From 11ed178796e282e242741b964861832a3bdcb4db Mon Sep 17 00:00:00 2001 From: "Bill(Shuzhou) Liu" Date: Fri, 8 May 2020 09:13:41 -0400 Subject: [PATCH] Allow the rdcd to be started by user other than rdc or root Remove the check whether the rdcd is started by rdc user. Add the read access check for the private key and certificates if the authentication is enabled. Change-Id: I0e7a7eafb7985801572f809da0cb3e4012683153 [ROCm/rdc commit: 96afb248452f2f68e7057f46eafd7eb72b95c673] --- projects/rdc/include/rdc/rdc.h | 8 +++ projects/rdc/server/src/rdc_server_main.cc | 61 ++++++++-------------- 2 files changed, 29 insertions(+), 40 deletions(-) diff --git a/projects/rdc/include/rdc/rdc.h b/projects/rdc/include/rdc/rdc.h index c9de84715d..add3ca7e39 100755 --- a/projects/rdc/include/rdc/rdc.h +++ b/projects/rdc/include/rdc/rdc.h @@ -23,6 +23,10 @@ THE SOFTWARE. #ifndef INCLUDE_RDC_RDC_H_ #define INCLUDE_RDC_RDC_H_ +#ifdef __cplusplus +extern "C" { +#endif // __cplusplus + #include /** \file rdc_lib.h @@ -803,4 +807,8 @@ const char* rdc_status_string(rdc_status_t status); */ const char* field_id_string(uint32_t field_id); +#ifdef __cplusplus +} +#endif // __cplusplus + #endif // INCLUDE_RDC_RDC_H_ diff --git a/projects/rdc/server/src/rdc_server_main.cc b/projects/rdc/server/src/rdc_server_main.cc index 8d5adbfa55..5a5a5ddf3b 100755 --- a/projects/rdc/server/src/rdc_server_main.cc +++ b/projects/rdc/server/src/rdc_server_main.cc @@ -299,33 +299,6 @@ FileOwner(const char *fn, std::string *owner) { return 0; } -static int UserID(const char *un, uid_t *uid) { - int ret; - struct passwd pw; - struct passwd *result; - char *buf; - int bufsize; - - assert(uid != nullptr); - - bufsize = sysconf(_SC_GETPW_R_SIZE_MAX); - if (bufsize == -1) { - bufsize = 16384; - } - buf = new char[bufsize]; - - ret = getpwnam_r(un, &pw, buf, bufsize, &result); - delete []buf; - - if (ret == 0) { - *uid = pw.pw_uid; - } else { - perror("Failed to determine user id for given name"); - return 1; - } - return 0; -} - void RDCServer::ShutDown(void) { server_->Shutdown(); @@ -623,26 +596,34 @@ int main(int argc, char** argv) { RDCServer rdc_server; RdcdCmdLineOpts cmd_line_opts; int err; - uid_t rdc_uid; uid_t caller_id = geteuid(); bool is_root = (caller_id == 0); - if (!is_root) { - // Ensure user is calling as "rdc" - err = UserID("rdc", &rdc_uid); - if (err != 0) { - return 1; - } - if (rdc_uid != caller_id) { - std::cerr << "Only user \"rdc\" or root can start rdcd." << std::endl; - exit(1); - } - } - init_cmd_line_opts(&cmd_line_opts); ProcessCmdline(&cmd_line_opts, argc, argv); + // Can read the certificates and private key when authentication. + if (!cmd_line_opts.no_authentication) { + if (cmd_line_opts.use_pinned_certs && + (access(kDefaultRDCServerCertPinPath, R_OK) != 0 || + access(kDefaultRDCServerKeyPinPath, R_OK) != 0 || + access(kDefaultRDCClientCertPinPath, R_OK) != 0)) { + std::cerr << "The user needs read access to the pinned " + << "certificates and private key." << std::endl; + return 1; + } + + if (!cmd_line_opts.use_pinned_certs && + (access(kDefaultRDCServerCertKeyPkiPath, R_OK) != 0 || + access(kDefaultRDCServerCertPemPkiPath, R_OK) != 0 || + access(kDefaultRDCClientCACertPemPkiPath, R_OK) != 0)) { + std::cerr << "The user needs read access to the PKI " + << "certificates and private key." << std::endl; + return 1; + } + } + MakeDaemon(is_root); rdc_server.Initialize(&cmd_line_opts);