Exemplo n.º 1
0
int authenticate_user(

  struct batch_request *preq,  /* I */
  struct credential    *pcred,
  char   **autherr) /* O */

  {
  int    rc;
  char   uath[PBS_MAXUSER + PBS_MAXHOSTNAME + 1];
  time_t time_now = time(NULL);
  char   error_msg[1024];
  bool   acl_enabled = false;

#ifdef MUNGE_AUTH
 
  if (strncmp(preq->rq_user, pcred->username, PBS_MAXUSER))
    {
    /* extra check for munge */
    struct array_strings *my_acl = NULL;
    char uh[PBS_MAXUSER + PBS_MAXHOSTNAME + 2];

    sprintf(uh, "%s@%s", preq->rq_user, pcred->hostname);
    
    get_svr_attr_arst(SRV_ATR_authusers, &my_acl); 
    if ((acl_check_my_array_string(my_acl, uh, ACL_User_Host)) == 0)
      {
      *autherr = strdup("User not in authorized user list.");
      sprintf(error_msg, "%s Requested user %s: requested from host %s",
                     *autherr, preq->rq_user, preq->rq_host);
      log_event(PBSEVENT_ADMIN, PBS_EVENTCLASS_SERVER, __func__, error_msg);
      return(PBSE_BADCRED);
      }
    }
#else
  if (strncmp(preq->rq_user, pcred->username, PBS_MAXUSER))
    {
    *autherr = strdup("Users do not match");
    sprintf(error_msg, "%s: Requested user %s: credential user %s: requested from host %s",
                   *autherr, preq->rq_user, pcred->username, preq->rq_host);
    log_event(PBSEVENT_ADMIN, PBS_EVENTCLASS_SERVER, __func__, error_msg);
    return(PBSE_BADCRED);
    }
#endif

  if (strncmp(preq->rq_host, pcred->hostname, PBS_MAXHOSTNAME))
    {
    struct sockaddr_in *sai1;
    struct sockaddr_in *sai2;
    struct addrinfo    *addr_info1 = NULL;
    struct addrinfo    *addr_info2 = NULL;

    sai1 = get_cached_addrinfo(preq->rq_host);
    sai2 = get_cached_addrinfo(pcred->hostname);

    if ((sai1 == NULL) &&
        (pbs_getaddrinfo(preq->rq_host, NULL, &addr_info1) == PBSE_NONE))
      {
      sai1 = (struct sockaddr_in *)addr_info1->ai_addr;
      }

    if ((sai2 == NULL) &&
        (pbs_getaddrinfo(pcred->hostname, NULL, &addr_info2) == PBSE_NONE))
      {
      sai2 = (struct sockaddr_in *)addr_info2->ai_addr;
      }

    if ((sai1 == NULL) ||
        (sai2 == NULL) ||
        (memcmp(sai1, sai2, sizeof(struct sockaddr_in))))
      {
      *autherr = strdup("Hosts do not match");
      
      sprintf(error_msg, "%s: Requested host %s: credential host: %s",
        *autherr, preq->rq_host, pcred->hostname);
      log_event(PBSEVENT_ADMIN, PBS_EVENTCLASS_SERVER, __func__, error_msg);
    
      return(PBSE_BADCRED);
      }
    }

  if (pcred->timestamp)
    {
    long lifetime = 0;
    if (get_svr_attr_l(SRV_ATR_CredentialLifetime, &lifetime) == PBSE_NONE)
      {
      /* use configured value if set */
      }
    else 
      {
      /* if not use the default */
      lifetime = CREDENTIAL_LIFETIME;
      }

    /* negative values mean that credentials have an infinite lifetime */
    if (lifetime > -1)
      {
      if ((pcred->timestamp - CREDENTIAL_TIME_DELTA > time_now) ||
          (pcred->timestamp + lifetime < time_now))
        {
        return(PBSE_EXPIRED);
        }
      }

    }

  /* If Server's Acl_User enabled, check if user in list */
  get_svr_attr_b(SRV_ATR_AclUserEnabled, &acl_enabled);
  if (acl_enabled)
    {
    struct array_strings *acl_users = NULL;
    snprintf(uath, sizeof(uath), "%s@%s", preq->rq_user, preq->rq_host);
    
    get_svr_attr_arst(SRV_ATR_AclUsers, &acl_users);
    if (acl_check_my_array_string(acl_users, uath, ACL_User) == 0)
      {
      int       my_err;
      pbs_net_t connect_addr = get_hostaddr(&my_err, preq->rq_host);
      pbs_net_t server_addr = get_hostaddr(&my_err, server_host);

