439 lines
16 KiB
Diff
439 lines
16 KiB
Diff
diff -Nur pegasus.orig/src/Pegasus/Common/AuthenticationInfo.h pegasus/src/Pegasus/Common/AuthenticationInfo.h
|
|
--- pegasus.orig/src/Pegasus/Common/AuthenticationInfo.h 2006-11-10 12:14:57.000000000 -0600
|
|
+++ pegasus/src/Pegasus/Common/AuthenticationInfo.h 2007-02-23 00:34:45.000000000 -0600
|
|
@@ -352,6 +352,22 @@
|
|
return _rep->getRemotePrivilegedUserAccessChecked();
|
|
}
|
|
|
|
+ /** Indicate whether the user is Remote
|
|
+ */
|
|
+ Boolean isRemoteUser() const
|
|
+ {
|
|
+ _checkRep();
|
|
+ return _rep->isRemoteUser();
|
|
+ }
|
|
+
|
|
+ /** Set the Remote User flag
|
|
+ */
|
|
+ void setRemoteUser(Boolean remoteUser)
|
|
+ {
|
|
+ _checkRep();
|
|
+ _rep->setRemoteUser(remoteUser);
|
|
+ }
|
|
+
|
|
private:
|
|
|
|
AuthenticationInfo(AuthenticationInfoRep* rep) : _rep(rep)
|
|
diff -Nur pegasus.orig/src/Pegasus/Common/AuthenticationInfoRep.cpp pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp
|
|
--- pegasus.orig/src/Pegasus/Common/AuthenticationInfoRep.cpp 2006-11-08 06:41:27.000000000 -0600
|
|
+++ pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp 2007-02-23 00:34:45.000000000 -0600
|
|
@@ -51,7 +51,8 @@
|
|
_privileged(false),
|
|
_authType(String::EMPTY),
|
|
_authStatus(NEW_REQUEST),
|
|
- _wasRemotePrivilegedUserAccessChecked(false)
|
|
+ _wasRemotePrivilegedUserAccessChecked(false),
|
|
+ _remoteUser(true)
|
|
{
|
|
PEG_METHOD_ENTER(
|
|
TRC_AUTHENTICATION, "AuthenticationInfoRep::AuthenticationInfoRep");
|
|
@@ -59,6 +60,16 @@
|
|
PEG_METHOD_EXIT();
|
|
}
|
|
|
|
+void AuthenticationInfoRep::setRemoteUser(Boolean remoteUser)
|
|
+{
|
|
+ PEG_METHOD_ENTER(TRC_AUTHENTICATION,
|
|
+ "AuthenticationInfoRep::setRemoteUser");
|
|
+
|
|
+ _remoteUser = remoteUser;
|
|
+
|
|
+ PEG_METHOD_EXIT();
|
|
+}
|
|
+
|
|
|
|
AuthenticationInfoRep::~AuthenticationInfoRep()
|
|
{
|
|
diff -Nur pegasus.orig/src/Pegasus/Common/AuthenticationInfoRep.h pegasus/src/Pegasus/Common/AuthenticationInfoRep.h
|
|
--- pegasus.orig/src/Pegasus/Common/AuthenticationInfoRep.h 2006-11-10 12:14:57.000000000 -0600
|
|
+++ pegasus/src/Pegasus/Common/AuthenticationInfoRep.h 2007-02-23 00:34:45.000000000 -0600
|
|
@@ -142,6 +142,13 @@
|
|
void setSecurityAssociation();
|
|
#endif
|
|
|
|
+ Boolean isRemoteUser() const
|
|
+ {
|
|
+ return _remoteUser;
|
|
+ }
|
|
+
|
|
+ void setRemoteUser(Boolean remoteUser);
|
|
+
|
|
//PEP187
|
|
Array<SSLCertificateInfo*> getClientCertificateChain()
|
|
{
|
|
@@ -186,6 +193,7 @@
|
|
Boolean _wasRemotePrivilegedUserAccessChecked;
|
|
|
|
Array<SSLCertificateInfo*> _clientCertificate;
|
|
+ Boolean _remoteUser;
|
|
};
|
|
|
|
PEGASUS_NAMESPACE_END
|
|
diff -Nur pegasus.orig/src/Pegasus/Common/HTTPConnection.cpp pegasus/src/Pegasus/Common/HTTPConnection.cpp
|
|
--- pegasus.orig/src/Pegasus/Common/HTTPConnection.cpp 2006-12-01 15:03:27.000000000 -0600
|
|
+++ pegasus/src/Pegasus/Common/HTTPConnection.cpp 2007-02-23 00:34:45.000000000 -0600
|
|
@@ -2030,6 +2030,30 @@
|
|
message->dest = _outputMessageQueue->getQueueId();
|
|
// SendForget(message);
|
|
|
|
+ // Allow authenticators to differentiate Remote and Local users:
|
|
+ struct sockaddr_in sin_peer, sin_svr; // don't need to worry about IPv6 yet ...
