commit tog-pegasus for openSUSE:Factory
Hello community, here is the log from the commit of package tog-pegasus for openSUSE:Factory checked in at Fri May 29 12:18:46 CEST 2009. -------- --- tog-pegasus/tog-pegasus.changes 2009-05-18 09:38:06.000000000 +0200 +++ /mounts/work_src_done/STABLE/tog-pegasus/tog-pegasus.changes 2009-05-25 19:13:11.000000000 +0200 @@ -1,0 +2,11 @@ +Mon May 25 16:50:44 CEST 2009 - mhrusecky@suse.cz + +- repository is owned by pegasus user and daemon is running as pegasus as well +- 'rctog-pegasus start' fixed so second run wouldn't try to run same daemon again + +------------------------------------------------------------------- +Thu May 21 15:38:31 CEST 2009 - mhrusecky@suse.cz + +- updated to version 2.9.0 + +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- pegasus-2.8.0-gcc44.patch pegasus-2.8.0.tar.bz2 pegasus-config.patch pegasus-local-or-remote-auth.patch New: ---- pegasus-2.9.0-config.patch pegasus-2.9.0-defineable-user.patch pegasus-2.9.0-gcc44.patch pegasus-2.9.0-local-or-remote-auth.patch pegasus-2.9.0.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tog-pegasus.spec ++++++ --- /var/tmp/diff_new_pack.w27124/_old 2009-05-29 12:17:59.000000000 +0200 +++ /var/tmp/diff_new_pack.w27124/_new 2009-05-29 12:17:59.000000000 +0200 @@ -1,5 +1,5 @@ # -# spec file for package tog-pegasus (Version 2.8.0) +# spec file for package tog-pegasus (Version 2.9.0) # # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -19,9 +19,10 @@ Name: tog-pegasus -BuildRequires: cim-schema e2fsprogs-devel fdupes gcc-c++ libicu-devel net-snmp-devel openslp-devel openssl openssl-devel pam-devel pwdutils python-httplib2 -Version: 2.8.0 -Release: 5 +BuildRequires: cim-schema e2fsprogs-devel fdupes gcc-c++ libicu-devel net-snmp-devel +BuildRequires: openslp-devel openssl openssl-devel pam-devel pwdutils python-httplib2 +Version: 2.9.0 +Release: 1 # Summary: OpenPegasus WBEM Services for Linux Group: System/Management @@ -48,14 +49,16 @@ Source15: tog-pegasus.pc # Patch1: pegasus-pam-wbem.patch -Patch2: pegasus-config.patch +Patch2: pegasus-2.9.0-config.patch Patch3: pegasus-no-strip.patch -Patch5: pegasus-local-or-remote-auth.patch +Patch5: pegasus-2.9.0-local-or-remote-auth.patch Patch11: pegasus-2.7.0-strncat.patch Patch12: pegasus-2.8.0-notests.patch -# PATH-FIX-UPSTREAM pegasus-2.8.0-gcc44.patch [ upstream#8496 ] mhrusecky@suse.cz -- Fixed problematic elif - fixes compilation with gcc44 +# PATCH-FIX-UPSTREAM pegasus-2.9.0-gcc44.patch [ upstream#8496 ] mhrusecky@suse.cz -- Fixed problematic elif - fixes compilation with gcc44 # http://bugzilla.openpegasus.org/show_bug.cgi?id=8496 -Patch13: pegasus-2.8.0-gcc44.patch +Patch13: pegasus-2.9.0-gcc44.patch +# PATCH-FEATURE-SUSE pegasus-2.9.0-defineable-user.patch [] mhrusecky@suse.cz -- possibility to use other user then cimsrv +Patch14: pegasus-2.9.0-defineable-user.patch # Provides: tog-pegasus-cimserver Provides: cim-server @@ -67,7 +70,10 @@ PreReq: python-pywbem >= 0.6.20080201.1 PreReq: cim-schema >= 2.17 # due to bug in python package (bnc#427987) +# Should be fixed in 11.2 +%if 0%{?suse_version} < 1120 && 0%{?suse_version} > 0 PreReq: python-devel +%endif Requires: bash, sed, grep, coreutils, procps, openssl >= 0.9.6, pam Requires: bind-utils, net-tools Obsoletes: pegasus-wbem @@ -91,6 +97,7 @@ Summary: OpenPegasus WBEM Services for Linux Group: System/Management Obsoletes: tog-pegasus-sdk +Provides: tog-pegasus-sdk Conflicts: sblim-cmpi-devel Requires: