port from RHEL-4; upgrade to 2.5

2005-10-03 17:56:03 +00:00 · 2005-10-03 17:56:03 +00:00 · ad2f3483d4
commit ad2f3483d4
parent 467ac156a2
4 changed files with 321 additions and 0 deletions
--- a/README.RedHat.Security
+++ b/README.RedHat.Security
@ -0,0 +1,72 @@
+		Red Hat Security Enhancements for tog-pegasus
+		~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ Access to the Pegasus services:
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+   By default, with the configuration as shipped, the upstream Open Group Pegasus
+   release allowed any user with an account on the machine (including root) to
+   use the network HTTPS port 5989 (by default) and HTTP port 5988 services.
+   On authentication failures, though there was the standard PAM authentication
+   failure delay, no messages were logged to syslog. This meant that potentially
+   a long-running cracker process could try millions of root passwords over the
+   network and could possibly discover the root password .  If users were unwise
+   enough to enable the HTTP service on port 5988, then root passwords could be
+   sent unencrypted over the network.
+
+   This situation was deemed unacceptable by Red Hat RHEL QA test and Security
+   Response team engineers.
+ 
+   So for the Red Hat tog-pegasus release, PAM access control was enabled, to 
+   remove these vulnerabilities. There is now a "pegasus" user created during
+   install, and users are recommended to use only that user to invoke CIM 
+   operations over the network.
+
+   By default:
+
+   o root password authentication for CIM operations invoked over the network 
+     HTTPS/HTTP services is denied - the root user is unable to invoke pegasus
+     services over the network - only the "pegasus" user may do so.
+
+   o the root user may invoke CIM operations over the HTTPS/HTTP ports on the
+     local machine.
+ 
+   o any user other than "pegasus" or "root" may not invoke pegasus services
+     over the HTTPS/HTTP ports at all.
+     
+   o any PAM authentication failure will be logged to syslog 
+
+   NOTE: after installation, you must set the password for the pegasus user -
+         issue this command as root :
+         # passwd pegasus
+         - to enable CIM operation network service, if the pegasus user is 
+         a local system user.
+
+   Note also that even though a non-root user's password is used to authenticate
+   with the cimserver, the cimserver and all CIM Operation Providers run as root.
+   This was another reason to restrict use of CIM Operations to only one user.  
+
+   The "pegasus" user may of course be a NIS, Kerberos, or LDAP user, which
+   could be used as configured in /etc/nsswitch.conf or with the PAM stack.
+
+   You may configure this differently, and at your own risk, by modifying the
+   pam_access configuration file /etc/Pegasus/access.conf, or by removing the
+   line:
+       account required pam_access.so accessfile=/etc/Pegasus/access.conf
+   from /etc/pam.d/wbem - then tog-pegasus' authentication behaviour would
+   be the same as that of the upstream release.
+
+ SELinux
+ ~~~~~~~
+   There is an SELinux policy for tog-pegasus shipped in selinux-policy-targeted-1.17.30-2.110+ .
+   When SELinux is enabled in enforcing mode, the cimserver and providers are restricted to the
+   operations allowed to the 'pegasus_t' security context. Also only the pegasus_exec_t context
+   may modify the repository, and only the pegasus_exec_conf_t context may modify the pegasus 
+   configuration files which are of pegasus_conf_t file context.
+
+
+ ExecShield
+ ~~~~~~~~~~
+   All tog-pegasus binary executables are compiled with ExecShield enabled, which make it nearly
+   impossible to modify them or to poke executable code into them.
+
--- a/access.conf
+++ b/access.conf
@ -0,0 +1,43 @@
+##############################################################################
+# Pegasus WBEM HTTP/HTTPS Network Service User Access Control Table:
+# 
+# This file controls access to the Pegasus WBEM Network services by users
+# with the PAM pam_access module .