#ifdef __CYGWIN__

      if ((!IamAdminByName(preq->rq_user)) || 
          (connect_addr != server_addr))
        {
        return(PBSE_PERM);
        }
#else /* __CYGWIN__ */
#ifdef PBS_ROOT_ALWAYS_ADMIN
      if ((strcmp(preq->rq_user, PBS_DEFAULT_ADMIN) != 0) ||
          (connect_addr != server_addr))
        {
        return(PBSE_PERM);
        }

#else /* PBS_ROOT_ALWAYS_ADMIN */
      return(PBSE_PERM);

#endif /* PBS_ROOT_ALWAYS_ADMIN */
#endif /* __CYGWIN__ */

      }
    }

  /* A site stub for additional checking */

  rc = site_allow_u(preq->rq_user, preq->rq_host);

  return(rc);
  }  /* END authenticate_user() */
Exemplo n.º 2
0
int set_jobexid(

  job           *pjob,    /* I */
  pbs_attribute *attrry,  /* I */
  char          *EMsg)    /* O (optional,minsize=1024) */

  {
  int             addflags = 0;
  pbs_attribute  *pattr;
  char          **pmem;

  struct group   *gpent;
  int             free_puser = FALSE;
  char           *puser = NULL;
  char           *at;
  char           *usr_at_host = NULL;
  int             len;


  struct passwd  *pwent = NULL;
  char           *pgrpn;
  int             free_pgrpn = TRUE;
  char            gname[PBS_MAXGRPN + 1];
#ifdef _CRAY

  struct udb     *pudb;
#endif

  char            tmpLine[1024 + 1];
  char            log_buf[LOCAL_LOG_BUF_SIZE];

  long            disable_id_check = 0;
  int             CheckID;  /* boolean */

  if (EMsg != NULL)
    EMsg[0] = '\0';

  /* use the passed User_List if set, may be a newly modified one     */
  /* if not set, fall back to the job's actual User_List, may be same */
  if (get_svr_attr_l(SRV_ATR_DisableServerIdCheck, &disable_id_check) != PBSE_NONE)
    CheckID = 1;
  else
    CheckID = !disable_id_check;

  if (CheckID == 0)
    {
    /* NOTE: use owner, not userlist - should this be changed? */
    /* Yes, changed 10/17/2007 */

    if (pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str != NULL)
      {
      /* start of change to use userlist instead of owner 10/17/2007 */

      if ((attrry + JOB_ATR_userlst)->at_flags & ATR_VFLAG_SET)
        pattr = attrry + JOB_ATR_userlst;
      else
        pattr = &pjob->ji_wattr[JOB_ATR_userlst];

      if (pjob->ji_wattr[JOB_ATR_proxy_user].at_flags & ATR_VFLAG_SET)
        {
        puser = pjob->ji_wattr[JOB_ATR_proxy_user].at_val.at_str;

        /* set the job's owner as the new user, appending @host if
         * the job's owner has that */
        at = strchr(pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str,'@');
        len = strlen(puser) + 1;
        if (at != NULL)
          {
          len += strlen(at);
          usr_at_host = (char *)calloc(len, sizeof(char));
          snprintf(usr_at_host,len,"%s%s",
            puser,
            at);
          }
        else
          {
          usr_at_host = (char *)calloc(len, sizeof(char));

          snprintf(usr_at_host,len,"%s",
            puser);
          }

        free(pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str);
        pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str = usr_at_host;
        }
      else if ((puser = geteusernam(pjob, pattr)) == NULL)
        {
        if (EMsg != NULL)
          snprintf(EMsg, 1024, "cannot locate user name in job");

        return(PBSE_BADUSER);
        }

      free_puser = TRUE;

      sprintf(tmpLine, "%s", puser);

