From owner-p4-projects@FreeBSD.ORG Sat Sep 9 18:56:10 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 1FEE716A415; Sat, 9 Sep 2006 18:56:10 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BC5FA16A407 for ; Sat, 9 Sep 2006 18:56:09 +0000 (UTC) (envelope-from netchild@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7E2B143D4C for ; Sat, 9 Sep 2006 18:56:09 +0000 (GMT) (envelope-from netchild@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k89Iu9O0090216 for ; Sat, 9 Sep 2006 18:56:09 GMT (envelope-from netchild@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k89Iu9lN090213 for perforce@freebsd.org; Sat, 9 Sep 2006 18:56:09 GMT (envelope-from netchild@freebsd.org) Date: Sat, 9 Sep 2006 18:56:09 GMT Message-Id: <200609091856.k89Iu9lN090213@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to netchild@freebsd.org using -f From: Alexander Leidinger To: Perforce Change Reviews Cc: Subject: PERFORCE change 105906 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 09 Sep 2006 18:56:10 -0000 http://perforce.freebsd.org/chv.cgi?CH=105906 Change 105906 by netchild@netchild_magellan on 2006/09/09 18:56:01 Current Linux getsockopt() does not support SO_PEERCRED option used to fetch UNIX domain socket peer PID, UID and GID. Without this option ORACLE 10i Express Edition lsnrctl is unable to issue commands to a running listener (including "status" and "stop"). All invocations result in the message: TNS-01189: The listener could not authenticate the user Linux lsnrctl using so called "OS Authentication" mode probes if UNIX socket connection peer is the process run under to privileged "dba" group (or another group listed in the DBA_GROUP parameter of the $ORACLE_HOME/network/admin/listener.ora file). Security of this patch is not tested. Known problem: Peer PID recognition is not done, we always return zero. PR: 102956 Submitted by: Marcin Cieslak Affected files ... .. //depot/projects/linuxolator/src/sys/amd64/linux32/linux.h#2 edit .. //depot/projects/linuxolator/src/sys/compat/linux/linux_socket.c#2 edit .. //depot/projects/linuxolator/src/sys/i386/linux/linux.h#2 edit Differences ... ==== //depot/projects/linuxolator/src/sys/amd64/linux32/linux.h#2 (text+ko) ==== @@ -659,6 +659,7 @@ #define LINUX_SO_NO_CHECK 11 #define LINUX_SO_PRIORITY 12 #define LINUX_SO_LINGER 13 +#define LINUX_SO_PEERCRED 17 #define LINUX_IP_TOS 1 #define LINUX_IP_TTL 2 ==== //depot/projects/linuxolator/src/sys/compat/linux/linux_socket.c#2 (text+ko) ==== @@ -35,6 +35,7 @@ #include #include +#include #include #include #include @@ -49,6 +50,7 @@ #include #include #include +#include #include #include @@ -292,6 +294,8 @@ return (SO_OOBINLINE); case LINUX_SO_LINGER: return (SO_LINGER); + case LINUX_SO_PEERCRED: + return (LOCAL_PEERCRED); } return (-1); } @@ -1171,7 +1175,13 @@ caddr_t val; int *avalsize; } */ bsd_args; - int error, name; + struct linux_ucred { + uint32_t pid; + uint32_t uid; + uint32_t gid; + } linux_ucred; + struct xucred xuc; + int error, name, optlen, rc, xuclen; if ((error = copyin(args, &linux_args, sizeof(linux_args)))) return (error); @@ -1193,12 +1203,43 @@ name = -1; break; } - if (name == -1) + if (name == -1) { + log(LOG_WARNING, "LINUX: 'getsockopt' level=0x%04x" + "optname=0x%04x not implemented\n", + linux_args.level, linux_args.optname); return (EINVAL); + }; bsd_args.name = name; - bsd_args.val = PTRIN(linux_args.optval); - bsd_args.avalsize = PTRIN(linux_args.optlen); + if (bsd_args.level == SOL_SOCKET && name == LOCAL_PEERCRED) { + if ((error = copyin(PTRIN(linux_args.optval), + &linux_ucred, sizeof(linux_ucred)))) + return (error); + if ((error = copyin(PTRIN(linux_args.optlen), + &optlen, sizeof(optlen)))) + return (error); + if (optlen < sizeof(linux_ucred)) + return (EFAULT); + xuclen = sizeof(xuc); + if ((rc = error = kern_getsockopt(td, bsd_args.s, + 0, bsd_args.name, + (caddr_t) &xuc, UIO_SYSSPACE, &xuclen))) + return (error); + if (xuc.cr_version != XUCRED_VERSION) + return (EINVAL); + /* XXX get PID */ + linux_ucred.pid = 0; + linux_ucred.uid = xuc.cr_uid; + linux_ucred.gid = xuc.cr_gid; + if ((error = copyout(&linux_ucred, + PTRIN(linux_args.optval), sizeof(linux_ucred)))) + return (error); + return (rc); + } else { + bsd_args.val = PTRIN(linux_args.optval); + bsd_args.avalsize = PTRIN(linux_args.optlen); + return (getsockopt(td, &bsd_args)); + } if (name == IPV6_NEXTHOP) { error = getsockopt(td, &bsd_args); ==== //depot/projects/linuxolator/src/sys/i386/linux/linux.h#2 (text+ko) ==== @@ -633,6 +633,7 @@ #define LINUX_SO_NO_CHECK 11 #define LINUX_SO_PRIORITY 12 #define LINUX_SO_LINGER 13 +#define LINUX_SO_PEERCRED 17 #define LINUX_IP_TOS 1 #define LINUX_IP_TTL 2