|
|
+ socklen_t slen1=sizeof(struct sockaddr_in), slen2=sizeof(struct sockaddr_in);
|
|
+ uint32_t sock = _socket.get()->getSocket() ;
|
|
+ memset(&sin_peer,'\0',slen1);
|
|
+ memset(&sin_svr, '\0',slen2);
|
|
+ if ( ( ::getpeername( sock, (struct sockaddr*)&sin_peer, &slen1) == 0 )
|
|
+ ||( ::getsockname( sock, (struct sockaddr*)&sin_svr, &slen2) == 0 )
|
|
+ )
|
|
+ {
|
|
+ if( sin_peer.sin_family == AF_INET )
|
|
+ {
|
|
+ if( ((ntohl( sin_peer.sin_addr.s_addr ) >> 24) & 0xff) == 127 )
|
|
+ // message was sent FROM localhost interface
|
|
+ message->fromRemoteHost = false;
|
|
+ }
|
|
+ if( sin_svr.sin_family == AF_INET )
|
|
+ {
|
|
+ if( ((ntohl( sin_svr.sin_addr.s_addr ) >> 24) & 0xff) == 127 )
|
|
+ // message was sent TO localhost interface
|
|
+ message->fromRemoteHost = false;
|
|
+ }
|
|
+ }
|
|
+
|
|
//
|
|
// Set the entry status to BUSY.
|
|
//
|
|
diff -Nur pegasus.orig/src/Pegasus/Common/HTTPMessage.cpp pegasus/src/Pegasus/Common/HTTPMessage.cpp
|
|
--- pegasus.orig/src/Pegasus/Common/HTTPMessage.cpp 2006-11-08 16:24:00.000000000 -0600
|
|
+++ pegasus/src/Pegasus/Common/HTTPMessage.cpp 2007-02-23 00:34:45.000000000 -0600
|
|
@@ -109,7 +109,8 @@
|
|
queueId(queueId_),
|
|
authInfo(0),
|
|
acceptLanguagesDecoded(false),
|
|
- contentLanguagesDecoded(false)
|
|
+ contentLanguagesDecoded(false),
|
|
+ fromRemoteHost(true)
|
|
{
|
|
if (cimException_)
|
|
cimException = *cimException_;
|
|
diff -Nur pegasus.orig/src/Pegasus/Common/HTTPMessage.h pegasus/src/Pegasus/Common/HTTPMessage.h
|
|
--- pegasus.orig/src/Pegasus/Common/HTTPMessage.h 2006-11-10 12:14:58.000000000 -0600
|
|
+++ pegasus/src/Pegasus/Common/HTTPMessage.h 2007-02-23 00:34:45.000000000 -0600
|
|
@@ -75,6 +75,7 @@
|
|
ContentLanguageList contentLanguages;
|
|
Boolean acceptLanguagesDecoded;
|
|
Boolean contentLanguagesDecoded;
|
|
+ Boolean fromRemoteHost;
|
|
CIMException cimException;
|
|
|
|
void parse(
|
|
diff -Nur pegasus.orig/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp
|
|
--- pegasus.orig/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp 2006-11-08 06:41:28.000000000 -0600
|
|
+++ pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp 2007-02-23 00:34:45.000000000 -0600
|
|
@@ -139,7 +139,7 @@
|
|
}
|
|
authInfo->setRemotePrivilegedUserAccessChecked();
|
|
|
|
- authenticated = _basicAuthenticator->authenticate(userName, password);
|
|
+ authenticated = _basicAuthenticator->authenticate(userName, password, authInfo->isRemoteUser());
|
|
|
|
// Log audit message.