      /* end of change to use userlist instead of owner 10/17/2007 */
      }
    else
      {
      strcpy(tmpLine, "???");
      }
    }  /* END if (CheckID == 0) */
  else
    {
    int perm;

    if ((attrry + JOB_ATR_userlst)->at_flags & ATR_VFLAG_SET)
      pattr = attrry + JOB_ATR_userlst;
    else
      pattr = &pjob->ji_wattr[JOB_ATR_userlst];

    free_puser = TRUE;

    if ((puser = geteusernam(pjob, pattr)) == NULL)
      {
      if (EMsg != NULL)
        snprintf(EMsg, 1024, "cannot locate user name in job");

      return(PBSE_BADUSER);
      }

    pwent = getpwnam_ext(puser);

    perm = svr_get_privilege(puser,get_variable(pjob,(char *)"PBS_O_HOST"));

    if (pwent == NULL)
      {
      snprintf(log_buf,sizeof(log_buf),
        "User %s does not exist in server password file\n",
        puser);

      log_err(errno, __func__, log_buf);

      if (EMsg != NULL)
        snprintf(EMsg,1024,"%s",log_buf);

      free(puser);

      return(PBSE_BADUSER);
      }

    if ((pwent->pw_uid == 0) ||
        (perm & ATR_DFLAG_MGWR))
      {
      struct array_strings *pas = NULL;
      get_svr_attr_arst(SRV_ATR_AclRoot, &pas);

      /* add check here for virtual user */
      if (pjob->ji_wattr[JOB_ATR_proxy_user].at_flags & ATR_VFLAG_SET)
        {
        free(puser);
        free_puser = FALSE;

        puser = pjob->ji_wattr[JOB_ATR_proxy_user].at_val.at_str;

        pwent = getpwnam_ext(puser);

        if (pwent == NULL)
          {
          snprintf(log_buf,sizeof(log_buf),
            "User %s does not exist in server password file\n",
            puser);

          log_err(errno, __func__, log_buf);

          if (EMsg != NULL)
            snprintf(EMsg,1024,"%s",log_buf);

          return(PBSE_BADUSER);
          }

        /* set the job's owner as the new user */
        at = strchr(pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str,'@');
        len = strlen(puser) + 1;
        if (at != NULL)
          {
          len += strlen(at);
          usr_at_host = (char *)calloc(len, sizeof(char));
          snprintf(usr_at_host,len,"%s%s",
            puser,
            at);
          }
        else
          {
          usr_at_host = (char *)calloc(len, sizeof(char));

          snprintf(usr_at_host,len,"%s",
            puser);
          }

        free(pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str);
        pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str = usr_at_host;
        }
      else if (get_svr_attr_arst(SRV_ATR_AclRoot, &pas) == PBSE_NONE)
        {
        if (acl_check_my_array_string(pas, pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str, ACL_User) == 0)
          {
          if (EMsg != NULL)
            snprintf(EMsg, 1024, "root user %s fails ACL check",
                     puser);

          if (free_puser == TRUE)
            free(puser);

          return(PBSE_BADUSER); /* root not allowed */
          }
        }
      else if (pwent->pw_uid == 0)
        {
        if (EMsg != NULL)
          snprintf(EMsg, 1024, "root user %s not allowed",
                   puser);
          
        if (free_puser == TRUE)
          free(puser);

        return(PBSE_BADUSER); /* root not allowed */
        }
      }    /* END if (pwent->pw_uid == 0) */
    else if (pjob->ji_wattr[JOB_ATR_proxy_user].at_flags & ATR_VFLAG_SET)
      {
      /* cannot submit a proxy job if not root or a manager */
      if (EMsg != NULL)
        {
        snprintf(EMsg, 1024,
          "User '%s' is attempting to submit a proxy job for user '%s' but is not a manager",
          puser,
          pjob->ji_wattr[JOB_ATR_proxy_user].at_val.at_str);
        }

      snprintf(log_buf, 1024,
        "User '%s' is attempting to submit a proxy job for user '%s' but is not a manager",
        puser,
        pjob->ji_wattr[JOB_ATR_proxy_user].at_val.at_str);
      log_err(PBSE_BADUSER, __func__, log_buf);
          
      if (free_puser == TRUE)
        free(puser);

      return(PBSE_BADUSER);
      }

    if (site_check_user_map(pjob, puser, EMsg, LOGLEVEL) == -1)
      {
      if (free_puser == TRUE)
        free(puser);

      return(PBSE_BADUSER);
      }

    snprintf(tmpLine, sizeof(tmpLine), "%s", puser);
    }  /* END else (CheckID == 0) */

  pattr = attrry + JOB_ATR_euser;

  job_attr_def[JOB_ATR_euser].at_free(pattr);

  job_attr_def[JOB_ATR_euser].at_decode(pattr, NULL, NULL, tmpLine, 0);

