Hi again.
According to the maui doc, E.1.4 ADMINHOSTS should restrict ALL admin
level commands (admin1-3). The code to do this only restricted level 1
commands, and besides that it was broken.
Here is a patch that moves the adminhosts check to affect all admin
level commands and it also makes sure that there is a hostname to match
against.
This has only been given a short test locally, but given the earlier
state of being totally broken, it's a step forward.
--
Ake Sandgren, HPC2N, Umea University, S-90187 Umea, Sweden
Internet: [EMAIL PROTECTED] Phone: +46 90 7866134 Fax: +46 90 7866126
Mobile: +46 70 7716134 WWW: http://www.hpc2n.umu.se
diff -ru site/src/mcom/MSU.c p1/src/mcom/MSU.c
--- site/src/mcom/MSU.c 2006-10-23 18:42:30.000000000 +0200
+++ p1/src/mcom/MSU.c 2006-11-16 14:45:53.000000000 +0100
@@ -982,6 +982,8 @@
# endif /* END !__AIX** */
} /* END if (MISSET(SocketType,msftTCP)) */
+ strncpy(C->RemoteHost, inet_ntoa(c_sockaddr.sin_addr), sizeof(C->RemoteHost));
+
if ((hoststruct = gethostbyaddr(
(char *)&c_sockaddr.sin_addr.s_addr,
sizeof(c_sockaddr.sin_addr.s_addr),
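Review bot: Neither of the two added `strncpy` calls into `C->RemoteHost` guarantees a terminating NUL. The `inet_ntoa()` result copied here is short in practice, but the call in the next hunk copies `hoststruct->h_name`, a reverse-DNS name whose length this code does not control. If that name is as long as the field or longer, the later `strcpy(CurrentHostName,S->RemoteHost)`, the `strcmp` against `MSched.AdminHost[]` and the `sprintf` into `Message` in OUserI.c all read past the end of the field. Assuming `RemoteHost` is a char array (the `sizeof` suggests so), use `snprintf(C->RemoteHost, sizeof(C->RemoteHost), "%s", hoststruct->h_name);` in both places, or set `C->RemoteHost[sizeof(C->RemoteHost) - 1] = '\0';` after each copy. The enclosing function starts and ends outside this hunk.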
@@ -1001,6 +1003,7 @@
}
else
{
+ strncpy(C->RemoteHost, hoststruct->h_name, sizeof(C->RemoteHost));
MDB(2,fSOCK) MLog("INFO: received service request from host '%s'\n",
hoststruct->h_name);
}
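Review bot: The name stored here comes straight from the PTR lookup done by `gethostbyaddr()`, and it is the value the ADMINHOSTS check in OUserI.c later compares against, so the host restriction is only as trustworthy as reverse DNS for the peer's address. Reverse zones are administered by whoever holds the address block, which need not be the site running the scheduler. Consider resolving `hoststruct->h_name` forward again and accepting it only when one of the returned addresses equals `c_sockaddr.sin_addr`, otherwise keeping the dotted-quad set in the previous hunk. At minimum a comment such as `/* h_name is unverified reverse-DNS data; forward-confirm before using it for access control */` above the copy would document the assumption.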
diff -ru site/src/server/OUserI.c p1/src/server/OUserI.c
--- site/src/server/OUserI.c 2006-11-16 14:47:41.000000000 +0100
+++ p1/src/server/OUserI.c 2006-11-16 14:47:23.000000000 +0100
@@ -63,6 +63,7 @@
return(FAILURE);
}
+DBG(3,fSOCK) DPrint("ALERT: packet from %s\n", s->Host);
switch(S->WireProtocol)
{
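Review bot: The added `DPrint` dereferences `s->Host` with a lowercase `s`, while the surrounding lines use `S` (`S->WireProtocol`), so unless a separate `s` is declared outside this hunk the line will not compile once `DBG` expands to real code. It also logs `Host` rather than the `RemoteHost` field this patch uses for the check, and it is tagged ALERT although it would fire for every packet at debug level 3. If the line is meant to stay, `DBG(3,fSOCK) DPrint("INFO: packet from %s\n", S->RemoteHost);` indented with the surrounding code would fit the file better.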
@@ -85,7 +86,7 @@
S->SBuffer = SBuffer;
- strcpy(CurrentHostName,S->Host); /* NOTE: not very threadsafe :) */
+ strcpy(CurrentHostName,S->RemoteHost); /* NOTE: not very threadsafe :) */
if ((X.XUIHandler != (int (*)())0) &&
((*X.XUIHandler)(X.xd,S,MSched.DefaultCSKey,0) == SUCCESS))
@@ -296,33 +297,16 @@
break;
}
- hostcheck = FALSE;
-
- for (index = 0;index < MAX_MADMINHOSTS;index++)
- {
- if (MSched.AdminHost[index][0] == '\0')
- break;
-
- if (!strcmp(MSched.AdminHost[index],S->Host))
- {
- hostcheck = TRUE;
-
- break;
- }
-
- if (!strcmp(MSched.AdminHost[index],"ALL"))
- {
- hostcheck = TRUE;
+ /* admin1 or admin2 function */
- break;
- }
- } /* END for (index) */
+ case svcSetJobSystemPrio:
+ case svcRunJob:
- if (hostcheck == FALSE)
+ if (!(FLAGS & ((1 << fAdmin1) | (1 << fAdmin2))))
{
- sprintf(Message,"ERROR: command '%s' cannot be executed from host '%s'\n",
- MService[sindex],
- S->Host);
+ sprintf(Message,"ERROR: user '%s' is not authorized to execute command '%s'\n",
+ Auth,
+ MService[sindex]);
sprintf(S->SBuffer,"%s%d %s%s\n",
MCKeyword[mckStatusCode],
@@ -341,12 +325,18 @@
break;
}
- /* admin1 or admin2 function */
+ /* admin1, admin2, or admin3 functions */
- case svcSetJobSystemPrio:
- case svcRunJob:
+ case svcShowStats:
+ case svcDiagnose:
+ case svcShowJobDeadline:
+ case svcShowConfig:
+ case svcNodeShow:
+ case svcShowEstimatedStartTime:
+ case svcShowGrid:
+ case svcClusterShow:
- if (!(FLAGS & ((1 << fAdmin1) | (1 << fAdmin2))))
+ if (!(FLAGS & ((1 << fAdmin1) | (1 << fAdmin2) | (1 << fAdmin3))))
{
sprintf(Message,"ERROR: user '%s' is not authorized to execute command '%s'\n",
Auth,
@@ -369,22 +359,33 @@
break;
}
- /* admin1, admin2, or admin3 functions */
+ hostcheck = FALSE;
- case svcShowStats:
- case svcDiagnose:
- case svcShowJobDeadline:
- case svcShowConfig:
- case svcNodeShow:
- case svcShowEstimatedStartTime:
- case svcShowGrid:
- case svcClusterShow:
+ for (index = 0;index < MAX_MADMINHOSTS;index++)
+ {
+ if (MSched.AdminHost[index][0] == '\0')
+ break;
- if (!(FLAGS & ((1 << fAdmin1) | (1 << fAdmin2) | (1 << fAdmin3))))
+ if (!strcmp(MSched.AdminHost[index],S->RemoteHost))
+ {
+ hostcheck = TRUE;
+
+ break;
+ }
+
+ if (!strcmp(MSched.AdminHost[index],"ALL"))
+ {
+ hostcheck = TRUE;
+
+ break;
+ }
+ } /* END for (index) */
+
+ if (hostcheck == FALSE)
{
- sprintf(Message,"ERROR: user '%s' is not authorized to execute command '%s'\n",
- Auth,
- MService[sindex]);
+ sprintf(Message,"ERROR: command '%s' cannot be executed from host '%s'\n",
+ MService[sindex],
+ S->RemoteHost);
sprintf(S->SBuffer,"%s%d %s%s\n",
MCKeyword[mckStatusCode],
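Review bot: The relocated loop matches with an exact, case-sensitive `strcmp` against `S->RemoteHost`, which after this patch holds either the reverse-DNS name or, when the lookup fails, the dotted-quad address. An ADMINHOSTS entry therefore matches only if it is written exactly as the resolver returns it (case, short name versus FQDN); `!strcasecmp(MSched.AdminHost[index],S->RemoteHost)` would at least remove the case dependence. The block now appears to be reached by fall-through from the admin1, admin1/2 and admin1/2/3 case groups above it. That is inferred from the hunk order, since the case bodies lie partly outside the hunks, and a comment such as `/* host check: reached by fall-through from every admin1-3 case above */` before `hostcheck = FALSE;` would make the dependency explicit. Note also that `hostcheck` stays FALSE when the list is empty, so it is worth confirming that an unset ADMINHOSTS defaults to "ALL" before show-type commands start being refused.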
@@ -403,6 +404,7 @@
break;
}
+
/* global functions or case specific functions */
case svcResCreate:
diff -ru site/src/server/UserI.c p1/src/server/UserI.c
--- site/src/server/UserI.c 2006-11-01 13:26:14.000000000 +0100
+++ p1/src/server/UserI.c 2006-11-16 14:46:56.000000000 +0100
@@ -465,13 +465,9 @@
if (S->sd <= 0)
{
- memset(S,0,sizeof(MClS[index]));
+ memcpy(S, &C, sizeof(MClS[index]));
- S->sd = C.sd;
-
- if (C.SocketProtocol != 0)
- S->SocketProtocol = C.SocketProtocol;
- else
+ if (S->SocketProtocol == 0)
S->SocketProtocol = MSched.DefaultMCSocketProtocol;
DBG(5,fUI) DPrint("INFO: client connected at sd %d\n",
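Review bot: Replacing the `memset` with `memcpy(S, &C, sizeof(MClS[index]))` copies every field of the accepted connection `C` into the slot, not just the new `RemoteHost`. Any pointer members or per-request state in `C` would then be shared with or carried into `S`; whether the structure has such members is not visible in this hunk. The size is also taken from `MClS[index]` rather than from `C`, which is only correct if both have the same type. Keeping the original `memset` and `S->sd = C.sd;` and adding `snprintf(S->RemoteHost, sizeof(S->RemoteHost), "%s", C.RemoteHost);` would carry over the host name without changing what else the slot inherits. The `DPrint` statement at the end of the hunk continues outside it.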