Allow the rdcd to be started by user other than rdc or root
Remove the check that rdcd is started by the rdc user.
Add a read-access check for the private key and certificates if
authentication is enabled.
Change-Id: I0e7a7eafb7985801572f809da0cb3e4012683153
[ROCm/rdc commit: 96afb24845]
коммит произвёл
Chris Freehill
родитель
c4dc0f4f56
Коммит
11ed178796
@@ -23,6 +23,10 @@ THE SOFTWARE.
|
||||
#ifndef INCLUDE_RDC_RDC_H_
|
||||
#define INCLUDE_RDC_RDC_H_
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif // __cplusplus
|
||||
|
||||
#include <cstdint>
|
||||
|
||||
/** \file rdc_lib.h
|
||||
@@ -803,4 +807,8 @@ const char* rdc_status_string(rdc_status_t status);
|
||||
*/
|
||||
const char* field_id_string(uint32_t field_id);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif // __cplusplus
|
||||
|
||||
#endif // INCLUDE_RDC_RDC_H_
|
||||
|
||||
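Review bot: `#include <cstdint>` ends up inside the `extern "C" {` block that opens just above it, and `<cstdint>` is a C++-only header, so a C translation unit still cannot include this file even with the linkage guards in place. Standard headers should also be included outside any linkage block rather than relying on the library to re-wrap its own declarations. I would move the include above the guard and use the C spelling, `#include <stdint.h>` placed before `#ifdef __cplusplus`. The +/- markers are lost on this page, so which of these lines are new is inferred from the hunk counts.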
@@ -299,33 +299,6 @@ FileOwner(const char *fn, std::string *owner) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int UserID(const char *un, uid_t *uid) {
|
||||
int ret;
|
||||
struct passwd pw;
|
||||
struct passwd *result;
|
||||
char *buf;
|
||||
int bufsize;
|
||||
|
||||
assert(uid != nullptr);
|
||||
|
||||
bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
|
||||
if (bufsize == -1) {
|
||||
bufsize = 16384;
|
||||
}
|
||||
buf = new char[bufsize];
|
||||
|
||||
ret = getpwnam_r(un, &pw, buf, bufsize, &result);
|
||||
delete []buf;
|
||||
|
||||
if (ret == 0) {
|
||||
*uid = pw.pw_uid;
|
||||
} else {
|
||||
perror("Failed to determine user id for given name");
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
void
|
||||
RDCServer::ShutDown(void) {
|
||||
server_->Shutdown();
|
||||
@@ -623,26 +596,34 @@ int main(int argc, char** argv) {
|
||||
RDCServer rdc_server;
|
||||
RdcdCmdLineOpts cmd_line_opts;
|
||||
int err;
|
||||
uid_t rdc_uid;
|
||||
uid_t caller_id = geteuid();
|
||||
|
||||
bool is_root = (caller_id == 0);
|
||||
|
||||
if (!is_root) {
|
||||
// Ensure user is calling as "rdc"
|
||||
err = UserID("rdc", &rdc_uid);
|
||||
if (err != 0) {
|
||||
return 1;
|
||||
}
|
||||
if (rdc_uid != caller_id) {
|
||||
std::cerr << "Only user \"rdc\" or root can start rdcd." << std::endl;
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
|
||||
init_cmd_line_opts(&cmd_line_opts);
|
||||
ProcessCmdline(&cmd_line_opts, argc, argv);
|
||||
|
||||
// Can read the certificates and private key when authentication.
|
||||
if (!cmd_line_opts.no_authentication) {
|
||||
if (cmd_line_opts.use_pinned_certs &&
|
||||
(access(kDefaultRDCServerCertPinPath, R_OK) != 0 ||
|
||||
access(kDefaultRDCServerKeyPinPath, R_OK) != 0 ||
|
||||
access(kDefaultRDCClientCertPinPath, R_OK) != 0)) {
|
||||
std::cerr << "The user needs read access to the pinned "
|
||||
<< "certificates and private key." << std::endl;
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (!cmd_line_opts.use_pinned_certs &&
|
||||
(access(kDefaultRDCServerCertKeyPkiPath, R_OK) != 0 ||
|
||||
access(kDefaultRDCServerCertPemPkiPath, R_OK) != 0 ||
|
||||
access(kDefaultRDCClientCACertPemPkiPath, R_OK) != 0)) {
|
||||
std::cerr << "The user needs read access to the PKI "
|
||||
<< "certificates and private key." << std::endl;
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
MakeDaemon(is_root);
|
||||
|
||||
rdc_server.Initialize(&cmd_line_opts);
|
||||
|
||||
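Review bot: The `access(..., R_OK)` preflight in `main` does not establish that the daemon can read the key material: `access()` tests the real UID/GID while `is_root` is derived from `geteuid()`, and the files are only opened later, after `MakeDaemon(is_root)` (whose body is not visible here), so the later load still has to fail closed on its own. With the "rdc or root" restriction removed, the file permissions on the private key become the only gate on who can run an authenticated rdcd, and every account allowed to start the daemon can also read the key. That trade-off deserves a comment at the check, e.g. `// Preflight for a clear error only; key/cert loading must still fail closed. Key file mode is now the only access control.` The error would also be easier to act on if it named the failing path, e.g. `std::cerr << path << ": " << strerror(errno) << std::endl;`. `main` starts and ends outside the hunk.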