#ifdef _CRAY

  /* on cray check UDB (user data base) for permission to batch it */

  if ((pwent != NULL) && (puser != NULL))
    {
    pudb = getudbuid(pwent->pw_uid);

    endudb();

    if (pudb == UDB_NULL)
      {
      if (EMsg != NULL)
        snprintf(EMsg, 1024, "user %s not located in user data base",
                 puser);

      if (free_puser == TRUE)
        free(puser);

      return(PBSE_BADUSER);
      }

    if (pudb->ue_permbits & (PERMBITS_NOBATCH | PERMBITS_RESTRICTED))
      {
      if (free_puser == TRUE)
        free(puser);

      return(PBSE_QACESS);
      }

    /* if account (qsub -A) not specified, set default from UDB */

    pattr = attrry + JOB_ATR_account;

    if ((pattr->at_flags & ATR_VFLAG_SET) == 0)
      {
      job_attr_def[JOB_ATR_account].at_decode(
        pattr,
        NULL,
        NULL,
        (char *)acid2nam(pudb->ue_acids[0]));
      }
    }    /* END if ((pwent != NULL) && (puser != NULL)) */

#endif /* _CRAY */

  /*
   * now figure out the group name under which the job should execute
   * PBS requires that each group have an entry in the group file,
   * see the admin guide for the reason why...
   *
   * use the passed group_list if set, may be a newly modified one
   * if not set, fall back to the job's actual group_list, may be same
   */

  if ((attrry + JOB_ATR_grouplst)->at_flags & ATR_VFLAG_SET)
    pattr = attrry + JOB_ATR_grouplst;
  else
    pattr = &pjob->ji_wattr[JOB_ATR_grouplst];

  /* extract user-specified egroup if it exists */

  pgrpn = getegroup(pjob, pattr);

  if (pgrpn == NULL)
    {
    free_pgrpn = FALSE;

    if ((pwent != NULL) || ((pwent = getpwnam_ext(puser)) != NULL))
      {
      /* egroup not specified - use user login group */

      gpent = getgrgid(pwent->pw_gid);

      if (gpent != NULL)
        {
        pgrpn = gpent->gr_name;           /* use group name */
        }
      else
        {
        sprintf(gname, "%ld",
                (long)pwent->pw_gid);

        pgrpn = gname;            /* turn gid into string */
        }
      }
    else if (CheckID == 0)
      {
      strcpy(gname, "???");

      pgrpn = gname;
      }
    else
      {
      log_err(errno, __func__, (char *)"getpwnam failed");

      if (EMsg != NULL)
        snprintf(EMsg, 1024, "user does not exist in server password file");

      if (free_puser == TRUE)
        free(puser);

      return(PBSE_BADUSER);
      }

    /*
     * setting the DEFAULT flag is a "kludgy" way to keep MOM from
     * having to do an unneeded look up of the group file.
     * We needed to have JOB_ATR_egroup set for the server but
     * MOM only wants it if it is not the login group, so there!
     */

    addflags = ATR_VFLAG_DEFLT;
    }  /* END if ((pgrpn = getegroup(pjob,pattr))) */
  else if (CheckID == 0)
    {
    /* egroup specified - do not validate group within server */

    /* NO-OP */
    }
  else
    {
    /* user specified a group, group must exist and either */
    /* must be user's primary group or the user must be in it */

    gpent = getgrnam_ext(pgrpn);

    if (gpent == NULL)
      {
      if (CheckID == 0)
        {
        strcpy(gname, "???");

        pgrpn = gname;
        }
      else
        if (EMsg != NULL)
          snprintf(EMsg, 1024, "cannot locate group %s in server group file",
                   pgrpn);

      if (free_puser == TRUE)
        free(puser);

      free(pgrpn);

      return(PBSE_BADGRP);  /* no such group */
      }

    if (gpent->gr_gid != pwent->pw_gid)
      {
      /* not primary group */

      pmem = gpent->gr_mem;

      while (*pmem != NULL)
        {
        if (!strcmp(puser, *pmem))
          break;