|
|
PEG_AUDIT_LOG(logBasicAuthentication(
|
|
diff -Nur pegasus.orig/src/Pegasus/Security/Authentication/BasicAuthenticator.h pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h
|
|
--- pegasus.orig/src/Pegasus/Security/Authentication/BasicAuthenticator.h 2006-01-30 10:18:28.000000000 -0600
|
|
+++ pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h 2007-02-23 00:34:45.000000000 -0600
|
|
@@ -67,7 +67,8 @@
|
|
*/
|
|
virtual Boolean authenticate(
|
|
const String& userName,
|
|
- const String& password) = 0;
|
|
+ const String& password,
|
|
+ Boolean isRemoteUser) = 0;
|
|
|
|
/** Construct and return the HTTP Basic authentication challenge header
|
|
@return A string containing the authentication challenge header.
|
|
diff -Nur pegasus.orig/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h
|
|
--- pegasus.orig/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h 2006-08-09 16:13:04.000000000 -0500
|
|
+++ pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h 2007-02-23 00:36:06.000000000 -0600
|
|
@@ -73,7 +73,8 @@
|
|
*/
|
|
Boolean authenticate(
|
|
const String& userName,
|
|
- const String& password);
|
|
+ const String& password,
|
|
+ Boolean isRemoteUser);
|
|
|
|
/** Verify PAM account management for the requesting user.
|
|
@param userName String containing the user name
|
|
@@ -102,7 +103,8 @@
|
|
|
|
Boolean _authenticateByPAM(
|
|
const String& userName,
|
|
- const String& password);
|
|
+ const String& password,
|
|
+ Boolean isRemoteUser);
|
|
|
|
void _createPAMStandalone();
|
|
|
|
@@ -158,7 +160,8 @@
|
|
*/
|
|
Boolean authenticate(
|
|
const String& userName,
|
|
- const String& password);
|
|
+ const String& password,
|
|
+ Boolean isRemoteUser);
|
|
|
|
/** Verify whether the user is valid.
|
|
@param userName String containing the user name
|
|
@@ -220,7 +223,8 @@
|
|
|
|
Boolean _authenticateByPAM(
|
|
const String& userName,
|
|
- const String& password);
|
|
+ const String& password,
|
|
+ Boolean isRemoteUser);
|
|
|
|
#if defined(PEGASUS_USE_PAM_STANDALONE_PROC)
|
|
PAMBasicAuthenticatorStandAlone _pamBasicAuthenticatorStandAlone;
|
|
diff -Nur pegasus.orig/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp
|
|
--- pegasus.orig/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp 2006-01-30 10:18:28.000000000 -0600
|
|
+++ pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp 2007-02-23 00:34:45.000000000 -0600
|
|
@@ -92,7 +92,8 @@
|
|
|
|
Boolean PAMBasicAuthenticator::authenticate(
|
|
const String& userName,
|
|
- const String& password)
|
|
+ const String& password,
|
|
+ Boolean isRemoteUser)
|
|
{
|
|
PEG_METHOD_ENTER(TRC_AUTHENTICATION,
|
|
"PAMBasicAuthenticator::authenticate()");
|
|
diff -Nur pegasus.orig/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp
|
|
--- pegasus.orig/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp 2006-11-01 16:42:47.000000000 -0600
|
|
+++ pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp 2007-02-23 00:34:45.000000000 -0600
|
|
@@ -48,6 +48,8 @@
|
|
#include <prot.h>
|
|
#endif
|
|
|
|
+#include <syslog.h>
|
|
+
|
|
#if defined (PEGASUS_USE_PAM_STANDALONE_PROC)
|
|
#include <Pegasus/Common/Logger.h>
|
|
#include <pwd.h>
|
|
@@ -130,7 +132,8 @@
|
|
|
|
Boolean PAMBasicAuthenticator::authenticate(
|
|
const String& userName,
|
|
- const String& password)
|
|
+ const String& password,
|
|
+ Boolean isRemoteUser)
|
|
{
|
|
PEG_METHOD_ENTER(TRC_AUTHENTICATION,
|
|
"PAMBasicAuthenticator::authenticate()");
|
|
@@ -138,7 +141,7 @@
|
|
Boolean authenticated;
|
|
|
|
#if !defined(PEGASUS_USE_PAM_STANDALONE_PROC)
|
|
- authenticated = _authenticateByPAM(userName, password);
|
|
+ authenticated = _authenticateByPAM(userName, password, isRemoteUser);
|
|
#else
|
|
//
|
|
// Mutex to Serialize Authentication calls.
