Hello community,
here is the log from the commit of package sblim-sfcb
checked in at Wed Jul 9 18:09:47 CEST 2008.
--------
--- sblim-sfcb/sblim-sfcb.changes 2008-05-17 00:43:01.000000000 +0200
+++ sblim-sfcb/sblim-sfcb.changes 2008-05-29 23:11:18.000000000 +0200
@@ -2 +2,10 @@
-Fri May 16 16:42:30 MDT 2008 - bart@novell.com
+Thu May 29 15:10:06 MDT 2008 - bwhiteley@suse.de
+
+- Enhanced to support HTTP connections over unix domain sockets,
+ including unix socket peer credential authentication without
+ passwords.
+- Changed authentication module to only allow users with uid 0
+ to log in.
+
+-------------------------------------------------------------------
+Fri May 16 16:42:30 MDT 2008 - bwhiteley@suse.de
New:
----
sblim-sfcb-1.3.0-method_out_params.patch
sblim-sfcb-1.3.0-root_only_auth.patch
sblim-sfcb-1.3.0-uds_auth.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ sblim-sfcb.spec ++++++
--- /var/tmp/diff_new_pack.H29582/_old 2008-07-09 18:09:27.000000000 +0200
+++ /var/tmp/diff_new_pack.H29582/_new 2008-07-09 18:09:27.000000000 +0200
@@ -14,7 +14,7 @@
Name: sblim-sfcb
Version: 1.3.0
-Release: 2
+Release: 10
Group: System/Management
License: Other uncritical OpenSource License; CPL 1.0
Url: http://sblim.sf.net/
@@ -23,7 +23,11 @@
Source2: sblim-sfcb.init
%endif
Patch0: sblim-sfcb-1.3.0-curl_7.18.patch
+Patch1: sblim-sfcb-1.3.0-uds_auth.patch
+Patch2: sblim-sfcb-1.3.0-root_only_auth.patch
+Patch3: sblim-sfcb-1.3.0-method_out_params.patch
Provides: cimserver
+Provides: cim-server
%if 0%{?suse_version} >= 1030
BuildRequires: libcurl-devel
%else
@@ -52,6 +56,9 @@
%prep
%setup -T -b 0 -n %{name}-%{version}
%patch0 -b .curl_7.18.patch
+%patch1 -b .uds_auth.patch
+%patch2 -b .root_only_auth.patch
+%patch3 -b .method_out_params.patch
export PATCH_GET=0
%build
@@ -60,11 +67,6 @@
make
%install
-if [ `id -ur` != 0 ]
-then
-# paranoia check
- rm -rf $RPM_BUILD_ROOT
-fi
make DESTDIR=$RPM_BUILD_ROOT install
# comment out - NWP - removing schema pkg
#make DESTDIR=$RPM_BUILD_ROOT install-cimschema
@@ -136,7 +138,13 @@
%files -f _pkg_list
%changelog
-* Fri May 16 2008 bart@novell.com
+* Thu May 29 2008 bwhiteley@suse.de
+- Enhanced to support HTTP connections over unix domain sockets,
+ including unix socket peer credential authentication without
+ passwords.
+- Changed authentication module to only allow users with uid 0
+ to log in.
+* Fri May 16 2008 bwhiteley@suse.de
- Moved back to 1.3.0. 1.3.1 has problems. Removed schema
package, and placed a dependency on cim-schema package
instead.
++++++ sblim-sfcb-1.3.0-method_out_params.patch ++++++
--- ./cimXmlGen.c.method_out_params.patch 2008-01-31 15:08:13.000000000 -0700
+++ ./cimXmlGen.c 2008-06-24 00:14:44.000000000 -0600
@@ -629,18 +629,25 @@
sb->ft->appendBlock(sb, bTag,bTagLen);
sb->ft->appendChars(sb, (char *) name->hdl);
if (param) SFCB_APPENDCHARS_BLOCK(sb, "\" PARAMTYPE=\"");
- else if (bTag) {
- SFCB_APPENDCHARS_BLOCK(sb, "\" TYPE=\"");
- if(data->type & CMPI_instance || data->type & CMPI_class) {
- SFCB_APPENDCHARS_BLOCK(sb, "string");
- } else {
- sb->ft->appendChars(sb, dataType(data->type));
- }
+ else if (bTag) SFCB_APPENDCHARS_BLOCK(sb, "\" TYPE=\"");
+ if (data->type == CMPI_refA) {
+ SFCB_APPENDCHARS_BLOCK(sb, "reference");
+ }
+ else if(data->type & ~CMPI_ARRAY == CMPI_instance
+ || data->type & ~CMPI_ARRAY == CMPI_class) {
+ SFCB_APPENDCHARS_BLOCK(sb, "string");
+ } else {
+ sb->ft->appendChars(sb, dataType(data->type));
}
SFCB_APPENDCHARS_BLOCK(sb, "\">\n");
if (qsb) sb->ft->appendChars(sb, (char *) qsb->hdl);
if (data->state == 0) {
- SFCB_APPENDCHARS_BLOCK(sb, "\n");
+ if (data->type == CMPI_refA) {
+ SFCB_APPENDCHARS_BLOCK(sb, "\n");
+ }
+ else {
+ SFCB_APPENDCHARS_BLOCK(sb, "\n");
+ }
for (j = 0; j < ac; j++) {
d = CMGetArrayElementAt(ar, j, NULL);
if ((d.state & CMPI_nullValue)==0) {
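Review bot: The new type test on the two `else if` lines binds incorrectly: `==` has higher precedence than `&`, so `data->type & ~CMPI_ARRAY == CMPI_instance` evaluates `~CMPI_ARRAY == CMPI_instance` first (almost certainly 0) and then masks `data->type` with that, so the "string" branch is effectively never taken for instance or class values. Parenthesise both operands: `else if((data->type & ~CMPI_ARRAY) == CMPI_instance` / `|| (data->type & ~CMPI_ARRAY) == CMPI_class) {`. The two branches under `data->state == 0` also appear to append the identical `"\n"` literal; presumably the element tags were lost when this mail was rendered, but if the patch really carries identical literals the `CMPI_refA` branch there is dead code. The enclosing function begins and ends outside this hunk.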
@@ -651,7 +658,11 @@
}
}
}
- SFCB_APPENDCHARS_BLOCK(sb, "\n");
+ if (data->type == CMPI_refA) {
+ SFCB_APPENDCHARS_BLOCK(sb, "\n");
+ } else {
+ SFCB_APPENDCHARS_BLOCK(sb, "\n");
+ }
}
}
@@ -692,11 +703,9 @@
sb->ft->appendBlock(sb, bTag, bTagLen);
sb->ft->appendChars(sb, (char *) name->hdl);
if (param) SFCB_APPENDCHARS_BLOCK(sb, "\" PARAMTYPE=\"");
- else if (bTag) {
- SFCB_APPENDCHARS_BLOCK(sb, "\" TYPE=\"");
- sb->ft->appendChars(sb, type);
- SFCB_APPENDCHARS_BLOCK(sb, "\">\n");
- }
+ else if (bTag) SFCB_APPENDCHARS_BLOCK(sb, "\" TYPE=\"");
+ sb->ft->appendChars(sb, type);
+ SFCB_APPENDCHARS_BLOCK(sb, "\">\n");
if (qsb) sb->ft->appendChars(sb, (char *) qsb->hdl);
if (data->state == 0) value2xml(*data, sb, 1);
}
++++++ sblim-sfcb-1.3.0-root_only_auth.patch ++++++
--- ./sfcBasicPAMAuthentication.c.orig 2008-05-29 14:17:19.000000000 -0600
+++ ./sfcBasicPAMAuthentication.c 2008-05-29 14:40:07.000000000 -0600
@@ -23,6 +23,10 @@
#include
#include
#include
+#include
+#include
+#include
+
#include
@@ -58,7 +62,23 @@
};
pam_handle_t *pamh = NULL;
int rc, retval;
+
+ struct passwd pwdbuf;
+ struct passwd* pwdbufp;
+ int buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
+ char buf[buflen];
+ // Only allow root user to log in
+ rc = getpwnam_r(user, &pwdbuf, buf, buflen, &pwdbufp);
+ if (rc != 0) {
+ return 0;
+ }
+ if (pwdbufp == NULL) {
+ return 0;
+ }
+ if (pwdbufp->pw_uid != 0) {
+ return 0;
+ }
rc = pam_start(SFCB_PAM_APP, user, &sfcConvStruct, & pamh);
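Review bot: `sysconf(_SC_GETPW_R_SIZE_MAX)` may return -1 when the limit is indeterminate, and the hunk feeds that straight into `char buf[buflen]`, a negative-length VLA (undefined behaviour) before `getpwnam_r` is even called. Guard it: `long sz = sysconf(_SC_GETPW_R_SIZE_MAX); if (sz < 0) sz = 16384; char buf[sz];` and pass `sz` to `getpwnam_r`. Because the uid test runs before `pam_start`, rejected non-root logins never reach PAM, so any PAM-side failure logging or lockout does not see them; an `mlogf` at the `pw_uid != 0` return would preserve an audit trail for those attempts. The enclosing function starts and ends outside this hunk.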
++++++ sblim-sfcb-1.3.0-uds_auth.patch ++++++
--- ./control.c.uds_auth.patch 2007-11-12 17:47:59.000000000 -0700
+++ ./control.c 2008-05-28 20:08:17.000000000 -0600
@@ -59,6 +59,7 @@
Control init[] = {
{"httpPort", 1, "5988"},
{"enableHttp", 2, "true"},
+ {"enableUds", 2, "true"},
{"httpProcs", 1, "8"},
{"httpsPort", 1, "5989"},
{"enableHttps", 2, "false"},
@@ -78,6 +79,7 @@
{"provProcs", 1, "32"},
{"basicAuthLib", 0, "sfcBasicAuthentication"},
{"doBasicAuth", 2, "false"},
+ {"doUdsAuth", 2, "false"},
{"useChunking", 2, "false"},
{"chunkSize", 1, "50000"},
@@ -100,6 +102,7 @@
{"sslClientCertificate", 0, "ignore" },
{"certificateAuthLib", 0, "sfcCertificateAuthentication"},
{"localSocketPath", 0, "/tmp/sfcbLocalSocket"},
+ {"httpSocketPath", 0, "/tmp/sfcbHttpSocket"},
{"traceFile", 0, "stderr"},
{"traceLevel", 1, "0"},
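Review bot: The `httpSocketPath` default `/tmp/sfcbHttpSocket` puts the listening socket in a world-writable directory. Since the daemon unlinks and re-creates that name on start-up, a local user who creates the name first while the daemon is down can present an impostor endpoint, and clients configured for Basic authentication may send their credentials to it; a root-owned runtime directory (for example under `/var/run/`) avoids this, and the option's documentation should say the directory must not be world-writable. The same literal is repeated as a fallback in httpAdapter.c; one shared definition would keep the two from drifting.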
--- ./sfcb.cfg.pre.in.uds_auth.patch 2007-02-22 09:04:27.000000000 -0700
+++ ./sfcb.cfg.pre.in 2008-05-28 20:08:17.000000000 -0600
@@ -2,12 +2,14 @@
# Sample Configuration for Small Footprint CIM Broker
httpPort: 5988
enableHttp: @SFCB_CONF_HTTP@
+enableUds: true
httpProcs: 8
httpsPort: 5989
enableHttps: @SFCB_CONF_HTTPS@
httpsProcs: 8
provProcs: 32
doBasicAuth: @SFCB_CONF_DOBASICAUTH@
+doUdsAuth: true
basicAuthLib: @SFCB_CONF_BASICAUTHLIB@
useChunking: true
keepaliveTimeout: 1
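Review bot: The shipped sample sets `doUdsAuth: true` while control.c's built-in default for the same key is `"false"`, so a deployment that installs the sample config behaves differently from one that does not, with no hint in either place. Either align the two values or add a comment line above `doUdsAuth:` stating that peer-credential authentication accepts uid-0 peers on the unix socket without a password, so an administrator sees what is being switched on.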
--- ./sfcBroker.c.uds_auth.patch 2008-04-07 13:35:08.000000000 -0600
+++ ./sfcBroker.c 2008-05-28 20:08:17.000000000 -0600
@@ -533,7 +533,7 @@
int c, i;
long tmask = 0, sslMode=0,sslOMode=0, tracelevel=0;
char * tracefile = NULL;
- int enableHttp=0,enableHttps=0,useChunking=0,doBa=0,enableInterOp=0,httpLocalOnly=0;
+ int enableUds=0,enableHttp=0,enableHttps=0,useChunking=0,doBa=0,enableInterOp=0,httpLocalOnly=0;
long dSockets,sSockets,pSockets;
char *pauseStr;
@@ -656,13 +656,16 @@
if (getControlBool("enableHttp", &enableHttp))
enableHttp=1;
+
+ if (getControlBool("enableUds", &enableUds))
+ enableUds=1;
#if defined USE_SSL
if (getControlBool("enableHttps", &enableHttps))
enableHttps=0;
sslMode=enableHttps;
- sslOMode=sslMode & !enableHttp;
+ sslOMode=sslMode & !enableHttp & !enableUds;
#else
mlogf(M_INFO,M_SHOW,"--- SSL not configured\n");
enableHttps=0;
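Review bot: `sslOMode=sslMode & !enableHttp & !enableUds;` mixes bitwise `&` with logical `!` and only works because each operand happens to be 0 or 1. `sslOMode = sslMode && !enableHttp && !enableUds;` states the intent directly and does not depend on the flags being exactly 1. The enclosing function starts and ends outside this hunk.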
--- ./httpAdapter.c.uds_auth.patch 2008-04-02 10:00:26.000000000 -0600
+++ ./httpAdapter.c 2008-05-28 20:27:58.000000000 -0600
@@ -62,6 +62,7 @@
static char *name;
static int debug;
static int doBa;
+static int doUdsAuth;
static int doFork = 0;
int noChunking = 0;
int sfcbSSLMode = 0;
@@ -800,7 +801,17 @@
}
#endif
- if (!discardInput && doBa) {
+ int authorized = 0;
+ if (!discardInput && doUdsAuth) {
+ struct ucred cr;
+ int cl = sizeof(cr);
+ if (getsockopt(conn_fd.socket, SOL_SOCKET, SO_PEERCRED, &cr, &cl) == 0) {
+ if (cr.uid == 0) {
+ authorized = 1;
+ }
+ }
+ }
+ if (!authorized && !discardInput && doBa) {
if (!(inBuf.authorization && baValidate(inBuf.authorization,&inBuf.principal))) {
char more[]="WWW-Authenticate: Basic realm=\"cimom\"\r\n";
genError(conn_fd, &inBuf, 401, "Unauthorized", more);
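Review bot: The peer-credential check `getsockopt(conn_fd.socket, SOL_SOCKET, SO_PEERCRED, …)` is applied to every connection, not only to those accepted on the unix socket; on Linux the call succeeds on a TCP socket and returns an unset uid (presumably the overflow id, not 0), so the result is correct today but rests on that kernel convention rather than on an explicit check. Querying the socket family first (`getsockname` and test for `AF_UNIX`) would make the trust boundary explicit, and `cl` should be declared `socklen_t`, which is the type getsockopt's length argument takes. When `authorized` is set the Basic-auth path is skipped, so `inBuf.principal` is never assigned for these requests; whatever reads the principal downstream (not visible here) will see its initial value, so assign a fixed identity there if that field is relied upon. The enclosing function starts and ends outside this hunk.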
@@ -1355,12 +1366,18 @@
#else
struct sockaddr_in sin;
#endif
+ struct sockaddr_un sun;
- socklen_t sz,sin_len;
- int i,ru;
+ socklen_t sz,sin_len,sun_len;
+ int i,ru,rc;
char *cp;
long procs, port;
- int listenFd, connFd;
+ int listenFd=-1, udsListenFd=-1, connFd;
+ int enableUds=0,enableHttp=0;
+ fd_set httpfds;
+ int maxfdp1;
+
+ static char *udsPath=NULL;
name = argv[0];
debug = 1;
@@ -1382,6 +1399,8 @@
else {
if (getControlNum("httpPort", &port))
port = 5988;
+ if (getControlChars("httpSocketPath", &udsPath))
+ udsPath = "/tmp/sfcbHttpSocket";
hBase=htBase;
hMax=htMax;
}
@@ -1392,12 +1411,23 @@
} else {
if (getControlNum("httpProcs", &procs))
procs = 10;
+ if (getControlBool("enableHttp", &enableHttp))
+ enableHttp=1;
+ if (getControlBool("enableUds", &enableUds))
+ enableUds=1;
+ if (!enableUds)
+ udsPath = NULL;
+ if (!enableHttp)
+ port = -1;
}
initHttpProcCtl(procs,sslMode);
if (getControlBool("doBasicAuth", &doBa))
doBa=0;
+ if (getControlBool("doUdsAuth", &doUdsAuth))
+ doUdsAuth=0;
+
if (getControlNum("keepaliveTimeout", &keepaliveTimeout))
keepaliveTimeout = 15;
@@ -1439,11 +1469,12 @@
if (sslMode) mlogf(M_INFO,M_SHOW,"--- %s HTTPS Daemon V" sfcHttpDaemonVersion " started - %d - port %ld\n",
name, currentProc,port);
- else mlogf(M_INFO,M_SHOW,"--- %s HTTP Daemon V" sfcHttpDaemonVersion " started - %d - port %ld\n",
- name, currentProc,port);
+ else mlogf(M_INFO,M_SHOW,"--- %s HTTP Daemon V" sfcHttpDaemonVersion " started - %d - port %ld, %s\n",
+ name, currentProc,port,udsPath);
if (doBa) mlogf(M_INFO,M_SHOW,"--- Using Basic Authentication\n");
+ if (doUdsAuth) mlogf(M_INFO,M_SHOW,"--- Using Unix Socket Peer Cred Authentication\n");
if (keepaliveTimeout == 0) {
mlogf(M_INFO,M_SHOW,"--- Keep-alive timeout disabled\n");
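Review bot: The new HTTP start-up message passes `udsPath` to a `%s` conversion, but the configuration block earlier in this function sets `udsPath = NULL` when `enableUds` is false, so this `mlogf` then passes a null pointer to `%s` (undefined behaviour; glibc happens to print "(null)"). Use `name, currentProc,port,udsPath ? udsPath : "-");` or split the message into two lines. The enclosing function starts and ends outside this hunk.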
@@ -1452,51 +1483,80 @@
mlogf(M_INFO,M_SHOW,"--- Maximum requests per connection: %ld\n",keepaliveMaxRequest);
}
-#ifdef USE_INET6
- listenFd = socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP);
- if (listenFd < 0) {
- mlogf(M_INFO,M_SHOW,"--- Using IPv4 address\n");
- listenFd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
+ ru = 1;
+ if (enableUds) {
+ udsListenFd = socket(PF_UNIX, SOCK_STREAM, 0);
}
+ if (enableHttp || sslMode) {
+#ifdef USE_INET6
+ listenFd = socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP);
+ if (listenFd < 0) {
+ mlogf(M_INFO,M_SHOW,"--- Using IPv4 address\n");
+ listenFd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
+ }
#else
- listenFd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
+ listenFd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
#endif
+ setsockopt(listenFd, SOL_SOCKET, SO_REUSEADDR, (char *) &ru, sizeof(ru));
+ }
sin_len = sizeof(sin);
-
- ru = 1;
- setsockopt(listenFd, SOL_SOCKET, SO_REUSEADDR, (char *) &ru, sizeof(ru));
+ sun_len = sizeof(sun);
memset(&sin,0,sin_len);
+ memset(&sun,0,sun_len);
+
+ if (udsListenFd >= 0) {
+ if (getControlChars("httpSocketPath", &udsPath)) {
+ mlogf(M_ERROR,M_SHOW,"--- No unix socket path defined for HTTP\n");
+ sleep(1);
+ kill(sfcbPid,3);
+ }
+ sun.sun_family=AF_UNIX;
+ strcpy(sun.sun_path,udsPath);
+ }
- if (getControlBool("httpLocalOnly", &httpLocalOnly))
- httpLocalOnly=0;
+ if (listenFd >= 0) {
+ if (getControlBool("httpLocalOnly", &httpLocalOnly))
+ httpLocalOnly=0;
#ifdef USE_INET6
- sin.sin6_family = AF_INET6;
- if (httpLocalOnly)
- sin.sin6_addr = in6addr_loopback;
- else
- sin.sin6_addr = in6addr_any;
- sin.sin6_port = htons(port);
+ sin.sin6_family = AF_INET6;
+ if (httpLocalOnly)
+ sin.sin6_addr = in6addr_loopback;
+ else
+ sin.sin6_addr = in6addr_any;
+ sin.sin6_port = htons(port);
#else
- sin.sin_family = AF_INET;
- if (httpLocalOnly) {
- char* loopback_int = "127.0.0.1";
- inet_aton(loopback_int, &sin.sin_addr); /* not INADDR_LOOPBACK ? */
- }
- else
- sin.sin_addr.s_addr = INADDR_ANY;
- sin.sin_port = htons(port);
+ sin.sin_family = AF_INET;
+ if (httpLocalOnly) {
+ char* loopback_int = "127.0.0.1";
+ inet_aton(loopback_int, &sin.sin_addr); /* not INADDR_LOOPBACK ? */
+ }
+ else
+ sin.sin_addr.s_addr = INADDR_ANY;
+ sin.sin_port = htons(port);
#endif
-
- if (bind(listenFd, (struct sockaddr *) &sin, sin_len) ||
- listen(listenFd, 0)) {
- mlogf(M_ERROR,M_SHOW,"--- Cannot listen on port %ld (%s)\n", port, strerror(errno));
- sleep(1);
- kill(sfcbPid,3);
}
+ if (listenFd >= 0) {
+ if (bind(listenFd, (struct sockaddr *) &sin, sin_len) ||
+ listen(listenFd, 10)) {
+ mlogf(M_ERROR,M_SHOW,"--- Cannot listen on port %ld (%s)\n", port, strerror(errno));
+ sleep(1);
+ kill(sfcbPid,3);
+ }
+ }
+ if (udsListenFd >= 0) {
+ unlink(udsPath);
+ if (bind(udsListenFd, (struct sockaddr *) &sun, sun_len) ||
+ listen(udsListenFd, 10)) {
+ mlogf(M_ERROR,M_SHOW,"--- Cannot listen on unix socket %s (%s)\n", udsPath, strerror(errno));
+ sleep(1);
+ kill(sfcbPid,3);
+ }
+ }
+
if (!debug) {
int rc = fork();
if (rc == -1) {
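Review bot: `strcpy(sun.sun_path,udsPath);` copies an administrator-supplied path into the fixed-size `sun_path` member with no length check; a value longer than `sizeof(sun.sun_path)` (108 bytes on Linux) overruns the stack struct. Reject an over-long path before the copy, mirroring the error pattern already used in this function. The `socket(PF_UNIX, …)` result is likewise unchecked, so a failure silently leaves `udsListenFd` at -1 and the unix endpoint never comes up; an `mlogf` there would make the misconfiguration visible. The enclosing function starts and ends outside this hunk.
```c
if (udsListenFd >= 0) {
    /* … unchanged: httpSocketPath lookup and its error exit … */
    sun.sun_family=AF_UNIX;
    if (strlen(udsPath) >= sizeof(sun.sun_path)) {
        mlogf(M_ERROR,M_SHOW,"--- Unix socket path too long: %s\n", udsPath);
        sleep(1);
        kill(sfcbPid,3);
    }
    strcpy(sun.sun_path,udsPath);
}
```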
@@ -1558,23 +1618,56 @@
}
#endif
+ maxfdp1 = (listenFd > udsListenFd? listenFd : udsListenFd) + 1;
for (;;) {
- char *emsg;
- listen(listenFd, 1);
- sz = sizeof(sin);
- if ((connFd = accept(listenFd, (__SOCKADDR_ARG) & sin, &sz))<0) {
+ char *emsg;
+ // listen(listenFd, 1);
+ FD_ZERO(&httpfds);
+ if (listenFd >= 0) {
+ FD_SET(listenFd, &httpfds);
+ }
+ if (udsListenFd >= 0) {
+ FD_SET(udsListenFd, &httpfds);
+ }
+ rc = select(maxfdp1, &httpfds, NULL, NULL, NULL);
+ if (rc < 0) {
if (errno == EINTR || errno == EAGAIN) {
if (stopAccepting) break;
continue;
- }
- emsg=strerror(errno);
- mlogf(M_ERROR,M_SHOW,"--- accept error %s\n",emsg);
- _SFCB_ABORT();
+ }
}
- _SFCB_TRACE(1, ("--- Processing http request"));
+ if (listenFd >= 0 && FD_ISSET(listenFd, &httpfds)) {
+ sz = sin_len;
+ if ((connFd = accept(listenFd, (__SOCKADDR_ARG) &sin, &sz))<0) {
+ if (errno == EINTR || errno == EAGAIN) {
+ if (stopAccepting) break;
+ continue;
+ }
+ emsg=strerror(errno);
+ mlogf(M_ERROR,M_SHOW,"--- accept error %s\n",emsg);
+ _SFCB_ABORT();
+ }
+ _SFCB_TRACE(1, ("--- Processing http request"));
- handleHttpRequest(connFd);
- close(connFd);
+ handleHttpRequest(connFd);
+ close(connFd);
+ }
+ if (udsListenFd >= 0 && FD_ISSET(udsListenFd, &httpfds)) {
+ sz = sun_len;
+ if ((connFd = accept(udsListenFd, (__SOCKADDR_ARG) &sun, &sz))<0) {
+ if (errno == EINTR || errno == EAGAIN) {
+ if (stopAccepting) break;
+ continue;
+ }
+ emsg=strerror(errno);
+ mlogf(M_ERROR,M_SHOW,"--- accept error %s\n",emsg);
+ _SFCB_ABORT();
+ }
+ _SFCB_TRACE(1, ("--- Processing http request"));
+
+ handleHttpRequest(connFd);
+ close(connFd);
+ }
}
remProcCtl();
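Review bot: A `select()` failure other than EINTR/EAGAIN is not handled: `rc < 0` falls through to the `FD_ISSET` tests, and since on Linux the fd sets are left unmodified on error both listeners then look ready and the loop proceeds to a blocking `accept`, whereas the old code logged and aborted on an accept error. Mirror that in the `rc < 0` block after the EINTR/EAGAIN test: `emsg=strerror(errno); mlogf(M_ERROR,M_SHOW,"--- select error %s\n",emsg); _SFCB_ABORT();`. The function-scope `int rc` added in the earlier declarations hunk is also shadowed by `int rc = fork();` inside `if (!debug)`, which `-Wshadow` will flag. The enclosing function starts before this hunk.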
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++