tog-pegasus >= %{version} Requires: gcc-c++ @@ -135,12 +142,13 @@ %prep %setup -q -n pegasus %patch1 -%patch2 -b .pegasus-config.patch +%patch2 %patch3 %patch5 %patch11 %patch12 -b .pegasus-2.8.0-notests.patch %patch13 +%patch14 %build cp -fp %_sourcedir/README.SUSE.Security doc @@ -170,7 +178,7 @@ export PEGASUS_PLATFORM=$PEGASUS_PLATFORM export PEGASUS_ROOT=`pwd` export PEGASUS_HOME=\$PEGASUS_ROOT/_build -export PEGASUS_EXTRA_C_FLAGS="%optflags -Wno-unused" +export PEGASUS_EXTRA_C_FLAGS="%optflags -Wno-unused -fno-strict-aliasing" export PEGASUS_EXTRA_CXX_FLAGS=\$PEGASUS_EXTRA_C_FLAGS export PEGASUS_STAGING_DIR=%buildroot export PEGASUS_ARCH_LIB=%_lib @@ -180,12 +188,13 @@ export PEGASUS_BUILD_TEST_RPM=1 export PEGASUS_ENABLE_MAKE_INSTALL=yes export PEGASUS_SKIP_MOST_TEST_DIRS=true +export PEGASUS_CIMSERVERMAIN_USER=pegasus EOF . rpm-env # vvv remove this when #337901 / gcc.gnu.org/PR31081 gets fixed -mv src/Pegasus/Client/tests/DeleteNamespace/DeleteNamespace.cpp{,.disabled} -echo -e '#include <stdio.h>\nint main() { puts("test disabled"); return 0; }' \ -> src/Pegasus/Client/tests/DeleteNamespace/DeleteNamespace.cpp +# mv src/Pegasus/Client/tests/DeleteNamespace/DeleteNamespace.cpp{,.disabled} +# echo -e '#include <stdio.h>\nint main() { puts("test disabled"); return 0; }' \ +# > src/Pegasus/Client/tests/DeleteNamespace/DeleteNamespace.cpp # ^^^ make -f Makefile.Release create_ProductVersionFile make -f Makefile.Release create_CommonProductDirectoriesInclude @@ -242,7 +251,12 @@ # Create pkg-config file install -d %{buildroot}/usr/%_lib/pkgconfig sed -e "s,@VERSION@,%{version}," %{S:15} > %{buildroot}/usr/%_lib/pkgconfig/%{name}.pc +# Final cleanups %fdupes -s $RPM_BUILD_ROOT/usr/bin +%fdupes -s $RPM_BUILD_ROOT/usr/share/Pegasus/samples +rm -f $RPM_BUILD_ROOT/usr/share/Pegasus/samples/{lib,obj,lib}/target +chmod a-x $RPM_BUILD_ROOT/usr/share/Pegasus/mof/Pegasus/* \ + $RPM_BUILD_ROOT/etc/Pegasus/cimserver_planned.conf ### end of %install %clean @@ -255,10 +269,6 @@ /usr/sbin/groupadd -r pegasus >/dev/null 2>&1 || : /usr/sbin/useradd -r -g pegasus -s /sbin/nologin -d /var/lib/Pegasus \ -c "tog-pegasus OpenPegasus WBEM/CIM services" pegasus >/dev/null 2>&1 || : -/usr/sbin/groupadd -r cimsrvr >/dev/null 2>&1 || : -/usr/sbin/useradd -r -g cimsrvr -s /sbin/nologin \ - -d /var/lib/Pegasus -c "tog-pegasus OpenPegasus WBEM/CIM services" \ - cimsrvr >/dev/null 2>&1 || : # upgrade the repository on package update if test -e %curr_repo; then if test -x /etc/init.d/tog-pegasus && /etc/init.d/tog-pegasus status>/dev/null @@ -311,7 +321,7 @@ if test -d %prev_repo; then echo "running repupgrade to upgrade repository" >&2 /usr/sbin/repupgrade - chown -R cimsrvr.cimsrvr %curr_repo + chown -R pegasus.pegasus %curr_repo rm -rf %prev_repo fi if test -e %restart_flag; then @@ -356,9 +366,9 @@ /var/lib/Pegasus/cache %dir /var/lib/Pegasus/log %attr(0600,root,root) /var/lib/Pegasus/log/install.log -%dir %attr(0700,cimsrvr,cimsrvr) /var/lib/Pegasus/repository -%attr(-,cimsrvr,cimsrvr) /var/lib/Pegasus/repository/* -%attr(755,cimsrvr,cimsrvr) /var/run/tog-pegasus +%dir %attr(0700,pegasus,pegasus) /var/lib/Pegasus/repository +%attr(-,pegasus,pegasus) /var/lib/Pegasus/repository/* +%attr(755,pegasus,pegasus) /var/run/tog-pegasus %dir /usr/share/Pegasus /usr/share/Pegasus/mof %doc /usr/share/man/man[18]/* @@ -379,6 +389,11 @@ # automatically updated from it in the binary RPMS %changelog +* Mon May 25 2009 mhrusecky@suse.cz +- repository