+#
+# The format of the access control table is three fields separated by a
+# ":" character:
+# 
+# 	permission : users : origins
+# 
+# The first field should be a "+" (access granted) or "-" (access denied)
+# character. 
+#
+# The second field should be a list of one or more login names, group
+# names, or ALL (always matches). A pattern of the form user@host is
+# matched when the login name matches the "user" part, and when the
+# "host" part matches the local machine name.
+#
+# If you run NIS you can use @netgroupname in host or user patterns; this
+# even works for @usergroup@@hostgroup patterns. Weird.
+#
+# The EXCEPT operator makes it possible to write very compact rules.
+#
+# The group file is searched only when a name does not match that of the
+# logged-in user. Both the user's primary group is matched, as well as
+# groups in which users are explicitly listed.
+#
+# The third field must be 'wbemNetwork', to control access by users from
+# remote hosts, or 'wbemLocal', to control access by users from the local host.
+##############################################################################
+# 
+# Pegasus PAM Access Rules:
+# 1. The Remote host user access rule:
+#    By default, ONLY the pegasus user can use remote network HTTP/S service:
+#
+-: ALL EXCEPT pegasus:wbemNetwork
+#
+#
+# 2. The Local host user access rule:
+#    By default, ONLY the pegasus and root users can use pegasus local HTTP/S service:
+#
+-: ALL EXCEPT pegasus root:wbemLocal
--- a/66
+++ b/66
@ -0,0 +1,66 @@
+#!/bin/bash
+#
+#  Set up the openssl certificates for the tog-pegasus cimserver
+#
+#  Arguments:
+#    If a single host name argument is given that resolves to a host
+#    IP address, then the script will attempt to copy the certificate
+#    files from that host name.
+#
+#  Without any arguments:
+# 
+#  Modify entries in ssl.cnf, then
+#  Generate a self signed node certificate
+#
+PEGASUS_CONFIG_DIR=${PEGASUS_CONFIG_DIR:=/etc/Pegasus}
+INSTALL_LOG=${INSTALL_LOG:=/var/log/Pegasus/install.log}
+PEGASUS_SSL_CERT_FILE=${PEGASUS_SSL_CERT_FILE:=server.pem}
+PEGASUS_SSL_KEY_FILE=${PEGASUS_SSL_KEY_FILE:=file.pem}
+PEGASUS_SSL_TRUSTSTORE=${PEGASUS_SSL_TRUSTSTORE:=client.pem}
+cnfChanged=0;
+if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
+    mkdir -p ${INSTALL_LOG%/*}
+    mkdir -p $PEGASUS_CONFIG_DIR
+    echo "[ req ]" > $PEGASUS_CONFIG_DIR/ssl.cnf
+    echo "distinguished_name     = req_distinguished_name"  >> $PEGASUS_CONFIG_DIR/ssl.cnf
+    echo "prompt                 = no"  >> $PEGASUS_CONFIG_DIR/ssl.cnf