|
|
@@ -146,7 +149,7 @@
|
|
Tracer::trace(TRC_AUTHENTICATION, Tracer::LEVEL4,
|
|
"Authentication Mutex lock.");
|
|
AutoMutex lock(_authSerializeMutex);
|
|
- authenticated = _pamBasicAuthenticatorStandAlone.authenticate(
|
|
+ authenticated = _pamBasicAuthenticatorStandAlone->authenticate(
|
|
userName, password);
|
|
#endif
|
|
|
|
@@ -156,7 +159,8 @@
|
|
|
|
Boolean PAMBasicAuthenticator::_authenticateByPAM(
|
|
const String& userName,
|
|
- const String& password)
|
|
+ const String& password,
|
|
+ Boolean isRemoteUser)
|
|
{
|
|
PEG_METHOD_ENTER(TRC_AUTHENTICATION,
|
|
"PAMBasicAuthenticator::_authenticateByPAM()");
|
|
@@ -166,6 +170,7 @@
|
|
pam_handle_t *phandle;
|
|
char *name;
|
|
APP_DATA mydata;
|
|
+ int retcode;
|
|
|
|
//
|
|
// Store the password for PAM authentication
|
|
@@ -180,12 +185,28 @@
|
|
// "PAMBasicAuthenticator::_authenticateByPAM() - userName = %s; userPassword = %s",
|
|
// (const char *)userName.getCString(), (const char *)password.getCString());
|
|
|
|
+ // NOTE: if any pam call should log anything, our syslog socket will be redirected
|
|
+ // to the AUTH facility, so we need to redirect it back after each pam call.
|
|
+
|
|
//
|
|
//Call pam_start since you need to before making any other PAM calls
|
|
//
|
|
- if ( ( pam_start(service,
|
|
+ if ( ( retcode = pam_start(service,
|
|
(const char *)userName.getCString(), &pconv, &phandle) ) != PAM_SUCCESS )
|
|
{
|
|
+ closelog();
|
|
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
|
|
+ syslog( LOG_ERR, "pam_start failed: %s", pam_strerror(phandle, retcode));
|
|
+ PEG_METHOD_EXIT();
|
|
+ return (authenticated);
|
|
+ }
|
|
+
|
|
+ if ( (retcode = pam_set_item(phandle, PAM_TTY, isRemoteUser ? "wbemNetwork" : "wbemLocal")) != PAM_SUCCESS )
|
|
+ {
|
|
+ pam_end(phandle, 0);
|
|
+ closelog();
|
|
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
|
|
+ syslog( LOG_ERR, "pam_set_item(PAM_TTY=wbem) failed: %s", pam_strerror(phandle, retcode));
|
|
PEG_METHOD_EXIT();
|
|
return (authenticated);
|
|
}
|
|
@@ -193,7 +214,7 @@
|
|
//
|
|
//Call pam_authenticate to authenticate the user
|
|
//
|
|
- if ( ( pam_authenticate(phandle, 0) ) == PAM_SUCCESS )
|
|
+ if ( ( retcode = pam_authenticate(phandle, 0) ) == PAM_SUCCESS )
|
|
{
|
|
Tracer::trace(TRC_AUTHENTICATION, Tracer::LEVEL4,
|
|
"pam_authenticate successful.");
|
|
@@ -202,21 +223,41 @@
|
|
//checking for password and account expiration, as well as verifying access
|
|
//hour restrictions.
