From owner-p4-projects@FreeBSD.ORG Wed Sep 27 12:27:22 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 1BBC416A415; Wed, 27 Sep 2006 12:27:22 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E730316A407; Wed, 27 Sep 2006 12:27:21 +0000 (UTC) (envelope-from dunstan@freebsd.czest.pl) Received: from freebsd.czest.pl (freebsd.czest.pl [80.48.250.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3CED143D46; Wed, 27 Sep 2006 12:27:21 +0000 (GMT) (envelope-from dunstan@freebsd.czest.pl) Received: from laptop.freebsd.czest.pl (gw98.internetdsl.tpnet.pl [80.53.74.98]) by freebsd.czest.pl (8.13.4/8.12.9) with ESMTP id k8RCllTd097091; Wed, 27 Sep 2006 12:47:49 GMT (envelope-from dunstan@freebsd.czest.pl) Received: from laptop.freebsd.czest.pl (localhost [127.0.0.1]) by laptop.freebsd.czest.pl (8.13.7/8.13.7) with ESMTP id k8S8aRnq003296; Thu, 28 Sep 2006 08:36:27 GMT (envelope-from dunstan@laptop.freebsd.czest.pl) Received: (from dunstan@localhost) by laptop.freebsd.czest.pl (8.13.7/8.13.4/Submit) id k8S8aQ9F003295; Thu, 28 Sep 2006 08:36:26 GMT (envelope-from dunstan) Date: Thu, 28 Sep 2006 08:36:24 +0000 From: "Wojciech A. Koszek" To: Alexander Leidinger Message-ID: <20060928083623.GA1297@FreeBSD.czest.pl> Mail-Followup-To: Alexander Leidinger , Perforce Change Reviews , saper@SYSTEM.PL References: <200609091856.k89Iu9lN090213@repoman.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline In-Reply-To: <200609091856.k89Iu9lN090213@repoman.freebsd.org> User-Agent: Mutt/1.5.11 X-Greylist: Sender DNS name whitelisted, not delayed by milter-greylist-2.0.2 (freebsd.czest.pl [80.48.250.4]); Wed, 27 Sep 2006 12:47:49 +0000 (UTC) Cc: saper@SYSTEM.PL, Perforce Change Reviews Subject: Re: PERFORCE change 105906 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Sep 2006 12:27:22 -0000 On sob, wrz 09, 2006 at 06:56:09 +0000, Alexander Leidinger wrote: > http://perforce.freebsd.org/chv.cgi?CH=105906 > > Change 105906 by netchild@netchild_magellan on 2006/09/09 18:56:01 > > Current Linux getsockopt() does not support SO_PEERCRED option used to > fetch UNIX domain socket peer PID, UID and GID. > > Without this option ORACLE 10i Express Edition lsnrctl is unable to > issue commands to a running listener (including "status" and "stop"). > All invocations result in the message: > TNS-01189: The listener could not authenticate the user > > Linux lsnrctl using so called "OS Authentication" mode probes if UNIX > socket connection peer is the process run under to privileged "dba" > group (or another group listed in the DBA_GROUP parameter of the > $ORACLE_HOME/network/admin/listener.ora file). > > Security of this patch is not tested. > > Known problem: Peer PID recognition is not done, we always return zero. > > PR: 102956 > Submitted by: Marcin Cieslak > > Affected files ... > > .. //depot/projects/linuxolator/src/sys/amd64/linux32/linux.h#2 edit > .. //depot/projects/linuxolator/src/sys/compat/linux/linux_socket.c#2 edit > .. //depot/projects/linuxolator/src/sys/i386/linux/linux.h#2 edit > > Differences ... > > ==== //depot/projects/linuxolator/src/sys/amd64/linux32/linux.h#2 (text+ko) ==== > > @@ -659,6 +659,7 @@ > #define LINUX_SO_NO_CHECK 11 > #define LINUX_SO_PRIORITY 12 > #define LINUX_SO_LINGER 13 > +#define LINUX_SO_PEERCRED 17 > > #define LINUX_IP_TOS 1 > #define LINUX_IP_TTL 2 > > ==== //depot/projects/linuxolator/src/sys/compat/linux/linux_socket.c#2 (text+ko) ==== > > @@ -35,6 +35,7 @@ > > #include > #include > +#include > #include > #include > #include > @@ -49,6 +50,7 @@ > #include > #include > #include > +#include > > #include > #include > @@ -292,6 +294,8 @@ > return (SO_OOBINLINE); > case LINUX_SO_LINGER: > return (SO_LINGER); > + case LINUX_SO_PEERCRED: > + return (LOCAL_PEERCRED); > } > return (-1); > } > @@ -1171,7 +1175,13 @@ > caddr_t val; > int *avalsize; > } */ bsd_args; > - int error, name; > + struct linux_ucred { > + uint32_t pid; > + uint32_t uid; > + uint32_t gid; > + } linux_ucred; > + struct xucred xuc; > + int error, name, optlen, rc, xuclen; > > if ((error = copyin(args, &linux_args, sizeof(linux_args)))) > return (error); > @@ -1193,12 +1203,43 @@ > name = -1; > break; > } > - if (name == -1) > + if (name == -1) { > + log(LOG_WARNING, "LINUX: 'getsockopt' level=0x%04x" > + "optname=0x%04x not implemented\n", > + linux_args.level, linux_args.optname); > return (EINVAL); > + }; > > bsd_args.name = name; > - bsd_args.val = PTRIN(linux_args.optval); > - bsd_args.avalsize = PTRIN(linux_args.optlen); > + if (bsd_args.level == SOL_SOCKET && name == LOCAL_PEERCRED) { > + if ((error = copyin(PTRIN(linux_args.optval), > + &linux_ucred, sizeof(linux_ucred)))) > + return (error); > + if ((error = copyin(PTRIN(linux_args.optlen), > + &optlen, sizeof(optlen)))) > + return (error); > + if (optlen < sizeof(linux_ucred)) > + return (EFAULT); > + xuclen = sizeof(xuc); > + if ((rc = error = kern_getsockopt(td, bsd_args.s, > + 0, bsd_args.name, > + (caddr_t) &xuc, UIO_SYSSPACE, &xuclen))) > + return (error); > + if (xuc.cr_version != XUCRED_VERSION) > + return (EINVAL); > + /* XXX get PID */ > + linux_ucred.pid = 0; > + linux_ucred.uid = xuc.cr_uid; > + linux_ucred.gid = xuc.cr_gid; > + if ((error = copyout(&linux_ucred, > + PTRIN(linux_args.optval), sizeof(linux_ucred)))) > + return (error); > + return (rc); > + } else { > + bsd_args.val = PTRIN(linux_args.optval); > + bsd_args.avalsize = PTRIN(linux_args.optlen); > + return (getsockopt(td, &bsd_args)); > + } > > if (name == IPV6_NEXTHOP) { > error = getsockopt(td, &bsd_args); > > ==== //depot/projects/linuxolator/src/sys/i386/linux/linux.h#2 (text+ko) ==== > > @@ -633,6 +633,7 @@ > #define LINUX_SO_NO_CHECK 11 > #define LINUX_SO_PRIORITY 12 > #define LINUX_SO_LINGER 13 > +#define LINUX_SO_PEERCRED 17 > > #define LINUX_IP_TOS 1 > #define LINUX_IP_TTL 2 I'm not sure if this patch is correct. I looked briefly over Marcin's report, and the code path responsible for handling translation between what Linux relies on and what FreeBSD requires. We tend to push the whole job in sogetopt() function, which in turn deploys uipc_ctloutput() function. With this mechanism, I belive it is possible to handle LOCAL_PEERCRED without a problem. The only exception is that the SOL_SOCKET has to be mapped to other value, like 0. This is what we actually do in getpeereid() case: int getpeereid(int s, uid_t *euid, gid_t *egid) { struct xucred xuc; socklen_t xuclen; int error; xuclen = sizeof(xuc); error = getsockopt(s, 0, LOCAL_PEERCRED, &xuc, &xuclen); if (error != 0) return (error); if (xuc.cr_version != XUCRED_VERSION) return (EINVAL); *euid = xuc.cr_uid; *egid = xuc.cr_gid; return (0); } -- Wojciech A. Koszek wkoszek@FreeBSD.org http://FreeBSD.czest.pl/dunstan/