merge
This commit is contained in:
commit
e14690517e
4 changed files with 134 additions and 1 deletions
@ -14,6 +14,9 @@ keyfs, warning \- authentication database files
.BI -m mntpt
]
[
.B -r
]
[
.I keyfile
]
.PP
@ -84,6 +87,10 @@ If any changes are made to the database that affect the information stored in
.IR keyfile ,
a new version of the file is written.
.PP
If the
.B -r
option is given, the database is mounted `read-only' and no changes are permitted.
.PP
There are two authentication databases,
one for Plan 9 user information,
and one for SecureNet user information.
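--- /dev/null
+++ b/sys/src/cmd/auth/asaudit.c
@@ -0,0 +1,106 @@
+#include <u.h>
+#include <libc.h>
+#include <bio.h>
+#include <authsrv.h>
+#include <ndb.h>
+
+int havenvram;
+Nvrsafe nvr;
+char eve[128];
+Ndb *db;
+
+void
+geteve(void)
+{
+int fd;
+
+fd = open("#c/hostowner", OREAD);
+if(fd < 0) sysfatal("open: %r");
+memset(eve, 0, sizeof(eve));
+if(read(fd, eve, sizeof(eve)-1) < 0) sysfatal("read: %r");
+close(fd);
+if(strcmp(getuser(), eve) != 0) print("hostowner is %#q, but running as %#q\n", eve, getuser());
+}
+
+void
+ndb(void)
+{
+db = ndbopen(nil);
+if(db == nil){
+print("ndbopen: %r");
+return;
+}
+}
+
+void
+nvram(void)
+{
+char *auth;
+
+if(readnvram(&nvr, 0) < 0){
+print("readnvram: %r\n");
+return;
+}
+havenvram = 1;
+print("found nvram key for user '%s@%s'\n", nvr.authid, nvr.authdom);
+if(strcmp(eve, nvr.authid) != 0) print("nvram authid doesn't match hostowner %#q\n", eve);
+if(db != nil){
+auth = ndbgetvalue(db, nil, "authdom", nvr.authdom, "auth", nil);
+if(auth == nil) print("authdom %#q not found in ndb\n", nvr.authdom);
+else{
+print("ndb says authdom %#q corresponds to auth server %#q\n", nvr.authdom, auth);
+free(auth);
+}
+}
+}
+
+void
+keyfs(void)
+{
+char *buf;
+int fd;
+char aes[AESKEYLEN];
+
+if(!havenvram) return;
+if(access("/adm/keys", AREAD) < 0){
+print("no access to /adm/keys\n");
+return;
+}
+print("starting keyfs\n");
+rfork(RFNAMEG);
+switch(fork()){
+case -1:
+sysfatal("fork: %r");
+case 0:
+if(execl("/bin/auth/keyfs", "auth/keyfs", "-r", nil) < 0)
+sysfatal("execl: %r");
+}
+waitpid();
+buf = smprint("/mnt/keys/%s/aeskey", nvr.authid);
+fd = open(buf, OREAD);
+if(fd < 0){
+print("can't get key from keyfs: %r");
+return;
+}
+werrstr("short read");
+if(read(fd, aes, sizeof(aes)) < sizeof(aes)){
+print("read: %r");
+close(fd);
+return;
+}
+if(memcmp(nvr.aesmachkey, aes, AESKEYLEN) != 0)
+print("key in keyfs does not match nvram\n");
+else
+print("key in keyfs matches nvram\n");
+close(fd);
+}
+
+void
+main()
+{
+quotefmtinstall();
+geteve();
+ndb();
+nvram();
+keyfs();
+}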
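Review bot: In `keyfs()` the short-read check `if(read(fd, aes, sizeof(aes)) < sizeof(aes))` compares the signed `long` returned by `read` against an unsigned `sizeof`, so a failed read returning -1 converts to a huge unsigned value, the error branch is skipped, and `memcmp` then compares `nvr.aesmachkey` against an uninitialized `aes` and reports a bogus mismatch. Capture the count first: `long n = read(fd, aes, sizeof aes);` followed by `if(n < 0 || (ulong)n < sizeof aes){`. In the same hunk three diagnostics lack a trailing newline (`"ndbopen: %r"`, `"can't get key from keyfs: %r"`, `"read: %r"`), and the `smprint` result is neither checked for nil nor freed before the returns. Since `aes` holds a copy of the machine key, clearing it before each return (`memset(aes, 0, sizeof aes);`) is worth adding; whether `readnvram` guarantees that `nvr.authid` and `nvr.authdom` are NUL-terminated before they reach `%s`, `%q` and `smprint` I cannot confirm from this page, so that is worth verifying against libauthsrv.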
@ -92,6 +92,7 @@ int nuser;
ulong uniq = 1;
Fcall rhdr, thdr;
int usepass;
int readonly;
char *warnarg;
uchar mdata[8192 + IOHDRSZ];
int messagesize = sizeof mdata;
@ -137,7 +138,7 @@ char *(*fcalls[])(Fid*) = {
static void
usage(void)
{
fprint(2, "usage: %s [-p] [-m mtpt] [-w warn] [keyfile]\n", argv0);
fprint(2, "usage: %s [-p] [-r] [-m mtpt] [-w warn] [keyfile]\n", argv0);
exits("usage");
}
@ -165,6 +166,9 @@ main(int argc, char *argv[])
case 'w':
warnarg = EARGF(usage());
break;
case 'r':
readonly = 1;
break;
default:
usage();
break;
@ -390,6 +394,8 @@ Create(Fid *f)
if(!f->busy)
return "create of unused fid";
if(readonly)
return "mounted read-only";
name = rhdr.name;
if(f->user != nil){
return "permission denied";
@ -531,6 +537,8 @@ Write(Fid *f)
if(!f->busy)
return "permission denied";
if(readonly)
return "mounted read-only";
n = rhdr.count;
data = rhdr.data;
switch(f->qtype){
@ -613,6 +621,10 @@ Remove(Fid *f)
{
if(!f->busy)
return "permission denied";
if(readonly){
Clunk(f);
return "mounted read-only";
}
if(f->qtype == Qwarnings)
f->user->warnings = 0;
else if(f->qtype == Quser)
@ -649,6 +661,8 @@ Wstat(Fid *f)
if(!f->busy || f->qtype != Quser)
return "permission denied";
if(readonly)
return "mounted read-only";
if(rhdr.nstat > sizeof buf)
return "wstat buffer too big";
if(convM2D(rhdr.stat, rhdr.nstat, &d, buf) == 0)
@ -712,6 +726,11 @@ writeusers(void)
uchar *p, *buf;
ulong expire;
if(readonly){
fprint(2, "writeusers called while read-only; shouldn't happen\n");
return;
}
/* what format to use */
keydblen = KEYDBLEN;
keydboff = KEYDBOFF;
@ -4,6 +4,7 @@
#
TARG=\
as\
asaudit\
asn12dsa\
asn12rsa\
authsrv\