+    echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/ssl.cnf
+    echo "C                      = UK" >> $PEGASUS_CONFIG_DIR/ssl.cnf
+    echo "ST                     = Berkshire" >> $PEGASUS_CONFIG_DIR/ssl.cnf
+    echo "L                      = Reading" >> $PEGASUS_CONFIG_DIR/ssl.cnf
+    echo "O                      = The Open Group" >> $PEGASUS_CONFIG_DIR/ssl.cnf
+    echo "OU                     = The OpenPegasus Project" >> $PEGASUS_CONFIG_DIR/ssl.cnf
+    DN=`hostname`;
+    if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then
+       DN='localhost.localdomain';
+    fi;
+    FQDN=`{ host -W1 $DN 2>/dev/null || echo "$DN has address "; } | grep 'has address' | head -1 | sed 's/\ .*$//'`;
+    if [ -z "$FQDN" ] ; then
+	FQDN="$DN";
+    fi;
+    # cannot use 'hostname --fqdn' because this can hang indefinitely
+    echo "CN                     = $FQDN"  >> $PEGASUS_CONFIG_DIR/ssl.cnf
+    chmod 400 $PEGASUS_CONFIG_DIR/ssl.cnf
+    chown root $PEGASUS_CONFIG_DIR/ssl.cnf
+    chgrp root $PEGASUS_CONFIG_DIR/ssl.cnf
+    cnfChanged=1;
+fi
+if [ $cnfChanged -eq 1 ] || [ ! -e /etc/Pegasus/$PEGASUS_SSL_CERT_FILE ] || [ ! -e /etc/Pegasus/$PEGASUS_SSL_KEY_FILE ] || [ ! -e /etc/Pegasus/$PEGASUS_SSL_TRUSTSTORE ]; then
+    /usr/bin/openssl req -x509 -days 3650 -newkey rsa:2048 \
+       -nodes -config $PEGASUS_CONFIG_DIR/ssl.cnf   \
+       -keyout $PEGASUS_CONFIG_DIR/key.pem -out $PEGASUS_CONFIG_DIR/cert.pem 2>>$INSTALL_LOG
+    chmod 700 $PEGASUS_CONFIG_DIR/*.pem
+    cat $PEGASUS_CONFIG_DIR/key.pem > $PEGASUS_CONFIG_DIR/file_2048.pem
+    chmod 400 $PEGASUS_CONFIG_DIR/file_2048.pem
+    cat $PEGASUS_CONFIG_DIR/cert.pem > $PEGASUS_CONFIG_DIR/server_2048.pem
+    chmod 400 $PEGASUS_CONFIG_DIR/server_2048.pem
+    cat $PEGASUS_CONFIG_DIR/cert.pem > $PEGASUS_CONFIG_DIR/client_2048.pem
+    chmod 400 $PEGASUS_CONFIG_DIR/client_2048.pem
+    rm -f $PEGASUS_CONFIG_DIR/key.pem $PEGASUS_CONFIG_DIR/cert.pem
+    cp -fp $PEGASUS_CONFIG_DIR/server_2048.pem $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_CERT_FILE
+    cp -fp $PEGASUS_CONFIG_DIR/file_2048.pem $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_KEY_FILE
+    chmod 400 $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_KEY_FILE
+    chmod 444 $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_CERT_FILE 
+    cp -fp $PEGASUS_CONFIG_DIR/client_2048.pem $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_TRUSTSTORE
+    chmod 444 $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_TRUSTSTORE;
+fi;
--- a/140
+++ b/140
@ -0,0 +1,140 @@
+# Pegasus RPM %build + %install environment setup: 