        ++pmem;
        }

      if (*pmem == NULL)
        {
        /* requested group not allowed */
        snprintf(log_buf,sizeof(log_buf),
          "user %s is not a member of group %s in server password file",
          puser,
          pgrpn);

        log_err(-1, __func__, log_buf);

        if (EMsg != NULL)
          snprintf(EMsg, 1024, "%s",log_buf);

        if (free_puser == TRUE)
          free(puser);

        free(pgrpn);

        return(PBSE_BADGRP); /* user not in group */
        }
      }
    }    /* END if ((pgrpn = getegroup(pjob,pattr))) */

  /* set new group */

  pattr = attrry + JOB_ATR_egroup;

  job_attr_def[JOB_ATR_egroup].at_free(pattr);

  job_attr_def[JOB_ATR_egroup].at_decode(pattr, NULL, NULL, pgrpn, 0);

  pattr->at_flags |= addflags;

  /* SUCCESS */
  if (free_puser == TRUE)
    free(puser);

  if (free_pgrpn == TRUE)
    free(pgrpn);

  return(0);
  }  /* END set_jobexid() */
int process_request(

  struct tcp_chan *chan) /* file descriptor (socket) to get request */

  {
  int                   rc = PBSE_NONE;
  struct batch_request *request = NULL;
  char                  log_buf[LOCAL_LOG_BUF_SIZE];
  long                  acl_enable = FALSE;
  long                  state = SV_STATE_DOWN;

  time_t                time_now = time(NULL);
  int                   free_request = TRUE;
  char                  tmpLine[MAXLINE];
  char                 *auth_err = NULL;
  enum conn_type        conn_active;
  unsigned short        conn_socktype;
  unsigned short        conn_authen;
  unsigned long         conn_addr;
  int                   sfds = chan->sock;

  pthread_mutex_lock(svr_conn[sfds].cn_mutex);
  conn_active = svr_conn[sfds].cn_active;
  conn_socktype = svr_conn[sfds].cn_socktype;
  conn_authen = svr_conn[sfds].cn_authen;
  conn_addr = svr_conn[sfds].cn_addr;
  svr_conn[sfds].cn_lasttime = time_now;
  pthread_mutex_unlock(svr_conn[sfds].cn_mutex);

  if ((request = alloc_br(0)) == NULL)
    {
    snprintf(tmpLine, sizeof(tmpLine),
        "cannot allocate memory for request from %lu",
        conn_addr);
    req_reject(PBSE_MEM_MALLOC, 0, request, NULL, tmpLine);
    free_request = FALSE;
    rc = PBSE_SYSTEM;
    goto process_request_cleanup;
    }

  request->rq_conn = sfds;

  /*
   * Read in the request and decode it to the internal request structure.
   */
  if (conn_active == FromClientDIS || conn_active == ToServerDIS)
    {
#ifdef ENABLE_UNIX_SOCKETS

    if ((conn_socktype & PBS_SOCK_UNIX) &&
        (conn_authen != PBS_NET_CONN_AUTHENTICATED))
      {
      /* get_creds interestingly always returns 0 */
      get_creds(sfds, conn_credent[sfds].username, conn_credent[sfds].hostname);
      }

#endif /* END ENABLE_UNIX_SOCKETS */
    rc = dis_request_read(chan, request);
    }
  else
    {
    char out[80];

    snprintf(tmpLine, MAXLINE, "request on invalid type of connection: %d, sock type: %d, from address %s", 
                conn_active,conn_socktype, netaddr_long(conn_addr, out));
    log_event(PBSEVENT_SYSTEM, PBS_EVENTCLASS_REQUEST,
      "process_req", tmpLine);
    snprintf(tmpLine, sizeof(tmpLine),
        "request on invalid type of connection (%d) from %s",
        conn_active,
        netaddr_long(conn_addr, out));
    req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
    free_request = FALSE;
    rc = PBSE_BADHOST;
    goto process_request_cleanup;
    }

  if (rc == -1)
    {
    /* FAILURE */
    /* premature end of file */
    rc = PBSE_PREMATURE_EOF;
    goto process_request_cleanup;
    }