is owned by pegasus user and daemon is running as pegasus as well +- 'rctog-pegasus start' fixed so second run wouldn't try to run same daemon again +* Thu May 21 2009 mhrusecky@suse.cz +- updated to version 2.9.0 * Mon May 18 2009 mhrusecky@suse.cz - fixed build in Factory * Tue May 12 2009 mhrusecky@suse.cz ++++++ cimserver_planned.conf ++++++ --- /var/tmp/diff_new_pack.w27124/_old 2009-05-29 12:17:59.000000000 +0200 +++ /var/tmp/diff_new_pack.w27124/_new 2009-05-29 12:17:59.000000000 +0200 @@ -284,16 +284,6 @@ repositoryDir=/var/lib/Pegasus/repository ############################################################################## -# slp -# Description: When set to true, OpenPegasus activates an SLP -# SA and issues DMTF defined SLP advertisements to this SA on -# startup. -# Default Value: false -# Dynamic: No -############################################################################## -slp=false - -############################################################################## # socketWriteTimeout # Description: If the CIM Server receives an EWOULDBLOCK/EAGAIN # error on a non-blocking write, socketWriteTimeout defines the ++++++ pegasus-2.9.0-config.patch ++++++ Index: src/Clients/repupgrade/RepositoryUpgrade.cpp =================================================================== --- src/Clients/repupgrade/RepositoryUpgrade.cpp.orig +++ src/Clients/repupgrade/RepositoryUpgrade.cpp @@ -291,10 +291,10 @@ const char* RepositoryUpgrade::_ALL = "a const String NEW_REPOSITORY_PATH = "/wbem_var/opt/wbem/repository"; const String RepositoryUpgrade::_LOG_PATH = "/wbem_var/opt/wbem/upgrade"; # elif defined(PEGASUS_OS_LINUX) - const String OLD_REPOSITORY_PATH = "/var/opt/tog-pegasus/prev_repository"; - const String NEW_REPOSITORY_PATH = "/var/opt/tog-pegasus/repository"; + const String OLD_REPOSITORY_PATH = "/var/lib/Pegasus/prev_repository"; + const String NEW_REPOSITORY_PATH = "/var/lib/Pegasus/repository"; const String RepositoryUpgrade::_LOG_PATH = - "/var/opt/tog-pegasus/log/upgrade"; + "/var/lib/Pegasus/log/install.log"; # else # undef REPUPGRADE_USE_RELEASE_DIRS const String RepositoryUpgrade::_LOG_PATH = "./"; ++++++ pegasus-2.9.0-defineable-user.patch ++++++ Index: mak/config.mak =================================================================== --- mak/config.mak.orig +++ mak/config.mak @@ -1317,7 +1317,9 @@ ifdef PEGASUS_ENABLE_PRIVILEGE_SEPARATIO ## Defines the user context of the cimservermain process when privilege ## separation is enabled. - PEGASUS_CIMSERVERMAIN_USER = cimsrvr + ifndef PEGASUS_CIMSERVERMAIN_USER + PEGASUS_CIMSERVERMAIN_USER = cimsrvr + endif DEFINES += -DPEGASUS_CIMSERVERMAIN_USER=\"$(PEGASUS_CIMSERVERMAIN_USER)\" endif ++++++ pegasus-2.8.0-gcc44.patch -> pegasus-2.9.0-gcc44.patch ++++++ --- tog-pegasus/pegasus-2.8.0-gcc44.patch 2009-05-18 14:38:41.000000000 +0200 +++ /mounts/work_src_done/STABLE/tog-pegasus/pegasus-2.9.0-gcc44.patch 2009-05-26 11:29:55.000000000 +0200 @@ -2,18 +2,12 @@ =================================================================== --- src/Pegasus/Provider/CMPI/CmpiImpl.cpp.orig +++ src/Pegasus/Provider/CMPI/CmpiImpl.cpp -@@ -3240,11 +3240,13 @@ CmpiBooleanData CmpiFalse(false); +@@ -3238,7 +3238,7 @@ CmpiBooleanData CmpiFalse(false); #ifdef CMPI_VER_200 static CMPIBroker __providerBaseBroker = {0,0,0,0,0}; -#elif CMPI_VER_100 -+#else -+#ifdef CMPI_VER_100 ++#elif defined(CMPI_VER_100) static CMPIBroker __providerBaseBroker = {0,0,0,0}; #else static CMPIBroker __providerBaseBroker = {0,0,0}; - #endif -+#endif - - CmpiProviderBase::CmpiProviderBase() - { ++++++ pegasus-2.9.0-local-or-remote-auth.patch ++++++ Index: src/Executor/Messages.h =================================================================== --- src/Executor/Messages.h.orig +++ src/Executor/Messages.h @@ -198,6 +198,7 @@ struct ExecutorAuthenticatePasswordReque { char username[EXECUTOR_BUFFER_SIZE]; char password[EXECUTOR_BUFFER_SIZE]; + int isRemoteUser; }; struct ExecutorAuthenticatePasswordResponse Index: src/Executor/PAMAuth.h =================================================================== --- src/Executor/PAMAuth.h.orig +++ src/Executor/PAMAuth.h @@ -43,6 +43,7 @@ #include <stdio.h> #include <errno.h> #include <string.h> +#include <syslog.h> #include <Executor/Strlcpy.h> #include <Executor/Strlcat.h> #include <security/pam_appl.h> @@ -393,35 +394,66 @@ static int PAMValidateUserCallback( */ static int PAMAuthenticateInProcess( - const char* username, const char* password) + const char* username, const char* password, int isRemoteUser) { PAMData data; struct pam_conv pconv; - pam_handle_t* handle; + pam_handle_t* phandle; + int retcode; + const char *pam_tty_val = isRemoteUser ? "wbemNetwork" : "wbemLocal"; data.password = password; pconv.conv = PAMAuthenticateCallback; pconv.appdata_ptr = &data; - if (pam_start("wbem", username, &pconv, &handle) != PAM_SUCCESS) - return -1; + // NOTE: if any pam call should log anything, our syslog socket will + // be redirected to the AUTH facility, so we need to redirect it + // back after each pam call. - if (pam_authenticate(handle, 0) != PAM_SUCCESS) + if ((retcode = pam_start("wbem", username, &pconv, &phandle)) != PAM_SUCCESS) { - pam_end(handle, 0); + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog(LOG_ERR, "pam_start failed: %s", pam_strerror(phandle, retcode)); return -1; } - - if (pam_acct_mgmt(handle, 0) != PAM_SUCCESS) + if ((retcode = pam_set_item(phandle, PAM_TTY, pam_tty_val)) != PAM_SUCCESS ) { - pam_end(handle, 0); + pam_end(phandle, 0); + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog(LOG_ERR, "pam_set_item(PAM_TTY=%s) failed: %s", pam_tty_val, + pam_strerror(phandle, retcode)); return -1; } - pam_end(handle, 0); + if ((retcode = pam_authenticate(phandle, 0)) != PAM_SUCCESS) + { + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog(LOG_ERR, "pam_authenticate failed: %s", + pam_strerror(phandle, retcode)); + goto auth_failed; + } + + if (pam_acct_mgmt(phandle, 0) != PAM_SUCCESS) + { + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog(LOG_ERR, "pam_acct_mgmt failed: %s", + pam_strerror(phandle, retcode)); + goto auth_failed; + } + pam_end(phandle, 0); return 0; + +auth_failed: + pam_end(phandle, 0); + syslog(LOG_ERR, "PAM authentication failed for %s user: %s", + isRemoteUser ? "remote" : "local", username); + return -1; } /* @@ -439,15 +471,23 @@ static int PAMValidateUserInProcess(cons PAMData data; struct pam_conv pconv; pam_handle_t* phandle; + int retcode; pconv.conv = PAMValidateUserCallback; pconv.appdata_ptr = &data; - if (pam_start("wbem", username, &pconv, &phandle) != PAM_SUCCESS) + if ((retcode = pam_start("wbem", username, &pconv, &phandle)) != PAM_SUCCESS) + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog(LOG_ERR, "pam_start failed: %s", pam_strerror(phandle, retcode)); return -1; - if (pam_acct_mgmt(phandle, 0) != PAM_SUCCESS) + if ((retcode = pam_acct_mgmt(phandle, 