+#
+# compile options:
+#
+export PEGASUS_EXTRA_C_FLAGS="$RPM_OPT_FLAGS -fPIC -g -Wall -Wno-unused"
+export PEGASUS_EXTRA_CXX_FLAGS="$PEGASUS_EXTRA_C_FLAGS"
+export PEGASUS_EXE_LINK_FLAGS="$RPM_OPT_FLAGS -g -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack"
+export SYS_INCLUDES=-I/usr/kerberos/include
+#
+# build object directories:
+#
+export SRCNAME=pegasus
+export PEGASUS_ROOT=${RPM_BUILD_DIR}/${SRCNAME}-${RPM_PACKAGE_VERSION}
+export ROOT=$PEGASUS_ROOT
+export PEGASUS_HOME=${RPM_BUILD_ROOT}/build
+export PEGASUS_ARCH_LIB_DIR=${RPM_ARCH_LIB}
+#
+# PEGASUS_PLATFORM (hardware platform) setup:
+#
+if [ -z "$RPM_ARCH" ]; then
+    export RPM_ARCH=`/bin/uname -i`;
+fi;
+case ${RPM_ARCH} in
+  ia64|x86_64)
+    export PEGASUS_PLATFORM=LINUX_IA64_GNU;
+    ;;
+  ppc)
+    export PEGASUS_PLATFORM=LINUX_PPC_GNU;
+    ;;
+  ppc64|pseries)
+    export PEGASUS_PLATFORM=LINUX_PPC64_GNU;
+    ;;
+  s390)
+    export PEGASUS_PLATFORM=LINUX_ZSERIES_GNU;
+    export PEGASUS_EXTRA_C_FLAGS="$PEGASUS_EXTRA_C_FLAGS -fsigned-char";
+    export PEGASUS_EXTRA_CXX_FLAGS="$PEGASUS_EXTRA_C_FLAGS";
+    ;;
+  s390x|zseries)
+    export PEGASUS_PLATFORM=LINUX_ZSERIES64_GNU;
+    export PEGASUS_EXTRA_C_FLAGS="$PEGASUS_EXTRA_C_FLAGS -fsigned-char";
+    export PEGASUS_EXTRA_CXX_FLAGS="$PEGASUS_EXTRA_C_FLAGS";
+    ;;
+  i386)
+    export PEGASUS_PLATFORM=LINUX_IX86_GNU
+    ;;
+  *)
+    echo "Architecture unsupported by pegasus: $RPM_ARCH";
+    exit 1;
+    ;;
+esac;
+#
+# Pegasus Build options:
+# 
+export OPENSSL_HOME=/usr
+export PEGASUS_HAS_SSL=yes
+# per bug #368
+export PEGASUS_USE_RELEASE_DIRS=true
+export PEGASUS_USE_RELEASE_CONFIG_OPTIONS=true
+# per PEP #144
+export PEGASUS_PAM_AUTHENTICATION=true
+export PAM_CONFIG_DIR=/etc/pam.d
+#
+# export PEGASUS_USE_PAM_STANDALONE_PROC=true
+# NO, we do NOT use 'cimservera' on Red Hat platforms!
+#
+export PEGASUS_CIM_SCHEMA=CIM29
+export PEGASUS_LOCAL_DOMAIN_SOCKET=true
+export PEGASUS_USE_SYSLOGS=true
+export PEGASUS_ENABLE_CMPI_PROVIDER_MANAGER=true
+# per PEP #174
+export PEGASUS_ENABLE_USERGROUP_AUTHORIZATION=true
+export PEGASUS_HAS_PERFSTATS=true
+export PEGASUS_NOASSERTS=true
+export PEGASUS_DISABLE_CQL=true
+export PEGASUS_DISABLE_OBJECT_NORMALIZATION=true
+export PEGASUS_ENABLE_CMPI_PROVIDER_MANAGER=true
+export PEGASUS_ENABLE_USERGROUP_AUTHORIZATION=true
+export PEGASUS_USE_RELEASE_DIRS=true
+#
+# Pegasus Directory Structure:
+#
+export PEGASUS_PROD_DIR=/usr
+export PEGASUS_PRODSHARE_DIR=${PEGASUS_PROD_DIR}/share/Pegasus
+export PEGASUS_DOC_DIR=/usr/share/doc/tog-pegasus-${RPM_PACKAGE_VERSION}
