From: Michael Meffie Date: Mon, 5 Mar 2012 15:47:45 +0000 (-0500) Subject: audit: remove static local realms X-Git-Tag: upstream/1.8.0_pre1^2~2511 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=0dd7c980acda0756150f11992a0d2236f340e0c2;p=packages%2Fo%2Fopenafs.git audit: remove static local realms Remove the static list of local realms and use the auth interace to do the local realm check. A callback function is registered by the servers to avoid a circular dependency between audit and auth. Change-Id: Ic0f25cd79da7987704de68bade14054490b26c80 Reviewed-on: http://gerrit.openafs.org/6879 Tested-by: BuildBot Reviewed-by: Derrick Brashear --- diff --git a/src/audit/audit.c b/src/audit/audit.c index 749d62b38..a0a03b499 100644 --- a/src/audit/audit.c +++ b/src/audit/audit.c @@ -46,6 +46,11 @@ extern struct osi_audit_ops audit_file_ops; extern struct osi_audit_ops audit_sysvmq_ops; #endif +static struct { + void *rock; + int (*islocal)(void *rock, char *name, char *inst, char *cell); +} audit_user_check = { NULL, NULL }; + static struct { const char *name; const struct osi_audit_ops *ops; @@ -404,7 +409,7 @@ osi_auditU(struct rx_call *call, char *audEvent, int errCode, ...) struct rx_peer *peer; afs_int32 secClass; afs_int32 code; - char afsName[MAXKTCNAMELEN]; + char afsName[MAXKTCNAMELEN + MAXKTCNAMELEN + MAXKTCREALMLEN + 3]; afs_int32 hostId; va_list vaList; @@ -427,8 +432,6 @@ osi_auditU(struct rx_call *call, char *audEvent, int errCode, ...) char tcell[MAXKTCREALMLEN]; char name[MAXKTCNAMELEN]; char inst[MAXKTCNAMELEN]; - char vname[256]; - int ilen, clen; code = rxkad_GetServerInfo(conn, NULL, NULL, name, inst, tcell, 
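Review bot: The `audit_user_check` struct added at the top of audit.c has no comment stating its contract: what `islocal` must return and what a NULL `islocal` means are only discoverable from osi_auditU further down, where a missing callback leaves `islocal` at 0 and the cell is appended to the name. Suggest `/* Callback registered by servers via osi_audit_set_user_check(); returns nonzero when name/inst/cell is in a local realm. NULL means every cell is treated as foreign and kept in the audited name. */` above the struct. The fields are assigned without a lock and read unlocked in osi_auditU, so the comment should also say registration must happen before RPCs are serviced; I am inferring that ordering from the main() call sites in this commit, not from anything enforced here.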
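Review bot: The new `afsName` size `MAXKTCNAMELEN + MAXKTCNAMELEN + MAXKTCREALMLEN + 3` is an unexplained sum, and its correctness matters: if the later strlcat()s could truncate, the `@cell` suffix would be the part dropped and a foreign principal would appear in the audit log as a local one. A comment tying the size to the inputs would make the invariant reviewable, e.g. `/* "name.inst@cell" + NUL; name/inst/cell come from MAXKTCNAMELEN/MAXKTCREALMLEN buffers, so the strlcat()s below cannot truncate */`. The +3 is slightly more than the '.', '@' and NUL need, which is harmless but worth stating so nobody trims it later. osi_auditU continues outside this hunk.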
@@ -437,62 +440,26 @@ osi_auditU(struct rx_call *call, char *audEvent, int errCode, ...) osi_audit("AFS_Aud_NoAFSId", (-1), AUD_STR, audEvent, AUD_END); strcpy(afsName, "--NoName--"); } else { - strncpy(vname, name, sizeof(vname)); - if ((ilen = strlen(inst))) { - if (strlen(vname) + 1 + ilen >= sizeof(vname)) - goto done; - strcat(vname, "."); - strcat(vname, inst); - } - if ((clen = strlen(tcell))) { - static char local_realms[AFS_NUM_LREALMS][AFS_REALM_SZ]; - static int num_lrealms = -1; - int i, lrealm_match; - - if (num_lrealms == -1) { - for (i = 0; i < AFS_NUM_LREALMS; i++) { - if (afs_krb_get_lrealm(local_realms[i], i) != 0 /*KSUCCESS*/) - break; - } - - num_lrealms = i; - } - - /* Check to see if the ticket cell matches one of the local realms */ - lrealm_match = 0; - for (i = 0; i < num_lrealms ; i++ ) { - if (!strcasecmp(local_realms[i], tcell)) { - lrealm_match = 1; - break; - } - } - /* If yes, then make sure that the name is not present in - * an exclusion list */ - if (lrealm_match) { - char uname[256]; - if (inst[0]) - snprintf(uname,sizeof(uname),"%s.%s@%s",name,inst,tcell); - else - snprintf(uname,sizeof(uname),"%s@%s",name,tcell); - - if (afs_krb_exclusion(uname)) - lrealm_match = 0; - } - - if (!lrealm_match) { - if (strlen(vname) + 1 + clen >= sizeof(vname)) - goto done; - strcat(vname, "@"); - strcat(vname, tcell); - } - } - strcpy(afsName, vname); - } + afs_int32 islocal = 0; + if (audit_user_check.islocal) { + islocal = + audit_user_check.islocal(audit_user_check.rock, + name, inst, tcell); + } + strlcpy(afsName, name, sizeof(afsName)); + if (inst[0]) { + strlcat(afsName, ".", sizeof(afsName)); + strlcat(afsName, inst, sizeof(afsName)); + } + if (tcell[0] && !islocal) { + strlcat(afsName, "@", sizeof(afsName)); + strlcat(afsName, tcell, sizeof(afsName)); + } + } } else { /* Unauthenticated & unknown */ osi_audit("AFS_Aud_UnknSec", (-1), AUD_STR, audEvent, AUD_END); strcpy(afsName, "--Unknown--"); } - done: peer = rx_PeerOf(conn); /* conn -> 
peer */ if (peer) hostId = rx_HostOf(peer); /* peer -> host */ @@ -576,6 +543,15 @@ osi_audit_interface(const char *interface) return 1; } +void +osi_audit_set_user_check(void *rock, + int (*islocal) (void *rock, char *name, char *inst, + char *cell)) +{ + audit_user_check.rock = rock; + audit_user_check.islocal = islocal; +} + void audit_PrintStats(FILE *out) { diff --git a/src/audit/audit.h b/src/audit/audit.h index 0014f86f0..7a93f5f7c 100644 --- a/src/audit/audit.h +++ b/src/audit/audit.h @@ -294,4 +294,5 @@ int osi_auditU(struct rx_call *call, char *audEvent, int errCode, ...); int osi_audit_file(const char *filename); void osi_audit_init(void); int osi_audit_interface(const char *interface); +void osi_audit_set_user_check(void *rock, int (*islocal)(void *rock, char *name, char *inst, char *cell)); void audit_PrintStats(FILE *out); diff --git a/src/bozo/bosserver.c b/src/bozo/bosserver.c index 169685b35..4bc6d40d9 100644 --- a/src/bozo/bosserver.c +++ b/src/bozo/bosserver.c @@ -99,6 +99,24 @@ bozo_rxstat_userok(struct rx_call *call) return afsconf_SuperUser(bozo_confdir, call, NULL); } +/** + * Return true if this name is a member of the local realm. + */ +int +bozo_IsLocalRealmMatch(void *rock, char *name, char *inst, char *cell) +{ + struct afsconf_dir *dir = (struct afsconf_dir *)rock; + afs_int32 islocal = 0; /* default to no */ + int code; + + code = afsconf_IsLocalRealmMatch(dir, &islocal, name, inst, cell); + if (code) { + bozo_Log("Failed local realm check; code=%d, name=%s, inst=%s, cell=%s\n", + code, name, inst, cell); + } + return islocal; +} + /* restart bozo process */ int bozo_ReBozo(void) @@ -1121,6 +1139,9 @@ main(int argc, char **argv, char **envp) } } + /* initialize audit user check */ + osi_audit_set_user_check(tdir, bozo_IsLocalRealmMatch); + /* read init file, starting up programs */ if ((code = ReadBozoFile(0))) { bozo_Log diff --git a/src/budb/server.c b/src/budb/server.c index add09f469..e8516f99e 100644 --- a/src/budb/server.c 
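Review bot: The removed block ran afs_krb_exclusion() on a matching principal before deciding to drop the realm; the replacement in the else branch only consults `audit_user_check.islocal`, so whether the exclusion list still applies now depends entirely on what afsconf_IsLocalRealmMatch does, which is not visible in this diff. If that is intended, a comment above the callback call should say so, e.g. `/* realm match and any exclusion list are the callback's responsibility */`, so the next reader does not assume the check was lost. The default of `islocal = 0` when no callback is registered is the safe direction (the cell stays in the name), and a short `/* no callback registered: treat every cell as foreign */` would document that choice. osi_auditU starts and ends outside this hunk.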
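Review bot: `osi_audit_set_user_check` is a new exported entry point (declared in audit.h in the next hunk) with no comment describing what it registers. A Doxygen block above it should say that `islocal` is called from osi_auditU with `rock` passed through unchanged and must return nonzero when name/inst/cell belong to a local realm, that passing NULL for `islocal` restores the default in which every cell is appended to the audited name, and that the call must precede servicing of RPCs because the fields are stored without synchronization. The last point is an inference from the main() placements in this commit rather than anything this hunk enforces.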
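Review bot: `bozo_IsLocalRealmMatch` has external linkage although it is only passed to osi_audit_set_user_check later in this file, and the same wrapper is `static` in kaserver.c and volmain.c but external in budb/server.c, ptserver.c, viced.c and vlserver.c; making all of them `static int` is consistent and avoids a missing-prototype warning where that is enabled. The `islocal = 0; /* default to no */` initialiser is the right fail-safe, because when afsconf_IsLocalRealmMatch fails the principal keeps its realm suffix in the audit record, but the comment should say that is why, e.g. `/* on error treat the principal as foreign so the realm stays in the audit record */`. Whether afsconf_IsLocalRealmMatch leaves `*islocal` untouched on an error return is not visible here and is worth confirming, since every wrapper relies on it.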
+++ b/src/budb/server.c @@ -72,6 +72,24 @@ BU_rxstat_userok(struct rx_call *call) return afsconf_SuperUser(BU_conf, call, NULL); } +/** + * Return true if this name is a member of the local realm. + */ +int +BU_IsLocalRealmMatch(void *rock, char *name, char *inst, char *cell) +{ + struct afsconf_dir *dir = (struct afsconf_dir *)rock; + afs_int32 islocal = 0; /* default to no */ + int code; + + code = afsconf_IsLocalRealmMatch(dir, &islocal, name, inst, cell); + if (code) { + LogError(code, "Failed local realm check; name=%s, inst=%s, cell=%s\n", + name, inst, cell); + } + return islocal; +} + int convert_cell_to_ubik(struct afsconf_cell *cellinfo, afs_uint32 *myHost, afs_uint32 *serverList) @@ -480,6 +498,9 @@ main(int argc, char **argv) ERROR(code); } + /* initialize audit user check */ + osi_audit_set_user_check(BU_conf, BU_IsLocalRealmMatch); + /* initialize ubik */ ubik_SetClientSecurityProcs(afsconf_ClientAuth, afsconf_UpToDate, BU_conf); ubik_SetServerSecurityProcs(afsconf_BuildServerSecurityObjects, diff --git a/src/kauth/kaserver.c b/src/kauth/kaserver.c index c54bf6a82..7a45adaf1 100644 --- a/src/kauth/kaserver.c +++ b/src/kauth/kaserver.c @@ -69,6 +69,25 @@ KA_rxstat_userok(struct rx_call *call) return afsconf_SuperUser(KA_conf, call, NULL); } +/** + * Return true if this name is a member of the local realm. + */ +static int +KA_IsLocalRealmMatch(void *rock, char *name, char *inst, char *cell) +{ + struct afsconf_dir *dir = (struct afsconf_dir *)rock; + afs_int32 islocal = 0; /* default to no */ + int code; + + code = afsconf_IsLocalRealmMatch(dir, &islocal, name, inst, cell); + if (code) { + ViceLog(0, + ("Failed local realm check; code=%d, name=%s, inst=%s, cell=%s\n", + code, name, inst, cell)); + } + return islocal; +} + afs_int32 es_Report(char *fmt, ...) { 
@@ -331,6 +350,9 @@ main(int argc, char *argv[]) ViceLog(0, ("Using server list from %s cell database.\n", cell)); } + /* initialize audit user check */ + osi_audit_set_user_check(KA_conf, KA_IsLocalRealmMatch); + /* initialize ubik */ if (level == rxkad_clear) ubik_SetClientSecurityProcs(afsconf_ClientAuth, afsconf_UpToDate, diff --git a/src/ptserver/ptserver.c b/src/ptserver/ptserver.c index 89bfa9d82..d15e347da 100644 --- a/src/ptserver/ptserver.c +++ b/src/ptserver/ptserver.c @@ -192,6 +192,25 @@ pr_rxstat_userok(struct rx_call *call) return afsconf_SuperUser(prdir, call, NULL); } +/** + * Return true if this name is a member of the local realm. + */ +int +pr_IsLocalRealmMatch(void *rock, char *name, char *inst, char *cell) +{ + struct afsconf_dir *dir = (struct afsconf_dir *)rock; + afs_int32 islocal = 0; /* default to no */ + int code; + + code = afsconf_IsLocalRealmMatch(dir, &islocal, name, inst, cell); + if (code) { + ViceLog(0, ("Failed local realm check; code=%d, name=%s, inst=%s, cell=%s\n", + code, name, inst, cell)); + } + return islocal; +} + + enum optionsList { OPT_database, OPT_access, @@ -449,6 +468,9 @@ main(int argc, char **argv) } pr_realmName = info.name; + /* initialize audit user check */ + osi_audit_set_user_check(configDir, pr_IsLocalRealmMatch); + /* initialize ubik */ ubik_SetClientSecurityProcs(afsconf_ClientAuth, afsconf_UpToDate, prdir); ubik_SetServerSecurityProcs(afsconf_BuildServerSecurityObjects, diff --git a/src/viced/viced.c b/src/viced/viced.c index f747c1f27..f03ac0876 100644 --- a/src/viced/viced.c +++ b/src/viced/viced.c 
@@ -286,6 +286,25 @@ fs_rxstat_userok(struct rx_call *call) return afsconf_SuperUser(confDir, call, NULL); } +/** + * Return true if this name is a member of the local realm. + */ +int +fs_IsLocalRealmMatch(void *rock, char *name, char *inst, char *cell) +{ + struct afsconf_dir *dir = (struct afsconf_dir *)rock; + afs_int32 islocal = 0; /* default to no */ + int code; + + code = afsconf_IsLocalRealmMatch(dir, &islocal, name, inst, cell); + if (code) { + ViceLog(0, + ("Failed local realm check; code=%d, name=%s, inst=%s, cell=%s\n", + code, name, inst, cell)); + } + return islocal; +} + static void ResetCheckSignal(void) { @@ -1831,6 +1850,9 @@ main(int argc, char *argv[]) exit(-1); } + /* initialize audit user check */ + osi_audit_set_user_check(confDir, fs_IsLocalRealmMatch); + /* Open FileLog on stdout, stderr, fd 1 and fd2 (for perror), sigh. */ #ifndef AFS_NT40_ENV serverLogSyslogTag = "fileserver"; diff --git a/src/vlserver/vlserver.c b/src/vlserver/vlserver.c index b7230a44d..9f8827870 100644 --- a/src/vlserver/vlserver.c +++ b/src/vlserver/vlserver.c @@ -109,6 +109,25 @@ vldb_rxstat_userok(struct rx_call *call) return afsconf_SuperUser(vldb_confdir, call, NULL); } +/** + * Return true if this name is a member of the local realm. + */ +int +vldb_IsLocalRealmMatch(void *rock, char *name, char *inst, char *cell) +{ + struct afsconf_dir *dir = (struct afsconf_dir *)rock; + afs_int32 islocal = 0; /* default to no */ + int code; + + code = afsconf_IsLocalRealmMatch(dir, &islocal, name, inst, cell); + if (code) { + ViceLog(0, + ("Failed local realm check; code=%d, name=%s, inst=%s, cell=%s\n", + code, name, inst, cell)); + } + return islocal; +} + /* Main server module */ #include "AFS_component_version_number.c" @@ -323,6 +342,10 @@ main(int argc, char **argv) configDir); exit(1); } + + /* initialize audit user check */ + osi_audit_set_user_check(configDir, vldb_IsLocalRealmMatch); + #ifdef AFS_NT40_ENV /* initialize winsock */ if (afs_winsockInit() < 0) { 
diff --git a/src/volser/volmain.c b/src/volser/volmain.c index 8c1290243..89714951f 100644 --- a/src/volser/volmain.c +++ b/src/volser/volmain.c @@ -226,6 +226,25 @@ vol_rxstat_userok(struct rx_call *call) return afsconf_SuperUser(tdir, call, NULL); } +/** + * Return true if this name is a member of the local realm. + */ +static int +vol_IsLocalRealmMatch(void *rock, char *name, char *inst, char *cell) +{ + struct afsconf_dir *dir = (struct afsconf_dir *)rock; + afs_int32 islocal = 0; /* default to no */ + int code; + + code = afsconf_IsLocalRealmMatch(dir, &islocal, name, inst, cell); + if (code) { + ViceLog(0, + ("Failed local realm check; code=%d, name=%s, inst=%s, cell=%s\n", + code, name, inst, cell)); + } + return islocal; +} + #include "AFS_component_version_number.c" int main(int argc, char **argv) @@ -481,6 +500,10 @@ main(int argc, char **argv) AFSDIR_SERVER_ETC_DIRPATH); VS_EXIT(1); } + + /* initialize audit user check */ + osi_audit_set_user_check(tdir, vol_IsLocalRealmMatch); + afsconf_GetKey(tdir, 999, &tkey); afsconf_BuildServerSecurityObjects(tdir, &securityClasses, &numClasses); if (securityClasses[0] == NULL)