0)) != PAM_SUCCESS) { + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog(LOG_ERR, "pam_acct_mgmt failed: %s", + pam_strerror(phandle, retcode)); pam_end(phandle, 0); return -1; } @@ -467,12 +507,13 @@ static int PAMValidateUserInProcess(cons **============================================================================== */ -static int PAMAuthenticate(const char* username, const char* password) +static int PAMAuthenticate(const char* username, const char* password, + int isRemoteUser) { #ifdef PEGASUS_USE_PAM_STANDALONE_PROC return CimserveraProcessOperation("authenticate", username, password); #else - return PAMAuthenticateInProcess(username, password); + return PAMAuthenticateInProcess(username, password, isRemoteUser); #endif } Index: src/Executor/Parent.c =================================================================== --- src/Executor/Parent.c.orig +++ src/Executor/Parent.c @@ -623,7 +623,8 @@ static void HandleAuthenticatePasswordRe #if defined(PEGASUS_PAM_AUTHENTICATION) - if (PAMAuthenticate(request.username, request.password) != 0) + if (PAMAuthenticate(request.username, request.password, + request.isRemoteUser) != 0) { status = -1; break; Index: src/Executor/tests/PAMAuth/TestExecutorPAMAuth.c =================================================================== --- src/Executor/tests/PAMAuth/TestExecutorPAMAuth.c.orig +++ src/Executor/tests/PAMAuth/TestExecutorPAMAuth.c @@ -49,7 +49,7 @@ int main() sprintf(prompt, "Enter password for %s: ", PEGASUS_CIMSERVERMAIN_USER); pw = getpass(prompt); - if (PAMAuthenticate(PEGASUS_CIMSERVERMAIN_USER, pw) == 0) + if (PAMAuthenticate(PEGASUS_CIMSERVERMAIN_USER, pw, 0) == 0) printf("Correct password\n"); else printf("Wrong password\n"); Index: src/Pegasus/Common/AuthenticationInfo.h =================================================================== --- src/Pegasus/Common/AuthenticationInfo.h.orig +++ src/Pegasus/Common/AuthenticationInfo.h @@ -354,6 +354,22 @@ public: return _rep->getRemotePrivilegedUserAccessChecked(); } + /** Indicate whether the user is Remote + */ + Boolean isRemoteUser() const + { + CheckRep(_rep); + return _rep->isRemoteUser(); + } + + /** Set the Remote User flag + */ + void setRemoteUser(Boolean remoteUser) + { + CheckRep(_rep); + _rep->setRemoteUser(remoteUser); + } + private: AuthenticationInfo(AuthenticationInfoRep* rep) : _rep(rep) Index: src/Pegasus/Common/AuthenticationInfoRep.cpp =================================================================== --- src/Pegasus/Common/AuthenticationInfoRep.cpp.orig +++ src/Pegasus/Common/AuthenticationInfoRep.cpp @@ -44,7 +44,8 @@ const String AuthenticationInfoRep::AUTH AuthenticationInfoRep::AuthenticationInfoRep(Boolean flag) : _connectionAuthenticated(false), - _wasRemotePrivilegedUserAccessChecked(false) + _wasRemotePrivilegedUserAccessChecked(false), + _remoteUser(true) { PEG_METHOD_ENTER( TRC_AUTHENTICATION, "AuthenticationInfoRep::AuthenticationInfoRep"); @@ -166,5 +167,15 @@ void AuthenticationInfoRep::setClientCer PEG_METHOD_EXIT(); } + +void AuthenticationInfoRep::setRemoteUser(Boolean remoteUser) +{ + PEG_METHOD_ENTER(TRC_AUTHENTICATION, + "AuthenticationInfoRep::setRemoteUser"); + + _remoteUser = remoteUser; + + PEG_METHOD_EXIT(); +} PEGASUS_NAMESPACE_END Index: src/Pegasus/Common/AuthenticationInfoRep.h =================================================================== --- src/Pegasus/Common/AuthenticationInfoRep.h.orig +++ src/Pegasus/Common/AuthenticationInfoRep.h @@ -165,6 +165,13 @@ public: return _wasRemotePrivilegedUserAccessChecked; } + Boolean isRemoteUser() const + { + return _remoteUser; + } + + void setRemoteUser(Boolean remoteUser); + private: /** Constructors */ @@ -190,6 +197,7 @@ private: Boolean _wasRemotePrivilegedUserAccessChecked; Array<SSLCertificateInfo*> _clientCertificate; + Boolean _remoteUser; }; PEGASUS_NAMESPACE_END Index: src/Pegasus/Common/Executor.cpp =================================================================== --- src/Pegasus/Common/Executor.cpp.orig +++ src/Pegasus/Common/Executor.cpp @@ -125,7 +125,8 @@ public: virtual int authenticatePassword( const char* username, - const char* password) = 0; + const char* password, + Boolean isRemoteUser) = 0; virtual int validateUser( const char* username) = 0; @@ -555,10 +556,11 @@ public: virtual int authenticatePassword( const char* username, - const char* password) + const char* password, + Boolean isRemoteUser) { #if defined(PEGASUS_PAM_AUTHENTICATION) - return PAMAuthenticate(username, password); + return PAMAuthenticate(username, password, isRemoteUser); #else // ATTN: not handled so don't call in this case. return -1; @@ -897,7 +899,8 @@ public: virtual int authenticatePassword( const char* username, - const char* password) + const char* password, + Boolean isRemoteUser) { AutoMutex autoMutex(_mutex); @@ -915,6 +918,7 @@ public: memset(&request, 0, sizeof(request)); Strlcpy(request.username, username, EXECUTOR_BUFFER_SIZE); Strlcpy(request.password, password, EXECUTOR_BUFFER_SIZE); + request.isRemoteUser = isRemoteUser; if (SendBlock(_sock, &request, sizeof(request)) != sizeof(request)) return -1; @@ -1165,10 +1169,11 @@ int Executor::reapProviderAgent( int Executor::authenticatePassword( const char* username, - const char* password) + const char* password, + Boolean isRemoteUser) { once(&_executorImplOnce, _initExecutorImpl); - return _executorImpl->authenticatePassword(username, password); + return _executorImpl->authenticatePassword(username, password, isRemoteUser); } int Executor::validateUser( Index: src/Pegasus/Common/Executor.h =================================================================== --- src/Pegasus/Common/Executor.h.orig +++ src/Pegasus/Common/Executor.h @@ -183,7 +183,8 @@ public: */ static int authenticatePassword( const char* username, - const char* password); + const char* password, + Boolean isRemoteUser); /** Check whether the given user is valid for the underlying authentcation mechanism. Index: src/Pegasus/Common/HTTPConnection.cpp =================================================================== --- src/Pegasus/Common/HTTPConnection.cpp.orig +++ src/Pegasus/Common/HTTPConnection.cpp @@ -2151,6 +2151,50 @@ void HTTPConnection::_handleReadEvent() _incomingBuffer).get())); } + // Allow authenticators to differentiate Remote and Local users: + struct sockaddr_in6 sin_peer, sin_svr; + socklen_t slen1=sizeof(sin_peer), slen2=sizeof(sin_svr); + uint32_t sock = _socket.get()->getSocket() ; + memset(&sin_peer,'\0',slen1); + memset(&sin_svr, '\0',slen2); + if (::getpeername( sock, (struct sockaddr*)&sin_peer, &slen1) == 0 || + ::getsockname( sock, (struct sockaddr*)&sin_svr, &slen2) == 0) + { + if (sin_peer.sin6_family == AF_INET) + { + struct sockaddr_in sin; + memcpy(&sin, &sin_peer, sizeof(sin)); + if ((ntohl(sin.sin_addr.s_addr) >> 24) & 0xff == 127) + // message was sent FROM localhost interface + message->fromRemoteHost = false; + } + if (sin_svr.sin6_family == AF_INET) + { + struct sockaddr_in