  if ((rc == PBSE_SYSTEM) || (rc == PBSE_INTERNAL) || (rc == PBSE_SOCKET_CLOSE))
    {
    /* FAILURE */
    /* read error, likely cannot send reply so just disconnect */
    /* ??? not sure about this ??? */
    goto process_request_cleanup;
    }

  if (rc > 0)
    {
    /* FAILURE */

    /*
     * request didn't decode, either garbage or unknown
     * request type, in either case, return reject-reply
     */

    req_reject(rc, 0, request, NULL, "cannot decode message");
    free_request = FALSE;
    goto process_request_cleanup;
    }

  if (get_connecthost(sfds, request->rq_host, PBS_MAXHOSTNAME) != 0)
    {
    sprintf(log_buf, "%s: %lu",
      pbse_to_txt(PBSE_BADHOST),
      conn_addr);

    log_event(PBSEVENT_DEBUG, PBS_EVENTCLASS_REQUEST, "", log_buf);

    snprintf(tmpLine, sizeof(tmpLine),
        "cannot determine hostname for connection from %lu",
        conn_addr);

    req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
    free_request = FALSE;
    rc = PBSE_BADHOST;
    goto process_request_cleanup;
    }

  if (LOGLEVEL >= 1)
    {
    sprintf(log_buf,
      msg_request,
      reqtype_to_txt(request->rq_type),
      request->rq_user,
      request->rq_host,
      sfds);

    log_event(PBSEVENT_DEBUG2, PBS_EVENTCLASS_REQUEST, "", log_buf);
    }

  /* is the request from a host acceptable to the server */
  if (conn_socktype & PBS_SOCK_UNIX)
    {
    strcpy(request->rq_host, server_name);
    }

  get_svr_attr_l(SRV_ATR_acl_host_enable, &acl_enable);
  if (acl_enable)
    {
    /* acl enabled, check it; always allow myself and nodes */
    struct array_strings *pas = NULL;
    struct pbsnode       *isanode;

    get_svr_attr_arst(SRV_ATR_acl_hosts, &pas);
    isanode = PGetNodeFromAddr(conn_addr);

    if ((isanode == NULL) &&
        (strcmp(server_host, request->rq_host) != 0) &&
        (acl_check_my_array_string(pas, request->rq_host, ACL_Host) == 0))
      {
      char tmpLine[MAXLINE];
      snprintf(tmpLine, sizeof(tmpLine), "request not authorized from host %s",
               request->rq_host);

      req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
      free_request = FALSE;
      rc = PBSE_BADHOST;
      goto process_request_cleanup;
      }

    if (isanode != NULL)
      unlock_node(isanode, "process_request", NULL, LOGLEVEL);
    }

  /*
   * determine source (user client or another server) of request.
   * set the permissions granted to the client
   */

  if (conn_authen == PBS_NET_CONN_FROM_PRIVIL)
    {
    /* request came from another server */

    request->rq_fromsvr = 1;

    request->rq_perm =
      ATR_DFLAG_USRD | ATR_DFLAG_USWR |
      ATR_DFLAG_OPRD | ATR_DFLAG_OPWR |
      ATR_DFLAG_MGRD | ATR_DFLAG_MGWR |
      ATR_DFLAG_SvWR;
    }
  else
    {
    /* request not from another server */
    conn_credent[sfds].timestamp = time_now;

    request->rq_fromsvr = 0;

    /*
     * Client must be authenticated by an Authenticate User Request, if not,
     * reject request and close connection.  -- The following is retained for
     * compat with old cmds -- The exception to this is of course the Connect
     * Request which cannot have been authenticated, because it contains the
     * needed ticket; so trap it here.  Of course, there is no prior
     * authentication on the Authenticate User request either, but it comes
     * over a reserved port and appears from another server, hence is
     * automatically granted authentication.
     *
     * The above is only true with inet sockets.  With unix domain sockets, the
     * user creds were read before the first dis_request_read call above.
     * We automatically granted authentication because we can trust the socket
     * creds.  Authorization is still granted in svr_get_privilege below
     */

    if (request->rq_type == PBS_BATCH_Connect)
      {
      req_connect(request);

      if (conn_socktype == PBS_SOCK_INET)
        {
        rc = PBSE_IVALREQ;
        req_reject(rc, 0, request, NULL, NULL);
        free_request = FALSE;
        goto process_request_cleanup;
        }

