsep;
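Review bot: The two hand-written prototypes use `uuid_t` with no include visible in the hunk, so they compile only if auth.c already pulls in a header that defines that type; if it does not, an `#include <uuid/uuid.h>` inside the same `#ifdef HAVE_MBR_CHECK_SERVICE_MEMBERSHIP` block is needed. Declaring a system library's functions locally also means a signature change in a later OS release is not caught at compile time; a configure check for `<membership.h>` that falls back to these prototypes only when the header is missing would keep the real declarations in play where they exist. The comment should at least name the OS release these prototypes were copied from, e.g. `/* Copied from membershipPriv.h of <OS release>; replace with <membership.h> once the API is public. */`. The rest of auth.c's include section lies outside the hunk.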
>@@ -235,6 +241,46 @@
> ga_free();
> }
> 
>+ if( options.sacl_support )
>+ {
>+#ifdef HAVE_MBR_CHECK_SERVICE_MEMBERSHIP
>+ /*
>+ * Here we check with memberd if the Service ACLs allow this user to
>+ * use the ssh service.
>+ */
>+
>+ debug("Checking with Service ACLs for ssh login restrictions");
>+
>+ uuid_t user_uuid;
>+ int isMember = 0;
>+ int mbrErr = 0;
>+
>+ // get the uuid
>+ if ( mbr_user_name_to_uuid(pw->pw_name, user_uuid) )
>+ {
>+ debug("call to mbr_user_name_to_uuid with <%s> failed to retrieve user_uuid", pw->pw_name);
>+ return 0;
>+ }
>+ debug("call to mbr_user_name_to_uuid with <%s> suceeded to retrieve user_uuid", pw->pw_name);
>+
>+ // check the sacl
>+ if((mbrErr = mbr_check_service_membership(user_uuid, "ssh", &isMember)))
>+ {
>+ debug("Called mbr_check_service_membership with isMember <%d> with status <%d>", isMember, mbrErr);
>+ if(mbrErr == ENOENT) // no ACL exists
>+ {
>+ return 1;
>+ } else {
>+ return 0;
>+ }
>+ }
>+ debug("Call to mbr_check_service_membership failed with status <%d>", mbrErr);
>+ return isMember;
>+#endif /* HAVE_MBR_CHECK_SERVICE_MEMBERSHIP */
>+ }
>+
>+
>+
> #ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
> if (!sys_auth_allowed_user(pw, &loginmsg))
> return 0;
>diff -uNr ../openssh-5.1p1.orig/config.h.in ./config.h.in
>--- ../openssh-5.1p1.orig/config.h.in 2008-07-21 01:30:49.000000000 -0700
>+++ ./config.h.in 2009-01-22 17:36:18.000000000 -0800
>@@ -587,6 +587,9 @@
> /* Define to 1 if you have the <maillock.h> header file. */
> #undef HAVE_MAILLOCK_H
> 
>+/* Define to 1 if you have the `mbr_check_service_membership' function. */
>+#undef HAVE_MBR_CHECK_SERVICE_MEMBERSHIP
>+
> /* Define to 1 if you have the `md5_crypt' function. */
> #undef HAVE_MD5_CRYPT
> 
>diff -uNr ../openssh-5.1p1.orig/configure ./configure
>--- ../openssh-5.1p1.orig/configure 2008-07-21 01:30:50.000000000 -0700
>+++ ./configure 2009-01-22 17:36:18.000000000 -0800
>@@ -12657,6 +12657,7 @@
> 
> 
> 
>+
> for ac_func in \
> arc4random \
> arc4random_buf \
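Review bot: The `return isMember;` at the end of the SACL block, and the `return 1;` taken on ENOENT, leave the enclosing function (allowed_user(), going by the sys_auth_allowed_user() context; it continues outside the hunk) as soon as memberd grants access, so the `sys_auth_allowed_user()` check under CUSTOM_SYS_AUTH_ALLOWED_USER and anything after it are skipped whenever SACLSupport is on and the build has mbr_check_service_membership(). Only a deny should return early; a grant must fall through to the remaining checks. The debug() on the success path also reads `failed with status`, although it is reached only when mbr_check_service_membership() returned 0, and a non-ENOENT error is turned into a deny at debug level only, so an administrator with a broken memberd sees users locked out with nothing in the normal log; a logit() there would make it diagnosable. When the option is set but HAVE_MBR_CHECK_SERVICE_MEMBERSHIP is undefined the block compiles to nothing and the setting is silently ignored; an `#else` branch that logs that SACLSupport is unsupported on this build avoids a false sense of enforcement.
```c
	/* … unchanged: mbr_user_name_to_uuid() lookup … */
	if ((mbrErr = mbr_check_service_membership(user_uuid, "ssh", &isMember))) {
		if (mbrErr != ENOENT) {
			logit("mbr_check_service_membership failed for %.100s: %s",
			    pw->pw_name, strerror(mbrErr));
			return 0;
		}
		/* ENOENT: no SACL configured for ssh, nothing to enforce */
	} else if (!isMember) {
		logit("User %.100s not allowed by ssh Service ACL", pw->pw_name);
		return 0;
	}
	/* grant or no ACL: fall through to the remaining checks */
#else
	logit("SACLSupport requested but not supported by this build");
#endif /* HAVE_MBR_CHECK_SERVICE_MEMBERSHIP */
	}
	/* … unchanged: CUSTOM_SYS_AUTH_ALLOWED_USER check … */
```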
>@@ -12692,6 +12693,7 @@
> inet_ntop \
> innetgr \
> login_getcapbool \
>+ mbr_check_service_membership \
> md5_crypt \
> memmove \
> mkdtemp \
>diff -uNr ../openssh-5.1p1.orig/configure.ac ./configure.ac
>--- ../openssh-5.1p1.orig/configure.ac 2008-07-09 04:07:19.000000000 -0700
>+++ ./configure.ac 2009-01-22 17:36:18.000000000 -0800
>@@ -1335,6 +1335,7 @@
> inet_ntop \
> innetgr \
> login_getcapbool \
>+ mbr_check_service_membership \
> md5_crypt \
> memmove \
> mkdtemp \
>diff -uNr ../openssh-5.1p1.orig/servconf.c ./servconf.c
>--- ../openssh-5.1p1.orig/servconf.c 2008-07-03 20:51:12.000000000 -0700
>+++ ./servconf.c 2009-01-22 17:36:18.000000000 -0800
>@@ -99,6 +99,7 @@
> options->permit_empty_passwd = -1;
> options->permit_user_env = -1;
> options->use_login = -1;
>+ options->sacl_support = -1;
> options->compression = -1;
> options->allow_tcp_forwarding = -1;
> options->allow_agent_forwarding = -1;
>@@ -302,6 +303,7 @@
> sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
> sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
> sUsePrivilegeSeparation, sAllowAgentForwarding,
>+ sSACLSupport,
> sDeprecated, sUnsupported
> } ServerOpCodes;
> 
>@@ -409,6 +411,7 @@
> { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
> { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
> { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
>+ { "saclsupport", sSACLSupport },
> { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
> { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
> { "match", sMatch, SSHCFG_ALL },
>@@ -922,6 +925,10 @@
> charptr = &options->xauth_location;
> goto parse_filename;
> 
>+ case sSACLSupport:
>+ intptr = &options->sacl_support;
>+ goto parse_flag;
>+
> case sStrictModes:
> intptr = &options->strict_modes;
> goto parse_flag;
>diff -uNr ../openssh-5.1p1.orig/servconf.h ./servconf.h
>--- ../openssh-5.1p1.orig/servconf.h 2008-06-10 06:01:51.000000000 -0700
>+++ ./servconf.h 2009-01-22 17:36:18.000000000 -0800
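Review bot: `options->sacl_support = -1;` follows the initialize_server_options() convention of "unset", but no hunk in this patch adds the matching `if (options->sacl_support == -1) options->sacl_support = 0;` to fill_default_server_options(), and the test in auth.c is `if( options.sacl_support )`, which is true for -1. As written, a server with no SACLSupport line in sshd_config enforces the Service ACL by default, so an administrator who never heard of the option can find users locked out after upgrading on a host where an ssh SACL exists. Either add the fill_default line or test `== 1` in auth.c, and document the chosen default in sshd_config.5, which this patch does not touch. The enum and parser-case hunks below are fine in that respect.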
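Review bot: `{ "saclsupport", sSACLSupport },` in the keyword table omits the third initializer that every neighbouring entry carries (`SSHCFG_GLOBAL` or `SSHCFG_ALL`), so the flags field is zero-initialized rather than chosen. Matching the UsePrivilegeSeparation entry above it, `{ "saclsupport", sSACLSupport, SSHCFG_GLOBAL },` states the intent explicitly; if enforcement inside a Match block is wanted, SSHCFG_ALL is the flag the match-capable entries use. What a zero flags value does in parse_token() and process_server_config_line() is decided outside this hunk, so I have not traced the consequence, but a value no other entry has is worth avoiding on its own.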
>@@ -143,6 +143,7 @@
> char *adm_forced_command;
> 
> int use_pam; /* Enable auth via PAM */
>+ int sacl_support; /* Enable use of SACLs */
> 
> int permit_tun;
> 
>diff -uNr ../openssh-5.1p1.orig/sshd_config ./sshd_config
>--- ../openssh-5.1p1.orig/sshd_config 2008-07-02 05:35:43.000000000 -0700
>+++ ./sshd_config 2009-01-22 17:36:18.000000000 -0800
>@@ -61,6 +61,9 @@
> #PasswordAuthentication yes
> #PermitEmptyPasswords no
> 
>+# SACL options
>+#SACLSupport yes
>+
> # Change to no to disable s/key passwords
> #ChallengeResponseAuthentication yes
> 
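Review bot: The new field's comment `/* Enable use of SACLs */` says neither what a SACL is nor that the option does nothing unless sshd is built with mbr_check_service_membership(); the neighbouring `use_pam` comment is equally terse, but this option is platform-specific and the struct is read by people who will never see the auth.c block. Suggest `int sacl_support; /* Honour Mac OS X Service ACLs (memberd) for ssh; no effect without HAVE_MBR_CHECK_SERVICE_MEMBERSHIP */`. The ServerOptions struct continues outside the hunk.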