sin; + memcpy(&sin, &sin_svr, sizeof(sin)); + if ((ntohl( sin.sin_addr.s_addr) >> 24) & 0xff == 127) + // message was sent TO localhost interface + message->fromRemoteHost = false; + } + if (sin_peer.sin6_family == AF_INET6) + { + // ::ffff:127.x.x.x + static char ipv4_localhost[] = + {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 127}; + if (memcmp(&sin_peer.sin6_addr, ipv4_localhost, + sizeof(ipv4_localhost)) == 0) + { + message->fromRemoteHost = false; + } + // ::1 + if (memcmp(&sin_peer.sin6_addr, &in6addr_loopback, + sizeof(struct in6_addr)) == 0) + { + message->fromRemoteHost = false; + } + } + } + // // increment request count // Index: src/Pegasus/Common/HTTPMessage.cpp =================================================================== --- src/Pegasus/Common/HTTPMessage.cpp.orig +++ src/Pegasus/Common/HTTPMessage.cpp @@ -133,7 +133,8 @@ HTTPMessage::HTTPMessage( queueId(queueId_), authInfo(0), acceptLanguagesDecoded(false), - contentLanguagesDecoded(false) + contentLanguagesDecoded(false), + fromRemoteHost(true) { if (cimException_) cimException = *cimException_; Index: src/Pegasus/Common/HTTPMessage.h =================================================================== --- src/Pegasus/Common/HTTPMessage.h.orig +++ src/Pegasus/Common/HTTPMessage.h @@ -73,6 +73,7 @@ public: ContentLanguageList contentLanguages; Boolean acceptLanguagesDecoded; Boolean contentLanguagesDecoded; + Boolean fromRemoteHost; CIMException cimException; void parse( Index: src/Pegasus/Common/tests/Executor/TestExecutor.cpp =================================================================== --- src/Pegasus/Common/tests/Executor/TestExecutor.cpp.orig +++ src/Pegasus/Common/tests/Executor/TestExecutor.cpp @@ -76,7 +76,7 @@ void testExecutorLoopbackImpl() #endif PEGASUS_TEST_ASSERT(Executor::authenticatePassword( - "xnonexistentuserx", "wrongpassword") == -1); + "xnonexistentuserx", "wrongpassword", 0) == -1); PEGASUS_TEST_ASSERT(Executor::validateUser("xnonexistentuserx") == -1); char challengeFilePath[EXECUTOR_BUFFER_SIZE]; @@ -115,7 +115,7 @@ void testExecutorSocketImpl() PEGASUS_TEST_ASSERT(Executor::reapProviderAgent(123) == 0); PEGASUS_TEST_ASSERT(Executor::authenticatePassword( - "xnonexistentuserx", "wrongpassword") == -1); + "xnonexistentuserx", "wrongpassword", 0) == -1); PEGASUS_TEST_ASSERT(Executor::validateUser("xnonexistentuserx") == -1); char challengeFilePath[EXECUTOR_BUFFER_SIZE]; Index: src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp =================================================================== --- src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp.orig +++ src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp @@ -152,7 +152,8 @@ Boolean BasicAuthenticationHandler::auth } authInfo->setRemotePrivilegedUserAccessChecked(); - authenticated = _basicAuthenticator->authenticate(userName, password); + authenticated = _basicAuthenticator->authenticate(userName, password, + authInfo->isRemoteUser()); // Log audit message. PEG_AUDIT_LOG(logBasicAuthentication( Index: src/Pegasus/Security/Authentication/BasicAuthenticator.h =================================================================== --- src/Pegasus/Security/Authentication/BasicAuthenticator.h.orig +++ src/Pegasus/Security/Authentication/BasicAuthenticator.h @@ -65,7 +65,8 @@ public: */ virtual Boolean authenticate( const String& userName, - const String& password) = 0; + const String& password, + Boolean isRemoteUser) = 0; /** Construct and return the HTTP Basic