      }

    if (conn_socktype & PBS_SOCK_UNIX)
      {
      pthread_mutex_lock(svr_conn[sfds].cn_mutex);
      svr_conn[sfds].cn_authen = PBS_NET_CONN_AUTHENTICATED;
      pthread_mutex_unlock(svr_conn[sfds].cn_mutex);
      }

    if (ENABLE_TRUSTED_AUTH == TRUE )
      rc = PBSE_NONE;  /* bypass the authentication of the user--trust the client completely */
    else if (munge_on)
      {
      /* If munge_on is true we will validate the connection now */
      if (request->rq_type == PBS_BATCH_AltAuthenUser)
        {
        rc = req_altauthenuser(request);
        free_request = FALSE;
        goto process_request_cleanup;
        }
      else
        {
        rc = authenticate_user(request, &conn_credent[sfds], &auth_err);
        }
      }
    else if (conn_authen != PBS_NET_CONN_AUTHENTICATED)
      /* skip checking user if we did not get an authenticated credential */
      rc = PBSE_BADCRED;
    else
      rc = authenticate_user(request, &conn_credent[sfds], &auth_err);

    if (rc != 0)
      {
      req_reject(rc, 0, request, NULL, auth_err);
      if (auth_err != NULL)
        free(auth_err);
      free_request = FALSE;
      goto process_request_cleanup;
      }

    /*
     * pbs_mom and checkpoint restart scripts both need the authority to do
     * alters and releases on checkpointable jobs.  Allow manager permission
     * for root on the jobs execution node.
     */
     
    if (((request->rq_type == PBS_BATCH_ModifyJob) ||
        (request->rq_type == PBS_BATCH_ReleaseJob)) &&
        (strcmp(request->rq_user, PBS_DEFAULT_ADMIN) == 0))
      {
      job *pjob;
      char *dptr;
      int skip = FALSE;
      char short_host[PBS_MAXHOSTNAME+1];

      /* make short host name */

      strcpy(short_host, request->rq_host);
      if ((dptr = strchr(short_host, '.')) != NULL)
        {
        *dptr = '\0';
        }
      
      if ((pjob = svr_find_job(request->rq_ind.rq_modify.rq_objname, FALSE)) != (job *)0)
        {
        if (pjob->ji_qs.ji_state == JOB_STATE_RUNNING)
          {

          if ((pjob->ji_wattr[JOB_ATR_checkpoint].at_flags & ATR_VFLAG_SET) &&
              ((csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "s") != NULL) ||
               (csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "c") != NULL) ||
               (csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "enabled") != NULL)) &&
              (strstr(pjob->ji_wattr[JOB_ATR_exec_host].at_val.at_str, short_host) != NULL))
            {
            request->rq_perm = svr_get_privilege(request->rq_user, server_host);
            skip = TRUE;
            }

          }
        unlock_ji_mutex(pjob, __func__, "1", LOGLEVEL);
        }
      
      if (!skip)
        {
        request->rq_perm = svr_get_privilege(request->rq_user, request->rq_host);
        }
      }
    else
      {
      request->rq_perm = svr_get_privilege(request->rq_user, request->rq_host);
      }
    }  /* END else (conn_authen == PBS_NET_CONN_FROM_PRIVIL) */

  /* if server shutting down, disallow new jobs and new running */
  get_svr_attr_l(SRV_ATR_State, &state);

  if (state > SV_STATE_RUN)
    {
    switch (request->rq_type)
      {
      case PBS_BATCH_AsyrunJob:
      case PBS_BATCH_JobCred:
      case PBS_BATCH_MoveJob:
      case PBS_BATCH_QueueJob:
      case PBS_BATCH_RunJob:
      case PBS_BATCH_StageIn:
      case PBS_BATCH_jobscript:

        req_reject(PBSE_SVRDOWN, 0, request, NULL, NULL);
        rc = PBSE_SVRDOWN;
        free_request = FALSE;
        goto process_request_cleanup;
        /*NOTREACHED*/

        break;
      }
    }

  /*
   * dispatch the request to the correct processing function.
   * The processing function must call reply_send() to free
   * the request struture.
   */

  rc = dispatch_request(sfds, request);

  return(rc);

process_request_cleanup:

  if (free_request == TRUE)
    free_br(request);

  return(rc);
  }  /* END process_request() */