mirror of
https://github.com/postgres/postgres.git
synced 2025-09-02 04:21:28 +03:00
Add SCM_CREDS to get owner of unix-domain socket on BSD-like systems.
This commit is contained in:
Bruce Momjian
@@ -8,17 +8,22 @@
|
||||
*
|
||||
*
|
||||
* IDENTIFICATION
|
||||
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.62 2001/08/17 15:44:17 momjian Exp $
|
||||
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.63 2001/08/21 00:33:27 momjian Exp $
|
||||
*
|
||||
*-------------------------------------------------------------------------
|
||||
*/
|
||||
|
||||
#include "postgres.h"
|
||||
|
||||
#include <sys/types.h> /* needed by in.h on Ultrix */
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h> /* for SCM_CREDS */
|
||||
#ifdef SCM_CREDS
|
||||
#include <sys/uio.h> /* for struct iovec */
|
||||
#include <sys/ucred.h>
|
||||
#include <errno.h>
|
||||
#endif
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
|
||||
#include "libpq/auth.h"
|
||||
#include "libpq/crypt.h"
|
||||
#include "libpq/hba.h"
|
||||
@@ -28,12 +33,10 @@
|
||||
#include "miscadmin.h"
|
||||
|
||||
static void sendAuthRequest(Port *port, AuthRequest areq);
|
||||
|
||||
static int checkPassword(Port *port, char *user, char *password);
|
||||
static int old_be_recvauth(Port *port);
|
||||
static int map_old_to_new(Port *port, UserAuth old, int status);
|
||||
static void auth_failed(Port *port);
|
||||
|
||||
static int recv_and_check_password_packet(Port *port);
|
||||
static int recv_and_check_passwordv0(Port *port);
|
||||
|
||||
@@ -493,6 +496,26 @@ ClientAuthentication(Port *port)
|
||||
break;
|
||||
|
||||
case uaIdent:
|
||||
#if !defined(SO_PEERCRED) && defined(SCM_CREDS)
|
||||
/*
|
||||
* If we are doing ident on unix-domain sockets,
|
||||
* use SCM_CREDS only if it is defined and SO_PEERCRED isn't.
|
||||
*/
|
||||
#ifdef fc_uid
|
||||
/* Receive credentials on next message receipt, BSD/OS */
|
||||
{
|
||||
int on = 1;
|
||||
if (setsockopt(port->sock, 0, LOCAL_CREDS, &on, sizeof(on)) < 0)
|
||||
{
|
||||
elog(FATAL,
|
||||
"pg_local_sendauth: can't do setsockopt: %s\n", strerror(errno));
|
||||
return;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
if (port->raddr.sa.sa_family == AF_UNIX)
|
||||
sendAuthRequest(port, AUTH_REQ_SCM_CREDS);
|
||||
#endif
|
||||
status = authident(port);
|
||||
break;
|
||||
|
||||
@@ -676,3 +699,4 @@ map_old_to_new(Port *port, UserAuth old, int status)
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
*
|
||||
*
|
||||
* IDENTIFICATION
|
||||
* $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.64 2001/08/16 16:24:15 momjian Exp $
|
||||
* $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.65 2001/08/21 00:33:27 momjian Exp $
|
||||
*
|
||||
*-------------------------------------------------------------------------
|
||||
*/
|
||||
@@ -18,9 +18,13 @@
|
||||
|
||||
#include <errno.h>
|
||||
#include <pwd.h>
|
||||
#include <sys/types.h>
|
||||
#include <fcntl.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h> /* for SCM_CREDS */
|
||||
#ifdef SCM_CREDS
|
||||
#include <sys/uio.h> /* for struct iovec */
|
||||
#include <sys/ucred.h>
|
||||
#endif
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <unistd.h>
|
||||
@@ -876,39 +880,103 @@ ident_unix(int sock, char *ident_user)
|
||||
{
|
||||
/* We didn't get a valid credentials struct. */
|
||||
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
|
||||
"Could not get valid credentials from the UNIX socket: %s\n",
|
||||
"ident_unix: error receiving credentials: %s\n",
|
||||
strerror(errno));
|
||||
fputs(PQerrormsg, stderr);
|
||||
pqdebug("%s", PQerrormsg);
|
||||
return false;
|
||||
}
|
||||
|
||||
/* Convert UID to user login name */
|
||||
pass = getpwuid(peercred.uid);
|
||||
|
||||
if (pass == NULL)
|
||||
{
|
||||
/* Error - no username with the given uid */
|
||||
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
|
||||
"There is no entry in /etc/passwd with the socket's uid\n");
|
||||