+export PEGASUS_MAN_DIR=/usr/share/man
+export PEGASUS_MANUSER_DIR=${PEGASUS_MAN_DIR}/man1
+export PEGASUS_MANADMIN_DIR=${PEGASUS_MAN_DIR}/man8
+export PEGASUS_MOF_DIR=${PEGASUS_PRODSHARE_DIR}/mof
+export PEGASUS_DEST_LIB_DIR=${PEGASUS_PROD_DIR}/${PEGASUS_ARCH_LIB_DIR}
+export PEGASUS_PROVIDER_DIR=${PEGASUS_DEST_LIB_DIR}/Pegasus/providers
+export PEGASUS_PROVIDER_LIB_DIR=${PEGASUS_PROVIDER_DIR}
+export PEGASUS_SBIN_DIR=${PEGASUS_PROD_DIR}/sbin
+export PEGASUS_BIN_DIR=${PEGASUS_PROD_DIR}/bin
+export PEGASUS_VARDATA_DIR=/var/lib/Pegasus
+export PEGASUS_REPOSITORY_PARENT_DIR=${PEGASUS_VARDATA_DIR}
+export PEGASUS_REPOSITORY_DIR=${PEGASUS_REPOSITORY_PARENT_DIR}/repository
+export PEGASUS_PREV_REPOSITORY_DIR=${PEGASUS_REPOSITORY_PARENT_DIR}/prev_repository
+export PEGASUS_CONFIG_DIR=/etc/Pegasus
+export PEGASUS_VARRUN_DIR=/var/run/tog-pegasus
+export PEGASUS_CIMSERVER_START_FILE=${PEGASUS_VARRUN_DIR}/cimserver.pid
+export PEGASUS_LOCAL_DOMAIN_SOCKET_DIR=${PEGASUS_VARRUN_DIR}
+export PEGASUS_LOCAL_DOMAIN_SOCKET_PATH=${PEGASUS_LOCAL_DOMAIN_SOCKET_DIR}/cimxml.socket
+export PEGASUS_VARDATA_CACHE_DIR=${PEGASUS_VARDATA_DIR}/cache
+export PEGASUS_LOCAL_AUTH_DIR=${PEGASUS_VARDATA_CACHE_DIR}/localauth
+export PEGASUS_TRACE_DIR=${PEGASUS_VARDATA_CACHE_DIR}/trace
+export PEGASUS_PLANNED_CONFIG_FILE=cimserver_planned.conf
+export PEGASUS_CURRENT_CONFIG_FILE=cimserver_current.conf
+export PEGASUS_PEM_DIR=${PEGASUS_CONFIG_DIR}
+export PEGASUS_LOG_DIR=/var/log/Pegasus
+export PEGASUS_SSL_KEY_FILE=file.pem
+export PEGASUS_SSL_CERT_FILE=server.pem
+export PEGASUS_SSL_TRUSTSTORE=client.pem
+export PEGASUS_SAMPLES_DIR=${PEGASUS_PRODSHARE_DIR}/samples
+export PEGASUS_INCLUDE_DIR=${PEGASUS_PROD_DIR}/include
+export PEGASUS_HTML_DIR=${PEGASUS_PRODSHARE_DIR}/html
+export PEGASUS_TEST_DIR=${PEGASUS_PRODSHARE_DIR}/test
+export PEGASUS_TEST_REPOSITORY_DIR=${PEGASUS_VARDATA_DIR}
+export PEGASUS_TEST_REPOSITORY_NAME=testrepository
+export PRODUCT_DIRECTORY_STRUCTURE=(\
+   ${PEGASUS_PROD_DIR} \
+   ${PEGASUS_PRODSHARE_DIR} \
+   ${PEGASUS_DOC_DIR} \
+   ${PEGASUS_MAN_DIR} \
+   ${PEGASUS_MANUSER_DIR} \
+   ${PEGASUS_MANADMIN_DIR} \
+   ${PEGASUS_DEST_LIB_DIR} \
+   ${PEGASUS_PROVIDER_DIR} \
+   ${PEGASUS_PROVIDER_LIB_DIR} \
+   ${PEGASUS_SBIN_DIR} \
+   ${PEGASUS_BIN_DIR} \
+   ${PEGASUS_MOF_DIR} \
+   ${PEGASUS_VARDATA_DIR} \
+   ${PEGASUS_REPOSITORY_DIR} \
+   ${PEGASUS_VARDATA_CACHE_DIR} \
+   ${PEGASUS_TRACE_DIR} \
+   ${PEGASUS_LOG_DIR} \
+   ${PEGASUS_LOCAL_AUTH_DIR} \
+   ${PEGASUS_VARRUN_DIR} \
+   ${PEGASUS_LOCAL_DOMAIN_SOCKET_DIR} \
+   ${PEGASUS_CONFIG_DIR});