pcp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [pcp] user/group access control question

from [Dave Brolley] [Permanent Link][Original]
To: Ken McDonell <kenj@xxxxxxxxxxxxxxxx>, pcp@xxxxxxxxxxx
Subject: Re: [pcp] user/group access control question
From: Dave Brolley <brolley@xxxxxxxxxx>
Date: Tue, 28 Oct 2014 13:48:15 -0400
Delivered-to: pcp@xxxxxxxxxxx
In-reply-to: <001f01cff196$66cf3e00$346dba00$@internode.on.net>
References: <001f01cff196$66cf3e00$346dba00$@internode.on.net>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.7.0 
On 10/26/2014 11:30 PM, Ken McDonell wrote:

I think this one for Dave Brolley, but I'd welcome insight from any quarter.
Not completely my domain, but I have worked in this area and don't mind having a look. 
qa/944 seems to be failing in the client connecting to pmcd which is
returning an error code of -95.  The problem seems to be in the logic around
DoCreds() where we never get to CheckAccountAccess() because the earlier
call to __pmSecureServerHandshake() fails, with, er, -95.

I am not sure how things are supposed to work in this config setup, but the
patch below makes qa/944 pass on at least one of these failing platforms.
Note this is for the "not secure sockets" variant of the implementation of
pmSecureServerHandshake() (there are two implementations in the code).

Could someone who knows please take a look and let me know if this is even
close to the "correct" way to fix this issue?
Looks like you made a good catch and your are definitely on the right track. The non-secure server implementation of __pmSecureServerHandshake() definitely needs to handle PDU_FLAG_CREDS_REQD. However we need one additional bit from the secure server implementation. Here is an updated patch for which PDU_FLAG_CREDS_REQD is still not supported unless the connection is from a unix domain socket.
I'll test it here, but would appreciate it if you could test it in your failing environment. 

Nathan, can you please also review the updated patch?

Thanks,
Dave

-------------------------------------------
diff --git a/src/libpcp/src/auxserver.c b/src/libpcp/src/auxserver.c
index 498bac4..f863b58 100644
--- a/src/libpcp/src/auxserver.c
+++ b/src/libpcp/src/auxserver.c
@@ -867,7 +867,23 @@ __pmSecureServerHandshake(int fd, int flags, __pmHashCtl *attrs) 
     (void)fd;
     (void)flags;
     (void)attrs;
-    return -EOPNOTSUPP;
+
+    /* for things that require a secure server, return -EOPNOTSUPP */
+    if ((flags & (PDU_FLAG_SECURE | PDU_FLAG_SECURE_ACK | PDU_FLAG_COMPRESS
+                  | PDU_FLAG_AUTH)) != 0)
+       return -EOPNOTSUPP;
+
+    /* CREDS_REQD is a special case that does not need a secure server, but
+       does require a unix domain socket in the absence of secure server
+       support. */
+    if ((flags & PDU_FLAG_CREDS_REQD) != 0) {
+       if (__pmHashSearch(PCP_ATTR_USERID, attrs) != NULL)
+            return 0;  /* unix domain socket */
+       return -EOPNOTSUPP;
+    }
+
+    /* otherwise the flags are not expected */
+    return PM_ERR_IPC;
 }

 int
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  PCP Updates: Incorrect pmLogIndom Record Description in pcp-archive(5), Dave Brolley
Next by Date:  QA Failures: 660 and 752, Dave Brolley
Previous by Thread:  user/group access control question, Ken McDonell
Next by Thread:  Re: [pcp] user/group access control question, Dave Brolley
Indexes:  [Date] [Thread] [Top] [All Lists]