"ident_unix: unknown local user with uid %d\n",
|
||||
fputs(PQerrormsg, stderr);
|
||||
pqdebug("%s", PQerrormsg);
|
||||
return false;
|
||||
}
|
||||
|
||||
StrNCpy(ident_user, pass->pw_name, IDENT_USERNAME_MAX);
|
||||
StrNCpy(ident_user, pass->pw_name, IDENT_USERNAME_MAX+1);
|
||||
|
||||
return true;
|
||||
|
||||
#else /* not SO_PEERCRED */
|
||||
#elif defined(SCM_CREDS)
|
||||
struct msghdr msg;
|
||||
|
||||
/* Credentials structure */
|
||||
#ifndef fc_uid
|
||||
typedef struct cmsgcred Cred;
|
||||
#define cruid cmcred_uid
|
||||
#else
|
||||
typedef struct fcred Cred;
|
||||
#define cruid fc_uid
|
||||
#endif
|
||||
Cred *cred;
|
||||
|
||||
/* Compute size without padding */
|
||||
char cmsgmem[sizeof(struct cmsghdr) + sizeof(Cred)];
|
||||
/* Point to start of first structure */
|
||||
struct cmsghdr *cmsg = (struct cmsghdr *)cmsgmem;
|
||||
|
||||
struct iovec iov;
|
||||
char buf;
|
||||
struct passwd *pw;
|
||||
|
||||
memset(&msg, 0, sizeof(msg));
|
||||
msg.msg_iov = &iov;
|
||||
msg.msg_iovlen = 1;
|
||||
msg.msg_control = (char *)cmsg;
|
||||
msg.msg_controllen = sizeof(cmsgmem);
|
||||
memset(cmsg, 0, sizeof(cmsgmem));
|
||||
|
||||
/*
|
||||
* The one character which is received here is not meaningful;
|
||||
* its purposes is only to make sure that recvmsg() blocks
|
||||
* long enough for the other side to send its credentials.
|
||||
*/
|
||||
iov.iov_base = &buf;
|
||||
iov.iov_len = 1;
|
||||
|
||||
if (recvmsg(sock, &msg, 0) < 0 ||
|
||||
cmsg->cmsg_len < sizeof(cmsgmem) ||
|
||||
cmsg->cmsg_type != SCM_CREDS)
|
||||
{
|
||||
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
|
||||
"ident_unix: error receiving credentials: %s\n",
|
||||
strerror(errno));
|
||||
fputs(PQerrormsg, stderr);
|
||||
pqdebug("%s", PQerrormsg);
|
||||
return false;
|
||||
}
|
||||
|
||||
cred = (Cred *)CMSG_DATA(cmsg);
|
||||
|
||||
pw = getpwuid(cred->fc_uid);
|
||||
if (pw == NULL)
|
||||
{
|
||||
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
|
||||
"ident_unix: unknown local user with uid %d\n",
|
||||
cred->fc_uid);
|
||||
fputs(PQerrormsg, stderr);
|
||||
pqdebug("%s", PQerrormsg);
|
||||
return false;
|
||||
}
|
||||
|
||||
StrNCpy(ident_user, pw->pw_name, IDENT_USERNAME_MAX+1);
|
||||
|
||||
return true;
|
||||
|
||||
#else
|
||||
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
|
||||
"IDENT auth is not supported on local connections on this platform\n");
|
||||
"'ident' auth is not supported on local connections on this platform\n");
|
||||
fputs(PQerrormsg, stderr);
|
||||
pqdebug("%s", PQerrormsg);
|
||||
|
||||
return false;
|
||||
|
||||
#endif /* SO_PEERCRED */
|
||||
#endif
|
||||
}
|
||||
|
||||
/*
|
||||
|
||||
@@ -127,12 +127,12 @@
|
||||
# ident: For TCP/IP connections, authentication is done by contacting
|
||||
# the ident server on the client host. (CAUTION: this is only
|
||||
# as secure as the client machine!) On machines that support
|
||||
# SO_PEERCRED socket requests, this method also works for
|
||||
# local Unix-domain connections. AUTH_ARGUMENT is required:
|
||||
# it determines how to map remote user names to Postgres user
|
||||
# names. The AUTH_ARGUMENT is a map name found in the
|
||||
# $PGDATA/pg_ident.conf file. The connection is accepted if
|
||||
# that file contains an entry for this map name with the
|
||||
# SO_PEERCRED or SCM_CREDS socket requests, this method also
|
||||
# works for local Unix-domain connections. AUTH_ARGUMENT is
|
||||
# required: it determines how to map remote user names to
|
||||
# Postgres user names. The AUTH_ARGUMENT is a map name found
|
||||
# in the $PGDATA/pg_ident.conf file. The connection is accepted
|
||||
# if that file contains an entry for this map name with the
|
||||
# ident-supplied username and the requested Postgres username.
|
||||
# The special map name "sameuser" indicates an implied map
|
||||
# (not in pg_ident.conf) that maps each ident username to the
|
||||
|
||||
Reference in New Issue
Block a user