? gssapi-local.h ? gssapi.c ? gssapi_openssl.h Index: Makefile.in =================================================================== RCS file: /local/reps/lcgware/DPM-FTP/Makefile.in,v retrieving revision 1.4 diff -u -r1.4 Makefile.in --- Makefile.in 29 Sep 2005 15:19:37 -0000 1.4 +++ Makefile.in 8 Dec 2005 15:03:12 -0000 @@ -66,12 +66,21 @@ DPMLIBDIR=-L../../../../../../../LCG-DM/lib DPM_CFLAGS= +# +# TODO FIXME make configure-time dependent +# +VOMS_FLAGS=-DUSE_VOMS -DVIRTUAL_ID +#VOMS_FLAGS=-DVIRTUAL_ID +VOMS_LIBDIR=-L/opt/edg/lib/ +VOMS_LIB=-lvomsc_gcc32dbg $(VOMS_LIBDIR) + LIBS=$(DPMLIB) @LIBS@ \ @GSSAPI_LDFLAGS@ \ @GSSAPI_LIBS@ \ @AFS_LDFLAGS@ \ @AFS_LIBS@ \ - $(GLOBUS_DATA_LIBS) + $(GLOBUS_DATA_LIBS) \ + $(VOMS_LIB) UTIL_SRC = COPYRIGHT.c vers.c UTIL_OBJS = COPYRIGHT.o vers.o @@ -97,7 +106,7 @@ $(GSSAPI_OBJS) $(AFS_OBJS) $(DPM_OBJS) .c.o: - $(COMPILE) $(CFLAGS) $(DPM_CFLAGS) $(DPMINC) -I. -I.. -I$(srcdir) -I$(srcdir)/.. -I../support -c -o $@ $< + $(COMPILE) $(CFLAGS) $(DPM_CFLAGS) $(VOMS_FLAGS) $(DPMINC) -I. -I.. -I$(srcdir) -I$(srcdir)/.. -I../support -c -o $@ $< all: ftpd ftpcount ftpshut ftprestart ckconfig 
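Review bot: `VOMS_FLAGS=-DUSE_VOMS -DVIRTUAL_ID` switches the daemon from grid-mapfile authorization to the VIRTUAL_ID scheme unconditionally, and `VOMS_LIB=-lvomsc_gcc32dbg $(VOMS_LIBDIR)` links a debug variant of the VOMS library from a hard-coded `/opt/edg/lib/`; the `TODO FIXME` comment concedes this, but a build default that changes the authorization model should not be silent. Make both configure-time substitutions, e.g. `VOMS_FLAGS=@VOMS_CFLAGS@` and `VOMS_LIB=@VOMS_LDFLAGS@ @VOMS_LIBS@`, and link the release library (`-lvomsc`) unless a debug build is requested. Placing `$(VOMS_LIBDIR)` after `-lvomsc…` only works because GNU ld applies `-L` to the whole command line regardless of order; the conventional `-L… -l…` order is portable. The commented-out `#VOMS_FLAGS=-DVIRTUAL_ID` alternative is dead text that a configure option would replace.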
@@ -108,19 +117,19 @@ mv -f y.tab.c ftpcmd.c ftpcount: ${UTIL_OBJS} ftpcount.o - $(LINK) $(CFLAGS) $(DPM_CFLAGS) -o $@ ${UTIL_OBJS} ftpcount.o $(DPMLIBDIR) -L../support $(LDFLAGS) $(LIBS) + $(LINK) $(CFLAGS) $(DPM_CFLAGS) -o $@ ${UTIL_OBJS} ftpcount.o $(DPMLIBDIR) -L../support $(LDFLAGS) $(LIBS) $(VOMS_LIB) ftpshut: ${UTIL_OBJS} ftpshut.o rdservers.o - $(LINK) $(CFLAGS) $(DPM_CFLAGS) -o $@ ${UTIL_OBJS} ftpshut.o rdservers.o -L../support $(LDFLAGS) $(DPMLIBDIR) $(LIBS) + $(LINK) $(CFLAGS) $(DPM_CFLAGS) -o $@ ${UTIL_OBJS} ftpshut.o rdservers.o -L../support $(LDFLAGS) $(DPMLIBDIR) $(LIBS) $(VOMS_LIB) ftprestart: ${UTIL_OBJS} ftprestart.o rdservers.o - $(LINK) $(CFLAGS) $(DPM_CFLAGS) -o $@ ${UTIL_OBJS} ftprestart.o rdservers.o -L../support $(LDFLAGS) $(DPMLIBDIR) $(LIBS) + $(LINK) $(CFLAGS) $(DPM_CFLAGS) -o $@ ${UTIL_OBJS} ftprestart.o rdservers.o -L../support $(LDFLAGS) $(DPMLIBDIR) $(LIBS) $(VOMS_LIB) ckconfig: ${UTIL_OBJS} ckconfig.o rdservers.o - $(LINK) $(CFLAGS) $(DPM_CFLAGS) -o $@ ${UTIL_OBJS} ckconfig.o rdservers.o -L../support $(LDFLAGS) $(DPMLIBDIR) $(LIBS) + $(LINK) $(CFLAGS) $(DPM_CFLAGS) -o $@ ${UTIL_OBJS} ckconfig.o rdservers.o -L../support $(LDFLAGS) $(DPMLIBDIR) $(LIBS) $(VOMS_LIB) ftpd: ${OBJS} - $(LINK) $(CFLAGS) $(DPM_CFLAGS) -o $@ ${OBJS} -L../support $(LDFLAGS) $(DPMLIBDIR) $(LIBS) + $(LINK) $(CFLAGS) $(DPM_CFLAGS) -o $@ ${OBJS} -L../support $(LDFLAGS) $(DPMLIBDIR) $(LIBS) $(VOMS_LIB) vers.c: ftpcmd.c sh $(srcdir)/newvers.sh Index: dpm-gsiftp.scripts =================================================================== RCS file: /local/reps/lcgware/DPM-FTP/dpm-gsiftp.scripts,v retrieving revision 1.3 diff -u -r1.3 dpm-gsiftp.scripts --- dpm-gsiftp.scripts 24 Nov 2005 17:51:25 -0000 1.3 +++ dpm-gsiftp.scripts 8 Dec 2005 15:03:12 -0000 
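Review bot: Each link line now ends with `$(LIBS) $(VOMS_LIB)`, but the first hunk already appended `$(VOMS_LIB)` to `LIBS`, so libvomsc is listed twice on every link command. The trailing `$(VOMS_LIB)` on the `ftpcount`, `ftpshut`, `ftprestart`, `ckconfig` and `ftpd` rules can be dropped, which also keeps the dependency in one place. Whether the four utility binaries reference any VOMS symbol at all is not visible here; if they do not, they should not link it, since it adds a shared-library dependency to tools that run outside any GSI session.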
@@ -19,6 +19,7 @@ . /etc/sysconfig/dpm-gsiftp export CSEC_MECH=ID +export X509_CERT_DIR=/etc/grid-security/certificates ############### Standard Globus configuration ###################### Index: dpm_callhandlers.c =================================================================== RCS file: /local/reps/lcgware/DPM-FTP/dpm_callhandlers.c,v retrieving revision 1.2 diff -u -r1.2 dpm_callhandlers.c --- dpm_callhandlers.c 30 Jun 2005 05:18:15 -0000 1.2 +++ dpm_callhandlers.c 8 Dec 2005 15:03:12 -0000 @@ -29,6 +29,16 @@ typedef struct stage_hsm stage_hsm_t; extern int rfio_HsmIf_AddCnsFileDescriptor(int, int, stage_hsm_t *); +#ifdef USE_VOMS +typedef struct gssapi_voms_ctx { + char *voname; + char **fqan; + int nbfqan; + +} gssapi_voms_ctx_t; +extern gssapi_voms_ctx_t voms_ctx; +#endif + int dpm_handle_open(char *path, int flags, int mode) { uid_t euid; @@ -48,6 +58,9 @@ if (rc) { /* remote file */ rfio_client_setAuthorizationId (pw->pw_uid, pw->pw_gid, "GSI", gssapi_identity()); +#ifdef USE_VOMS + rfio_client_setVOMS_data (voms_ctx.voname, voms_ctx.fqan, voms_ctx.nbfqan); +#endif seteuid (0); rc = rfio_open64 (path, flags, mode); seteuid (euid); @@ -61,6 +74,10 @@ hsmfile->r_token = malloc (CA_MAXDPMTOKENLEN+1); dpm_client_setAuthorizationId (pw->pw_uid, pw->pw_gid, "GSI", gssapi_identity()); +#ifdef USE_VOMS + dpm_client_setVOMS_data (voms_ctx.voname, voms_ctx.fqan, voms_ctx.nbfqan); +#endif + seteuid (0); turl = dpm_getturl (path, flags, (u_signed64) 0, hsmfile->r_token); seteuid (euid); @@ -72,6 +89,9 @@ if (rfio_parse (path, &host, &filename)) { rfio_client_setAuthorizationId (pw->pw_uid, pw->pw_gid, "GSI", gssapi_identity()); +#ifdef USE_VOMS + rfio_client_setVOMS_data (voms_ctx.voname, voms_ctx.fqan, voms_ctx.nbfqan); +#endif seteuid (0); rc = rfio_open64 (path, flags, mode); seteuid (euid); 
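Review bot: `export X509_CERT_DIR=/etc/grid-security/certificates` comes after `. /etc/sysconfig/dpm-gsiftp` and therefore overrides any value the site set in that file, which matters because this variable is the directory GSI consults for CA certificates when verifying peers. Prefer a default the sysconfig file can still override: `: ${X509_CERT_DIR:=/etc/grid-security/certificates}` followed by `export X509_CERT_DIR`. A one-line comment above it saying why the daemon needs an explicit trust directory would help the next operator.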
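Review bot: `typedef struct gssapi_voms_ctx { … } gssapi_voms_ctx_t;` re-declares the structure locally inside `#ifdef USE_VOMS` instead of including the header ftpd.c gets it from, so the two definitions can drift apart silently — a field added to the real one would make `voms_ctx.voname`, `voms_ctx.fqan` and `voms_ctx.nbfqan` read the wrong offsets here with no compiler diagnostic. The untracked `? gssapi-local.h` at the top of the diff suggests that header is where the type lives and that it has not been committed yet. Replace the local typedef with `#include "gssapi-local.h"` (or whichever header defines the type) and keep only `extern gssapi_voms_ctx_t voms_ctx;`.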
@@ -150,6 +170,9 @@ strcpy (p, filename); Cns_client_setAuthorizationId (pw->pw_uid, pw->pw_gid, "GSI", gssapi_identity()); +#ifdef USE_VOMS + dpns_client_setVOMS_data (voms_ctx.voname, voms_ctx.fqan, voms_ctx.nbfqan); +#endif seteuid (0); rc = Cns_accessr (sfn1, (flags & (O_WRONLY|O_TRUNC|O_CREAT)) ? W_OK : R_OK); seteuid (euid); @@ -184,6 +207,9 @@ if (rc) { /* remote file */ rfio_client_setAuthorizationId (pw->pw_uid, pw->pw_gid, "GSI", gssapi_identity()); +#ifdef USE_VOMS + rfio_client_setVOMS_data (voms_ctx.voname, voms_ctx.fqan, voms_ctx.nbfqan); +#endif seteuid (0); rc = rfio_stat64 (path, st); seteuid (euid); @@ -193,6 +219,9 @@ if (host) { /* DPM managed file */ Cns_client_setAuthorizationId (pw->pw_uid, pw->pw_gid, "GSI", gssapi_identity()); +#ifdef USE_VOMS + dpns_client_setVOMS_data (voms_ctx.voname, voms_ctx.fqan, voms_ctx.nbfqan); +#endif seteuid (0); rc = rfio_stat64 (path, st); seteuid (euid); @@ -223,6 +252,9 @@ strcpy (p, filename); Cns_client_setAuthorizationId (pw->pw_uid, pw->pw_gid, "GSI", gssapi_identity()); +#ifdef USE_VOMS + dpns_client_setVOMS_data (voms_ctx.voname, voms_ctx.fqan, voms_ctx.nbfqan); +#endif seteuid (0); rc = Cns_statr (sfn1, &statbuf); seteuid (euid); Index: ftpd.c =================================================================== RCS file: /local/reps/lcgware/DPM-FTP/ftpd.c,v retrieving revision 1.4 diff -u -r1.4 ftpd.c --- ftpd.c 14 Oct 2005 07:55:56 -0000 1.4 +++ ftpd.c 8 Dec 2005 15:03:13 -0000 @@ -220,6 +220,13 @@ #include "gssapi-local.h" +#ifdef USE_VOMS + +#include "dpns_api.h" +#include "dpm_api.h" + +#endif + /* User has passed all GSSAPI authentication and authorization checks */ int gssapi_user_is_good = 0; @@ -347,6 +354,8 @@ extern char * g_perf_log_file_name; #endif +/* for preserving the VOMS context */ +gssapi_voms_ctx_t voms_ctx; /* File containing login names NOT to be used on this machine. Commonly used * to disallow uucp. */ 
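Review bot: In the `DPM managed file` branch `dpns_client_setVOMS_data (...)` is set before `rfio_stat64 (path, st)`, whereas the `remote file` branch just above it sets `rfio_client_setVOMS_data (...)` before the same `rfio_stat64` call, and `dpm_handle_open` earlier in the file pairs `rfio_client_setVOMS_data` with every `rfio_open64`. Whether an `rfio_stat64` on a DPM-managed path consults the name-server client's VOMS data, the RFIO client's, or both is not visible here; if it is the RFIO path, this branch hands the attributes to the wrong library and the stat runs without them. Please confirm against the RFIO/DPNS client sources and record the answer in a one-line comment, e.g. `/* rfio_stat64 on a DPM path goes through the name server, so the DPNS client carries the VOMS data */`. The same pairing of `Cns_client_setAuthorizationId` with a `dpns_client_` call appears in the other hunks of this file; if `dpns_` and `Cns_` are aliases of one client that is fine, but worth stating once.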
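Review bot: `gssapi_voms_ctx_t voms_ctx;` is defined at file scope outside any `#ifdef USE_VOMS`, while the `dpns_api.h`/`dpm_api.h` includes in the previous hunk and the matching `extern` in dpm_callhandlers.c are both guarded by it. The VIRTUAL_ID path in user() reads `voms_ctx.nbfqan` and `voms_ctx.fqan` even when USE_VOMS is off, so the unconditional definition is presumably intended, but nothing in this hunk shows that the type is declared in a non-VOMS build (the commented-out `VOMS_FLAGS=-DVIRTUAL_ID` in Makefile.in is exactly that configuration). Say so in the comment, e.g. `/* VOMS attributes of the authenticated client; always defined because the VIRTUAL_ID mapping reads it, zeroed on every USER command and filled only by the :globus-mapping: branch */`, and verify that the typedef is visible without USE_VOMS.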
@@ -2131,6 +2140,13 @@ { char *cp; char *shell; +#ifdef VIRTUAL_ID + char username[256]; + uid_t uid; + gid_t gid; + /* this has to be static, as it is pointed to by the global struct *pw */ + static struct passwd tmp_pw; +#endif #ifdef BSD_AUTH char *auth; #endif 
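Review bot: `char username[256];` sizes the buffer that `dpns_getusrbyuid(uid, username)` fills with a magic number rather than the name-server API's own limit, so the two can disagree if the library's maximum user-name length changes; if the API exposes a constant (something like `CA_MAXUSRNAMELEN`), declare it as `char username[CA_MAXUSRNAMELEN + 1];`, the way dpm_callhandlers.c already uses `CA_MAXDPMTOKENLEN+1`. The comment on `static struct passwd tmp_pw;` explains why it is static but not that it persists across USER commands in the same session; a note such as `/* filled only by the :globus-mapping: branch; stale on any other USER */` would make the later `pw = &tmp_pw` easier to audit. The enclosing function (presumably user()) starts above this hunk.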
@@ -2170,18 +2186,77 @@ */ if (strcmp(name, ":globus-mapping:") == 0) { char *identity; - +#ifdef USE_VOMS + gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; + gss_cred_id_t user_cred_handle = GSS_C_NO_CREDENTIAL; + gss_cred_id_t del_cred = GSS_C_NO_CREDENTIAL; +#endif /* USE_VOMS */ +#ifdef VIRTUAL_ID + int c; +#endif + memset(&voms_ctx, 0, sizeof(voms_ctx)); identity = gssapi_identity(); if (identity == NULL) { reply(530, "Must authenticate first"); return; } +#ifdef USE_VOMS + del_cred = gssapi_get_gss_cred_id_t(); + ctx = gssapi_get_gss_ctx_id_t(); + user_cred_handle = find_gss_cred_id_t(identity, del_cred, ctx); + if (user_cred_handle == GSS_C_NO_CREDENTIAL) + { + syslog(LOG_INFO, "Cannot find a valid user credential\n"); + return; + } + if (gssapi_get_voms_creds(&voms_ctx, user_cred_handle) == -1) { + syslog(LOG_INFO, "VOMS processing returned error\n"); + reply(530, "Internal VOMS error when processing cert\n"); + return; + } +#endif +#ifdef VIRTUAL_ID + /* values are bogus, but we need the cert there */ + dpns_client_setAuthorizationId (-1, -1, "GSI", identity); +#ifdef USE_VOMS + if (voms_ctx.voname && voms_ctx.fqan) + syslog(LOG_INFO, "calling setVOMS with %s %s %d\n", voms_ctx.voname, + voms_ctx.fqan[0], voms_ctx.nbfqan); + dpns_client_setVOMS_data (voms_ctx.voname, voms_ctx.fqan, voms_ctx.nbfqan); +#endif + if ((c = dpns_getidmap (identity, voms_ctx.nbfqan, voms_ctx.fqan, &uid, &gid))) { + syslog(LOG_INFO, "getidmap() returned error\n"); + reply (530, "Could not get virtual id!\n"); + return; + } + syslog(LOG_INFO, "obtained uid %d gid %d from nameserver\n", uid, gid); + /* get the username (the DN, actually) */ + dpns_client_setAuthorizationId (uid, gid, "GSI", identity); + if ((c = dpns_getusrbyuid(uid, username))) { + syslog(LOG_INFO, "getusrbyuid retrned %d\n"); + reply(530, "getusrbyuid() NS call failed\n"); + return; + } + syslog(LOG_INFO, "setting username to %s\n", username); + name = &username[0]; + + /* prepare the proxy pwent structure to be used later 
for real pw_ent */ + memset(&tmp_pw, 0, sizeof(struct passwd)); + tmp_pw.pw_uid = uid; + tmp_pw.pw_gid = gid; + tmp_pw.pw_name = strdup(name); + tmp_pw.pw_shell = "/bin/bash"; + tmp_pw.pw_dir = "/"; + tmp_pw.pw_passwd = "password"; + pw = &tmp_pw; +#else name = globus_local_name(identity); if (name == NULL) { reply(530, "No local mapping for Globus ID"); return; } +#endif /* VIRTUAL_ID */ if (debug) syslog(LOG_INFO, "Globus user maps to local user %s", name); } @@ -2461,9 +2536,11 @@ #endif } #endif - +#ifndef VIRTUAL_ID if ((pw = sgetpwnam(name)) != NULL) { - +#else + if (pw = &tmp_pw) { +#endif if ((denieduid(pw->pw_uid) && !alloweduid(pw->pw_uid)) || (deniedgid(pw->pw_gid) && !allowedgid(pw->pw_gid))) { #ifndef HELP_CRACKERS @@ -2526,9 +2603,16 @@ char *gssapi_name = gssapi_identity(); /* Check authorization of already authenticated user */ + /* If we are not using VOMS/VIRTUAL_IDs, perform the standard grid-mapfile mapping. + * Otherwirse the authorization is handled by the directory rights + * so if authenticated, then OK + */ +#ifndef VIRTUAL_ID gssapi_user_is_good = (gssapi_check_authorization(gssapi_name, name) == 0); - +#else + gssapi_user_is_good = 1; +#endif syslog((gssapi_user_is_good ? LOG_INFO : LOG_ERR), "GSSAPI user \"%s\" is%s authorized as %s", gssapi_name, @@ -2570,13 +2654,13 @@ #endif return; } - else if (use_accessfile) /* see above. _H */ + else if (use_accessfile) { /* see above. _H */ acl_setfunctions(); + } #ifdef BSD_AUTH if ((cp = start_auth(auth, name, pw)) != NULL) { char *s; - for (;;) { s = strsep(&cp, "\n"); if (cp == NULL || *cp == '\0') 
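Review bot: `syslog(LOG_INFO, "getusrbyuid retrned %d\n");` has a `%d` conversion with no matching argument, which is undefined behaviour and logs whatever happens to be in the argument slot; it should read `syslog(LOG_INFO, "getusrbyuid returned %d", c);`. Just above, the `user_cred_handle == GSS_C_NO_CREDENTIAL` branch returns after its syslog without answering the client, so the USER command gets no response; add `reply(530, "Cannot find a valid user credential");` before that `return;`. `tmp_pw.pw_passwd = "password";` is a real string that the password-processing hunk later in this diff feeds into its salt logic via `pw->pw_passwd`, so a locked placeholder such as `"*"` is the safer value, and `tmp_pw.pw_name = strdup(name);` is neither NULL-checked nor freed when a second USER command overwrites it. The new syslog messages also end in `\n`, which syslog does not need. The enclosing function starts and ends outside this hunk.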
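Review bot: `if (pw = &tmp_pw) {` is an assignment used as a condition: it is always true and points `pw` at the static struct for every login attempt, not only those that went through the `:globus-mapping:` branch that filled `tmp_pw` in. A client that sends any other USER name therefore reaches the `denieduid`/`deniedgid` checks with a `tmp_pw` that is either all-zero (uid 0, gid 0, since it is static and zero-initialised) or left over from an earlier USER command in the same session; whether pass() then lets such a login proceed depends on code outside this hunk, but the identity decision should not rest on that. Accept the static entry only when the mapping actually ran, e.g. `if (pw == &tmp_pw && tmp_pw.pw_name != NULL) {`, and clear `tmp_pw` (freeing the old `pw_name`) at the top of the function so a stale mapping cannot survive a second USER. This also removes the assignment-in-condition warning.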
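Review bot: `gssapi_user_is_good = 1;` grants authorization to every GSSAPI-authenticated identity without checking that `name` is the account the VIRTUAL_ID mapping produced, so the syslog line that follows ("GSSAPI user … is authorized as %s") reports a name the code never validated. The new comment says authorization is left to directory rights in the name server, which is reasonable for file access, but the login itself still requires the mapping to have succeeded; tie the flag to that, e.g. `gssapi_user_is_good = (pw == &tmp_pw && tmp_pw.pw_name != NULL);`. Also fix the typo `Otherwirse` → `Otherwise` in the comment.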
@@ -3046,18 +3130,18 @@ /* ******** REGULAR/GUEST USER PASSWORD PROCESSING ********** */ if (!anonymous) { /* "ftp" is only account allowed no password */ #ifndef HELP_CRACKERS - if (DenyLoginAfterPassword) { - pr_mesg(530, DelayedMessageFile); - reply(530, "Login incorrect."); - acl_remove(); - pw = NULL; - if (++login_attempts >= lgi_failure_threshold) { - syslog(LOG_NOTICE, "repeated login failures from %s", - remoteident); - exit(0); + if (DenyLoginAfterPassword) { + pr_mesg(530, DelayedMessageFile); + reply(530, "Login incorrect."); + acl_remove(); + pw = NULL; + if (++login_attempts >= lgi_failure_threshold) { + syslog(LOG_NOTICE, "repeated login failures from %s", + remoteident); + exit(0); + } + return; } - return; - } #endif if (*passwd == '-') passwd++; @@ -3114,7 +3198,7 @@ } else { #endif /* BSD_AUTH */ - *guestpw = '\0'; + *guestpw = '\0'; if (pw == NULL || strlen(pw->pw_passwd) == 0) salt = "xx"; else @@ -3162,7 +3246,7 @@ * User has alreay been authenticated (in auth_data()) and * authorized (in user()) */ - rval = 0; + rval = 0; } else #endif /* GSSAPI */ @@ -3224,6 +3308,7 @@ } else { /*sec_login_get_pwent(lhdl, &pw, &status); */ + rval = 0; } } @@ -3388,6 +3473,7 @@ /* END AUTHENTICATION */ login_attempts = 0; /* this time successful */ /* SET GROUP ID STARTS HERE */ + syslog(LOG_INFO, "setting gid to %d\n", (int)pw->pw_gid); #ifndef AIX (void) setegid((gid_t) pw->pw_gid); #else @@ -3465,7 +3551,7 @@ } else #endif - + /* * New chroot logic. * @@ -3715,6 +3801,7 @@ getgidx(ID_EFFECTIVE), getgidx(ID_SAVED), getgidx(ID_LOGIN)); #endif #else + syslog(LOG_INFO, "setting uid to %d\n", (int)pw->pw_uid); #ifdef HAVE_SETREUID if (setreuid(-1, (uid_t) pw->pw_uid) < 0) { #else @@ -5265,6 +5352,9 @@ Cns_client_setAuthorizationId (pw->pw_uid, pw->pw_gid, "GSI", gssapi_identity()); +#ifdef USE_VOMS + dpns_client_setVOMS_data (voms_ctx.voname, voms_ctx.fqan, voms_ctx.nbfqan); +#endif seteuid (0); if (Cns_stat (path, &statbuf) < 0) { seteuid (euid); 
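Review bot: `rval = 0;` added in the `else` branch after the commented-out `sec_login_get_pwent` call is a password-acceptance decision — the GSSAPI branch in the previous hunk uses the same `rval = 0` for an already-authenticated user — and the condition that selects this branch is outside the hunk, so it cannot be confirmed here that it is reached only after a successful validation. If this is the success path of that authentication block, say so: `rval = 0; /* identity validated above; no local password check needed */`; if it is not, the line should be removed rather than left as an unexplained grant. The enclosing function starts and ends outside this hunk.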
@@ -7653,6 +7743,10 @@ if (strncmp (name, "/dpm/", 5) == 0) { Cns_client_setAuthorizationId (pw->pw_uid, pw->pw_gid, "GSI", gssapi_identity()); +#ifdef USE_VOMS + syslog(LOG_INFO, "delete: calling setVOMS with %s %s %d\n", voms_ctx.voname, voms_ctx.fqan[0], voms_ctx.nbfqan); + dpns_client_setVOMS_data (voms_ctx.voname, voms_ctx.fqan, voms_ctx.nbfqan); +#endif seteuid (0); } if (lstat(name, &st) < 0) { @@ -7896,6 +7990,10 @@ if (strncmp (name, "/dpm/", 5) == 0) { Cns_client_setAuthorizationId (pw->pw_uid, pw->pw_gid, "GSI", gssapi_identity()); +#ifdef USE_VOMS + syslog(LOG_INFO, "makedir: calling setVOMS with %s %s %d\n", voms_ctx.voname, voms_ctx.fqan[0], voms_ctx.nbfqan); + dpns_client_setVOMS_data (voms_ctx.voname, voms_ctx.fqan, voms_ctx.nbfqan); +#endif seteuid (0); } if (mkdir(name, d_mode) < 0) { @@ -8020,6 +8118,10 @@ if (strncmp (name, "/dpm/", 5) == 0) { Cns_client_setAuthorizationId (pw->pw_uid, pw->pw_gid, "GSI", gssapi_identity()); +#ifdef USE_VOMS + syslog(LOG_INFO, "rmdir: calling setVOMS with %s %s %d\n", voms_ctx.voname, voms_ctx.fqan[0], voms_ctx.nbfqan); + dpns_client_setVOMS_data (voms_ctx.voname, voms_ctx.fqan, voms_ctx.nbfqan); +#endif seteuid (0); } if (rmdir(name) < 0) { @@ -8109,6 +8211,10 @@ if (strncmp (name, "/dpm/", 5) == 0) { Cns_client_setAuthorizationId (pw->pw_uid, pw->pw_gid, "GSI", gssapi_identity()); +#ifdef USE_VOMS + syslog(LOG_INFO, "renamefrom: calling setVOMS with %s %s %d\n", voms_ctx.voname, voms_ctx.fqan[0], voms_ctx.nbfqan); + dpns_client_setVOMS_data (voms_ctx.voname, voms_ctx.fqan, voms_ctx.nbfqan); +#endif seteuid (0); } if (lstat(name, &st) < 0) { 
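Review bot: `syslog(LOG_INFO, "delete: calling setVOMS with %s %s %d\n", voms_ctx.voname, voms_ctx.fqan[0], voms_ctx.nbfqan);` dereferences `voms_ctx.fqan[0]` and passes `voms_ctx.voname` to `%s` with no NULL check, whereas the same trace in user() is guarded by `if (voms_ctx.voname && voms_ctx.fqan)`. `voms_ctx` is zeroed at the start of every USER command, so in any session where no VOMS attributes were filled in (a proxy without a VOMS extension, if `gssapi_get_voms_creds` leaves the fields empty — not visible here) this is a NULL dereference in the session process, reachable by an authenticated client with a plain `DELE`. Either drop the debug trace or guard it as user() does: `if (voms_ctx.voname && voms_ctx.fqan && voms_ctx.nbfqan > 0) syslog(...)`. The same unguarded line is repeated in the makedir, rmdir and renamefrom hunks below.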
@@ -8272,6 +8378,10 @@ if (strncmp (from, "/dpm/", 5) == 0) { Cns_client_setAuthorizationId (pw->pw_uid, pw->pw_gid, "GSI", gssapi_identity()); +#ifdef USE_VOMS + syslog(LOG_INFO, "rename: calling setVOMS with %s %s %d\n", voms_ctx.voname, voms_ctx.fqan[0], voms_ctx.nbfqan); + dpns_client_setVOMS_data (voms_ctx.voname, voms_ctx.fqan, voms_ctx.nbfqan); +#endif seteuid (0); } if (rename(from, to) < 0) { Index: globus_hack.c =================================================================== RCS file: /local/reps/lcgware/DPM-FTP/globus_hack.c,v retrieving revision 1.2 diff -u -r1.2 globus_hack.c --- globus_hack.c 25 Jul 2005 11:49:13 -0000 1.2 +++ globus_hack.c 8 Dec 2005 15:03:13 -0000 @@ -1067,7 +1067,7 @@ #endif FILE *instrorig = instr; int rfiofd = -1; - + G_ENTER(); error_buf[0] = '\0'; @@ -1180,7 +1180,6 @@ handle, &g_perf_address, &tmp_i); - if(l_timed_out) { goto connect_err;
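Review bot: The `rename:` trace here repeats the unguarded `voms_ctx.fqan[0]` dereference and `%s` of a possibly-NULL `voms_ctx.voname` from the delete hunk, so the same crash applies when no VOMS attributes were collected; add the `if (voms_ctx.voname && voms_ctx.fqan && voms_ctx.nbfqan > 0)` guard or remove the trace. It also logs the client's VO name and first FQAN at LOG_INFO on every rename, which is noise in an operations log; the existing `if (debug)` pattern used elsewhere in ftpd.c fits this kind of message better.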