Allow the rdcd to be started by user other than rdc or root

Remove the check that rdcd is started by the rdc user.
Add a read-access check for the private key and certificates when
authentication is enabled.

Change-Id: I0e7a7eafb7985801572f809da0cb3e4012683153


[ROCm/rdc commit: 96afb24845]
Bill(Shuzhou) Liu
2020-05-08 09:13:41 -04:00
коммит произвёл Chris Freehill
родитель c4dc0f4f56
Коммит 11ed178796
2 изменённых файлов: 29 добавлений и 40 удалений
+8
@@ -23,6 +23,10 @@ THE SOFTWARE.
#ifndef INCLUDE_RDC_RDC_H_
#define INCLUDE_RDC_RDC_H_
#ifdef __cplusplus
extern "C" {
#endif // __cplusplus
#include <cstdint>
/** \file rdc_lib.h
@@ -803,4 +807,8 @@ const char* rdc_status_string(rdc_status_t status);
*/
const char* field_id_string(uint32_t field_id);
#ifdef __cplusplus
}
#endif // __cplusplus
#endif // INCLUDE_RDC_RDC_H_
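Review bot: The added `extern "C" {` in the first hunk opens above `#include <cstdint>`, so the standard header is included inside the linkage block. `<cstdint>` is also a C++-only header, so a C compiler still cannot consume this file despite the new `__cplusplus` guards. Move the include above the guard and use the C spelling, `#include <stdint.h>`, followed by `#ifdef __cplusplus` / `extern "C" {` / `#endif`. The +/- markers are lost on this page, so the placement of the added lines is inferred from the hunk's line counts.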
+21 -40
@@ -299,33 +299,6 @@ FileOwner(const char *fn, std::string *owner) {
return 0;
}
static int UserID(const char *un, uid_t *uid) {
int ret;
struct passwd pw;
struct passwd *result;
char *buf;
int bufsize;
assert(uid != nullptr);
bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
if (bufsize == -1) {
bufsize = 16384;
}
buf = new char[bufsize];
ret = getpwnam_r(un, &pw, buf, bufsize, &result);
delete []buf;
if (ret == 0) {
*uid = pw.pw_uid;
} else {
perror("Failed to determine user id for given name");
return 1;
}
return 0;
}
void
RDCServer::ShutDown(void) {
server_->Shutdown();
@@ -623,26 +596,34 @@ int main(int argc, char** argv) {
RDCServer rdc_server;
RdcdCmdLineOpts cmd_line_opts;
int err;
uid_t rdc_uid;
uid_t caller_id = geteuid();
bool is_root = (caller_id == 0);
if (!is_root) {
// Ensure user is calling as "rdc"
err = UserID("rdc", &rdc_uid);
if (err != 0) {
return 1;
}
if (rdc_uid != caller_id) {
std::cerr << "Only user \"rdc\" or root can start rdcd." << std::endl;
exit(1);
}
}
init_cmd_line_opts(&cmd_line_opts);
ProcessCmdline(&cmd_line_opts, argc, argv);
// Can read the certificates and private key when authentication.
if (!cmd_line_opts.no_authentication) {
if (cmd_line_opts.use_pinned_certs &&
(access(kDefaultRDCServerCertPinPath, R_OK) != 0 ||
access(kDefaultRDCServerKeyPinPath, R_OK) != 0 ||
access(kDefaultRDCClientCertPinPath, R_OK) != 0)) {
std::cerr << "The user needs read access to the pinned "
<< "certificates and private key." << std::endl;
return 1;
}
if (!cmd_line_opts.use_pinned_certs &&
(access(kDefaultRDCServerCertKeyPkiPath, R_OK) != 0 ||
access(kDefaultRDCServerCertPemPkiPath, R_OK) != 0 ||
access(kDefaultRDCClientCACertPemPkiPath, R_OK) != 0)) {
std::cerr << "The user needs read access to the PKI "
<< "certificates and private key." << std::endl;
return 1;
}
}
MakeDaemon(is_root);
rdc_server.Initialize(&cmd_line_opts);
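Review bot: The new `access(..., R_OK)` preflight in `main()` is not an authorization check, and with the `UserID("rdc", ...)` gate removed it is the only condition this hunk places on who may start rdcd with authentication enabled. `access()` evaluates the real UID while `is_root` comes from `geteuid()`, and the check runs before `MakeDaemon(is_root)`; that function's body is not shown, but if it changes identity, the result here may not match what happens when the key is actually opened. Keep this only as an early diagnostic and say so, e.g. `// Early diagnostic only: access() tests the real UID; opening the key and certificates later must still handle failure.` Because file permissions on the key now decide who can run the service, it would also be worth refusing a private key that other users can read, e.g. `if (stat(kDefaultRDCServerKeyPinPath, &st) == 0 && (st.st_mode & S_IROTH)) return 1;`, and likewise for `kDefaultRDCServerCertKeyPkiPath`. `main()` starts and continues outside the hunk.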