pmix2x: sec/native: fix the pmix_native module under solaris by using getpeerucred()

and fail with a user friendly message if no method is available: "sec: native cannot validate_cred on this system" (back-ported from upstream pmix/master@c474a1fc60)
2016-08-24 11:16:20 +09:00 · 2016-08-24 11:16:20 +09:00 · c11e8163f8
--- a/opal/mca/pmix/pmix2x/pmix/config/pmix.m4
+++ b/opal/mca/pmix/pmix2x/pmix/config/pmix.m4
@ -302,7 +302,7 @@ AC_DEFUN([PMIX_SETUP_CORE],[
                      crt_externs.h signal.h \
                      ioLib.h sockLib.h hostLib.h limits.h \
                      sys/statfs.h sys/statvfs.h \
-                      netdb.h])
+                      netdb.h ucred.h])

    # Note that sometimes we have <stdbool.h>, but it doesn't work (e.g.,
    # have both Portland and GNU installed; using pgcc will find GNU's
@ -508,7 +508,7 @@ AC_DEFUN([PMIX_SETUP_CORE],[
    # Darwin doesn't need -lm, as it's a symlink to libSystem.dylib
    PMIX_SEARCH_LIBS_CORE([ceil], [m])

-    AC_CHECK_FUNCS([asprintf snprintf vasprintf vsnprintf strsignal socketpair strncpy_s usleep statfs statvfs getpeereid strnlen])
+    AC_CHECK_FUNCS([asprintf snprintf vasprintf vsnprintf strsignal socketpair strncpy_s usleep statfs statvfs getpeereid getpeerucred strnlen])

    # On some hosts, htonl is a define, so the AC_CHECK_FUNC will get
    # confused.  On others, it's in the standard library, but stubbed with
--- a/opal/mca/pmix/pmix2x/pmix/src/sec/pmix_native.c
+++ b/opal/mca/pmix/pmix2x/pmix/src/sec/pmix_native.c
@ -1,6 +1,8 @@
 /*
 * Copyright (c) 2015-2016 Intel, Inc.  All rights reserved.
 * Copyright (c) 2016      IBM Corporation.  All rights reserved.
+ * Copyright (c) 2016      Research Organization for Information Science
+ *                         and Technology (RIST). All rights reserved.
 *
 * $COPYRIGHT$
 *
@ -24,6 +26,9 @@
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
 #endif
+#ifdef HAVE_UCRED_H
+#include <ucred.h>
+#endif

 #include "pmix_sec.h"
 #include "pmix_native.h"
@ -65,6 +70,9 @@ static pmix_status_t validate_cred(pmix_peer_t *peer, char *cred)
    struct ucred ucred;
 #endif
    socklen_t crlen = sizeof (ucred);
+#endif
+#ifdef HAVE_GETPEERUCRED
+    ucred_t *ucred = NULL;
 #endif
    uid_t euid;
    gid_t gid;
@ -99,7 +107,24 @@ static pmix_status_t validate_cred(pmix_peer_t *peer, char *cred)
                            strerror (pmix_socket_errno));
        return PMIX_ERR_INVALID_CRED;
    }
+#elif defined(HAVE_GETPEERUCRED)
+    pmix_output_verbose(2, pmix_globals.debug_output,
+                        "sec:native checking getpeerucred for peer credentials");
+    if (0 != getpeerucred(peer->sd, &ucred)) {
+        pmix_output_verbose(2, pmix_globals.debug_output,
+                            "sec: getsockopt getpeerucred failed: %s",
+                            strerror (pmix_socket_errno));
+        pmix_output_verbose(2, pmix_globals.debug_output,
+                            "sec: getsockopt getpeerucred failed: %s",
+                            strerror (errno));
+        return PMIX_ERR_INVALID_CRED;
+    }
+    euid = ucred_geteuid(ucred);
+    gid = ucred_getrgid(ucred);
+    ucred_free(ucred);
 #else
+    pmix_output_verbose(2, pmix_globals.debug_output,
+                        "sec: native cannot validate_cred on this system");
    return PMIX_ERR_NOT_SUPPORTED;
 #endif