コード例 #1
ファイル: accesinfo.c プロジェクト: Bhagat-Rajput/pbspro
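/**
 * @brief
 *	Applies the access-control layout for the miscellaneous items that
 *	live under pbs_conf.pbs_home_path.
 *
 * @par
 *	As visible from the calls below:
 *	- home_path itself, spool/launch.bat and pbs_environment receive the
 *	  "Administrators" mask READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED
 *	  and the "\\Everyone" mask READS_MASK|READ_CONTROL;
 *	- spool and undelivered go through create_dir_everyone_readwrite();
 *	- auxiliary goes through create_dir_everyone_read();
 *	- checkpoint goes through
 *	  create_dir_admin_service_account_full_access().
 *
 * @note
 *	Nothing in this function examines whether secure_file2() succeeded, so
 *	a failed ACL change is not reported from here.
 *
 *  @return void
 */
void
secure_misc_files()
{
	/* Longest suffix appended to home_path below; sizes the length guard. */
	static const char longest_suffix[] = "/spool/launch.bat";
	char	path[MAXPATHLEN+1];
	HANDLE	hfile;
	/*
	 * logb is zero-filled and every snprintf() below is given one byte
	 * less than its size, so the last byte stays '\0' even if snprintf is
	 * mapped to a variant that does not terminate on truncation.
	 */
	char	logb[LOG_BUF_SIZE] = {'\0' } ;

	if (pbs_conf.pbs_home_path == NULL) {
		snprintf(logb, sizeof(logb) - 1, "no home_path!");
		log_err(-1, "secure_misc_files", logb);
		return;
	}

	secure_file2(pbs_conf.pbs_home_path,
		"Administrators", READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
		"\\Everyone", READS_MASK | READ_CONTROL);
	snprintf(logb, sizeof(logb) - 1, "securing %s for read access by Everyone",
		pbs_conf.pbs_home_path);
	log_event(PBSEVENT_SYSTEM | PBSEVENT_ADMIN | PBSEVENT_FORCE| PBSEVENT_DEBUG, PBS_EVENTCLASS_FILE, LOG_DEBUG, "", logb);

	/*
	 * home_path comes from configuration.  Refuse to build sub-paths that
	 * cannot fit in path[] instead of overflowing it or securing a
	 * truncated (and therefore different) path.
	 */
	if (strlen(pbs_conf.pbs_home_path) + sizeof(longest_suffix) > sizeof(path)) {
		snprintf(logb, sizeof(logb) - 1, "home_path too long");
		log_err(-1, "secure_misc_files", logb);
		return;
	}

	snprintf(path, sizeof(path), "%s/spool", pbs_conf.pbs_home_path);
	create_dir_everyone_readwrite(path);

	/*
	 * Only admin can run the launch.bat script.
	 * The path is rebuilt from home_path: the previous form passed path
	 * as both destination and "%s" argument of sprintf(), which is
	 * undefined behaviour.
	 * NOTE(review): launch.bat sits inside spool, which was just opened
	 * read/write to Everyone; confirm that the rights on the parent do not
	 * let a non-admin delete and re-create the script.
	 */
	snprintf(path, sizeof(path), "%s/spool/launch.bat", pbs_conf.pbs_home_path);
	secure_file2(path,
		"Administrators", READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
		"\\Everyone", READS_MASK|READ_CONTROL);

	snprintf(path, sizeof(path), "%s/undelivered", pbs_conf.pbs_home_path);
	create_dir_everyone_readwrite(path);

	snprintf(path, sizeof(path), "%s/pbs_environment", pbs_conf.pbs_home_path);

	/*
	 * OPEN_ALWAYS creates the file only when it is missing and otherwise
	 * opens the existing one, so the "created file" message is also logged
	 * for a file that was already there.  A new file is created with the
	 * default security descriptor (no security attributes are passed) and
	 * only tightened by the secure_file2() call further down.
	 */
	hfile = CreateFile(path, GENERIC_WRITE, FILE_SHARE_WRITE, 0,
		OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);

	if (hfile != INVALID_HANDLE_VALUE) {
		snprintf(logb, sizeof(logb) - 1, "created file %s", path);
		log_event(PBSEVENT_SYSTEM | PBSEVENT_ADMIN | PBSEVENT_FORCE| PBSEVENT_DEBUG,PBS_EVENTCLASS_FILE, LOG_DEBUG, "", logb);
		CloseHandle(hfile);
	}
	snprintf(logb, sizeof(logb) - 1,
		"securing file %s: full access to admin and read to Everyone",
		path);
	log_event(PBSEVENT_SYSTEM | PBSEVENT_ADMIN | PBSEVENT_FORCE| PBSEVENT_DEBUG, PBS_EVENTCLASS_FILE, LOG_DEBUG, "", logb);
	secure_file2(path,
		"Administrators", READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
		"\\Everyone", READS_MASK|READ_CONTROL);

	snprintf(path, sizeof(path), "%s/auxiliary", pbs_conf.pbs_home_path);
	create_dir_everyone_read(path);

	snprintf(path, sizeof(path), "%s/checkpoint", pbs_conf.pbs_home_path);
	create_dir_admin_service_account_full_access(path);

}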
コード例 #2
ファイル: accesinfo.c プロジェクト: Bhagat-Rajput/pbspro
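/**
 *
 *	@brief Recursively change permissions to everyone read in a directory tree.
 *
 *	@par
 *	The item named by path is secured first (before it is known to
 *	exist); if it is a directory, every entry except "." and ".." is then
 *	processed by a recursive call.  Entries whose full path would not fit
 *	in MAXPATHLEN are skipped and keep whatever permissions they had.
 *
 *	  @param[in]  path - the target file/directory; NULL or "" is ignored
 *
 *	@return void
 *
 */
static void
make_dir_files_everyone_read(char *path)
{
	/*
	 * Zero-filled, and each snprintf() is given one byte less than the
	 * size, so the final byte stays '\0' whatever snprintf maps to.
	 */
	char	logb[LOG_BUF_SIZE] = {'\0' } ;
	DIR	*dir;
	struct	dirent *pdirent;
	char	dirfile[MAXPATHLEN+1];
	struct stat sb;

	if (path == NULL || *path == '\0')
		return;
	/* Secure the item that path refers to. */
	secure_file2(path, "Administrators", READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
		"\\Everyone", READS_MASK|READ_CONTROL);
	snprintf(logb, sizeof(logb) - 1, "securing %s for read access by Everyone", path);
	log_event(PBSEVENT_SYSTEM | PBSEVENT_ADMIN | PBSEVENT_FORCE| PBSEVENT_DEBUG, PBS_EVENTCLASS_FILE, LOG_DEBUG, "", logb);
	/*
	 * If the item is not a directory, we are done.
	 * NOTE(review): stat() is used here, whereas secure_sched_files() in
	 * this file checks entries with lstat().  If the tree can contain
	 * links that a less-privileged account is able to create, confirm
	 * that following them during this recursion is acceptable.
	 */
	if (stat(path, &sb) == -1) {
		snprintf(logb, sizeof(logb) - 1, "\"%s\" does not exist", path);
		log_err(-1, "make_dir_files_everyone_read", logb);
		return;
	}
	if (!S_ISDIR(sb.st_mode)) {
		return;
	}

	dir = opendir(path);
	if (dir == NULL) {
		snprintf(logb, sizeof(logb) - 1, "readdir error; %s", path);
		log_err(-1, "make_dir_files_everyone_read", logb);
		return;
	}
	/* Recurse into the directory; errno is cleared before every readdir(). */
	while (errno = 0, (pdirent = readdir(dir)) != NULL) {
		const char *name = pdirent->d_name;

		/* Ignore the "." and ".." entries. */
		if (name[0] == '.' &&
			(name[1] == '\0' || (name[1] == '.' && name[2] == '\0')))
			continue;
		/* If we will exceed the maximum path length, skip this item. */
		if (strlen(path) + strlen(name) + 1 >= MAXPATHLEN)
			continue;
		snprintf(dirfile, sizeof(dirfile), "%s/%s", path, name);
		make_dir_files_everyone_read(dirfile);
	}
	/* errno still holds the outcome of the readdir() that ended the loop. */
	if (errno != 0 && errno != ENOENT) {
		snprintf(logb, sizeof(logb) - 1, "readdir error; %s", path);
		log_err(-1, "make_dir_files_everyone_read", logb);
	}
	(void)closedir(dir);
}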
コード例 #3
ファイル: accesinfo.c プロジェクト: Bhagat-Rajput/pbspro
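/**
 *
 *	@brief Change permissions for administrators group and Service account
 *         on a directory and on the entries directly inside it.
 *
 *	@par
 *	Despite the name, both "Administrators" and the account returned by
 *	getlogin_full() are given READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED.
 *	Only one directory level is processed: entries of sub-directories are
 *	not visited.
 *
 *	@param[in]  path - the target file/directory; NULL or "" is ignored
 *
 *	@return void
 *
 */
void
make_dir_files_service_account_read(char *path)
{
	DIR	*dir;
	struct	dirent *pdirent;
	char    dirfile[MAXPATHLEN+1];
	char    *username = NULL;

	/* Same guard as make_dir_files_everyone_read(): nothing to secure. */
	if (path == NULL || *path == '\0')
		return;

	/*
	 * NOTE(review): the result of getlogin_full() is handed to
	 * secure_file2() unchecked; confirm what secure_file2() does when the
	 * account name is NULL.
	 */
	username = getlogin_full();
	secure_file2(path, "Administrators",
		READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
		username, READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED);

	dir = opendir(path);
	if (dir == NULL) {
		return;
	}

	while (errno = 0, (pdirent = readdir(dir)) != NULL) {
		const char *name = pdirent->d_name;

		if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
			continue;

		/*
		 * Entry names come from the file system.  Skip any entry whose
		 * full path cannot fit instead of writing past dirfile[]; such
		 * an entry keeps its previous permissions.
		 */
		if (strlen(path) + strlen(name) + 1 >= MAXPATHLEN)
			continue;

		snprintf(dirfile, sizeof(dirfile), "%s/%s", path, name);

		secure_file2(dirfile, "Administrators",
			READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
			username, READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED);
#ifdef DEBUG
		printf("securing file %s: full access to admin and %s \n", dirfile, username);
#endif

	}
#ifdef DEBUG
	/* Outside DEBUG builds a readdir() failure is not reported at all. */
	if (errno != 0 && errno != ENOENT)
		printf("readdir error; %s\n", path);
#endif
	(void)closedir(dir);
}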
コード例 #4
ファイル: accesinfo.c プロジェクト: Bhagat-Rajput/pbspro
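/**
 *
 *  @brief Secures the files and directories that are related to the
 *		   pbs_sched service.
 *
 *  @par
 *	sched_priv goes through create_dir_admin_service_account_full_access();
 *	every regular file directly inside it then receives the
 *	"Administrators" mask READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED
 *	and the "\\Everyone" mask READS_MASK|READ_CONTROL.  sched_logs goes
 *	through create_dir_everyone_read().
 *
 *  @return void
 */
void
secure_sched_files()
{
	/* Both suffixes used below have this length; sizes the length guard. */
	static const char longest_suffix[] = "/sched_priv";
	DIR *dir;
	struct stat sbuf;
	char	path[MAXPATHLEN+1];
	/*
	 * Zero-filled, and each snprintf() is given one byte less than the
	 * size, so the final byte stays '\0' whatever snprintf maps to.
	 */
	char	logb[LOG_BUF_SIZE] = {'\0' } ;

	if (pbs_conf.pbs_home_path == NULL) {
		snprintf(logb, sizeof(logb) - 1, "no home_path!");
		log_err(-1, "secure_sched_files", logb);
		return;
	}

	/* home_path is configuration input: never let it overflow path[]. */
	if (strlen(pbs_conf.pbs_home_path) + sizeof(longest_suffix) > sizeof(path)) {
		snprintf(logb, sizeof(logb) - 1, "home_path too long");
		log_err(-1, "secure_sched_files", logb);
		return;
	}

	snprintf(path, sizeof(path), "%s/sched_priv", pbs_conf.pbs_home_path);
	create_dir_admin_service_account_full_access(path);

	dir = opendir(path);

	if (dir != NULL) {
		struct dirent *pdirent;
		char fpath[MAXPATHLEN+1];

		while (errno = 0,
			(pdirent = readdir(dir)) != NULL) {
			const char *name = pdirent->d_name;

			if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
				continue;

			/* An entry that cannot fit in fpath[] is reported, not secured. */
			if (strlen(path) + strlen(name) + 1 >= sizeof(fpath)) {
				snprintf(logb, sizeof(logb) - 1, "path too long; skipping %s", name);
				log_err(-1, "secure_sched_files", logb);
				continue;
			}
			snprintf(fpath, sizeof(fpath), "%s/%s", path, name);

			/*
			 * lstat() is used, so the regular-file test applies to
			 * the entry itself.  Anything else, including an entry
			 * lstat() fails on, is only reported.
			 */
			if (lstat(fpath, &sbuf) == 0 && S_ISREG(sbuf.st_mode)) {
				snprintf(logb, sizeof(logb) - 1, "securing file %s", fpath);
				log_event(PBSEVENT_SYSTEM | PBSEVENT_ADMIN | PBSEVENT_FORCE| PBSEVENT_DEBUG, PBS_EVENTCLASS_FILE, LOG_DEBUG, "", logb);
				secure_file2(fpath, "Administrators",
					READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
					"\\Everyone", READS_MASK|READ_CONTROL);
			} else {
				snprintf(logb, sizeof(logb) - 1, "file %s not reg", fpath);
				log_err(-1, "secure_sched_files", logb);
			}
		}
		if (errno != 0 && errno != ENOENT) {
			snprintf(logb, sizeof(logb) - 1, "readdir error; %s", path);
			log_err(-1, "secure_sched_files", logb);
		}
		(void)closedir(dir);
	}

	snprintf(path, sizeof(path), "%s/sched_logs", pbs_conf.pbs_home_path);
	create_dir_everyone_read(path);
}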
コード例 #5
ファイル: accesinfo.c プロジェクト: Bhagat-Rajput/pbspro
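/**
 * @brief
 *	Create the directory named by path if it does not exist, then give
 *	both "Administrators" and "\\Everyone" the mask
 *	READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED on it.
 *
 * @note
 *	In the Windows SDK, STANDARD_RIGHTS_REQUIRED covers DELETE,
 *	READ_CONTROL, WRITE_DAC and WRITE_OWNER.  NOTE(review): if
 *	secure_file2() applies the mask as given, Everyone can change the ACL
 *	or the owner of this directory; confirm that this is intended for
 *	every caller.
 *
 * @param[in] path - directory to create and secure; NULL or "" is ignored
 */
static void
create_dir_everyone_readwrite(char *path)
{
	/*
	 * Zero-filled, and each snprintf() is given one byte less than the
	 * size, so the final byte stays '\0' whatever snprintf maps to.
	 */
	char	logb[LOG_BUF_SIZE] = {'\0' } ;

	if (path == NULL || *path == '\0')
		return;

	/*
	 * A zero return (for instance because the directory already exists)
	 * is not treated as an error: the directory is secured either way.
	 */
	if (CreateDirectory(path, 0) != 0) {
		snprintf(logb, sizeof(logb) - 1, "created %s for everyone to read/write", path);
		log_event(PBSEVENT_SYSTEM | PBSEVENT_ADMIN | PBSEVENT_FORCE| PBSEVENT_DEBUG, PBS_EVENTCLASS_FILE, LOG_DEBUG, "", logb);
	}
	snprintf(logb, sizeof(logb) - 1, "securing %s for read/write access by Everyone", path);
	log_event(PBSEVENT_SYSTEM | PBSEVENT_ADMIN | PBSEVENT_FORCE| PBSEVENT_DEBUG, PBS_EVENTCLASS_FILE, LOG_DEBUG, "", logb);
	secure_file2(path,
		"Administrators", READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
		"\\Everyone", READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED);
}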
コード例 #6
ファイル: accesinfo.c プロジェクト: Bhagat-Rajput/pbspro
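/**
 *
 * @brief
 *	Secures the files and directories that are related to the pbs_mom
 *	service.
 *
 * @par
 *	As visible from the calls below:
 *	- mom_priv, mom_logs and mom_priv/jobs go through
 *	  create_dir_everyone_read();
 *	- every "*.bat" entry directly inside mom_priv receives the
 *	  "Administrators" mask READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED
 *	  and the "\\Everyone" mask READS_MASK|READ_CONTROL;
 *	- mom_priv/config is created if missing and given that full mask for
 *	  both "Administrators" and the account from getlogin_full();
 *	- mom_priv/hooks and mom_priv/hooks/tmp go through
 *	  create_dir_admin_service_account_full_access().
 *
 * @return void
 */
void
secure_mom_files(void)
{
	/* Longest suffix appended to home_path below; sizes the length guard. */
	static const char longest_suffix[] = "/mom_priv/hooks/tmp";
	DIR *dir;
	char	path[MAXPATHLEN+1];
	HANDLE	hfile;
	char    *username = NULL;
	/*
	 * Zero-filled, and each snprintf() is given one byte less than the
	 * size, so the final byte stays '\0' whatever snprintf maps to.
	 */
	char	logb[LOG_BUF_SIZE] = {'\0' } ;

	if (pbs_conf.pbs_home_path == NULL) {
		snprintf(logb, sizeof(logb) - 1, "no home_path!");
		log_err(-1, "secure_mom_files", logb);
		return;
	}

	/* home_path is configuration input: never let it overflow path[]. */
	if (strlen(pbs_conf.pbs_home_path) + sizeof(longest_suffix) > sizeof(path)) {
		snprintf(logb, sizeof(logb) - 1, "home_path too long");
		log_err(-1, "secure_mom_files", logb);
		return;
	}

	/*
	 * NOTE(review): the account name is passed to secure_file2() without
	 * a NULL check; confirm how secure_file2() treats a NULL name.
	 */
	username = getlogin_full();

	/*
	 * NOTE(review): going by the helper's name, mom_priv (and
	 * mom_priv/jobs further down) become readable by Everyone; confirm
	 * that nothing sensitive is stored there.
	 */
	snprintf(path, sizeof(path), "%s/mom_priv", pbs_conf.pbs_home_path);
	create_dir_everyone_read(path);

	dir = opendir(path);

	if (dir != NULL) {
		struct dirent *pdirent;
		char fpath[MAXPATHLEN+1];

		while (errno = 0,
			(pdirent = readdir(dir)) != NULL) {
			const char *name = pdirent->d_name;
			const char *ext = strrchr(name, '.');

			/*
			 * ext starts at the last '.', so the name is a batch
			 * file exactly when ext equals ".bat" regardless of
			 * case.  This replaces the earlier strlen()-4 offset
			 * arithmetic, which selected the same entries.
			 */
			if (ext == NULL || strcmpi(ext, ".bat") != 0)
				continue;

			/* An entry that cannot fit in fpath[] is reported, not secured. */
			if (strlen(path) + strlen(name) + 1 >= sizeof(fpath)) {
				snprintf(logb, sizeof(logb) - 1, "path too long; skipping %s", name);
				log_err(-1, "secure_mom_files", logb);
				continue;
			}
			snprintf(fpath, sizeof(fpath), "%s/%s", path, name);
			snprintf(logb, sizeof(logb) - 1, "securing file %s", fpath);
			log_event(PBSEVENT_SYSTEM | PBSEVENT_ADMIN | PBSEVENT_FORCE| PBSEVENT_DEBUG, PBS_EVENTCLASS_FILE, LOG_DEBUG, "", logb);
			secure_file2(fpath, "Administrators",
				READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
				"\\Everyone", READS_MASK|READ_CONTROL);
		}
		if (errno != 0 && errno != ENOENT) {
			snprintf(logb, sizeof(logb) - 1, "readdir error; %s", path);
			log_err(-1, "secure_mom_files", logb);
		}
		(void)closedir(dir);
	}

	snprintf(path, sizeof(path), "%s/mom_priv/config", pbs_conf.pbs_home_path);

	/*
	 * OPEN_ALWAYS creates the file only when it is missing, so the
	 * "created file" message is also logged for an existing file.  A new
	 * file starts with the default security descriptor and is tightened
	 * by the secure_file2() call below.
	 */
	hfile = CreateFile(path, GENERIC_WRITE, FILE_SHARE_WRITE, 0,
		OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);

	if (hfile != INVALID_HANDLE_VALUE) {
		snprintf(logb, sizeof(logb) - 1, "created file %s", path);
		log_event(PBSEVENT_SYSTEM | PBSEVENT_ADMIN | PBSEVENT_FORCE| PBSEVENT_DEBUG, PBS_EVENTCLASS_FILE, LOG_DEBUG, "", logb);
		CloseHandle(hfile);

	}
	/*
	 * The message says "admin-only", but the call grants the same full
	 * mask to the service account returned by getlogin_full().
	 */
	snprintf(logb, sizeof(logb) - 1, "securing %s for admin-only access", path);
	log_event(PBSEVENT_SYSTEM | PBSEVENT_ADMIN | PBSEVENT_FORCE| PBSEVENT_DEBUG, PBS_EVENTCLASS_FILE, LOG_DEBUG, "", logb);
	secure_file2(path, "Administrators",
		READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
		username, READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED);

	snprintf(path, sizeof(path), "%s/mom_logs", pbs_conf.pbs_home_path);
	create_dir_everyone_read(path);

	snprintf(path, sizeof(path), "%s/mom_priv/jobs", pbs_conf.pbs_home_path);
	create_dir_everyone_read(path);

	snprintf(path, sizeof(path), "%s/mom_priv/hooks", pbs_conf.pbs_home_path);
	create_dir_admin_service_account_full_access(path);

	snprintf(path, sizeof(path), "%s/mom_priv/hooks/tmp", pbs_conf.pbs_home_path);
	create_dir_admin_service_account_full_access(path);
}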
コード例 #7
ファイル: accesinfo.c プロジェクト: Bhagat-Rajput/pbspro
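/**
 *
 *  @brief Secures the files and directories that are related to the
 *         pbs_server service.
 *
 *  @par
 *	As visible from the calls below:
 *	- server_priv and its jobs, users, hooks and hooks/tmp sub-directories
 *	  go through create_dir_admin_service_account_full_access();
 *	- server_priv/license_file, server_priv/resourcedef (created if
 *	  missing) and server_priv/svrlive receive
 *	  READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED for both
 *	  "Administrators" and the account from getlogin_full();
 *	- server_logs and server_priv/accounting go through
 *	  create_dir_everyone_read();
 *	- the lib/python tree under pbs_exec_path goes through
 *	  make_dir_files_everyone_read();
 *	- secure_server_datastore_files() is called last.
 *
 *  @return void
 *
 */
void
secure_server_files()
{
	/* Longest suffixes appended below; they size the length guards. */
	static const char longest_suffix[] = "/server_priv/license_file";
	static const char exec_suffix[] = "/lib/python";
	char	path[MAXPATHLEN+1];
	HANDLE	hfile;
	char    *username = NULL;
	/*
	 * Zero-filled, and each snprintf() is given one byte less than the
	 * size, so the final byte stays '\0' whatever snprintf maps to.
	 */
	char	logb[LOG_BUF_SIZE] = {'\0' } ;

	if (pbs_conf.pbs_home_path == NULL) {
		snprintf(logb, sizeof(logb) - 1, "no home_path!");
		log_err(-1, "secure_server_files", logb);
		return;
	}

	/* home_path is configuration input: never let it overflow path[]. */
	if (strlen(pbs_conf.pbs_home_path) + sizeof(longest_suffix) > sizeof(path)) {
		snprintf(logb, sizeof(logb) - 1, "home_path too long");
		log_err(-1, "secure_server_files", logb);
		return;
	}

	/*
	 * NOTE(review): the account name is passed to secure_file2() without
	 * a NULL check; confirm how secure_file2() treats a NULL name.
	 */
	username = getlogin_full();

	snprintf(path, sizeof(path), "%s/server_priv", pbs_conf.pbs_home_path);
	create_dir_admin_service_account_full_access(path);

	snprintf(path, sizeof(path), "%s/server_priv/jobs", pbs_conf.pbs_home_path);
	create_dir_admin_service_account_full_access(path);

	snprintf(path, sizeof(path), "%s/server_priv/users", pbs_conf.pbs_home_path);
	create_dir_admin_service_account_full_access(path);

	snprintf(path, sizeof(path), "%s/server_priv/hooks", pbs_conf.pbs_home_path);
	create_dir_admin_service_account_full_access(path);

	snprintf(path, sizeof(path), "%s/server_priv/hooks/tmp", pbs_conf.pbs_home_path);
	create_dir_admin_service_account_full_access(path);

	snprintf(path, sizeof(path), "%s/server_priv/license_file",
		pbs_conf.pbs_home_path);
	secure_file2(path, "Administrators",
		READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
		username, READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED);

	snprintf(path, sizeof(path), "%s/server_priv/resourcedef",
		pbs_conf.pbs_home_path);

	/*
	 * OPEN_ALWAYS creates the file only when it is missing, so the
	 * "created file" message is also logged for an existing file.  A new
	 * file starts with the default security descriptor and is tightened
	 * by the secure_file2() call below.
	 */
	hfile = CreateFile(path, GENERIC_WRITE, FILE_SHARE_WRITE, 0,
		OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);

	if (hfile != INVALID_HANDLE_VALUE) {

		snprintf(logb, sizeof(logb) - 1, "created file %s", path);
		log_event(PBSEVENT_SYSTEM | PBSEVENT_ADMIN | PBSEVENT_FORCE| PBSEVENT_DEBUG, PBS_EVENTCLASS_FILE, LOG_DEBUG, "", logb);

		CloseHandle(hfile);
	}
	/*
	 * The message says "admin-only", but the call grants the same full
	 * mask to the service account returned by getlogin_full().
	 */
	snprintf(logb, sizeof(logb) - 1, "securing %s for admin-only access", path);
	log_event(PBSEVENT_SYSTEM | PBSEVENT_ADMIN | PBSEVENT_FORCE| PBSEVENT_DEBUG, PBS_EVENTCLASS_FILE, LOG_DEBUG, "", logb);
	secure_file2(path, "Administrators",
		READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
		username, READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED);

	snprintf(path, sizeof(path), "%s/server_logs", pbs_conf.pbs_home_path);
	create_dir_everyone_read(path);

	snprintf(path, sizeof(path), "%s/server_priv/accounting",
		pbs_conf.pbs_home_path);
	create_dir_everyone_read(path);

	/*
	 * pbs_exec_path was previously formatted with "%s" without any check.
	 * A missing or over-long value is now reported and this one step is
	 * skipped; the remaining steps still run.
	 */
	if (pbs_conf.pbs_exec_path == NULL) {
		snprintf(logb, sizeof(logb) - 1, "no exec_path!");
		log_err(-1, "secure_server_files", logb);
	} else if (strlen(pbs_conf.pbs_exec_path) + sizeof(exec_suffix) > sizeof(path)) {
		snprintf(logb, sizeof(logb) - 1, "exec_path too long");
		log_err(-1, "secure_server_files", logb);
	} else {
		snprintf(path, sizeof(path), "%s/lib/python", pbs_conf.pbs_exec_path);
		make_dir_files_everyone_read(path);
	}

	/*
	 * Permissions of the file $PBS_HOME/server_priv/svrlive, on creation, is set to
	 * read/write for administrator group. However, on Windows Vista, a combination of a
	 * reboot after installation and permission setting on server_priv (earlier in this
	 * function) changes the permission of the svrlive file, thus disallowing server
	 * database saves (resulting in cascading failures, e.g., job submission). Thus we
	 * "reset" the permissions on the svrlive file here to what it is supposed to be.
	 */
	snprintf(path, sizeof(path), "%s/server_priv/svrlive", pbs_conf.pbs_home_path);
	snprintf(logb, sizeof(logb) - 1, "securing %s for admin-only access", path);
	log_event(PBSEVENT_SYSTEM | PBSEVENT_ADMIN | PBSEVENT_FORCE| PBSEVENT_DEBUG, PBS_EVENTCLASS_FILE, LOG_DEBUG, "", logb);
	secure_file2(path, "Administrators",
		READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
		username, READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED);

	secure_server_datastore_files();

}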
コード例 #8
ファイル: pbs_log.c プロジェクト: rampranesh/pbspro
/**
 *
 * @brief
 * 	Open the log file for append.
 *
 * @par
 *	Opens a (new) log file.
 *	If a log file is already open, and the new file is successfully opened,
 *	the old file is closed.  Otherwise the old file is left open.

 * @param[in]	filename - if a non-NULL, non-empty string, then this must be
 *			   an absolute pathname, which is opened and made
 *			   the log file.
 *			 - if NULL or an empty string, then mk_log_name() is
 *			   called to create a log file named after the current
 *			   date yymmdd, which is made the log file.
 * @param[in]	directory -  The directory used by mk_log_name()
 *			         as the log directory for the generated
 *				 log filename.
 * @param[in]	silent - if set to 1, then extra messages such as
 *			"Log opened", "pbs_version=", "pbs_build="
 *			are not printed out on the log file.
 *
 * @return int
 * @retval 0	for success
 * @retval != 0 for failure
 */
int
log_open_main(char *filename, char *directory, int silent)
{
	char  buf[_POSIX_PATH_MAX];
	int   fds;

	/*providing temporary buffer, tbuf, for forming pbs_version
	 *and pbs_build messages that get written on logfile open.
	 *Using the usual buffer, log_buffer, that one sees in calls
	 *to log_event() will result in clobbering the first message
	 *after midnight:  log_event(), calls log_record(), calls
	 *log_close() followed by log_open() - so a write into "log_buffer"
	 *inside log_open() obliterates the message that would have been
	 *placed in the newly opened, after mignight, server logfile.
	 */
	char  tbuf[LOG_BUF_SIZE];

	pthread_once(&log_once_ctl, log_init); /* initialize mutex once */

	if (log_opened > 0)
		return (-1);	/* already open */

	if (pbs_conf.locallog != 0 || pbs_conf.syslogfac == 0) {

		/* open PBS local logging */

		if (strcmp(log_directory, directory) != 0)
			(void)strncpy(log_directory, directory, _POSIX_PATH_MAX/2-1);

		if ((filename == (char *)0) || (*filename == '\0')) {
			filename = mk_log_name(buf, _POSIX_PATH_MAX);
			log_auto_switch = 1;
		}
#ifdef WIN32
		else if (*filename != '\\' && (strlen(filename) > 1 && \
				*(filename+1) != ':') ) {
			return (-1);	/* must be absolute path */
		}
#else
		else if (*filename != '/') {
			return (-1);	/* must be absolute path */
		}
#endif

#ifdef WIN32
		if ((fds = open(filename, O_CREAT|O_WRONLY|O_APPEND, S_IREAD | S_IWRITE)) < 0)
#elif defined (O_LARGEFILE )
		if ((fds = open(filename, O_CREAT|O_WRONLY|O_APPEND|O_LARGEFILE, 0644)) < 0)
#else
			if ((fds = open(filename, O_CREAT|O_WRONLY|O_APPEND, 0644)) < 0)
#endif
			{
				log_opened = -1;	/* note that open failed */
				return (-1);
			}

#ifdef WIN32
		secure_file2(filename, "Administrators",
			READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
			"Everyone", READS_MASK | READ_CONTROL);
#endif
		DBPRT(("Opened log file %s\n", filename))
		if (fds < 3) {

			log_opened = fcntl(fds, F_DUPFD, 3);	/* overload variable */
			if (log_opened < 0)
				return (-1);
			(void)close(fds);
			fds = log_opened;
		}
		logfile = fdopen(fds, "a");

#ifdef WIN32
		(void)setvbuf(logfile, NULL, _IONBF, 0);	/* no buffering to get instant log */
#else
		(void)setvbuf(logfile, NULL, _IOLBF, 0);	/* set line buffering */
#endif
		log_opened = 1;			/* note that file is open */

		if (!silent) {
			log_record(PBSEVENT_SYSTEM, PBS_EVENTCLASS_SERVER, LOG_INFO, "Log", "Log opened");
			snprintf(tbuf, LOG_BUF_SIZE, "pbs_version=%s", pbs_version);
			log_record(PBSEVENT_SYSTEM, PBS_EVENTCLASS_SERVER, LOG_INFO, msg_daemonname, tbuf);
			snprintf(tbuf, LOG_BUF_SIZE, "pbs_build=%s", pbs_build);
			log_record(PBSEVENT_SYSTEM, PBS_EVENTCLASS_SERVER, LOG_INFO, msg_daemonname, tbuf);
		}
	}
#if SYSLOG
	if (syslogopen == 0 && pbs_conf.syslogfac > 0 && pbs_conf.syslogfac < 10) {
		/*
		 * We do not assume that the log facilities are defined sequentially.
		 * That is why we reference them each by name.
		 */
		switch (pbs_conf.syslogfac) {
			case 2:
				syslogopen = LOG_LOCAL0;
				break;
			case 3:
				syslogopen = LOG_LOCAL1;
				break;
			case 4:
				syslogopen = LOG_LOCAL2;
				break;
			case 5:
				syslogopen = LOG_LOCAL3;
				break;
			case 6:
				syslogopen = LOG_LOCAL4;
				break;
			case 7:
				syslogopen = LOG_LOCAL5;
				break;
			case 8:
				syslogopen = LOG_LOCAL6;
				break;
			case 9:
				syslogopen = LOG_LOCAL7;
				break;
			case 1:
			default:
				syslogopen = LOG_DAEMON;
				break;
		}
		openlog(msg_daemonname, LOG_NOWAIT, syslogopen);
		DBPRT(("Syslog enabled, facility = %d\n", syslogopen))
		if (pbs_conf.syslogsvr != 0) {
			/* set min priority of what gets logged via syslog */
			setlogmask(LOG_UPTO(pbs_conf.syslogsvr));
			DBPRT(("Syslog mask set to 0x%x\n", pbs_conf.syslogsvr))
		}
	}