|
|
//
|
|
- if ( ( pam_acct_mgmt(phandle, 0) ) == PAM_SUCCESS )
|
|
+ if ( ( retcode = pam_acct_mgmt(phandle, 0) ) == PAM_SUCCESS )
|
|
{
|
|
Tracer::trace(TRC_AUTHENTICATION, Tracer::LEVEL4,
|
|
"pam_acct_mgmt successful.");
|
|
authenticated = true;
|
|
}
|
|
+ else
|
|
+ {
|
|
+ closelog();
|
|
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
|
|
+ syslog(LOG_ERR, "pam_acct_mgmt failed: %s",pam_strerror(phandle, retcode));
|
|
+ }
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ closelog();
|
|
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
|
|
+ syslog(LOG_ERR, "pam_authenticate failed: %s",pam_strerror(phandle, retcode));
|
|
}
|
|
|
|
//
|
|
//Call pam_end to end our PAM work
|
|
//
|
|
pam_end(phandle, 0);
|
|
+ closelog();
|
|
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
|
|
|
|
PEG_METHOD_EXIT();
|
|
|
|
+ if ( ! authenticated )
|
|
+ syslog(LOG_ERR, "PAM authentication failed for %s user: %s",
|
|
+ isRemoteUser ? "remote" : "local",
|
|
+ (const char*)userName.getCString()
|
|
+ );
|
|
+
|
|
return (authenticated);
|
|
}
|
|
|
|
@@ -232,6 +273,7 @@
|
|
pam_handle_t *phandle;
|
|
char *name;
|
|
APP_DATA mydata;
|
|
+ int retcode;
|
|
|
|
const char *service = "wbem";
|
|
pconv.conv = PAMBasicAuthenticator::pamValidateUserCallback;
|
|
@@ -240,28 +282,53 @@
|
|
//
|
|
// Call pam_start since you need to before making any other PAM calls
|
|
//
|
|
- if ( pam_start(service,
|
|
- (const char *)userName.getCString(), &pconv, &phandle) != PAM_SUCCESS)
|
|
+ if ( (retcode = pam_start(service,
|
|
+ (const char *)userName.getCString(), &pconv, &phandle)) != PAM_SUCCESS)
|
|
{
|
|
+ closelog();
|
|
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
|
|
+ syslog( LOG_ERR, "pam_start() failed: %s", pam_strerror(phandle, retcode));
|
|
PEG_METHOD_EXIT();
|
|
return (authenticated);
|
|
}
|
|
|
|
+ if ( (retcode = pam_set_item(phandle, PAM_TTY, "wbemLocal")) != PAM_SUCCESS )
|
|
+ {
|
|
+ pam_end(phandle, 0);
|
|
+ closelog();
|
|
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
|
|
+ syslog( LOG_ERR, "pam_set_item(PAM_TTY=wbemLocal) failed: %s", pam_strerror(phandle, retcode));
|
|
+ PEG_METHOD_EXIT();
|
|
+ return (authenticated);
|
|
+ }
|
|
+
|
|
//
|
|
// Call pam_acct_mgmt, to check if the user account is valid. This includes
|
|
// checking for account expiration, as well as verifying access
|
|
// hour restrictions.
|
|
//
|
|
- if ( pam_acct_mgmt(phandle, 0) == PAM_SUCCESS )
|
|
+ if ( (retcode = pam_acct_mgmt(phandle, 0)) == PAM_SUCCESS )
|
|
{
|
|
authenticated = true;
|
|
}
|
|
+ else
|
|
+ {
|
|
+ pam_end(phandle, 0);
|
|
+ closelog();
|
|
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
|
|
+ syslog( LOG_ERR, "pam_acct_mgmt() failed: %s", pam_strerror(phandle, retcode));
|
|
+ PEG_METHOD_EXIT();
|
|
+ return (authenticated);
|
|
+ }
|
|
|
|
//
|
|
//Call pam_end to end our PAM work
|
|
//
|
|
pam_end(phandle, 0);
|
|
|
|
+ closelog();
|
|
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
|
|
+
|
|
#else
|
|
//
|
|
// Mutex to Serialize Authentication calls.
|
|
diff -Nur pegasus.orig/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp
|
|
--- pegasus.orig/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp 2006-11-14 12:34:59.000000000 -0600
|
|
+++ pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp 2007-02-23 00:34:45.000000000 -0600
|
|
@@ -281,6 +281,9 @@
|
|
}
|
|
}
|
|
|
|
+ // Let Authenticators know whether this user is Local or Remote:
|
|
+ httpMessage->authInfo->setRemoteUser( httpMessage->fromRemoteHost );
|
|
+
|
|
//
|
|
// Handle authentication:
|
|
//
|