authentication challenge header @return A string containing the authentication challenge header. Index: src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h =================================================================== --- src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h.orig +++ src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h @@ -53,7 +53,8 @@ public: Boolean authenticate( const String& userName, - const String& password); + const String& password, + Boolean isRemoteUser); Boolean validateUser(const String& userName); Index: src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp =================================================================== --- src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp.orig +++ src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp @@ -73,7 +73,8 @@ PAMBasicAuthenticator::~PAMBasicAuthenti Boolean PAMBasicAuthenticator::authenticate( const String& userName, - const String& password) + const String& password, + Boolean isRemoteUser) { PEG_METHOD_ENTER(TRC_AUTHENTICATION, "PAMBasicAuthenticator::authenticate()"); Index: src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp =================================================================== --- src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp.orig +++ src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp @@ -64,13 +64,14 @@ PAMBasicAuthenticator::~PAMBasicAuthenti Boolean PAMBasicAuthenticator::authenticate( const String& userName, - const String& password) + const String& password, + Boolean isRemoteUser) { PEG_METHOD_ENTER(TRC_AUTHENTICATION, "PAMBasicAuthenticator::authenticate()"); if (Executor::authenticatePassword( - userName.getCString(), password.getCString()) != 0) + userName.getCString(), password.getCString(), isRemoteUser) != 0) { return false; } Index: src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp =================================================================== --- src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp.orig +++ src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp @@ -236,7 +236,7 @@ Boolean SecureBasicAuthenticator::authen if (Executor::detectExecutor() == 0) { if (Executor::authenticatePassword( - userName.getCString(), password.getCString()) == 0) + userName.getCString(), password.getCString(), 0) == 0) { authenticated = true; } Index: src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp =================================================================== --- src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp.orig +++ src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp @@ -421,6 +421,9 @@ void HTTPAuthenticatorDelegator::handleH Tracer::LEVEL3, "HTTPAuthenticatorDelegator - Authentication processing start"); + // Let Authenticators know whether this user is Local or Remote: + httpMessage->authInfo->setRemoteUser( httpMessage->fromRemoteHost ); + // // Handle authentication: // ++++++ pegasus-2.8.0.tar.bz2 -> pegasus-2.9.0.tar.bz2 ++++++ ++++ 447870 lines of diff (skipped) ++++++ pegasus.init ++++++ --- /var/tmp/diff_new_pack.w27124/_old 2009-05-29 12:18:21.000000000 +0200 +++ /var/tmp/diff_new_pack.w27124/_new 2009-05-29 12:18:21.000000000 +0200 @@ -50,7 +50,7 @@ rc_status -v fi; fi; - /usr/sbin/cimserver > /dev/null 2>&1 + checkproc /usr/sbin/cimserver || /usr/sbin/cimserver > /dev/null 2>&1 rc_status -v ;; stop) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
participants (1)
-
root@Hilbert.suse.de