From c11e8163f8382a64fca7e283ba0a87530a3681e6 Mon Sep 17 00:00:00 2001
From: Gilles Gouaillardet
Date: Wed, 24 Aug 2016 11:16:20 +0900
Subject: [PATCH] pmix2x: sec/native: fix the pmix_native module under solaris by using getpeerucred() and fail with a user friendly message if no method is available: "sec: native cannot validate_cred on this system" (back-ported from upstream pmix/master@c474a1fc6072c96d2c0ee0222846dc64af0fcddf)
---
 opal/mca/pmix/pmix2x/pmix/config/pmix.m4 | 4 +--
 .../pmix/pmix2x/pmix/src/sec/pmix_native.c | 25 +++++++++++++++++++
 2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/opal/mca/pmix/pmix2x/pmix/config/pmix.m4 b/opal/mca/pmix/pmix2x/pmix/config/pmix.m4
index e6587809a4..af6dc44580 100644
--- a/opal/mca/pmix/pmix2x/pmix/config/pmix.m4
+++ b/opal/mca/pmix/pmix2x/pmix/config/pmix.m4
@@ -302,7 +302,7 @@ AC_DEFUN([PMIX_SETUP_CORE],[
 crt_externs.h signal.h \
 ioLib.h sockLib.h hostLib.h limits.h \
 sys/statfs.h sys/statvfs.h \
- netdb.h])
+ netdb.h ucred.h])
 # Note that sometimes we have , but it doesn't work (e.g.,
 # have both Portland and GNU installed; using pgcc will find GNU's
@@ -508,7 +508,7 @@ AC_DEFUN([PMIX_SETUP_CORE],[
 # Darwin doesn't need -lm, as it's a symlink to libSystem.dylib
 PMIX_SEARCH_LIBS_CORE([ceil], [m])
- AC_CHECK_FUNCS([asprintf snprintf vasprintf vsnprintf strsignal socketpair strncpy_s usleep statfs statvfs getpeereid strnlen])
+ AC_CHECK_FUNCS([asprintf snprintf vasprintf vsnprintf strsignal socketpair strncpy_s usleep statfs statvfs getpeereid getpeerucred strnlen])
 # On some hosts, htonl is a define, so the AC_CHECK_FUNC will get
 # confused. On others, it's in the standard library, but stubbed with
diff --git a/opal/mca/pmix/pmix2x/pmix/src/sec/pmix_native.c b/opal/mca/pmix/pmix2x/pmix/src/sec/pmix_native.c
index 170e186cff..8a85ae596b 100644
--- a/opal/mca/pmix/pmix2x/pmix/src/sec/pmix_native.c
+++ b/opal/mca/pmix/pmix2x/pmix/src/sec/pmix_native.c
@@ -1,6 +1,8 @@
 /*
 * Copyright (c) 2015-2016 Intel, Inc. All rights reserved.
 * Copyright (c) 2016 IBM Corporation. All rights reserved.
+ * Copyright (c) 2016 Research Organization for Information Science
+ * and Technology (RIST). All rights reserved.
 *
 * $COPYRIGHT$
 *
@@ -24,6 +26,9 @@
 #ifdef HAVE_SYS_TYPES_H
 #include
 #endif
+#ifdef HAVE_UCRED_H
+#include
+#endif
 #include "pmix_sec.h"
 #include "pmix_native.h"
@@ -65,6 +70,9 @@ static pmix_status_t validate_cred(pmix_peer_t *peer, char *cred)
 struct ucred ucred;
 #endif
 socklen_t crlen = sizeof (ucred);
+#endif
+#ifdef HAVE_GETPEERUCRED
+ ucred_t *ucred = NULL;
 #endif
 uid_t euid;
 gid_t gid;
@@ -99,7 +107,24 @@ static pmix_status_t validate_cred(pmix_peer_t *peer, char *cred)
 strerror (pmix_socket_errno));
 return PMIX_ERR_INVALID_CRED;
 }
+#elif defined(HAVE_GETPEERUCRED)
+ pmix_output_verbose(2, pmix_globals.debug_output,
+ "sec:native checking getpeerucred for peer credentials");
+ if (0 != getpeerucred(peer->sd, &ucred)) {
+ pmix_output_verbose(2, pmix_globals.debug_output,
+ "sec: getsockopt getpeerucred failed: %s",
+ strerror (pmix_socket_errno));
+ pmix_output_verbose(2, pmix_globals.debug_output,
+ "sec: getsockopt getpeerucred failed: %s",
+ strerror (errno));
+ return PMIX_ERR_INVALID_CRED;
+ }
+ euid = ucred_geteuid(ucred);
+ gid = ucred_getrgid(ucred);
+ ucred_free(ucred);
 #else
+ pmix_output_verbose(2, pmix_globals.debug_output,
+ "sec: native cannot validate_cred on this system");
 return PMIX_ERR_NOT_SUPPORTED;
 #endif
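Review bot: The `ucred_t *ucred` declaration added in the -65,6 hunk is guarded by a stand-alone `#ifdef HAVE_GETPEERUCRED`, while the code that uses it in the -99,7 hunk is an `#elif` arm. On a platform where the preceding credential block is also enabled, validate_cred() would declare `ucred` twice with different types and fail to compile. The opening `#if` of that block is outside the hunk, so this is inferred from the `struct ucred ucred;` context line. Assuming the enclosing block is a single `#if`, replacing the added `#endif` / `#ifdef HAVE_GETPEERUCRED` pair with `#elif defined(HAVE_GETPEERUCRED)` would keep the declaration and its use under the same condition.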
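Review bot: In the new getpeerucred() arm of validate_cred(), the results of `ucred_geteuid()` and `ucred_getrgid()` are used without a failure check, and the group taken is the peer's real gid rather than its effective one. Both accessors return -1 on error, so a credential check should reject that value explicitly rather than pass it on to the comparison, which presumably follows outside the hunk. SO_PEERCRED and getpeereid() report effective ids, so `gid = ucred_getegid(ucred);` would keep this arm consistent with them, followed after `ucred_free(ucred);` by `if ((uid_t)-1 == euid || (gid_t)-1 == gid) return PMIX_ERR_INVALID_CRED;`. The failure path also logs the same message twice, once with `pmix_socket_errno` and once with `errno`, and calls it "getsockopt"; a single `"sec: getpeerucred failed: %s"` line would be clearer in a debug trace.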