---
src/base/osaf_secutil.c | 19 +++++++++++++++++++
src/base/osaf_secutil.h | 9 +++++++++
src/imm/immnd/immnd_evt.c | 4 +++-
3 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/src/base/osaf_secutil.c b/src/base/osaf_secutil.c
index 0e175c915..05652832a 100644
--- a/src/base/osaf_secutil.c
+++ b/src/base/osaf_secutil.c
@@ -42,6 +42,7 @@
#include <pwd.h>
#include <grp.h>
#include <pthread.h>
+#include <stdio.h>
#include "base/osaf_poll.h"
#include "base/logtrace.h"
@@ -305,6 +306,24 @@ bool osaf_user_is_member_of_group(uid_t uid, const char
*groupname)
return false;
}
+bool osaf_pid_is_member_of_group(pid_t pid, const char *groupname)
+{
+ char str[256];
+ struct group *gr;
+
+ gr = getgrnam(groupname);
+ if (!gr)
+ return false;
+ gid_t gid_auth = gr->gr_gid;
+
+ snprintf(str, sizeof(str),
+ "grep \"^Groups\" /proc/%d/status | grep -w -q \"%d\"", pid,
+ gid_auth);
+ if (system(str) != 0)
+ return false;
+ return true;
+}
+
/* used in libraries, do not log. Only trace */
int osaf_auth_server_connect(const char *path, const void *req_buf,
size_t req_size, void *resp_buf, size_t resp_size,
diff --git a/src/base/osaf_secutil.h b/src/base/osaf_secutil.h
index a2389241c..b0b5485f4 100644
--- a/src/base/osaf_secutil.h
+++ b/src/base/osaf_secutil.h
@@ -88,6 +88,15 @@ int osaf_auth_server_create(const char *_pathname,
*/
bool osaf_user_is_member_of_group(uid_t uid, const char *groupname);
+/**
+ * Checks if user represented by pid is member of group
+ *
+ * @param pid
+ * @param groupname
+ * @return true if member
+ */
+bool osaf_pid_is_member_of_group(pid_t pid, const char *groupname);
+
/**
* Get list of groups that a user belong to
* There already is a function in LSB for this purpose (getgrouplist) but it is
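Review bot: The doc comment added for osaf_pid_is_member_of_group leaves `@param pid` and `@param groupname` without descriptions and does not say what is actually checked. Going by the implementation in osaf_secutil.c, suggested wording is `@param pid process whose supplementary groups (from /proc/<pid>/status) are checked`, `@param groupname name of the group to look for`, and `@return true if member; false if the group is unknown or the check could not be run`. Stating the fail-closed behaviour matters here because callers use the result for access control.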
diff --git a/src/imm/immnd/immnd_evt.c b/src/imm/immnd/immnd_evt.c
index 51a9b8517..ac49fe5e5 100644
--- a/src/imm/immnd/immnd_evt.c
+++ b/src/imm/immnd/immnd_evt.c
@@ -895,7 +895,9 @@ static uint32_t immnd_evt_proc_imm_init(IMMND_CB *cb,
IMMND_EVT *evt,
immModel_authorizedGroup(immnd_cb);
if ((authorized_group != NULL) &&
(osaf_user_is_member_of_group(sinfo->uid,
- authorized_group))) {
+ authorized_group) ||
+ osaf_pid_is_member_of_group(sinfo->pid,
+ authorized_group))) {
TRACE("configured group");
} else {
if (mode == ACCESS_CONTROL_PERMISSIVE) {
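Review bot: The added `osaf_pid_is_member_of_group(sinfo->pid, authorized_group)` branch widens who passes the authorized-group check, and it does so using a pid, which is a weaker identity than the uid. If the sending process has exited by the time this runs, the pid may refer to a different process. The hunk does not show how `sinfo->pid` is obtained, so treat this as a question rather than a confirmed defect. A comment at this condition should record why the pid path is needed and what it trusts, e.g. `/* also accept supplementary groups of the sending process; pid comes from <origin of sinfo->pid> and may be stale */`. The enclosing function immnd_evt_proc_imm_init starts and ends outside the hunk.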
--
2.17.1