int
getpeereid(int s, uid_t *euid, gid_t *gid)
{
ucred_t *ucred = NULL;
if (getpeerucred(s, &ucred) == -1)
return (-1);
if ((*euid = ucred_geteuid(ucred)) == -1)
return (-1);
if ((*gid = ucred_getrgid(ucred)) == -1)
return (-1);
ucred_free(ucred);
return (0);
}
static int ctrls_get_creds_peerucred(int sockfd, uid_t *uid, gid_t *gid) {
ucred_t *cred = NULL;
if (getpeerucred(sockfd, &cred) < 0) {
int xerrno = errno;
pr_trace_msg(trace_channel, 7, "error obtaining credentials using "
"getpeerucred(3) on fd %d: %s", sockfd, strerror(xerrno));
errno = xerrno;
return -1;
}
if (uid)
*uid = ucred_getruid(cred);
if (gid)
*gid = ucred_getrgid(cred);
ucred_free(cred);
return 0;
}
static pmix_status_t validate_cred(pmix_peer_t *peer, char *cred)
{
#if defined(SO_PEERCRED)
#ifdef HAVE_STRUCT_SOCKPEERCRED_UID
#define HAVE_STRUCT_UCRED_UID
struct sockpeercred ucred;
#else
struct ucred ucred;
#endif
socklen_t crlen = sizeof (ucred);
#endif
#ifdef HAVE_GETPEERUCRED
ucred_t *ucred = NULL;
#endif
uid_t euid;
gid_t gid;
pmix_output_verbose(2, pmix_globals.debug_output,
"sec: native validate_cred %s", cred ? cred : "NULL");
#if defined(SO_PEERCRED) && (defined(HAVE_STRUCT_UCRED_UID) || defined(HAVE_STRUCT_UCRED_CR_UID))
/* Ignore received 'cred' and validate ucred for socket instead. */
pmix_output_verbose(2, pmix_globals.debug_output,
"sec:native checking getsockopt for peer credentials");
if (getsockopt (peer->sd, SOL_SOCKET, SO_PEERCRED, &ucred, &crlen) < 0) {
pmix_output_verbose(2, pmix_globals.debug_output,
"sec: getsockopt SO_PEERCRED failed: %s",
strerror (pmix_socket_errno));
return PMIX_ERR_INVALID_CRED;
}
#if defined(HAVE_STRUCT_UCRED_UID)
euid = ucred.uid;
gid = ucred.gid;
#else
euid = ucred.cr_uid;
gid = ucred.cr_gid;
#endif
#elif defined(HAVE_GETPEEREID)
pmix_output_verbose(2, pmix_globals.debug_output,
"sec:native checking getpeereid for peer credentials");
if (0 != getpeereid(peer->sd, &euid, &gid)) {
pmix_output_verbose(2, pmix_globals.debug_output,
"sec: getsockopt getpeereid failed: %s",
strerror (pmix_socket_errno));
return PMIX_ERR_INVALID_CRED;
}
#elif defined(HAVE_GETPEERUCRED)
pmix_output_verbose(2, pmix_globals.debug_output,
"sec:native checking getpeerucred for peer credentials");
if (0 != getpeerucred(peer->sd, &ucred)) {
pmix_output_verbose(2, pmix_globals.debug_output,
"sec: getsockopt getpeerucred failed: %s",
strerror (pmix_socket_errno));
pmix_output_verbose(2, pmix_globals.debug_output,
"sec: getsockopt getpeerucred failed: %s",
strerror (errno));
return PMIX_ERR_INVALID_CRED;
}
euid = ucred_geteuid(ucred);
gid = ucred_getrgid(ucred);
ucred_free(ucred);
#else
pmix_output_verbose(2, pmix_globals.debug_output,
"sec: native cannot validate_cred on this system");
return PMIX_ERR_NOT_SUPPORTED;
#endif
/* check uid */
if (euid != peer->info->uid) {
pmix_output_verbose(2, pmix_globals.debug_output,
"sec: socket cred contains invalid uid %u", euid);
return PMIX_ERR_INVALID_CRED;
}
/* check gid */
if (gid != peer->info->gid) {
pmix_output_verbose(2, pmix_globals.debug_output,
"sec: socket cred contains invalid gid %u", gid);
return PMIX_ERR_INVALID_CRED;
}
pmix_output_verbose(2, pmix_globals.debug_output,
"sec: native credential %u:%u valid",
euid, gid);
return PMIX_SUCCESS;
}
