Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 9 Sep 2006 18:56:09 GMT
From:      Alexander Leidinger <netchild@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 105906 for review
Message-ID:  <200609091856.k89Iu9lN090213@repoman.freebsd.org>

next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=105906

Change 105906 by netchild@netchild_magellan on 2006/09/09 18:56:01

	       Current Linux getsockopt() does not support SO_PEERCRED option used to
	       fetch UNIX domain socket peer PID, UID and GID.
	
	       Without this option ORACLE 10i Express Edition lsnrctl is unable to
	       issue commands to a running listener (including "status" and "stop").
	       All invocations result in the message:
	               TNS-01189: The listener could not authenticate the user
	
	       Linux lsnrctl using so called "OS Authentication" mode probes if UNIX
	       socket connection peer is the process run under to privileged "dba"
	       group (or another group listed in the DBA_GROUP parameter of the
	       $ORACLE_HOME/network/admin/listener.ora file).
	
	       Security of this patch is not tested.
	
	       Known problem: Peer PID recognition is not done, we always return zero.
	
	PR:		102956
	Submitted by:	Marcin Cieslak <saper@SYSTEM.PL>

Affected files ...

.. //depot/projects/linuxolator/src/sys/amd64/linux32/linux.h#2 edit
.. //depot/projects/linuxolator/src/sys/compat/linux/linux_socket.c#2 edit
.. //depot/projects/linuxolator/src/sys/i386/linux/linux.h#2 edit

Differences ...

==== //depot/projects/linuxolator/src/sys/amd64/linux32/linux.h#2 (text+ko) ====

@@ -659,6 +659,7 @@
 #define	LINUX_SO_NO_CHECK	11
 #define	LINUX_SO_PRIORITY	12
 #define	LINUX_SO_LINGER		13
+#define	LINUX_SO_PEERCRED	17
 
 #define	LINUX_IP_TOS		1
 #define	LINUX_IP_TTL		2

==== //depot/projects/linuxolator/src/sys/compat/linux/linux_socket.c#2 (text+ko) ====

@@ -35,6 +35,7 @@
 
 #include <sys/param.h>
 #include <sys/proc.h>
+#include <sys/syslog.h>
 #include <sys/systm.h>
 #include <sys/sysproto.h>
 #include <sys/fcntl.h>
@@ -49,6 +50,7 @@
 #include <sys/syscallsubr.h>
 #include <sys/uio.h>
 #include <sys/syslog.h>
+#include <sys/un.h>
 
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@@ -292,6 +294,8 @@
 		return (SO_OOBINLINE);
 	case LINUX_SO_LINGER:
 		return (SO_LINGER);
+	case LINUX_SO_PEERCRED:
+		return (LOCAL_PEERCRED);
 	}
 	return (-1);
 }
@@ -1171,7 +1175,13 @@
 		caddr_t val;
 		int *avalsize;
 	} */ bsd_args;
-	int error, name;
+	struct linux_ucred {
+		uint32_t pid;
+		uint32_t uid;
+		uint32_t gid;
+	} linux_ucred;
+	struct xucred xuc;
+	int error, name, optlen, rc, xuclen;
 
 	if ((error = copyin(args, &linux_args, sizeof(linux_args))))
 		return (error);
@@ -1193,12 +1203,43 @@
 		name = -1;
 		break;
 	}
-	if (name == -1)
+	if (name == -1) {
+		log(LOG_WARNING, "LINUX: 'getsockopt' level=0x%04x"
+			"optname=0x%04x not implemented\n",
+			linux_args.level, linux_args.optname);
 		return (EINVAL);
+	};
 
 	bsd_args.name = name;
-	bsd_args.val = PTRIN(linux_args.optval);
-	bsd_args.avalsize = PTRIN(linux_args.optlen);
+	if (bsd_args.level == SOL_SOCKET && name == LOCAL_PEERCRED) {
+		if ((error = copyin(PTRIN(linux_args.optval),
+			&linux_ucred, sizeof(linux_ucred))))
+			return (error);
+		if ((error = copyin(PTRIN(linux_args.optlen),
+			&optlen, sizeof(optlen))))
+			return (error);
+		if (optlen < sizeof(linux_ucred))
+			return (EFAULT);
+		xuclen = sizeof(xuc);
+		if ((rc = error = kern_getsockopt(td, bsd_args.s,
+			0, bsd_args.name,
+			(caddr_t) &xuc, UIO_SYSSPACE, &xuclen)))
+			return (error);
+		if (xuc.cr_version != XUCRED_VERSION)
+			return (EINVAL);
+		/* XXX get PID */
+		linux_ucred.pid = 0;
+		linux_ucred.uid = xuc.cr_uid;
+		linux_ucred.gid = xuc.cr_gid;
+		if ((error = copyout(&linux_ucred,
+			PTRIN(linux_args.optval), sizeof(linux_ucred))))
+			return (error);
+		return (rc);
+	} else {
+		bsd_args.val = PTRIN(linux_args.optval);
+		bsd_args.avalsize = PTRIN(linux_args.optlen);
+		return (getsockopt(td, &bsd_args));
+	}
 
 	if (name == IPV6_NEXTHOP) {
 		error = getsockopt(td, &bsd_args);

==== //depot/projects/linuxolator/src/sys/i386/linux/linux.h#2 (text+ko) ====

@@ -633,6 +633,7 @@
 #define	LINUX_SO_NO_CHECK	11
 #define	LINUX_SO_PRIORITY	12
 #define	LINUX_SO_LINGER		13
+#define	LINUX_SO_PEERCRED	17
 
 #define	LINUX_IP_TOS		1
 #define	LINUX_IP_TTL		2



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200609091856.k89Iu9lN090213>